Re: [PATCH] KVM: x86: Mark transfer type as X86_TRANSFER_RET when loading CS in iret emulation

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sean Christopherson <seanjc@google.com>
To: Hou Wenlong <houwenlong.hwl@antgroup.com>
Cc: kvm@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] KVM: x86: Mark transfer type as X86_TRANSFER_RET when loading CS in iret emulation
Date: Wed, 12 Oct 2022 16:34:57 +0000	[thread overview]
Message-ID: <Y0bssbjJTQVB+SCg@google.com> (raw)
In-Reply-To: <fcaf1408d2aaaa39b33cdd3b11bf06e7e935d11a.1665565774.git.houwenlong.hwl@antgroup.com>

On Wed, Oct 12, 2022, Hou Wenlong wrote:
> When loading code segment descriptor in iret instruction emulation, the
> checks are same as far return instruction emulation, so transfer type
> should be X86_TRANSFER_RET in __load_segment_descriptor(). Although,
> only iret in real mode is implemented now, and no checks are actually
> needed for real mode, it would still be better to mark transfer type as
> X86_TRANSFER_RET.

It's not strictly a RET though.  The RPL vs. DPL checks in __load_segment_descriptor()
might do the right thing, but there's a rather large pile of stuff IRET can do that
RET can't (ignoring the fact that KVM doesn't even emulate FAR RET to outer privilege
levels).

And __emulate_int_real() also loads CS with X86_TRANSFER_NONE, i.e. KVM still has
a weird path to worry about.

Rather than make the IRET case slightly less wrong, what about adding a sanity
check in __load_segment_descriptor() that KVM doesn't attempt to load CS in Protected
Mode with X86_TRANSFER_NONE?

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 3b27622d4642..fe735e18c419 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1641,6 +1641,14 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
                        goto exception;
                break;
        case VCPU_SREG_CS:
+               /*
+                * KVM uses "none" when loading CS as part of emulating Real
+                * Mode exceptions and IRET (handled above).  In all other
+                * cases, loading CS without a control transfer is a KVM bug.
+                */
+               if (WARN_ON_ONCE(transfer == X86_TRANSFER_NONE))
+                       goto exception;
+
                if (!(seg_desc.type & 8))
                        goto exception;

> 
> No functional change intended.
> 
> Signed-off-by: Hou Wenlong <houwenlong.hwl@antgroup.com>
> ---
>  arch/x86/kvm/emulate.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index 3b27622d4642..5052eb480068 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -2100,6 +2100,7 @@ static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
>  			     X86_EFLAGS_FIXED;
>  	unsigned long vm86_mask = X86_EFLAGS_VM | X86_EFLAGS_VIF |
>  				  X86_EFLAGS_VIP;
> +	u8 cpl = ctxt->ops->cpl(ctxt);
>  
>  	/* TODO: Add stack limit check */
>  
> @@ -2121,7 +2122,8 @@ static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
>  	if (rc != X86EMUL_CONTINUE)
>  		return rc;
>  
> -	rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
> +	rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl,
> +				       X86_TRANSFER_RET, NULL);
>  
>  	if (rc != X86EMUL_CONTINUE)
>  		return rc;
> -- 
> 2.31.1
>

next prev parent reply	other threads:[~2022-10-12 16:35 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-12  9:11 [PATCH] KVM: x86: Mark transfer type as X86_TRANSFER_RET when loading CS in iret emulation Hou Wenlong
2022-10-12 16:34 ` Sean Christopherson [this message]
2022-10-13  6:52   ` Hou Wenlong
2022-10-14  4:16     ` Sean Christopherson

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:3b27622d464 dfblob:fe735e18c41 )
 OR (
bs:"Re: [PATCH] KVM: x86: Mark transfer type as X86_TRANSFER_RET when loading CS in iret emulation" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y0bssbjJTQVB+SCg@google.com \
    --to=seanjc@google.com \
    --cc=bp@alien8.de \
    --cc=dave.hansen@linux.intel.com \
    --cc=houwenlong.hwl@antgroup.com \
    --cc=hpa@zytor.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.