From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yu Zhang, Sean Christopherson, Paolo Bonzini
Subject: [PATCH 5.13 080/800] KVM: x86: Force all MMUs to reinitialize if guest CPUID is modified
Date: Mon, 12 Jul 2021 08:01:43 +0200
Message-Id: <20210712060924.396778441@linuxfoundation.org>
In-Reply-To: <20210712060912.995381202@linuxfoundation.org>
References: <20210712060912.995381202@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Sean Christopherson

commit 49c6f8756cdffeb9af1fbcb86bacacced26465d7 upstream.

Invalidate all MMUs' roles after a CPUID update to force reinitialization of the MMU context/helpers. Despite the efforts of commit de3ccd26fafc ("KVM: MMU: record maximum physical address width in kvm_mmu_extended_role"), there are still a handful of CPUID-based properties that affect MMU behavior but are not incorporated into mmu_role. E.g. 1gb hugepage support, AMD vs. Intel handling of bit 8, and SEV's C-Bit location all factor into the guest's reserved PTE bits.

The obvious alternative would be to add all such properties to mmu_role, but doing so provides no benefit over simply forcing a reinitialization on every CPUID update, as setting guest CPUID is a rare operation.

Note, reinitializing all MMUs after a CPUID update does not fix all of KVM's woes. Specifically, kvm_mmu_page_role doesn't track the CPUID properties, which means that a vCPU can reuse shadow pages that should not exist for the new vCPU model, e.g. that map GPAs that are now illegal (due to MAXPHYADDR changes) or that set bits that are now reserved (PAGE_SIZE for 1gb pages), etc... Tracking the relevant CPUID properties in kvm_mmu_page_role would address the majority of problems, but fully tracking that much state in the shadow page role comes with an unpalatable cost as it would require a non-trivial increase in KVM's memory footprint.

The GBPAGES case is even worse, as neither Intel nor AMD provides a way to disable 1gb hugepage support in the hardware page walker, i.e. it's a virtualization hole that can't be closed when using TDP.

In other words, resetting the MMU after a CPUID update is largely a superficial fix. But, it will allow reverting the tracking of MAXPHYADDR in the mmu_role, and that case in particular needs to mostly work because KVM's shadow_root_level depends on guest MAXPHYADDR when 5-level paging is supported. For cases where KVM botches guest behavior, the damage is limited to that guest.
But for the shadow_root_level, a misconfigured MMU can cause KVM to incorrectly access memory, e.g. due to walking off the end of its shadow page tables. Fixes: 7dcd57552008 ("x86/kvm/mmu: check if tdp/shadow MMU reconfiguration is needed") Cc: Yu Zhang Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20210622175739.3610207-7-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/cpuid.c | 6 +++--- arch/x86/kvm/mmu/mmu.c | 12 ++++++++++++ 3 files changed, 16 insertions(+), 3 deletions(-) --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1464,6 +1464,7 @@ int kvm_mmu_create(struct kvm_vcpu *vcpu void kvm_mmu_init_vm(struct kvm *kvm); void kvm_mmu_uninit_vm(struct kvm *kvm); +void kvm_mmu_after_set_cpuid(struct kvm_vcpu *vcpu); void kvm_mmu_reset_context(struct kvm_vcpu *vcpu); void kvm_mmu_slot_remove_write_access(struct kvm *kvm, struct kvm_memory_slot *memslot, --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -202,10 +202,10 @@ static void kvm_vcpu_after_set_cpuid(str static_call(kvm_x86_vcpu_after_set_cpuid)(vcpu); /* - * Except for the MMU, which needs to be reset after any vendor - * specific adjustments to the reserved GPA bits. + * Except for the MMU, which needs to do its thing any vendor specific + * adjustments to the reserved GPA bits. */ - kvm_mmu_reset_context(vcpu); + kvm_mmu_after_set_cpuid(vcpu); } static int is_efer_nx(void) --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c 
@@ -4859,6 +4859,18 @@ kvm_mmu_calc_root_page_role(struct kvm_v return role.base; } +void kvm_mmu_after_set_cpuid(struct kvm_vcpu *vcpu) +{ + /* + * Invalidate all MMU roles to force them to reinitialize as CPUID + * information is factored into reserved bit calculations. + */ + vcpu->arch.root_mmu.mmu_role.ext.valid = 0; + vcpu->arch.guest_mmu.mmu_role.ext.valid = 0; + vcpu->arch.nested_mmu.mmu_role.ext.valid = 0; + kvm_mmu_reset_context(vcpu); +} + void kvm_mmu_reset_context(struct kvm_vcpu *vcpu) { kvm_mmu_unload(vcpu);
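Review bot: the rewritten comment in kvm_vcpu_after_set_cpuid() in the cpuid.c hunk has lost the word "after" and no longer parses ("which needs to do its thing any vendor specific adjustments"); suggest "Except for the MMU, which needs to do its thing after any vendor specific adjustments to the reserved GPA bits." so the ordering constraint (vendor hook first, then kvm_mmu_after_set_cpuid()) stays documented.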
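Review bot: the comment on the new kvm_mmu_after_set_cpuid() in the mmu.c hunk says the roles are invalidated to force reinitialization, but the commit message itself notes that kvm_mmu_page_role does not track these CPUID properties, so already-allocated shadow pages can still be reused after the reset; suggest stating that limitation in the function comment so a reader does not take this as a complete fix for CPUID changes. It would also help to note that clearing ext.valid on the three MMUs only takes effect through the kvm_mmu_reset_context() call that follows, so the two steps must stay together.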
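As an added illustration of the commit message's argument (not code from the patch or from KVM), this C model caches an MMU role that records MAXPHYADDR but not 1gb hugepage support, and shows that a CPUID update flipping only gbpages leaves a stale reserved-bit mask unless the role's valid bit is cleared first, as kvm_mmu_after_set_cpuid() does. Struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
/* Toy model (not KVM code) of the bug in the commit message: the cached role
 * records MAXPHYADDR but not 1gb hugepage support. Names are hypothetical. */
struct cpuid_props { unsigned maxphyaddr; bool gbpages; };
union mmu_role {
    struct { uint32_t maxphyaddr : 8; uint32_t valid : 1; } ext;
    uint32_t as_u32;
};
struct mmu_ctx { union mmu_role role; uint64_t rsvd_pdpe; };
static union mmu_role calc_role(const struct cpuid_props *p)
{
    union mmu_role r = { .as_u32 = 0 };
    r.ext.maxphyaddr = p->maxphyaddr;
    r.ext.valid = 1;               /* a computed role is never all-zero */
    return r;
}
/* Physical bits MAXPHYADDR..51 are reserved in a PDPTE; bit 7 (PAGE_SIZE) is
 * reserved as well unless guest CPUID advertises 1gb pages. */
static uint64_t calc_rsvd_pdpe(const struct cpuid_props *p)
{
    uint64_t rsvd = ((1ULL << 52) - 1) & ~((1ULL << p->maxphyaddr) - 1);
    return p->gbpages ? rsvd : rsvd | (1ULL << 7);
}
/* Early-out on an unchanged role, as the MMU init paths do. */
static void init_mmu(struct mmu_ctx *ctx, const struct cpuid_props *p)
{
    union mmu_role new_role = calc_role(p);
    if (new_role.as_u32 == ctx->role.as_u32)
        return;
    ctx->role = new_role;
    ctx->rsvd_pdpe = calc_rsvd_pdpe(p);
}
/* The patch's approach: clear ext.valid so the next init can never match. */
static void after_set_cpuid(struct mmu_ctx *ctx, const struct cpuid_props *p)
{
    ctx->role.ext.valid = 0;
    init_mmu(ctx, p);
}
/* Flip gbpages with MAXPHYADDR unchanged; false means the cached mask is stale. */
bool mask_fresh_after_gbpages_flip(bool use_fix)
{
    struct cpuid_props p = { .maxphyaddr = 48, .gbpages = false };
    struct mmu_ctx ctx = { .role.as_u32 = 0 };
    init_mmu(&ctx, &p);
    p.gbpages = true;                    /* userspace updates guest CPUID */
    use_fix ? after_set_cpuid(&ctx, &p) : init_mmu(&ctx, &p);
    return ctx.rsvd_pdpe == calc_rsvd_pdpe(&p);
}
```

Without the fix the second init_mmu() sees an identical role and keeps the old mask with PAGE_SIZE still marked reserved; with the fix the role can no longer match and the mask is recomputed.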