Re: [PATCH] KVM: VMX: Micro-optimize SPEC_CTRL handling in __vmx_vcpu_run()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sean Christopherson <seanjc@google.com>
To: Uros Bizjak <ubizjak@gmail.com>
Cc: kvm@vger.kernel.org, x86@kernel.org,
	linux-kernel@vger.kernel.org,
	 Paolo Bonzini <pbonzini@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@kernel.org>,  Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	 "H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCH] KVM: VMX: Micro-optimize SPEC_CTRL handling in __vmx_vcpu_run()
Date: Tue, 19 Aug 2025 11:56:21 -0700	[thread overview]
Message-ID: <aKTI1WOJAKDnkRyu@google.com> (raw)
In-Reply-To: <CAFULd4ZOtj7WZkSSKqLjxCJ-yBr20AYrqzCpxj2K_=XmrX1QZg@mail.gmail.com>

On Tue, Aug 19, 2025, Uros Bizjak wrote:
> > >   2d: 48 8b 7c 24 10          mov    0x10(%rsp),%rdi
> > >   32: 8b 87 48 18 00 00       mov    0x1848(%rdi),%eax
> > >   38: 65 3b 05 00 00 00 00    cmp    %gs:0x0(%rip),%eax
> > >   3f: 74 09                   je     4a <...>
> > >   41: b9 48 00 00 00          mov    $0x48,%ecx
> > >   46: 31 d2                   xor    %edx,%edx
> > >   48: 0f 30                   wrmsr
> > >
> > > No functional change intended.
> > >
> > > Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
> > > Cc: Sean Christopherson <seanjc@google.com>
> > > Cc: Paolo Bonzini <pbonzini@redhat.com>
> > > Cc: Thomas Gleixner <tglx@linutronix.de>
> > > Cc: Ingo Molnar <mingo@kernel.org>
> > > Cc: Borislav Petkov <bp@alien8.de>
> > > Cc: Dave Hansen <dave.hansen@linux.intel.com>
> > > Cc: "H. Peter Anvin" <hpa@zytor.com>
> > > ---
> > >  arch/x86/kvm/vmx/vmenter.S | 6 ++----
> > >  1 file changed, 2 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/arch/x86/kvm/vmx/vmenter.S b/arch/x86/kvm/vmx/vmenter.S
> > > index 0a6cf5bff2aa..c65de5de92ab 100644
> > > --- a/arch/x86/kvm/vmx/vmenter.S
> > > +++ b/arch/x86/kvm/vmx/vmenter.S
> > > @@ -118,13 +118,11 @@ SYM_FUNC_START(__vmx_vcpu_run)
> > >        * and vmentry.
> > >        */
> > >       mov 2*WORD_SIZE(%_ASM_SP), %_ASM_DI
> > > -     movl VMX_spec_ctrl(%_ASM_DI), %edi
> > > -     movl PER_CPU_VAR(x86_spec_ctrl_current), %esi
> > > -     cmp %edi, %esi
> > > +     movl VMX_spec_ctrl(%_ASM_DI), %eax
> > > +     cmp PER_CPU_VAR(x86_spec_ctrl_current), %eax
> >
> > Huh.  There's a pre-existing bug lurking here, and in the SVM code.  SPEC_CTRL
> > is an MSR, i.e. a 64-bit value, but the assembly code assumes bits 63:32 are always
> > zero.
> 
> But MSBs are zero, MSR is defined in arch/x86/include/msr-index.h as:
> 
> #define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */
> 
> and "movl $..., %eax" zero-extends the value to full 64-bit width.
> 
> FWIW, MSR_IA32_SPEC_CTR is handled in the same way in arch/x86/entry/entry.S:
> 
> movl $MSR_IA32_PRED_CMD, %ecx

That's the MSR index, not the value.  I'm pointing out that:

	movl VMX_spec_ctrl(%_ASM_DI), %edi              <== drops vmx->spec_ctrl[63:32]
	movl PER_CPU_VAR(x86_spec_ctrl_current), %esi   <== drop x86_spec_ctrl_current[63:32]
	cmp %edi, %esi                                  <== can get false negatives
	je .Lspec_ctrl_done
	mov $MSR_IA32_SPEC_CTRL, %ecx
	xor %edx, %edx                                  <== can clobber guest value
	mov %edi, %eax
	wrmsr

The bug is _currently_ benign because neither KVM nor the kernel support setting
any of bits 63:32, but it's still a bug that needs to be fixed.

next prev parent reply	other threads:[~2025-08-19 18:56 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-07  6:36 [PATCH] KVM: VMX: Micro-optimize SPEC_CTRL handling in __vmx_vcpu_run() Uros Bizjak
2025-08-19 14:59 ` Sean Christopherson
2025-08-19 16:24   ` Uros Bizjak
2025-08-19 18:56     ` Sean Christopherson [this message]
2025-08-20  6:10       ` Uros Bizjak
2025-08-20 11:50         ` Uros Bizjak
2025-11-06  1:12           ` Sean Christopherson
2025-11-06 18:29             ` Uros Bizjak

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aKTI1WOJAKDnkRyu@google.com \
    --to=seanjc@google.com \
    --cc=bp@alien8.de \
    --cc=dave.hansen@linux.intel.com \
    --cc=hpa@zytor.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=ubizjak@gmail.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.