Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1633384ybt;
        Thu, 9 Jul 2020 11:29:45 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyI7qPQR5T9q9GxjmJpq7HhqvHJEs2kPEgdd4r86Yfpyidsn9VxZTZgpK2C6PUHgA7PjoiD
X-Received: by 2002:a17:906:3ac4:: with SMTP id z4mr53783704ejd.65.1594319384884;
        Thu, 09 Jul 2020 11:29:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1594319384; cv=none;
        d=google.com; s=arc-20160816;
        b=WegRMM9wz+RpqQXOfXrcxjuYSUHMHu2o+zX070ZG10MG5243u4YCBWgFWeqC8lmlna
         0RqqTYWny5267Q5XsaSObDINqG/ytJRQ8wZuVQmlLeaG4rvjzCA4U8UK9UYYOV9B9Ej4
         YOcM/BlO5m10sh/YMH7Dc/D9PrOJcuul3RYHS1kdANDqi1nsQ78yEyyQZbOdb0mFUkct
         z/xQGIMIH/EKHuawE2I8UoAijl0+iWiYbmLnDoRaWUFNPJODSuUHqbMI3n4KnQCq07V8
         zpUcirgGMrqyU4MwzApZqM9Bln4UpkLhjnPIPBu81DtVU6o+aIqMlmakMZ9Ra5BMG3JK
         ij1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=5zjs+rIBBj6MrxntmJxcLKegx38dFb1Uyu8eE1it5wg=;
        b=NFmU9C17gQoH+9+m4dwUSRzFXSJYDpCwrDcGakv1iiw0HR4+62doxuajbjbbZZGC5t
         oyqrnQjewGaLQBrRR7tixDLUo3JlZFK81NL3tfEKEl3TmmZZBUzgp+2aJtX5L4aOr5A6
         cuCPSGfzRr00033WpH7kle3fAfIIZ2i6J4j0TzimcGOQ/yWDmyr1ojbJAtDr6VhCu94k
         oOICnR52O9ahT5L/Iw57b4SF2Ju8v3ntgC7B9n+YB3Tn254xOaL/7vdrXQ7Lygo3ukgJ
         aBMbiOL+jl/wA0AKhKRAR9PUjPrn+x/oCVYWWvxVYAZosZ7B59oHp9GM7xsDZanRHYNv
         IKOw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=gwaWKxJv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v20si2421443ejx.754.2020.07.09.11.29.21;
        Thu, 09 Jul 2020 11:29:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=gwaWKxJv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726859AbgGIS2i (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Thu, 9 Jul 2020 14:28:38 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55622 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726116AbgGIS2h (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 9 Jul 2020 14:28:37 -0400
Received: from mail-io1-xd42.google.com (mail-io1-xd42.google.com [IPv6:2607:f8b0:4864:20::d42])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7B9E4C08C5CE
        for <linux-kernel@vger.kernel.org>; Thu,  9 Jul 2020 11:28:37 -0700 (PDT)
Received: by mail-io1-xd42.google.com with SMTP id q74so3396963iod.1
        for <linux-kernel@vger.kernel.org>; Thu, 09 Jul 2020 11:28:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=5zjs+rIBBj6MrxntmJxcLKegx38dFb1Uyu8eE1it5wg=;
        b=gwaWKxJvSK5tHnvv6KDqfs/WIspheIA1bzQ3YgabM9QKy2rzT4HNP1lPPS/H1qS4xt
         FNYPUI0Fd6nh2BOqEDkNIRjhg68UOxU6LLjqet3IruG8ax/fcivVw+UOiE0A8M43gHpZ
         Ey+aea76o+UfwUlN/OyVdWgxT4oqcJAyXiEFBdV3P57YO3kEpJ/RS4/OSlaVcI1iir2o
         wcaMut+gck89mop3SCn1LvFENY/PTVZhsCdFUiIUSuqhKskucMCYeqU4LFI4tY9HlUC3
         Kh/ZQiXHJvffMoMC1zYo+N31cqd7MhypUazR4kBwZOBGW2CuX0AN2Q9FABALvRAKFd64
         y7MA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=5zjs+rIBBj6MrxntmJxcLKegx38dFb1Uyu8eE1it5wg=;
        b=hhG2jrObKYafdGLYCcJf+kBnFji0wRJ/dGkJLXXwdT8ugNZ3jELDhw3EFw6KYmb14e
         389pI7YvESnEBtrpeppP1qcB0y1sLZikiHHqO/TqYzvJrFwXVLJQjg/OsgjX8gX8EjjJ
         lbNJqEOpQf3UI5D9PfA60Jmqlm6SEmwbdEURRmfmX9WArtV296Qt4EiWVNG4X62tFwzc
         q0/T1F4tyPOF+KaPzi0op2Ae3p45g/cnpLSr8zdUSJulcL852n2AIKJRjFv8t877FsIQ
         3ujF+dyPEiEnv0kp64ybPHdqp9MJq0CLDeGyAfM68ZyGyp0iAhR/tUkorTpuFkY3GVRr
         TDSg==
X-Gm-Message-State: AOAM530MaqupdgF7ANdqq48kdBR/7uBE83a8MlIJ969cs852kgNXKeHZ
        NQOcPaEI9MCDTK4LQCxCl846UGqNVKeMZ6Dr0QkoWQ==
X-Received: by 2002:a5e:c311:: with SMTP id a17mr14217665iok.12.1594319316616;
 Thu, 09 Jul 2020 11:28:36 -0700 (PDT)
MIME-Version: 1.0
References: <20200709095525.907771-1-pbonzini@redhat.com> <CALMp9eREY4e7kb22CxReNV83HwR7D_tBkn2i5LUbGLGe_yw5nQ@mail.gmail.com>
 <782fdf92-38f8-c081-9796-5344ab3050d5@redhat.com>
In-Reply-To: <782fdf92-38f8-c081-9796-5344ab3050d5@redhat.com>
From:   Jim Mattson <jmattson@google.com>
Date:   Thu, 9 Jul 2020 11:28:25 -0700
Message-ID: <CALMp9eRSvdx+UHggLbvFPms3Li2KY-RjZhjGjcQ3=GbSB1YyyA@mail.gmail.com>
Subject: Re: [PATCH] KVM: nSVM: vmentry ignores EFER.LMA and possibly RFLAGS.VM
To:     Paolo Bonzini <pbonzini@redhat.com>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        kvm list <kvm@vger.kernel.org>,
        Maxim Levitsky <mlevitsk@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jul 9, 2020 at 10:25 AM Paolo Bonzini <pbonzini@redhat.com> wrote:
>
> On 09/07/20 19:12, Jim Mattson wrote:
> >> +
> >> +       /* The processor ignores EFER.LMA, but svm_set_efer needs it.  */
> >> +       efer &= ~EFER_LMA;
> >> +       if ((nested_vmcb->save.cr0 & X86_CR0_PG)
> >> +           && (nested_vmcb->save.cr4 & X86_CR4_PAE)
> >> +           && (efer & EFER_LME))
> >> +               efer |= EFER_LMA;
> > The CR4.PAE check is unnecessary, isn't it? The combination CR0.PG=1,
> > EFER.LMA=1, and CR4.PAE=0 is not a legal processor state.

Oops, I meant EFER.LME above.

Krish pointed out that I was quoting from Intel's documentation. The
same constraints are covered in Table 14-5 of AMD's APM, volume 2.

> Yeah, I was being a bit cautious because this is the nested VMCB and it
> can be filled in with invalid state, but indeed that condition was added
> just yesterday by myself in nested_vmcb_checks (while reviewing Krish's
> CR0/CR3/CR4 reserved bit check series).

From Canonicalization and Consistency Checks of section 15.5 in AMD's
APM, volume 2:

The following conditions are considered illegal state combinations:
...
EFER.LME and CR0.PG are both set and CR4.PAE is zero.

This VMCB state should result in an immediate #VMEXIT with exit code -1.

> That said, the VMCB here is guest memory and it can change under our
> feet between nested_vmcb_checks and nested_prepare_vmcb_save.  Copying
> the whole save area is overkill, but we probably should copy at least
> EFER/CR0/CR3/CR4 in a struct at the beginning of nested_svm_vmrun; this
> way there'd be no TOC/TOU issues between nested_vmcb_checks and
> nested_svm_vmrun.  This would also make it easier to reuse the checks in
> svm_set_nested_state.  Maybe Maxim can look at it while I'm on vacation,
> as he's eager to do more nSVM stuff. :D

I fear that nested SVM is rife with TOCTTOU issues.