Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp291858pxa;
        Fri, 21 Aug 2020 07:25:09 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzcNKKg8V6o0ovhbymTnumCyfcd4pHdd6o/0QkHBZDvirs5LnmbEMczfh9K3HH46Bkj872W
X-Received: by 2002:a17:906:260f:: with SMTP id h15mr3129199ejc.48.1598019909133;
        Fri, 21 Aug 2020 07:25:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1598019909; cv=none;
        d=google.com; s=arc-20160816;
        b=hPx0rYUZRS1EisETcvhnYSEhXyd7O+1AQKmAAU5qj4Q5LNQik0UhUohFXRxl/h4Yej
         UyHSqbVkVaOtaN5lYRu00btA88M3gmYDnHHZipBUhFSardoISIU43dc58q/lMv5LVeLe
         DHYxbFdxJ5K6nJoCcXyA+RKlf40LLLeD2lI2JidgTlx+fw2AESArxtaB3rMUDOYhw80S
         /3jcuKhcA6TOPoQQNp/VOCjsnhfs6x3PS87U2CQZJgQ6XV5/XRr82JQ4q3ihYNZaSMSN
         p+S+C08BEemwGTNzjtk7PKGRQiRa0j58iT2SP7JUjSsSj33AocMZunk5hb4QXiVNFMdt
         Rv2g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :robot-unsubscribe:robot-id:message-id:mime-version:references
         :in-reply-to:cc:subject:to:reply-to:from:dkim-signature
         :dkim-signature:date;
        bh=Y2DFeXJNPuolDylpb3isSZwbqmOXxlSF3hwLU1zC9DM=;
        b=gVP5VzC9MxpRU0s1o2WhKVNvQGMollW6VfplueRWR/DpGvhIqy3zoaThCap8TsfTjV
         gDR93p282qc8Si/N8hj+Be6By2opuLDsHlzTi6T7eDihdfepfWYyAq0hn7OwRa5QC5bk
         IgDn9Z2vtoyWZ4qE1Ar/4pc/SvTv2YlOupVSJvLks9nbqe3lwLcgaQUEec+kMYYhZ4yu
         flpVRQJtwHlgtNEaNp7xgmS84GSSX6AsJawgFom62wIbYbj9xDNKOosAQFSYbdpWp3NC
         AvgUnXFoIGVnYKyFinaoC+89wm3QkiVL5W4EM3OlvmLU4NEEFVkzZIPAVrWv1W44ODHs
         rkMQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@linutronix.de header.s=2020 header.b=pcyjF1S6;
       dkim=neutral (no key) header.i=@vger.kernel.org;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i4si1226366ejz.318.2020.08.21.07.24.45;
        Fri, 21 Aug 2020 07:25:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@linutronix.de header.s=2020 header.b=pcyjF1S6;
       dkim=neutral (no key) header.i=@vger.kernel.org;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727839AbgHUOV7 (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Fri, 21 Aug 2020 10:21:59 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43184 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726946AbgHUOVz (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 21 Aug 2020 10:21:55 -0400
Received: from galois.linutronix.de (Galois.linutronix.de [IPv6:2a0a:51c0:0:12e:550::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6E91AC061573;
        Fri, 21 Aug 2020 07:21:55 -0700 (PDT)
Date:   Fri, 21 Aug 2020 14:21:49 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de;
        s=2020; t=1598019710;
        h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
         message-id:message-id:to:to:cc:cc:mime-version:mime-version:
         content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=Y2DFeXJNPuolDylpb3isSZwbqmOXxlSF3hwLU1zC9DM=;
        b=pcyjF1S6TrWlazAe6CDtL5jdgrKb6+wE7Go/S1TOIZk5cINZDoYPtXfSy+8oY1l/BrGeIF
        F0xkXoi3I22g2XOcH4AFmKRISZWZ4mcJLtESKGs9V4FA6FgCHzHHHAbK/pauGvzSQS7Ztv
        Ncd/kUgfiaVnXxazkqk2MolUNc0Ol0VUqIMEWZjcE3IIyw+779IdCQhgYLOd2hc7hfXn85
        87/wyQI/KD3mWnK8S184Qo6jpIwNq9mQ0v3KIdtqSpexTU85WTQGmBh7vMpK3BnHB6M0yx
        fVuAqiCIFtTwiYdlT9QLUEvW7WvFLlYf8uM+MwTpyrTt+SH9CLJ2LmUR9xUSNQ==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de;
        s=2020e; t=1598019710;
        h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
         message-id:message-id:to:to:cc:cc:mime-version:mime-version:
         content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=Y2DFeXJNPuolDylpb3isSZwbqmOXxlSF3hwLU1zC9DM=;
        b=DjxMqSSfcFUTtU/YDCocR6utWvQKs2cn2N0MMIVEJxffTDTnIcP6ApJ9Yp5+0Rkr1G17DW
        4/nJY2UVboehkCDA==
From:   "tip-bot2 for Sean Christopherson" <tip-bot2@linutronix.de>
Reply-to: linux-kernel@vger.kernel.org
To:     linux-tip-commits@vger.kernel.org
Subject: [tip: x86/urgent] x86/entry/64: Do not use RDPID in paranoid entry to
 accomodate KVM
Cc:     Tom Lendacky <thomas.lendacky@amd.com>,
        Andy Lutomirski <luto@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Sean Christopherson <sean.j.christopherson@intel.com>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>, x86 <x86@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
In-Reply-To: <20200821105229.18938-1-pbonzini@redhat.com>
References: <20200821105229.18938-1-pbonzini@redhat.com>
MIME-Version: 1.0
Message-ID: <159801970916.3192.4141400413119808645.tip-bot2@tip-bot2>
Robot-ID: <tip-bot2.linutronix.de>
Robot-Unsubscribe: Contact <mailto:tglx@linutronix.de> to get blacklisted from these emails
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The following commit has been merged into the x86/urgent branch of tip:

Commit-ID:     6a3ea3e68b8a8a26c4aaac03432ed92269c9a14e
Gitweb:        https://git.kernel.org/tip/6a3ea3e68b8a8a26c4aaac03432ed92269c9a14e
Author:        Sean Christopherson <sean.j.christopherson@intel.com>
AuthorDate:    Fri, 21 Aug 2020 06:52:29 -04:00
Committer:     Thomas Gleixner <tglx@linutronix.de>
CommitterDate: Fri, 21 Aug 2020 16:15:27 +02:00

x86/entry/64: Do not use RDPID in paranoid entry to accomodate KVM

KVM has an optmization to avoid expensive MRS read/writes on
VMENTER/EXIT. It caches the MSR values and restores them either when
leaving the run loop, on preemption or when going out to user space.

The affected MSRs are not required for kernel context operations. This
changed with the recently introduced mechanism to handle FSGSBASE in the
paranoid entry code which has to retrieve the kernel GSBASE value by
accessing per CPU memory. The mechanism needs to retrieve the CPU number
and uses either LSL or RDPID if the processor supports it.

Unfortunately RDPID uses MSR_TSC_AUX which is in the list of cached and
lazily restored MSRs, which means between the point where the guest value
is written and the point of restore, MSR_TSC_AUX contains a random number.

If an NMI or any other exception which uses the paranoid entry path happens
in such a context, then RDPID returns the random guest MSR_TSC_AUX value.

As a consequence this reads from the wrong memory location to retrieve the
kernel GSBASE value. Kernel GS is used to for all regular this_cpu_*()
operations. If the GSBASE in the exception handler points to the per CPU
memory of a different CPU then this has the obvious consequences of data
corruption and crashes.

As the paranoid entry path is the only place which accesses MSR_TSX_AUX
(via RDPID) and the fallback via LSL is not significantly slower, remove
the RDPID alternative from the entry path and always use LSL.

The alternative would be to write MSR_TSC_AUX on every VMENTER and VMEXIT
which would be inflicting massive overhead on that code path.

[ tglx: Rewrote changelog ]

Fixes: eaad981291ee3 ("x86/entry/64: Introduce the FIND_PERCPU_BASE macro")
Reported-by: Tom Lendacky <thomas.lendacky@amd.com>
Debugged-by: Tom Lendacky <thomas.lendacky@amd.com>
Suggested-by: Andy Lutomirski <luto@kernel.org>
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20200821105229.18938-1-pbonzini@redhat.com
---
 arch/x86/entry/calling.h | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
index 98e4d88..ae9b0d4 100644
--- a/arch/x86/entry/calling.h
+++ b/arch/x86/entry/calling.h
@@ -374,12 +374,14 @@ For 32-bit we have the following conventions - kernel is built with
  * Fetch the per-CPU GSBASE value for this processor and put it in @reg.
  * We normally use %gs for accessing per-CPU data, but we are setting up
  * %gs here and obviously can not use %gs itself to access per-CPU data.
+ *
+ * Do not use RDPID, because KVM loads guest's TSC_AUX on vm-entry and
+ * may not restore the host's value until the CPU returns to userspace.
+ * Thus the kernel would consume a guest's TSC_AUX if an NMI arrives
+ * while running KVM's run loop.
  */
 .macro GET_PERCPU_BASE reg:req
-	ALTERNATIVE \
-		"LOAD_CPU_AND_NODE_SEG_LIMIT \reg", \
-		"RDPID	\reg", \
-		X86_FEATURE_RDPID
+	LOAD_CPU_AND_NODE_SEG_LIMIT \reg
 	andq	$VDSO_CPUNODE_MASK, \reg
 	movq	__per_cpu_offset(, \reg, 8), \reg
 .endm