From: Sean Christopherson <seanjc@google.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>, Paul Durrant <paul@xen.org>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com,
Joao Martins <joao.m.martins@oracle.com>
Subject: Re: [PATCH 1/5] KVM: x86/xen: Restrict hypercall MSR to unofficial synthetic range
Date: Wed, 5 Feb 2025 07:51:01 -0800 [thread overview]
Message-ID: <Z6OI5VMDlgLbqytM@google.com> (raw)
In-Reply-To: <cd3fb8dd79d7766f383748ec472de3943021eb39.camel@infradead.org>
On Wed, Feb 05, 2025, David Woodhouse wrote:
> On Wed, 2025-02-05 at 07:06 -0800, Sean Christopherson wrote:
> > On Wed, Feb 05, 2025, David Woodhouse wrote:
> > > Especially as there is a corresponding requirement that they never be set
> > > from host context (which is where the potential locking issues come in).
> > > Which train of thought leads me to ponder this as an alternative (or
> > > additional) solution:
> > >
> > > --- a/arch/x86/kvm/x86.c
> > > +++ b/arch/x86/kvm/x86.c
> > > @@ -3733,7 +3733,13 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> > > u32 msr = msr_info->index;
> > > u64 data = msr_info->data;
> > >
> > > - if (msr && msr == vcpu->kvm->arch.xen_hvm_config.msr)
> > > + /*
> > > + * Do not allow host-initiated writes to trigger the Xen hypercall
> > > + * page setup; it could incur locking paths which are not expected
> > > + * if userspace sets the MSR in an unusual location.
> >
> > That's just as likely to break userspace. Doing a save/restore on the MSR doesn't
> > make a whole lot of sense since it's effectively a "command" MSR, but IMO it's not
> > any less likely than userspace putting the MSR index outside of the synthetic range.
>
> Save/restore on the MSR makes no sense. It's a write-only MSR; writing
> to it has no effect *other* than populating the target page. In KVM we
> don't implement reading from it at all; I don't think Xen does either?
Hah, that's another KVM bug, technically. KVM relies on the MSR not being handled
in order to generate the write-only semantics, but if the MSR index collides with
an MSR that KVM emulates, then the MSR would be readable. KVM supports Hyper-V's
HV_X64_MSR_TSC_INVARIANT_CONTROL (0x40000118), so just a few hundred more MSRs
until fireworks :-)
If we want to close that hole, it'd be easy enough to add a check in
kvm_get_msr_common().
> Those two happen in reverse chronological order, don't they? And in the
> lower one the comment tells you that hyperv_enabled() doesn't work yet.
> When the higher one is called later, it calls kvm_xen_init() *again* to
> put the MSR in the right place.
>
> It could be prettier, but I don't think it's broken, is it?
Gah, -ENOCOFFEE.
> > Userspace breakage aside, disallowng host writes would fix the immediate issue,
> > and I think would mitigate all concerns with putting the host at risk. But it's
> > not enough to actually make an overlapping MSR index work. E.g. if the MSR is
> > passed through to the guest, the write will go through to the hardware MSR, unless
> > the WRMSR happens to be emulated.
> >
> > I really don't want to broadly support redirecting any MSR, because to truly go
> > down that path we'd need to deal with x2APIC, EFER, and other MSRs that have
> > special treatment and meaning.
> >
> > While KVM's stance is usually that a misconfigured vCPU model is userspace's
> > problem, in this case I don't see any value in letting userspace be stupid. It
> > can't work generally, it creates unique ABI for KVM_SET_MSRS, and unless there's
> > a crazy use case I'm overlooking, there's no sane reason for userspace to put the
> > index in outside of the synthetic range (whereas defining seemingly nonsensical
> > CPUID feature bits is useful for testing purposes, implementing support in
> > userspace, etc).
>
> Right, I think we should do *both*. Blocking host writes solves the
> issue of locking problems with the hypercall page setup. All it would
> take for that issue to recur is for us (or Microsoft) to invent a new
> MSR in the synthetic range which is also written on vCPU init/reset.
> And then the sanity check on where the VMM puts the Xen MSR doesn't
> save us.
Ugh, indeed. MSRs are quite the conundrum. Userspace MSR filters have a similar
problem, where it's impossible to know the semantics of future hardware MSRs, and
so it's impossible to document which MSRs userspace is allowed to intercept :-/
Oh! It doesn't help KVM avoid breaking userspace, but a way for QEMU to avoid a
future collision would be to have QEMU start at 0x40000200 when Hyper-V is enabled,
but then use KVM_GET_MSR_INDEX_LIST to detect a collision with KVM Hyper-V, e.g.
increment the index until an available index is found (with sanity checks and whatnot).
> But yes, we should *also* do that sanity check.
Ah, I'm a-ok with that.
next prev parent reply other threads:[~2025-02-05 15:51 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-01 1:13 [PATCH 0/5] KVM: x86/xen: Restrict hypercall MSR index Sean Christopherson
2025-02-01 1:13 ` [PATCH 1/5] KVM: x86/xen: Restrict hypercall MSR to unofficial synthetic range Sean Christopherson
2025-02-03 9:09 ` Paul Durrant
2025-02-05 9:27 ` David Woodhouse
2025-02-05 15:06 ` Sean Christopherson
2025-02-05 15:26 ` David Woodhouse
2025-02-05 15:51 ` Sean Christopherson [this message]
2025-02-05 16:18 ` David Woodhouse
2025-02-05 17:15 ` David Woodhouse
2025-02-05 19:20 ` Sean Christopherson
2025-02-06 18:58 ` David Woodhouse
2025-02-07 17:18 ` Sean Christopherson
2025-02-06 9:18 ` David Woodhouse
2026-04-28 14:54 ` David Woodhouse
2025-02-06 16:51 ` David Woodhouse
2025-02-01 1:13 ` [PATCH 2/5] KVM: x86/xen: Add an #ifdef'd helper to detect writes to Xen MSR Sean Christopherson
2025-02-03 9:09 ` Paul Durrant
2025-02-06 16:28 ` David Woodhouse
2025-02-01 1:13 ` [PATCH 3/5] KVM: x86/xen: Consult kvm_xen_enabled when checking for Xen MSR writes Sean Christopherson
2025-02-03 9:15 ` Paul Durrant
2025-02-06 16:29 ` David Woodhouse
2025-02-01 1:13 ` [PATCH 4/5] KVM: x86/xen: Bury xen_hvm_config behind CONFIG_KVM_XEN=y Sean Christopherson
2025-02-03 9:19 ` Paul Durrant
2025-02-06 16:30 ` David Woodhouse
2025-02-01 1:14 ` [PATCH 5/5] KVM: x86/xen: Move kvm_xen_hvm_config field into kvm_xen Sean Christopherson
2025-02-03 9:21 ` Paul Durrant
2025-02-06 16:32 ` David Woodhouse
2025-02-06 19:14 ` [PATCH] KVM: x86/xen: Only write Xen hypercall page for guest writes to MSR David Woodhouse
2025-02-15 0:50 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z6OI5VMDlgLbqytM@google.com \
--to=seanjc@google.com \
--cc=dwmw2@infradead.org \
--cc=joao.m.martins@oracle.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@xen.org \
--cc=pbonzini@redhat.com \
--cc=syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.