* [PATCH] KVM: VMX: Use _safe MSR accessors in LBR handler
@ 2026-05-26 17:44 xuanqingshi
2026-05-26 18:56 ` Sean Christopherson
0 siblings, 1 reply; 3+ messages in thread
From: xuanqingshi @ 2026-05-26 17:44 UTC (permalink / raw)
To: seanjc, pbonzini; +Cc: kvm, linux-kernel, Xuanqing Shi
From: Xuanqing Shi <1356292400@qq.com>
intel_pmu_handle_lbr_msrs_access() uses rdmsrq()/wrmsrq() to directly
access LBR-related MSRs on the physical CPU. If the guest provides an
out-of-range or otherwise invalid MSR index, the unchecked access
triggers a #GP fault, resulting in an "unchecked MSR access error"
warning and a host crash when panic_on_warn is enabled.
The crash was observed in a nested virtualization setup where a
VMCS-targeted fuzzer triggered a WRMSR to MSR 0x1c8 (LBR_SELECT)
that propagated through the PMU emulation path to the physical host:
unchecked MSR access error: WRMSR to 0x1c8
(tried to write 0x0000000000004000)
Call Trace:
? native_write_msr+0x4/0x30
? intel_pmu_handle_lbr_msrs_access+0xff/0x120 [kvm_intel]
intel_pmu_set_msr+0x4e0/0x7f0 [kvm_intel]
kvm_pmu_set_msr+0x17e/0x1c0 [kvm]
kvm_set_msr_common+0xc76/0x1440 [kvm]
vmx_set_msr+0x5e6/0x1570 [kvm_intel]
kvm_emulate_wrmsr+0x54/0x1d0 [kvm]
vmx_handle_exit+0x7fc/0x970 [kvm_intel]
Replace rdmsrq()/wrmsrq() with their _safe variants so that invalid
MSR accesses are caught gracefully and reported back to the guest as
errors instead of crashing the host.
Found by a VMCS-targeted fuzzer based on syzkaller.
Fixes: 1b5ac3226a1a ("KVM: vmx/pmu: Pass-through LBR msrs when the guest LBR event is ACTIVE")
Signed-off-by: Xuanqing Shi <1356292400@qq.com>
---
arch/x86/kvm/vmx/pmu_intel.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
index 27eb76e6b6a0..94d2cbffcff4 100644
--- a/arch/x86/kvm/vmx/pmu_intel.c
+++ b/arch/x86/kvm/vmx/pmu_intel.c
@@ -293,6 +293,7 @@ static bool intel_pmu_handle_lbr_msrs_access(struct kvm_vcpu *vcpu,
{
struct lbr_desc *lbr_desc = vcpu_to_lbr_desc(vcpu);
u32 index = msr_info->index;
+ int err;
if (!intel_pmu_is_valid_lbr_msr(vcpu, index))
return false;
@@ -309,12 +310,12 @@ static bool intel_pmu_handle_lbr_msrs_access(struct kvm_vcpu *vcpu,
local_irq_disable();
if (lbr_desc->event->state == PERF_EVENT_STATE_ACTIVE) {
if (read)
- rdmsrq(index, msr_info->data);
+ err = rdmsrq_safe(index, &msr_info->data);
else
- wrmsrq(index, msr_info->data);
+ err = wrmsrq_safe(index, msr_info->data);
__set_bit(INTEL_PMC_IDX_FIXED_VLBR, vcpu_to_pmu(vcpu)->pmc_in_use);
local_irq_enable();
- return true;
+ return !err;
}
clear_bit(INTEL_PMC_IDX_FIXED_VLBR, vcpu_to_pmu(vcpu)->pmc_in_use);
local_irq_enable();
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] KVM: VMX: Use _safe MSR accessors in LBR handler
2026-05-26 17:44 [PATCH] KVM: VMX: Use _safe MSR accessors in LBR handler xuanqingshi
@ 2026-05-26 18:56 ` Sean Christopherson
2026-05-26 22:12 ` Sean Christopherson
0 siblings, 1 reply; 3+ messages in thread
From: Sean Christopherson @ 2026-05-26 18:56 UTC (permalink / raw)
To: xuanqingshi; +Cc: pbonzini, kvm, linux-kernel
On Wed, May 27, 2026, xuanqingshi wrote:
> From: Xuanqing Shi <1356292400@qq.com>
>
> intel_pmu_handle_lbr_msrs_access() uses rdmsrq()/wrmsrq() to directly
> access LBR-related MSRs on the physical CPU. If the guest provides an
> out-of-range or otherwise invalid MSR index,
The fault isn't due to an invalid index, it's due to setting reserved bits.
> the unchecked access
> triggers a #GP fault, resulting in an "unchecked MSR access error"
> warning and a host crash when panic_on_warn is enabled.
>
> The crash was observed in a nested virtualization setup where a
> VMCS-targeted fuzzer triggered
Please stop describing this as a fuzzer. Pulling in information from an off-list
discussion:
: The fuzzer works by patching the L1 KVM exit dispatch path via a kernel
: module. Before KVM dispatches to the handler, the module replaces the
: EXIT_REASON field in the VMCS with a target value (e.g.,
: EXIT_REASON_TPR_BELOW_THRESHOLD). The L1 vCPU was created without calling
: KVM_CREATE_IRQCHIP, so vcpu->arch.apic is NULL. When the injected exit reason
: steers execution into the TPR handler, the NULL dereference occurs.
That's not a fuzzer, that's "fault" injection, where even that doesn't match the
kernel's typical terminology for "fault injection". Kernel usage of "fault
injection" is to inject _legitimate_ faults in paths where a "fault" is unlikely
to occur inpractice, e.g. an -ENOMEM due to OOM on an order-0 allocation.
The faults being injected here _can't_ happen absent a buggy (virtual) CPU. And
if the (virtual) CPU is buggy, we _want_ the WARNs.
That's not relevant to this bug though, this is a pretty straightforward KVM goof.
> a WRMSR to MSR 0x1c8 (LBR_SELECT) that propagated through the PMU emulation
> path to the physical host:
>
> unchecked MSR access error: WRMSR to 0x1c8
> (tried to write 0x0000000000004000)
^^^^
|
-- This is the culprit.
E.g. it's trivially easy to reproduce with:
diff --git tools/testing/selftests/kvm/x86/vmx_pmu_caps_test.c tools/testing/selftests/kvm/x86/vmx_pmu_caps_test.c
index d004108dbdc6..9e9362e1a0a5 100644
--- tools/testing/selftests/kvm/x86/vmx_pmu_caps_test.c
+++ tools/testing/selftests/kvm/x86/vmx_pmu_caps_test.c
@@ -201,6 +201,7 @@ KVM_ONE_VCPU_TEST(vmx_pmu_caps, lbr_perf_capabilities, guest_code)
vcpu_set_msr(vcpu, MSR_IA32_PERF_CAPABILITIES, host_cap.capabilities);
vcpu_set_msr(vcpu, MSR_LBR_TOS, 7);
+ vcpu_set_msr(vcpu, MSR_LBR_SELECT, 0x4000);
vcpu_clear_cpuid_entry(vcpu, X86_PROPERTY_PMU_VERSION.function);
> Call Trace:
> ? native_write_msr+0x4/0x30
> ? intel_pmu_handle_lbr_msrs_access+0xff/0x120 [kvm_intel]
> intel_pmu_set_msr+0x4e0/0x7f0 [kvm_intel]
> kvm_pmu_set_msr+0x17e/0x1c0 [kvm]
> kvm_set_msr_common+0xc76/0x1440 [kvm]
> vmx_set_msr+0x5e6/0x1570 [kvm_intel]
> kvm_emulate_wrmsr+0x54/0x1d0 [kvm]
> vmx_handle_exit+0x7fc/0x970 [kvm_intel]
>
> Replace rdmsrq()/wrmsrq() with their _safe variants so that invalid
> MSR accesses are caught gracefully and reported back to the guest as
> errors instead of crashing the host.
>
> Found by a VMCS-targeted fuzzer based on syzkaller.
>
> Fixes: 1b5ac3226a1a ("KVM: vmx/pmu: Pass-through LBR msrs when the guest LBR event is ACTIVE")
> Signed-off-by: Xuanqing Shi <1356292400@qq.com>
> ---
> arch/x86/kvm/vmx/pmu_intel.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
> index 27eb76e6b6a0..94d2cbffcff4 100644
> --- a/arch/x86/kvm/vmx/pmu_intel.c
> +++ b/arch/x86/kvm/vmx/pmu_intel.c
> @@ -293,6 +293,7 @@ static bool intel_pmu_handle_lbr_msrs_access(struct kvm_vcpu *vcpu,
> {
> struct lbr_desc *lbr_desc = vcpu_to_lbr_desc(vcpu);
> u32 index = msr_info->index;
> + int err;
>
> if (!intel_pmu_is_valid_lbr_msr(vcpu, index))
> return false;
> @@ -309,12 +310,12 @@ static bool intel_pmu_handle_lbr_msrs_access(struct kvm_vcpu *vcpu,
> local_irq_disable();
> if (lbr_desc->event->state == PERF_EVENT_STATE_ACTIVE) {
> if (read)
> - rdmsrq(index, msr_info->data);
> + err = rdmsrq_safe(index, &msr_info->data);
> else
> - wrmsrq(index, msr_info->data);
> + err = wrmsrq_safe(index, msr_info->data);
I don't love throwing a value at hardware to see what sticks, but given that KVM
disables interception of these MSRs, it's not like there's a better option.
No need for a v2, I'll rewrite the changelog when applying.
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] KVM: VMX: Use _safe MSR accessors in LBR handler
2026-05-26 18:56 ` Sean Christopherson
@ 2026-05-26 22:12 ` Sean Christopherson
0 siblings, 0 replies; 3+ messages in thread
From: Sean Christopherson @ 2026-05-26 22:12 UTC (permalink / raw)
To: xuanqingshi; +Cc: pbonzini, kvm, linux-kernel
On Tue, May 26, 2026, Sean Christopherson wrote:
> On Wed, May 27, 2026, xuanqingshi wrote:
> > diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
> > index 27eb76e6b6a0..94d2cbffcff4 100644
> > --- a/arch/x86/kvm/vmx/pmu_intel.c
> > +++ b/arch/x86/kvm/vmx/pmu_intel.c
> > @@ -293,6 +293,7 @@ static bool intel_pmu_handle_lbr_msrs_access(struct kvm_vcpu *vcpu,
> > {
> > struct lbr_desc *lbr_desc = vcpu_to_lbr_desc(vcpu);
> > u32 index = msr_info->index;
> > + int err;
> >
> > if (!intel_pmu_is_valid_lbr_msr(vcpu, index))
> > return false;
> > @@ -309,12 +310,12 @@ static bool intel_pmu_handle_lbr_msrs_access(struct kvm_vcpu *vcpu,
> > local_irq_disable();
> > if (lbr_desc->event->state == PERF_EVENT_STATE_ACTIVE) {
> > if (read)
> > - rdmsrq(index, msr_info->data);
> > + err = rdmsrq_safe(index, &msr_info->data);
> > else
> > - wrmsrq(index, msr_info->data);
> > + err = wrmsrq_safe(index, msr_info->data);
>
> I don't love throwing a value at hardware to see what sticks, but given that KVM
> disables interception of these MSRs, it's not like there's a better option.
>
> No need for a v2, I'll rewrite the changelog when applying.
Actually, I'll post a v2, because I think it makes sense to continue using the
"unsafe" version for RDMSR. It should be impossible to reach this point with a
bad MSR index, i.e. we _want_ the resulting WARN if RDMSR fails.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-26 22:12 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-26 17:44 [PATCH] KVM: VMX: Use _safe MSR accessors in LBR handler xuanqingshi
2026-05-26 18:56 ` Sean Christopherson
2026-05-26 22:12 ` Sean Christopherson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox