From: Sean Christopherson <seanjc@google.com>
To: Aaron Lewis <aaronlewis@google.com>
Cc: kvm@vger.kernel.org, pbonzini@redhat.com, jmattson@google.com
Subject: Re: [PATCH v5 2/7] kvm: x86/pmu: Remove invalid raw events from the pmu event filter
Date: Fri, 7 Oct 2022 23:48:46 +0000 [thread overview]
Message-ID: <Y0C63uh77IqIQWfr@google.com> (raw)
In-Reply-To: <20220920174603.302510-3-aaronlewis@google.com>
On Tue, Sep 20, 2022, Aaron Lewis wrote:
> If a raw event is invalid, i.e. bits set outside the event select +
> unit mask, the event will never match the search, so it's pointless
> to have it in the list. Opt for a shorter list by removing invalid
> raw events.
Please use "impossible" instead of "invalid". While I agree they are invalid,
because this is pre-existing ABI, KVM can't treat them as invalid, i.e. can't
reject them. My initial reaction to seeing remove_invalid_raw_events() was not
exactly PG-13 :-)
Can you also call out that because this is established uABI, KVM can't outright
reject garbage?
> Signed-off-by: Aaron Lewis <aaronlewis@google.com>
> Reviewed-by: Jim Mattson <jmattson@google.com>
> ---
> arch/x86/kvm/pmu.c | 34 ++++++++++++++++++++++++++++++++++
> 1 file changed, 34 insertions(+)
>
> diff --git a/arch/x86/kvm/pmu.c b/arch/x86/kvm/pmu.c
> index 98f383789579..e7d94e6b7f28 100644
> --- a/arch/x86/kvm/pmu.c
> +++ b/arch/x86/kvm/pmu.c
> @@ -577,6 +577,38 @@ void kvm_pmu_trigger_event(struct kvm_vcpu *vcpu, u64 perf_hw_id)
> }
> EXPORT_SYMBOL_GPL(kvm_pmu_trigger_event);
>
> +static inline u64 get_event_filter_mask(void)
> +{
> + u64 event_select_mask =
> + static_call(kvm_x86_pmu_get_eventsel_event_mask)();
> +
> + return event_select_mask | ARCH_PERFMON_EVENTSEL_UMASK;
> +}
> +
> +static inline bool is_event_valid(u64 event, u64 mask)
> +{
> + return !(event & ~mask);
> +}
As a general theme, don't go crazy with short helpers that only ever have a single
user. Having to jump around to find the definition interrupts the reader and
obfuscates simple things. If the code is particularly complex/weird, then adding
a helper to abstract the concept is useful, but that's not the case here.
> +
> +static void remove_invalid_raw_events(struct kvm_pmu_event_filter *filter)
s/invalid/impossible, and drop the "raw". Making up terminology when it's not
strictly necessary is always confusing.
> +{
> + u64 raw_mask;
> + int i, j;
> +
> + if (filter->flags)
If I'm reading all this magic correctly, this is dead code because
kvm_vm_ioctl_set_pmu_event_filter() checks flags
if (tmp.flags != 0)
return -EINVAL;
and does the somehwat horrific thing of:
/* Ensure nevents can't be changed between the user copies. */
*filter = tmp;
> + return;
> +
> + raw_mask = get_event_filter_mask();
> + for (i = 0, j = 0; i < filter->nevents; i++) {
> + u64 raw_event = filter->events[i];
Meh, using a local variable is unecessary.
> +
> + if (is_event_valid(raw_event, raw_mask))
> + filter->events[j++] = raw_event;
With the helpers gone, this is simply:
if (filter->events[i] & ~kvm_pmu_ops.EVENTSEL_MASK)
continue;
filter->events[j++] = filter->events[i];
> + }
> +
> + filter->nevents = j;
> +}
> +
> int kvm_vm_ioctl_set_pmu_event_filter(struct kvm *kvm, void __user *argp)
> {
> struct kvm_pmu_event_filter tmp, *filter;
> @@ -608,6 +640,8 @@ int kvm_vm_ioctl_set_pmu_event_filter(struct kvm *kvm, void __user *argp)
> /* Ensure nevents can't be changed between the user copies. */
> *filter = tmp;
Eww. This is so gross. But I guess it's not really that much worse than copying
only the new bits.
Can you opportunisticaly rewrite the comment to clarify that it guards against
_all_ TOCTOU attacks on the verified data?
/* Restore the verified state to guard against TOCTOU attacks. */
*filter = tmp;
As a full diff:
---
arch/x86/kvm/pmu.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/pmu.c b/arch/x86/kvm/pmu.c
index d0e2c7eda65b..384cefbe20dd 100644
--- a/arch/x86/kvm/pmu.c
+++ b/arch/x86/kvm/pmu.c
@@ -574,6 +574,20 @@ void kvm_pmu_trigger_event(struct kvm_vcpu *vcpu, u64 perf_hw_id)
}
EXPORT_SYMBOL_GPL(kvm_pmu_trigger_event);
+static void remove_impossible_events(struct kvm_pmu_event_filter *filter)
+{
+ int i, j;
+
+ for (i = 0, j = 0; i < filter->nevents; i++) {
+ if (filter->events[i] & ~kvm_pmu_ops.EVENTSEL_MASK)
+ continue;
+
+ filter->events[j++] = filter->events[i];
+ }
+
+ filter->nevents = j;
+}
+
int kvm_vm_ioctl_set_pmu_event_filter(struct kvm *kvm, void __user *argp)
{
struct kvm_pmu_event_filter tmp, *filter;
@@ -602,9 +616,11 @@ int kvm_vm_ioctl_set_pmu_event_filter(struct kvm *kvm, void __user *argp)
if (copy_from_user(filter, argp, size))
goto cleanup;
- /* Ensure nevents can't be changed between the user copies. */
+ /* Restore the verified state to guard against TOCTOU attacks. */
*filter = tmp;
+ remove_impossible_events(filter);
+
/*
* Sort the in-kernel list so that we can search it with bsearch.
*/
base-commit: a5c25b1eacf50b851badf1c5cbb618094cbdf40f
--
next prev parent reply other threads:[~2022-10-07 23:48 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-20 17:45 [PATCH v5 0/7] Introduce and test masked events Aaron Lewis
2022-09-20 17:45 ` [PATCH v5 1/7] kvm: x86/pmu: Correct the mask used in a pmu event filter lookup Aaron Lewis
2022-10-07 23:25 ` Sean Christopherson
2022-10-15 15:43 ` Aaron Lewis
2022-10-17 18:20 ` Sean Christopherson
2022-10-21 1:33 ` Aaron Lewis
2022-09-20 17:45 ` [PATCH v5 2/7] kvm: x86/pmu: Remove invalid raw events from the pmu event filter Aaron Lewis
2022-10-07 23:48 ` Sean Christopherson [this message]
2022-09-20 17:45 ` [PATCH v5 3/7] kvm: x86/pmu: prepare the pmu event filter for masked events Aaron Lewis
2022-10-08 0:08 ` Sean Christopherson
2022-09-20 17:46 ` [PATCH v5 4/7] kvm: x86/pmu: Introduce masked events to the pmu event filter Aaron Lewis
2022-10-08 0:37 ` Sean Christopherson
2022-10-10 15:42 ` Sean Christopherson
2022-10-15 15:43 ` Aaron Lewis
2022-10-17 17:47 ` Sean Christopherson
2022-10-19 1:06 ` Aaron Lewis
2022-10-21 1:33 ` Aaron Lewis
2022-10-21 17:50 ` Sean Christopherson
2022-09-20 17:46 ` [PATCH v5 5/7] selftests: kvm/x86: Add flags when creating a " Aaron Lewis
2022-09-20 17:46 ` [PATCH v5 6/7] selftests: kvm/x86: Add testing for KVM_SET_PMU_EVENT_FILTER Aaron Lewis
2022-09-20 17:56 ` Jim Mattson
2022-09-20 17:46 ` [PATCH v5 7/7] selftests: kvm/x86: Test masked events Aaron Lewis
2022-09-20 17:59 ` Jim Mattson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y0C63uh77IqIQWfr@google.com \
--to=seanjc@google.com \
--cc=aaronlewis@google.com \
--cc=jmattson@google.com \
--cc=kvm@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).