From: Sean Christopherson <seanjc@google.com>
To: Maxim Levitsky <mlevitsk@redhat.com>
Cc: kvm@vger.kernel.org, Joerg Roedel <joro@8bytes.org>,
Thomas Gleixner <tglx@linutronix.de>,
Jim Mattson <jmattson@google.com>,
"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
<x86@kernel.org>,
"open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
<linux-kernel@vger.kernel.org>,
Wanpeng Li <wanpengli@tencent.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Borislav Petkov <bp@alien8.de>, "H. Peter Anvin" <hpa@zytor.com>,
Ingo Molnar <mingo@redhat.com>,
Vitaly Kuznetsov <vkuznets@redhat.com>
Subject: Re: [PATCH v2 1/3] KVM: nSVM: restore the L1 host state prior to resuming a nested guest on SMM exit
Date: Wed, 8 Sep 2021 22:04:01 +0000
Message-ID: <YTkzUaFD664+9WB+@google.com>
In-Reply-To: <20210823114618.1184209-2-mlevitsk@redhat.com>
On Mon, Aug 23, 2021, Maxim Levitsky wrote:
> If the guest is entered prior to restoring the host save area,
> the guest entry code might see incorrect L1 state (e.g paging state).
>
> Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
> ---
> arch/x86/kvm/svm/svm.c | 23 +++++++++++++----------
> 1 file changed, 13 insertions(+), 10 deletions(-)
>
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index 1a70e11f0487..ea7a4dacd42f 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -4347,27 +4347,30 @@ static int svm_leave_smm(struct kvm_vcpu *vcpu, const char *smstate)
> gpa_to_gfn(vmcb12_gpa), &map) == -EINVAL)
> return 1;
>
> - if (svm_allocate_nested(svm))
> + if (kvm_vcpu_map(vcpu, gpa_to_gfn(svm->nested.hsave_msr),
> + &map_save) == -EINVAL)
> return 1;
Returning here will neglect to unmap "map".
>
> - vmcb12 = map.hva;
> -
> - nested_load_control_from_vmcb12(svm, &vmcb12->control);
> -
> - ret = enter_svm_guest_mode(vcpu, vmcb12_gpa, vmcb12);
> - kvm_vcpu_unmap(vcpu, &map, true);
> + if (svm_allocate_nested(svm))
> + return 1;
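Review bot: both new early exits in this hunk, the `return 1` after `kvm_vcpu_map(vcpu, gpa_to_gfn(svm->nested.hsave_msr), &map_save)` fails and the `return 1` after `svm_allocate_nested(svm)` fails, leave the vmcb12 mapping taken a few lines earlier by `kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map)` outstanding (and the second one also leaks `map_save`); the deleted lines show the only `kvm_vcpu_unmap(vcpu, &map, true)` sits on the success path. Route both failures through unwind labels that call `kvm_vcpu_unmap()` for each mapping taken so far and return through a single exit, so every path that mapped a page also unmaps it.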
Ditto here for both "map" and "map_save", though it looks like there's a
pre-existing bug if svm_allocate_nested() fails. If you add a prep cleanup patch
to remove the statement nesting (between the bug fix and this patch), it will make
handling this a lot easier, e.g.
static int svm_leave_smm(struct kvm_vcpu *vcpu, const char *smstate)
{
	struct vcpu_svm *svm = to_svm(vcpu);
	struct kvm_host_map map, map_save;
	u64 saved_efer, vmcb12_gpa;
	struct vmcb *vmcb12;
	int ret;

	if (!guest_cpuid_has(vcpu, X86_FEATURE_LM))
		return 0;

	/* Non-zero if SMI arrived while vCPU was in guest mode. */
	if (!GET_SMSTATE(u64, smstate, 0x7ed8))
		return 0;

	if (!guest_cpuid_has(vcpu, X86_FEATURE_SVM))
		return 1;

	saved_efer = GET_SMSTATE(u64, smstate, 0x7ed0);
	if (!(saved_efer & EFER_SVME))
		return 1;

	vmcb12_gpa = GET_SMSTATE(u64, smstate, 0x7ee0);
	if (kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map) == -EINVAL)
		return 1;

	/* From here on every failure must unwind the mappings taken so far. */
	ret = 1;
	if (kvm_vcpu_map(vcpu, gpa_to_gfn(svm->nested.hsave_msr), &map_save) == -EINVAL)
		goto unmap_map;

	if (svm_allocate_nested(svm))
		goto unmap_save;

	/*
	 * Restore L1 host state from L1 HSAVE area as VMCB01 was
	 * used during SMM (see svm_enter_smm())
	 */
	svm_copy_vmrun_state(&svm->vmcb01.ptr->save,
			     map_save.hva + 0x400);

	/*
	 * Restore L2 state
	 */
	vmcb12 = map.hva;
	nested_load_control_from_vmcb12(svm, &vmcb12->control);
	ret = enter_svm_guest_mode(vcpu, vmcb12_gpa, vmcb12);

unmap_save:
	kvm_vcpu_unmap(vcpu, &map_save, true);
unmap_map:
	kvm_vcpu_unmap(vcpu, &map, true);
	return ret;
}
Thread overview:
2021-08-23 11:46 [PATCH v2 0/3] KVM: few more SMM fixes Maxim Levitsky
2021-08-23 11:46 ` [PATCH v2 1/3] KVM: nSVM: restore the L1 host state prior to resuming a nested guest on SMM exit Maxim Levitsky
2021-09-08 22:04 ` Sean Christopherson [this message]
2021-09-12 10:33 ` Maxim Levitsky
2021-08-23 11:46 ` [PATCH v2 2/3] KVM: x86: force PDPTRs reload " Maxim Levitsky
2021-09-09 0:55 ` Sean Christopherson
2021-09-12 10:33 ` Maxim Levitsky
2021-08-23 11:46 ` [PATCH v2 3/3] KVM: nSVM: call KVM_REQ_GET_NESTED_STATE_PAGES on exit from SMM mode Maxim Levitsky
2021-09-09 0:59 ` Sean Christopherson
2021-09-12 10:35 ` Maxim Levitsky
2021-08-23 13:01 ` [PATCH v2 0/3] KVM: few more SMM fixes Maxim Levitsky