From: Sean Christopherson <seanjc@google.com>
To: Chao Gao <chao.gao@intel.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Lai Jiangshan <jiangshanlai@gmail.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
Josh Triplett <josh@joshtriplett.org>,
kvm@vger.kernel.org, rcu@vger.kernel.org,
linux-kernel@vger.kernel.org, Kevin Tian <kevin.tian@intel.com>,
Yan Zhao <yan.y.zhao@intel.com>,
Yiwei Zhang <zzyiwei@google.com>
Subject: Re: [PATCH 5/5] KVM: VMX: Always honor guest PAT on CPUs that support self-snoop
Date: Mon, 1 Apr 2024 15:29:38 -0700 [thread overview]
Message-ID: <Zgs1Ul2rZjyUvMEx@google.com> (raw)
In-Reply-To: <ZgDyxpaf+HgQzYDp@chao-email>
On Mon, Mar 25, 2024, Chao Gao wrote:
> On Fri, Mar 08, 2024 at 05:09:29PM -0800, Sean Christopherson wrote:
> >Unconditionally honor guest PAT on CPUs that support self-snoop, as
> >Intel has confirmed that CPUs that support self-snoop always snoop caches
> >and store buffers. I.e. CPUs with self-snoop maintain cache coherency
> >even in the presence of aliased memtypes, thus there is no need to trust
> >the guest behaves and only honor PAT as a last resort, as KVM does today.
> >
> >Honoring guest PAT is desirable for use cases where the guest has access
> >to non-coherent DMA _without_ bouncing through VFIO, e.g. when a virtual
> >(mediated, for all intents and purposes) GPU is exposed to the guest, along
> >with buffers that are consumed directly by the physical GPU, i.e. which
> >can't be proxied by the host to ensure writes from the guest are performed
> >with the correct memory type for the GPU.
...
> > int kvm_tdp_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
> >diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> >index 17a8e4fdf9c4..5dc4c24ae203 100644
> >--- a/arch/x86/kvm/vmx/vmx.c
> >+++ b/arch/x86/kvm/vmx/vmx.c
> >@@ -7605,11 +7605,13 @@ static u8 vmx_get_mt_mask(struct kvm_vcpu *vcpu, gfn_t gfn, bool is_mmio)
> >
> > /*
> > * Force WB and ignore guest PAT if the VM does NOT have a non-coherent
> >- * device attached. Letting the guest control memory types on Intel
> >- * CPUs may result in unexpected behavior, and so KVM's ABI is to trust
> >- * the guest to behave only as a last resort.
> >+ * device attached and the CPU doesn't support self-snoop. Letting the
> >+ * guest control memory types on Intel CPUs without self-snoop may
> >+ * result in unexpected behavior, and so KVM's (historical) ABI is to
> >+ * trust the guest to behave only as a last resort.
> > */
> >- if (!kvm_arch_has_noncoherent_dma(vcpu->kvm))
> >+ if (!static_cpu_has(X86_FEATURE_SELFSNOOP) &&
> >+ !kvm_arch_has_noncoherent_dma(vcpu->kvm))
> > return (MTRR_TYPE_WRBACK << VMX_EPT_MT_EPTE_SHIFT) | VMX_EPT_IPAT_BIT;
>
> W/ this change, guests w/o pass-thru devices can also access UC memory. Locking
> UC memory leads to bus lock. So, guests w/o pass-thru devices can potentially
> launch DOS attacks on other CPUs on host. isn't it a problem?
Guests can already trigger bus locks with atomic accesses that split cache lines.
And SPR adds bus lock detection. So practically speaking, I'm pretty sure ICX is
the only CPU where anything close to a novel attack is possible. And FWIW, such
an attack is already possible on AMD.
next prev parent reply other threads:[~2024-04-01 22:29 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-09 1:09 [PATCH 0/5] KVM: VMX: Drop MTRR virtualization, honor guest PAT Sean Christopherson
2024-03-09 1:09 ` [PATCH 1/5] KVM: x86: Remove VMX support for virtualizing guest MTRR memtypes Sean Christopherson
2024-03-11 7:44 ` Yan Zhao
2024-03-12 0:08 ` Sean Christopherson
2024-03-12 1:10 ` Dongli Zhang
2024-03-12 17:08 ` Sean Christopherson
2024-03-14 10:31 ` Dongli Zhang
2024-03-14 14:47 ` Sean Christopherson
2024-03-09 1:09 ` [PATCH 2/5] KVM: VMX: Drop support for forcing UC memory when guest CR0.CD=1 Sean Christopherson
2024-03-09 1:09 ` [PATCH 3/5] srcu: Add an API for a memory barrier after SRCU read lock Sean Christopherson
2024-03-09 1:09 ` [PATCH 4/5] KVM: x86: Ensure a full memory barrier is emitted in the VM-Exit path Sean Christopherson
2024-06-20 22:38 ` Paolo Bonzini
2024-06-20 23:42 ` Paul E. McKenney
2024-06-21 0:52 ` Yan Zhao
2024-03-09 1:09 ` [PATCH 5/5] KVM: VMX: Always honor guest PAT on CPUs that support self-snoop Sean Christopherson
2024-03-11 1:16 ` Yan Zhao
2024-03-12 0:25 ` Sean Christopherson
2024-03-12 7:30 ` Tian, Kevin
2024-03-12 16:07 ` Sean Christopherson
2024-03-13 1:18 ` Yan Zhao
2024-03-13 8:52 ` Tian, Kevin
2024-03-13 8:55 ` Yan Zhao
2024-03-13 15:09 ` Sean Christopherson
2024-03-14 0:12 ` Yan Zhao
2024-03-14 1:00 ` Sean Christopherson
2024-03-25 3:43 ` Chao Gao
2024-04-01 22:29 ` Sean Christopherson [this message]
2024-08-30 9:35 ` Vitaly Kuznetsov
2024-08-30 11:05 ` Gerd Hoffmann
2024-08-30 13:47 ` Vitaly Kuznetsov
2024-08-30 13:52 ` Sean Christopherson
2024-08-30 14:06 ` Vitaly Kuznetsov
2024-08-30 14:37 ` Vitaly Kuznetsov
2024-08-30 16:13 ` Sean Christopherson
2024-09-02 8:23 ` Gerd Hoffmann
2024-09-02 1:44 ` Yan Zhao
2024-09-02 9:49 ` Vitaly Kuznetsov
2024-09-03 0:25 ` Yan Zhao
2024-09-03 15:30 ` Sean Christopherson
2024-09-03 16:20 ` Vitaly Kuznetsov
2024-09-04 2:28 ` Yan Zhao
2024-09-04 12:17 ` Yan Zhao
2024-09-05 0:41 ` Sean Christopherson
2024-09-05 9:43 ` Yan Zhao
2024-09-09 5:30 ` Yan Zhao
2024-09-09 13:24 ` Paolo Bonzini
2024-09-09 16:04 ` Sean Christopherson
2024-09-10 1:05 ` Yan Zhao
2024-09-04 11:47 ` Vitaly Kuznetsov
2024-10-07 13:28 ` Linux regression tracking (Thorsten Leemhuis)
2024-10-07 13:38 ` Vitaly Kuznetsov
2024-10-07 14:04 ` Linux regression tracking (Thorsten Leemhuis)
2024-03-22 9:29 ` [PATCH 0/5] KVM: VMX: Drop MTRR virtualization, honor guest PAT Ma, Yongwei
2024-03-22 13:08 ` Yan Zhao
2024-03-25 6:56 ` Ma, XiangfeiX
2024-03-25 8:02 ` Ma, XiangfeiX
2024-06-05 23:20 ` Sean Christopherson
2024-06-06 0:03 ` Paul E. McKenney
-- strict thread matches above, loose matches on Subject: below --
2025-04-10 1:13 [PATCH 5/5] KVM: VMX: Always honor guest PAT on CPUs that support self-snoop Myrsky Lintu
2025-04-10 5:12 ` Yan Zhao
2025-04-10 10:05 ` Myrsky Lintu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zgs1Ul2rZjyUvMEx@google.com \
--to=seanjc@google.com \
--cc=chao.gao@intel.com \
--cc=jiangshanlai@gmail.com \
--cc=josh@joshtriplett.org \
--cc=kevin.tian@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paulmck@kernel.org \
--cc=pbonzini@redhat.com \
--cc=rcu@vger.kernel.org \
--cc=yan.y.zhao@intel.com \
--cc=zzyiwei@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).