From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jim Mattson, Liran Alon, Sean Christopherson, Paolo Bonzini, Sasha Levin
Subject: [PATCH 5.2 074/215] KVM: nVMX: Intercept VMWRITEs to GUEST_{CS,SS}_AR_BYTES
Date: Mon, 29 Jul 2019 21:21:10 +0200
Message-Id: <20190729190752.935522010@linuxfoundation.org>
In-Reply-To: <20190729190739.971253303@linuxfoundation.org>
References: <20190729190739.971253303@linuxfoundation.org>

[ Upstream commit b643780562af5378ef7fe731c65b8f93e49c59c6 ]

VMMs frequently read the guest's CS and SS AR bytes to detect 64-bit mode and CPL respectively, but effectively never write said fields once the VM is initialized. Intercepting VMWRITEs for the two fields saves ~55 cycles in copy_shadow_to_vmcs12().

Because some Intel CPUs, e.g. Haswell, drop the reserved bits of the guest access rights fields on VMWRITE, exposing the fields to L1 for VMREAD but not VMWRITE leads to inconsistent behavior between L1 and L2. On hardware that drops the bits, L1 will see the stripped down value due to reading the value from hardware, while L2 will see the full original value as stored by KVM. To avoid such an inconsistency, emulate the behavior on all CPUs, but only for intercepted VMWRITEs so as to avoid introducing pointless latency into copy_shadow_to_vmcs12(), e.g. if the emulation were added to vmcs12_write_any().

Since the AR_BYTES emulation is done only for intercepted VMWRITE, if a future patch (re)exposed AR_BYTES for both VMWRITE and VMREAD, then KVM would end up with inconsistent behavior on pre-Haswell hardware, e.g. KVM would drop the reserved bits on intercepted VMWRITE, but direct VMWRITE to the shadow VMCS would not drop the bits.
Add a WARN in the shadow field initialization to detect any attempt to expose an AR_BYTES field without updating vmcs12_write_any().

Note, emulation of the AR_BYTES reserved bit behavior is based on a patch[1] from Jim Mattson that applied the emulation to all writes to vmcs12 so that live migration across different generations of hardware would not introduce divergent behavior. But given that live migration of nested state has already been enabled, that ship has sailed (not to mention that no sane VMM will be affected by this behavior).

[1] https://patchwork.kernel.org/patch/10483321/

Cc: Jim Mattson
Cc: Liran Alon
Signed-off-by: Sean Christopherson
Signed-off-by: Paolo Bonzini
Signed-off-by: Sasha Levin

--- arch/x86/kvm/vmx/nested.c | 15 +++++++++++++++ arch/x86/kvm/vmx/vmcs_shadow_fields.h | 4 ++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 543d7d82479b..ac98b1328124 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -91,6 +91,10 @@ static void init_vmcs_shadow_fields(void) pr_err("Missing field from shadow_read_write_field %x\n", field + 1); + WARN_ONCE(field >= GUEST_ES_AR_BYTES && + field <= GUEST_TR_AR_BYTES, + "Update vmcs12_write_any() to expose AR_BYTES RW"); + /* * PML and the preemption timer can be emulated, but the * processor cannot vmwrite to fields that don't exist
@@ -4500,6 +4504,17 @@ static int handle_vmwrite(struct kvm_vcpu *vcpu) vmcs12 = get_shadow_vmcs12(vcpu); } + /* + * Some Intel CPUs intentionally drop the reserved bits of the AR byte + * fields on VMWRITE. Emulate this behavior to ensure consistent KVM + * behavior regardless of the underlying hardware, e.g. if an AR_BYTE + * field is intercepted for VMWRITE but not VMREAD (in L1), then VMREAD + * from L1 will return a different value than VMREAD from L2 (L1 sees + * the stripped down value, L2 sees the full value as stored by KVM). + */ + if (field >= GUEST_ES_AR_BYTES && field <= GUEST_TR_AR_BYTES) + field_value &= 0x1f0ff; + if (vmcs12_write_any(vmcs12, field, field_value) < 0) return nested_vmx_failValid(vcpu, VMXERR_UNSUPPORTED_VMCS_COMPONENT); diff --git a/arch/x86/kvm/vmx/vmcs_shadow_fields.h b/arch/x86/kvm/vmx/vmcs_shadow_fields.h index 132432f375c2..97dd5295be31 100644 --- a/arch/x86/kvm/vmx/vmcs_shadow_fields.h +++ b/arch/x86/kvm/vmx/vmcs_shadow_fields.h @@ -40,14 +40,14 @@ SHADOW_FIELD_RO(VM_EXIT_INSTRUCTION_LEN) SHADOW_FIELD_RO(IDT_VECTORING_INFO_FIELD) SHADOW_FIELD_RO(IDT_VECTORING_ERROR_CODE) SHADOW_FIELD_RO(VM_EXIT_INTR_ERROR_CODE) +SHADOW_FIELD_RO(GUEST_CS_AR_BYTES) +SHADOW_FIELD_RO(GUEST_SS_AR_BYTES) SHADOW_FIELD_RW(CPU_BASED_VM_EXEC_CONTROL) SHADOW_FIELD_RW(EXCEPTION_BITMAP) SHADOW_FIELD_RW(VM_ENTRY_EXCEPTION_ERROR_CODE) SHADOW_FIELD_RW(VM_ENTRY_INTR_INFO_FIELD) SHADOW_FIELD_RW(VM_ENTRY_INSTRUCTION_LEN) SHADOW_FIELD_RW(TPR_THRESHOLD) -SHADOW_FIELD_RW(GUEST_CS_AR_BYTES) -SHADOW_FIELD_RW(GUEST_SS_AR_BYTES) SHADOW_FIELD_RW(GUEST_INTERRUPTIBILITY_INFO) SHADOW_FIELD_RW(VMX_PREEMPTION_TIMER_VALUE) -- 2.20.1
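Review bot: in the init_vmcs_shadow_fields() hunk (@@ -91,6 +91,10 @@), the range test `field >= GUEST_ES_AR_BYTES && field <= GUEST_TR_AR_BYTES` is the same predicate that the handle_vmwrite() hunk later applies before masking `field_value`, so the two copies can silently drift apart if another AR_BYTES encoding is ever added; consider a small helper such as `is_guest_ar_bytes_field(field)` used by both the WARN_ONCE and the emulation, with a one-line comment that the check relies on the ES..TR AR_BYTES encodings being contiguous.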
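Review bot: in the handle_vmwrite() hunk (@@ -4500,6 +4504,17 @@), `field_value &= 0x1f0ff;` is a bare magic constant; since the block comment above it already explains why reserved bits are dropped, a named mask (for example `#define GUEST_AR_BYTES_RESERVED_MASK` next to the other VMCS definitions, with a comment listing which access-rights bits it preserves) would let a reader verify the value against the architectural layout without re-deriving it, and would give the WARN_ONCE in init_vmcs_shadow_fields() and any future vmcs12_write_any() emulation one definition to share.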
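Review bot: in the vmcs_shadow_fields.h hunk (@@ -40,14 +40,14 @@), the two new `SHADOW_FIELD_RO(GUEST_CS_AR_BYTES)` / `SHADOW_FIELD_RO(GUEST_SS_AR_BYTES)` entries carry no comment, yet the correctness of the reserved-bit emulation in handle_vmwrite() depends on these fields staying read-only in the shadow VMCS; a short comment in the header pointing at that emulation (and at the WARN_ONCE that fires if they are moved back to the RW list) would make the coupling visible where a future patch is most likely to touch it.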
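An added example, written for this page and not taken from the patch or from KVM, that models the reserved-bit behaviour the commit message describes: it applies the patch's 0x1f0ff mask to a constructed CS access-rights value, decodes the CPL and 64-bit-mode bits that VMMs read these fields for, and shows the L1/L2 divergence that exists on reserved-bit-dropping hardware when the write is not emulated. Bit positions follow the Intel SDM segment access-rights layout; the function names are assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Bits of a VMCS segment access-rights field that survive a VMWRITE on
 * hardware that drops reserved bits; this is the 0x1f0ff constant from the
 * patch (type/S/DPL/P in bits 7:0, AVL/L/D-B/G/unusable in bits 16:12). */
#define AR_BYTES_VALID_MASK 0x1f0ffu

#define AR_DPL_SHIFT 5           /* DPL lives in bits 6:5 */
#define AR_DPL_MASK  0x3u
#define AR_L_BIT     (1u << 13)  /* 64-bit code segment */
#define AR_UNUSABLE  (1u << 16)  /* segment not loaded */

/* Emulates the masking the patch adds to handle_vmwrite(). */
static uint32_t ar_bytes_strip_reserved(uint32_t v)
{
	return v & AR_BYTES_VALID_MASK;
}

/* CPL as a VMM derives it from the SS access-rights field. */
static unsigned int ar_bytes_cpl(uint32_t ss_ar)
{
	return (ss_ar >> AR_DPL_SHIFT) & AR_DPL_MASK;
}

/* 64-bit mode as a VMM derives it from the CS access-rights field. */
static int ar_bytes_is_64bit_code(uint32_t cs_ar)
{
	return !(cs_ar & AR_UNUSABLE) && (cs_ar & AR_L_BIT) != 0;
}

/* Pre-patch inconsistency: L1's VMREAD returns the hardware-stripped value,
 * L2 sees the full value KVM stored in vmcs12. Returns 1 if they differ. */
static int views_diverge_without_emulation(uint32_t written_by_l1)
{
	uint32_t l1_view = ar_bytes_strip_reserved(written_by_l1);
	uint32_t l2_view = written_by_l1;
	return l1_view != l2_view;
}

int main(void)
{
	/* Constructed sample: 64-bit code segment (0xa09b) with reserved bit 20 set. */
	uint32_t cs_ar = 0x0000a09bu | (1u << 20);
	printf("stripped=%#x diverge=%d 64bit=%d\n",
	       ar_bytes_strip_reserved(cs_ar),
	       views_diverge_without_emulation(cs_ar),
	       ar_bytes_is_64bit_code(cs_ar));
	return 0;
}
```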