Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3552300pxk; Mon, 5 Oct 2020 12:43:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJySk3TJnUKVbik41s3F8RFQDiZyweo5LZ+z0sNE344pzHBQWPLLnzUhaX75txOHHaLjLcEz X-Received: by 2002:a17:907:70cb:: with SMTP id yk11mr1393116ejb.312.1601927005697; Mon, 05 Oct 2020 12:43:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601927005; cv=none; d=google.com; s=arc-20160816; b=NBo7OjJeMZfdAMdSf9CXS0k2Mx/xyecTmvXSQiNQ3OrAukC0HA7r0QJFHR/FYqOb/o h+mNc4XaKgP6Fcadqvk4PA2PfejC7Ra0Ot/XIpOgi58inrTdV5VAqW4VvHGj4R1Kh33O 09JIKEWTAESdViY7rSZE+IcvXa+OVHurkNUttwHeEqdXo2eeasYuIGf8GHsJaIJM24KO Qxca5l2H62Lh+y2JtEKmdjW3uQTo0tUH+glX4Vx5/Eptu3opgJKsYnMWMGfPcHDs53rR QYWyVFVZLBLj3kQlokPrN/yu/uZT7heaqPquqp4NoKI4CMTL2ye3a6drrUDNr85XRaIO VaiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :ironport-sdr:ironport-sdr; bh=bv+7S153g7WTHDYebHuktegzCYaeXKGVaDVORMp6zPY=; b=hJtsRdsmpVFhMesVKTAjrNqmJYGntqTcx+khTO9ZyPNPUwfZzVWlNcc+Wv013725m4 AlomSAS54eyUkgtiF+92he6od4DW/YGAcejNv4it71sR78PKRcwlaNPMSu4LeA/fxwDs X1ientOoM7JBvam0x4+w9TyKku3zriySWjvBek2wdm6nTBOWcbf2RvKL2S3i0oNPgC1R daqnZOocYA1TPxGicn3WVMnp3avE9wcPvioE1gKApks765172799eawMOT/2I9d+Gike BfCxjfMJ8bW/sf9iRTwqCeYzMowcQLiPbedje0bFdcmueAdnes0S0aWN55eQz5ixwve3 7gYA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q9si630457edn.539.2020.10.05.12.43.02; Mon, 05 Oct 2020 12:43:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729483AbgJETlO (ORCPT + 99 others); Mon, 5 Oct 2020 15:41:14 -0400 Received: from mga17.intel.com ([192.55.52.151]:19752 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729302AbgJETlN (ORCPT ); Mon, 5 Oct 2020 15:41:13 -0400 IronPort-SDR: Bdw+cKsjTJ//04f6oh3Zxhgc3NQT9tb006m0ZwF7n152IAfu36hBoiNhk5O9q3DJ5F160QPfg0 ZQ3O4ZJiEfrQ== X-IronPort-AV: E=McAfee;i="6000,8403,9765"; a="143832465" X-IronPort-AV: E=Sophos;i="5.77,340,1596524400"; d="scan'208";a="143832465" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga107.fm.intel.com with ESMTP; 05 Oct 2020 12:26:06 -0700 IronPort-SDR: lxF6D25Y207qlLNXScXhxkLPsDRbK1kc/MVlkM2tgjHEmEqB9WNJ8MI7ZEXXSbfyiX3amIf/dz tc0QX9Ic3oBg== X-IronPort-AV: E=Sophos;i="5.77,340,1596524400"; d="scan'208";a="517163416" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.160]) by fmsmga005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 05 Oct 2020 11:43:35 -0700 Date: Mon, 5 Oct 2020 11:43:20 -0700 From: Sean Christopherson To: Peter Xu Cc: Alexander Graf , kvm list , Aaron Lewis , Paolo Bonzini , Jonathan Corbet , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , KarimAllah Raslan , Dan Carpenter , Maxim Levitsky , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v8 6/8] KVM: x86: VMX: Prevent MSR passthrough when MSR access is denied Message-ID: <20201005184320.GA15803@linux.intel.com> References: <20200925143422.21718-1-graf@amazon.com> <20200925143422.21718-7-graf@amazon.com> <20201002011139.GA5473@xz-x1> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20201002011139.GA5473@xz-x1> User-Agent: Mutt/1.5.24 (2015-08-30) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 01, 2020 at 09:11:39PM -0400, Peter Xu wrote: > Hi, > > I reported in the v13 cover letter of kvm dirty ring series that this patch > seems to have been broken. Today I tried to reproduce with a simplest vm, and > after a closer look... > > On Fri, Sep 25, 2020 at 04:34:20PM +0200, Alexander Graf wrote: > > @@ -3764,15 +3859,14 @@ static u8 vmx_msr_bitmap_mode(struct kvm_vcpu *vcpu) > > return mode; > > } > > > > -static void vmx_update_msr_bitmap_x2apic(struct kvm_vcpu *vcpu, > > - unsigned long *msr_bitmap, u8 mode) > > +static void vmx_update_msr_bitmap_x2apic(struct kvm_vcpu *vcpu, u8 mode) > > { > > int msr; > > > > - for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) { > > - unsigned word = msr / BITS_PER_LONG; > > - msr_bitmap[word] = (mode & MSR_BITMAP_MODE_X2APIC_APICV) ? 0 : ~0; > > - msr_bitmap[word + (0x800 / sizeof(long))] = ~0; > > + for (msr = 0x800; msr <= 0x8ff; msr++) { > > + bool intercepted = !!(mode & MSR_BITMAP_MODE_X2APIC_APICV); > > + > > + vmx_set_intercept_for_msr(vcpu, msr, MSR_TYPE_RW, intercepted); Yeah, this is busted. > > } > > > > if (mode & MSR_BITMAP_MODE_X2APIC) { > > ... I think we may want below change to be squashed: > > diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c > index d160aad59697..7d3f2815b04d 100644 > --- a/arch/x86/kvm/vmx/vmx.c > +++ b/arch/x86/kvm/vmx/vmx.c > @@ -3781,9 +3781,10 @@ static void vmx_update_msr_bitmap_x2apic(struct kvm_vcpu *vcpu, u8 mode) > int msr; > > for (msr = 0x800; msr <= 0x8ff; msr++) { > - bool intercepted = !!(mode & MSR_BITMAP_MODE_X2APIC_APICV); > + bool apicv = mode & MSR_BITMAP_MODE_X2APIC_APICV; > > - vmx_set_intercept_for_msr(vcpu, msr, MSR_TYPE_RW, intercepted); > + vmx_set_intercept_for_msr(vcpu, msr, MSR_TYPE_R, !apicv); > + vmx_set_intercept_for_msr(vcpu, msr, MSR_TYPE_W, true); I would prefer a full revert of sorts. Allowing userspace to intercept reads to x2APIC MSRs when APICV is fully enabled for the guest simply can't work. The LAPIC and thus virtual APIC is in-kernel and cannot be directly accessed by userspace. I doubt it actually affects real world performance, but resetting each MSR one-by-one bugs me. Intercepting writes to TPR, EOI and SELF_IPI are somewhat plausible, but I just don't see how intercepting reads when APICV is active is a sane setup. I'll send a patch and we can go from there. > } > > if (mode & MSR_BITMAP_MODE_X2APIC) { > > This fixes my problem the same as having this patch reverted. > > -- > Peter Xu >