Date: Thu, 25 Jun 2020 09:25:40 -0700
From: Sean Christopherson
To: Paolo Bonzini
Cc: Peter Xu, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Vitaly Kuznetsov
Subject: Re: [PATCH 1/2] KVM: X86: Move ignore_msrs handling upper the stack
Message-ID: <20200625162540.GC3437@linux.intel.com>
References: <20200622220442.21998-1-peterx@redhat.com>
 <20200622220442.21998-2-peterx@redhat.com>
 <20200625061544.GC2141@linux.intel.com>
 <1cebc562-89e9-3806-bb3c-771946fc64f3@redhat.com>
In-Reply-To: <1cebc562-89e9-3806-bb3c-771946fc64f3@redhat.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
List-ID: linux-kernel@vger.kernel.org

On Thu, Jun 25, 2020 at 10:09:13AM +0200, Paolo Bonzini wrote:
> On 25/06/20 08:15, Sean Christopherson wrote:
> > IMO, kvm_cpuid() is simply buggy.  If KVM attempts to access a non-existent
> > MSR then it darn well should warn.
> >
> > diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> > index 8a294f9747aa..7ef7283011d6 100644
> > --- a/arch/x86/kvm/cpuid.c
> > +++ b/arch/x86/kvm/cpuid.c
> > @@ -1013,7 +1013,8 @@ bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx,
> >                 *ebx = entry->ebx;
> >                 *ecx = entry->ecx;
> >                 *edx = entry->edx;
> > -               if (function == 7 && index == 0) {
> > +               if (function == 7 && index == 0 && (*ebx | (F(RTM) | F(HLE))) &&
> > +                   (vcpu->arch.arch_capabilities & ARCH_CAP_TSX_CTRL_MSR)) {
> >                         u64 data;
> >                         if (!__kvm_get_msr(vcpu, MSR_IA32_TSX_CTRL, &data, true) &&
> >                             (data & TSX_CTRL_CPUID_CLEAR))
> >
>
> That works too, but I disagree that warning is the correct behavior
> here.  It certainly should warn as long as kvm_get_msr blindly returns
> zero.  However, for a guest it's fine to access a potentially
> non-existent MSR if you're ready to trap the #GP, and the point of this
> series is to let cpuid.c or any other KVM code do the same.

I get the "what" of the change, and even the "why" to some extent, but I
dislike the idea of supporting/encouraging blind reads/writes to MSRs.
Blind writes are just asking for problems, and suppressing warnings on
reads is almost guaranteed to be suppressing a KVM bug.

Case in point, looking at the TSX thing again, I actually think the fix
should be:

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 5eb618dbf211..64322446e590 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -1013,9 +1013,9 @@ bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx,
                *ebx = entry->ebx;
                *ecx = entry->ecx;
                *edx = entry->edx;
-               if (function == 7 && index == 0) {
+               if (function == 7 && index == 0 && (*ebx | (F(RTM) | F(HLE))) {
                        u64 data;
-                       if (!__kvm_get_msr(vcpu, MSR_IA32_TSX_CTRL, &data, true) &&
+                       if (!kvm_get_msr(vcpu, MSR_IA32_TSX_CTRL, &data) &&
                            (data & TSX_CTRL_CPUID_CLEAR))
                                *ebx &= ~(F(RTM) | F(HLE));
                }

On VMX, MSR_IA32_TSX_CTRL will be added to the so called shared MSR array
regardless of whether or not it is being advertised to userspace (this is a
bug in its own right).  Using the host_initiated variant means KVM will
incorrectly bypass VMX's ARCH_CAP_TSX_CTRL_MSR check, i.e. incorrectly clear
the bits if userspace is being weird and stuffed MSR_IA32_TSX_CTRL without
advertising it to the guest.

In short, the whole MSR_IA32_TSX_CTRL implementation seems messy and this is
just papering over that mess.  The correct fix is to invoke setup_msrs() on
writes to MSR_IA32_ARCH_CAPABILITIES, filtering MSR_IA32_TSX_CTRL out of
shared MSRs when it's not advertised, and change kvm_cpuid() to use the
unprivileged variant.

TSC_CTRL aside, if we insist on pointing a gun at our foot at some point,
this should be a dedicated flavor of MSR access, e.g. msr_data.kvm_initiated,
so that it at least requires intentionally loading the gun.
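Review bot: the added condition in the "+" line of this hunk, (*ebx | (F(RTM) | F(HLE))), uses a bitwise OR, so it is always non-zero and never filters anything; the intent of only reading MSR_IA32_TSX_CTRL when CPUID.7.0:EBX actually advertises RTM or HLE needs a bitwise AND, i.e. (*ebx & (F(RTM) | F(HLE))). The same "|" appears in the variant quoted earlier in this reply, which additionally checks ARCH_CAP_TSX_CTRL_MSR, and has the same problem there. The switch from __kvm_get_msr(..., true) to kvm_get_msr() is consistent with the stated goal of not bypassing VMX's ARCH_CAP_TSX_CTRL_MSR check, but it is worth stating in the eventual changelog that a failed read now leaves RTM/HLE advertised rather than clearing them.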