From: Sean Christopherson <seanjc@google.com>
To: Maxim Levitsky <mlevitsk@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	Jim Mattson <jmattson@google.com>,
	Oliver Upton <oupton@google.com>, Peter Shier <pshier@google.com>
Subject: Re: [PATCH v2 02/24] KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS
Date: Mon, 18 Jul 2022 16:37:38 +0000
Message-ID: <YtWMUsjfkv+JcOXe@google.com>
In-Reply-To: <547250051f1578b7ddf60311be46b3eb7990ccc6.camel@redhat.com>

On Mon, Jul 18, 2022, Maxim Levitsky wrote:
> On Fri, 2022-07-15 at 20:42 +0000, Sean Christopherson wrote:
> > Deliberately truncate the exception error code when shoving it into the
> > VMCS (VM-Entry field for vmcs01 and vmcs02, VM-Exit field for vmcs12).
> > Intel CPUs are incapable of handling 32-bit error codes and will never
> > generate an error code with bits 31:16, but userspace can provide an
> > arbitrary error code via KVM_SET_VCPU_EVENTS.  Failure to drop the bits
> > on exception injection results in failed VM-Entry, as VMX disallows
> > setting bits 31:16.  Setting the bits on VM-Exit would at best confuse
> > L1, and at worse induce a nested VM-Entry failure, e.g. if L1 decided to
> > reinject the exception back into L2.
> > 
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Sean Christopherson <seanjc@google.com>
> > Reviewed-by: Jim Mattson <jmattson@google.com>
> > ---
> >  arch/x86/kvm/vmx/nested.c |  9 ++++++++-
> >  arch/x86/kvm/vmx/vmx.c    | 11 ++++++++++-
> >  2 files changed, 18 insertions(+), 2 deletions(-)
> > 
> > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> > index 8c2c81406248..05c34a72c266 100644
> > --- a/arch/x86/kvm/vmx/nested.c
> > +++ b/arch/x86/kvm/vmx/nested.c
> > @@ -3822,7 +3822,14 @@ static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu,
> >         u32 intr_info = nr | INTR_INFO_VALID_MASK;
> >  
> >         if (vcpu->arch.exception.has_error_code) {
> > -               vmcs12->vm_exit_intr_error_code = vcpu->arch.exception.error_code;
> > +               /*
> > +                * Intel CPUs will never generate an error code with bits 31:16
> > +                * set, and more importantly VMX disallows setting bits 31:16
> > +                * in the injected error code for VM-Entry.  Drop the bits to
> > +                * mimic hardware and avoid inducing failure on nested VM-Entry
> > +                * if L1 chooses to inject the exception back to L2.
> 
> Very small nitpick:
> I think I would still prefer to have a mention that AMD CPUs can have error codes > 16 bits.
> The above comment kind of implies this, but it would be a bit more clear, but I don't
> have a strong preference on this.

Agreed, I'll reword this to make it abundantly clear that setting bits 31:16 is
architecturally allowed and done by AMD, and that this is purely an Intel oddity.

> > +                */
> > +               vmcs12->vm_exit_intr_error_code = (u16)vcpu->arch.exception.error_code;
> >                 intr_info |= INTR_INFO_DELIVER_CODE_MASK;
> >         }
> >  
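Review bot: the new comment states that Intel CPUs never generate an error code with bits 31:16 set, but leaves the reader to infer that such error codes are architecturally valid at all; as already raised in the thread, say explicitly that AMD CPUs do produce them and that the 16-bit limit is a VMX-specific constraint, otherwise the `(u16)` cast on `vmcs12->vm_exit_intr_error_code` reads as stripping garbage rather than deliberately discarding bits that can carry real information. Because `vm_exit_intr_error_code` is a 32-bit field, the narrowing cast is the kind of thing a later cleanup might "fix"; a trailing `/* deliberate: drop bits 31:16 */` on the assignment, or moving the sentence "Drop the bits to mimic hardware" to the last line of the comment block, would keep the intent next to the cast.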
> > diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> > index b0cc911a8f6f..d2b3d30d6afb 100644
> > --- a/arch/x86/kvm/vmx/vmx.c
> > +++ b/arch/x86/kvm/vmx/vmx.c
> > @@ -1621,7 +1621,16 @@ static void vmx_queue_exception(struct kvm_vcpu *vcpu)
> >         kvm_deliver_exception_payload(vcpu);
> >  
> >         if (has_error_code) {
> > -               vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, error_code);
> > +               /*
> > +                * Despite the error code being architecturally defined as 32
> > +                * bits, and the VMCS field being 32 bits, Intel CPUs and thus
> > +                * VMX don't actually supporting setting bits 31:16.  Hardware
> > +                * will (should) never provide a bogus error code, but KVM's
> > +                * ABI lets userspace shove in arbitrary 32-bit values.  Drop

I'll update this to mention AMD CPUs as well.

> > +                * the upper bits to avoid VM-Fail, losing information that
> > +                * does't really exist is preferable to killing the VM.
> > +                */
> > +               vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, (u16)error_code);
> >                 intr_info |= INTR_INFO_DELIVER_CODE_MASK;
> >         }
> >  
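Review bot: two wording defects in the new comment: "don't actually supporting setting bits 31:16" should read "don't actually support setting bits 31:16", and "does't" should be "doesn't". The phrase "losing information that doesn't really exist" is also misleading given that the thread has agreed to mention AMD: on AMD the upper bits are a legitimate part of the error code, and the reason they can reach this VMX path at all is the KVM_SET_VCPU_EVENTS ABI, so suggest phrasing it as information that cannot be represented in the VMCS rather than information that does not exist, e.g. "dropping bits that VMX cannot represent is preferable to killing the VM".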
> 
> 
> Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
> 
> Best regards,
>  Maxim Levitsky
> 
> 

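The failure mode described in the commit message, as an added example that is not part of the patch or of KVM: a user-space model of the VM-Entry event fields, a simplified stand-in for the hardware consistency check that rejects error codes with bits 31:16 set, and the pre-patch versus patched queueing logic side by side. The `struct vmcs_model`, the `vm_entry_would_fail()` check and the two `queue_exception_*()` functions are constructed for this illustration; the `INTR_INFO_*` mask values mirror the VMX interruption-information encoding and are reproduced here as assumptions, not taken from the patch.

```c
/*
 * Added example, not code from the patch or from KVM.  Models why the
 * exception error code must be truncated to 16 bits before it is written
 * into the VMCS.  Struct layout and the VM-Entry check are simplified
 * stand-ins for the real VMX definitions.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed to mirror the VMX interruption-information field encoding. */
#define INTR_INFO_VALID_MASK        0x80000000u  /* bit 31: event is valid     */
#define INTR_INFO_DELIVER_CODE_MASK 0x00000800u  /* bit 11: push an error code */

/* Minimal stand-in for the VM-Entry event fields of a VMCS (constructed). */
struct vmcs_model {
	uint32_t vm_entry_intr_info;
	uint32_t vm_entry_exception_error_code;
};

/*
 * Simplified model of the hardware consistency check: VM-Entry fails if the
 * injected event delivers an error code and bits 31:16 of that code are set.
 * All other VM-Entry checks are omitted.
 */
bool vm_entry_would_fail(const struct vmcs_model *v)
{
	if (!(v->vm_entry_intr_info & INTR_INFO_VALID_MASK))
		return false;
	if (!(v->vm_entry_intr_info & INTR_INFO_DELIVER_CODE_MASK))
		return false;
	return (v->vm_entry_exception_error_code & 0xffff0000u) != 0;
}

/* Pre-patch behaviour: write the 32-bit error code exactly as supplied. */
void queue_exception_unpatched(struct vmcs_model *v, uint8_t nr, uint32_t error_code)
{
	v->vm_entry_intr_info = nr | INTR_INFO_VALID_MASK | INTR_INFO_DELIVER_CODE_MASK;
	v->vm_entry_exception_error_code = error_code;
}

/*
 * Patched behaviour: truncate to 16 bits, mirroring the (u16) cast in the
 * patch.  Returns true when bits 31:16 were non-zero, i.e. when information
 * the VMCS cannot represent was dropped, so a caller could log that event.
 */
bool queue_exception_patched(struct vmcs_model *v, uint8_t nr, uint32_t error_code)
{
	v->vm_entry_intr_info = nr | INTR_INFO_VALID_MASK | INTR_INFO_DELIVER_CODE_MASK;
	v->vm_entry_exception_error_code = (uint16_t)error_code;
	return (error_code & 0xffff0000u) != 0;
}

int main(void)
{
	/* Constructed input: a #PF (vector 14) whose error code, as userspace
	 * could supply it via KVM_SET_VCPU_EVENTS, has bits 31:16 set. */
	struct vmcs_model v = {0};
	uint32_t bogus = 0xdead0007u;

	queue_exception_unpatched(&v, 14, bogus);
	printf("unpatched: error_code=%#x VM-Entry fails=%d\n",
	       (unsigned)v.vm_entry_exception_error_code, vm_entry_would_fail(&v));

	bool lost = queue_exception_patched(&v, 14, bogus);
	printf("patched:   error_code=%#x VM-Entry fails=%d (upper bits dropped=%d)\n",
	       (unsigned)v.vm_entry_exception_error_code, vm_entry_would_fail(&v), lost);
	return 0;
}
```

The return value of `queue_exception_patched()` is the part a defender would care about: the patch chooses silent truncation over killing the VM, and a hypervisor that wants visibility into how often a guest or control plane hands it an unrepresentable error code can count or log that condition without changing the injected value.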
Thread overview: 33+ messages
2022-07-15 20:42 [PATCH v2 00/24] KVM: x86: Event/exception fixes and cleanups Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 01/24] KVM: nVMX: Unconditionally purge queued/injected events on nested "exit" Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 02/24] KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS Sean Christopherson
2022-07-18 13:04   ` Maxim Levitsky
2022-07-18 16:37     ` Sean Christopherson [this message]
2022-07-15 20:42 ` [PATCH v2 03/24] KVM: x86: Don't check for code breakpoints when emulating on exception Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 04/24] KVM: nVMX: Treat General Detect #DB (DR7.GD=1) as fault-like Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 05/24] KVM: nVMX: Prioritize TSS T-flag #DBs over Monitor Trap Flag Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 06/24] KVM: x86: Treat #DBs from the emulator as fault-like (code and DR7.GD=1) Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 07/24] KVM: x86: Use DR7_GD macro instead of open coding check in emulator Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 08/24] KVM: nVMX: Ignore SIPI that arrives in L2 when vCPU is not in WFS Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 09/24] KVM: nVMX: Unconditionally clear mtf_pending on nested VM-Exit Sean Christopherson
2022-07-18 13:04   ` Maxim Levitsky
2022-07-15 20:42 ` [PATCH v2 10/24] KVM: VMX: Inject #PF on ENCLS as "emulated" #PF Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 11/24] KVM: x86: Rename kvm_x86_ops.queue_exception to inject_exception Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 12/24] KVM: x86: Make kvm_queued_exception a properly named, visible struct Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 13/24] KVM: x86: Formalize blocking of nested pending exceptions Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 14/24] KVM: x86: Use kvm_queue_exception_e() to queue #DF Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 15/24] KVM: x86: Hoist nested event checks above event injection logic Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 16/24] KVM: x86: Evaluate ability to inject SMI/NMI/IRQ after potential VM-Exit Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 17/24] KVM: nVMX: Add a helper to identify low-priority #DB traps Sean Christopherson
2022-07-18 13:04   ` Maxim Levitsky
2022-07-15 20:42 ` [PATCH v2 18/24] KVM: nVMX: Document priority of all known events on Intel CPUs Sean Christopherson
2022-07-18 13:04   ` Maxim Levitsky
2022-07-15 20:42 ` [PATCH v2 19/24] KVM: x86: Morph pending exceptions to pending VM-Exits at queue time Sean Christopherson
2022-07-18 13:05   ` Maxim Levitsky
2022-07-15 20:42 ` [PATCH v2 20/24] KVM: x86: Treat pending TRIPLE_FAULT requests as pending exceptions Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 21/24] KVM: VMX: Update MTF and ICEBP comments to document KVM's subtle behavior Sean Christopherson
2022-07-18 13:05   ` Maxim Levitsky
2022-07-15 20:42 ` [PATCH v2 22/24] KVM: x86: Rename inject_pending_events() to kvm_check_and_inject_events() Sean Christopherson
2022-07-18 13:05   ` Maxim Levitsky
2022-07-15 20:42 ` [PATCH v2 23/24] KVM: selftests: Use uapi header to get VMX and SVM exit reasons/codes Sean Christopherson
2022-07-15 20:42 ` [PATCH v2 24/24] KVM: selftests: Add an x86-only test to verify nested exception queueing Sean Christopherson
