From: David Matlack <dmatlack@google.com>
To: Sean Christopherson <seanjc@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Mingwei Zhang <mizhang@google.com>,
Jim Mattson <jmattson@google.com>
Subject: Re: [PATCH 6/9] KVM: x86/mmu: Bug the VM if a vCPU ends up in long mode without PAE enabled
Date: Fri, 12 May 2023 16:33:12 -0700 [thread overview]
Message-ID: <ZF7MuDGp9MvPNwFh@google.com> (raw)
In-Reply-To: <20230511235917.639770-7-seanjc@google.com>
On Thu, May 11, 2023 at 04:59:14PM -0700, Sean Christopherson wrote:
> Promote the ASSERT(), which is quite dead code in KVM, into a KVM_BUG_ON()
> for KVM's sanity check that CR4.PAE=1 if the vCPU is in long mode when
> performing a walk of guest page tables. The sanity is quite cheap since
> neither EFER nor CR4.PAE requires a VMREAD, especially relative to the
> cost of walking the guest page tables.
>
> More importantly, the sanity check would have prevented the true badness
> fixed by commit 112e66017bff ("KVM: nVMX: add missing consistency checks
> for CR0 and CR4"). The missed consistency check resulted in some versions
> of KVM corrupting the on-stack guest_walker structure due to KVM thinking
> there are 4/5 levels of page tables, but wiring up the MMU hooks to point
> at the paging32 implementation, which only allocates space for two levels
> of page tables in "struct guest_walker32".
>
> Queue a page fault for injection if the assertion fails, as the sole
> caller, FNAME(gva_to_gpa), assumes that walker.fault contains sane info
FNAME(page_fault)->FNAME(walk_addr)->FNAME(walk_addr_generic) is another
caller but I think the same reasoning here applies.
> on a walk failure, i.e. avoid making the situation worse between the time
> the assertion fails and when KVM kicks the vCPU out to userspace (because
> the VM is bugged).
>
> Move the check below the initialization of "pte_access" so that the
> aforementioned to-be-injected page fault doesn't consume uninitialized
> stack data. The information _shouldn't_ reach the guest or userspace,
> but there's zero downside to being paranoid in this case.
>
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
> arch/x86/kvm/mmu/paging_tmpl.h | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h
> index a3fc7c1a7f8d..f297e9311dcd 100644
> --- a/arch/x86/kvm/mmu/paging_tmpl.h
> +++ b/arch/x86/kvm/mmu/paging_tmpl.h
> @@ -338,7 +338,6 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
> }
> #endif
> walker->max_level = walker->level;
> - ASSERT(!(is_long_mode(vcpu) && !is_pae(vcpu)));
>
> /*
> * FIXME: on Intel processors, loads of the PDPTE registers for PAE paging
> @@ -348,6 +347,10 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
> nested_access = (have_ad ? PFERR_WRITE_MASK : 0) | PFERR_USER_MASK;
>
> pte_access = ~0;
> +
> + if (KVM_BUG_ON(is_long_mode(vcpu) && !is_pae(vcpu), vcpu->kvm))
> + goto error;
This if() deserves a comment since it's queueing a page fault for what
is likely a KVM bug. As a reader that'd be pretty jarring to see.
> +
> ++walker->level;
>
> do {
> --
> 2.40.1.606.ga4b1b128d6-goog
>
next prev parent reply other threads:[~2023-05-12 23:33 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-11 23:59 [PATCH 0/9] KVM: x86/mmu: Clean up MMU_DEBUG and BUG/WARN usage Sean Christopherson
2023-05-11 23:59 ` [PATCH 1/9] KVM: x86/mmu: Delete pgprintk() and all its usage Sean Christopherson
2023-05-11 23:59 ` [PATCH 2/9] KVM: x86/mmu: Delete rmap_printk() " Sean Christopherson
2023-05-11 23:59 ` [PATCH 3/9] KVM: x86/mmu: Delete the "dbg" module param Sean Christopherson
2023-05-11 23:59 ` [PATCH 4/9] KVM: x86/mmu: Rename MMU_WARN_ON() to KVM_MMU_WARN_ON() Sean Christopherson
2023-05-12 23:23 ` David Matlack
2023-05-12 23:30 ` Sean Christopherson
2023-05-12 23:35 ` David Matlack
2023-05-11 23:59 ` [PATCH 5/9] KVM: x86/mmu: Convert "runtime" WARN_ON() assertions to WARN_ON_ONCE() Sean Christopherson
2023-05-12 23:14 ` David Matlack
2023-05-12 23:18 ` Sean Christopherson
2023-05-12 23:24 ` David Matlack
2023-05-11 23:59 ` [PATCH 6/9] KVM: x86/mmu: Bug the VM if a vCPU ends up in long mode without PAE enabled Sean Christopherson
2023-05-12 23:33 ` David Matlack [this message]
2023-05-12 23:40 ` Sean Christopherson
2023-05-11 23:59 ` [PATCH 7/9] KVM: x86/mmu: Replace MMU_DEBUG with proper KVM_PROVE_MMU Kconfig Sean Christopherson
2023-05-11 23:59 ` [PATCH 8/9] KVM: x86/mmu: Plumb "struct kvm" all the way to pte_list_remove() Sean Christopherson
2023-05-11 23:59 ` [PATCH 9/9] KVM: x86/mmu: BUG() in rmap helpers iff CONFIG_BUG_ON_DATA_CORRUPTION=y Sean Christopherson
2023-05-18 19:05 ` Mingwei Zhang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZF7MuDGp9MvPNwFh@google.com \
--to=dmatlack@google.com \
--cc=jmattson@google.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mizhang@google.com \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.