Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp1646357ioo; Sun, 22 May 2022 22:52:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxDh9/iFuZkazbr5pj5p/On/PnIv5esaJRmks7OrezKT1PijrHWpA2QJsTRbNbbmlQ8nKjt X-Received: by 2002:a17:902:9a07:b0:161:fdc3:3b9d with SMTP id v7-20020a1709029a0700b00161fdc33b9dmr12186350plp.94.1653285171712; Sun, 22 May 2022 22:52:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1653285171; cv=none; d=google.com; s=arc-20160816; b=ThpNNrNMywwIuutRNqlUVn5+u8a0+g9h3O/2YH3wMXaLRJNozbRgiYeSUNKTQKlhZQ zHYYpCAG4ZIjDl4DWHV0IoQfjzIjXOxjMYqK86ZGrvYSij6YpDyYTUir77hoAo9s5wnM WqtViSzA1MLrpDn/ATaDTrTcj0zDhoE78ggXmAC7b5N+5gHHOCH5SBiSWsxpr/+mBKqY mvb/6n6zOAuH+ic5xW3DQ8aQ0zQ1zCfoJqNXl3/VlyJdPDfcb97wExgD8GbIt/TvD37f bdragf0mY8Haw5ZAQ5C1g6/WuW06ZSEiqHO0YplhI1dKYz4k9mYOgxApyZRVVvdovtyg 0MOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=lAoFLAZClaXd8fd/V0KTEeUVpBsVq8dDj5Pbr2VssL0=; b=IMSXgvF2hEOtpvOx3PfT0iERtqMdhcie8cu6EmZMjhtABTEwdFkKETMrMjxuaks7Kh 5HQYqR7uMMxB5gI5fCCIC8JodsnL3rnXn08JLDQH2rCvQqvlsPCKZ8MkEHkM2jPZct1F 9Tb8s2Lx9UOPjRlbN3Qm71ReKBCJaJQIL5PzY3X7p1oK7KjeTLK61M1IwfpwGitPCS3N fvzxwFfCi2YlIXtre6D/9LkK9uUR7MGqkCDDhv27b/vz7sgTZ10T8zUOlzbcjTcWIsh0 RPLSXkOgP4tF12W6DlurwuFm41UUFSYj+R8UtGw4zRyttOlDravX+6RjH3yrX03t/Hyq rr8A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="aalpFu/M"; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id mn20-20020a17090b189400b001df7c2c5f37si12795513pjb.82.2022.05.22.22.52.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 22 May 2022 22:52:51 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="aalpFu/M"; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id EBBB02CE37; Sun, 22 May 2022 22:50:34 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1352335AbiETRri (ORCPT + 99 others); Fri, 20 May 2022 13:47:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54100 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352326AbiETRrg (ORCPT ); Fri, 20 May 2022 13:47:36 -0400 Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AA20D2E68C for ; Fri, 20 May 2022 10:47:35 -0700 (PDT) Received: by mail-pl1-x62c.google.com with SMTP id q4so7936065plr.11 for ; Fri, 20 May 2022 10:47:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=lAoFLAZClaXd8fd/V0KTEeUVpBsVq8dDj5Pbr2VssL0=; b=aalpFu/MVF1DHHxMs4gLPTt22wEhmmmSjJpxpsUeJNoFTatDlVBeG9q8mD5RPFjrFa fMxW8EVAfH+NoGJNNoAHss+R1VHIaeciSsb9y3zZDvpzmF4P7p/VACErvpwfshapsmYh N9qwsFt57RwKY1HgNarsE3zgHN0srytox0sr7pjd5AUKXj8g2vvSmLBXiurIDVl0PvP4 s2uS7dn0o87RzGGVrjHPaS/9i3QtBuGROzap2powOZDQG5KI7RBOIjE76f/OEl93e34N CCAIanbV/GmBtc83hkGf/NC2UvrEsS22i+MNyIFOBFRpDcT0yLqVk7//QjalAHPisbnP 3Qrw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=lAoFLAZClaXd8fd/V0KTEeUVpBsVq8dDj5Pbr2VssL0=; b=hq8vIdEMOA83vpk0pVUMdwblGl0d0yD55gNvzoxlidxDLTw0rw46XAeLSrNdJm/dXk ckdh8Fx7qprnXm7l5ZBYfJDnTf1+3P0fAK4NQFQeZAENRBBLs1pgc+kf/cHdRHp8xj46 M25UH9nxGxFgVffwRmvbWPJUav+hutNzNsFlH7r3QByatCbOoGS/5k0PkThdopWnRZ41 ZCtfNOxPgHkr/Sw66DdZtql/jEIj+TZf6HJ904s35fqYigtL7e+L7CpTG29Bx9NvhweB BhF8twLqeDU1alqDtAqngXx2zMxcjS0XPx75FExhL/hzya1bjS3Xa1E77dWgKEMtLe3K wZnQ== X-Gm-Message-State: AOAM531QVu9yxDb/AwwO7JSWlPOg00zwvyuse7L4eCWU7fdQ0D6hn4cN +GgvwGWEi/qMOsa9WJyPaNMW2w== X-Received: by 2002:a17:902:cecb:b0:161:bbbf:c45f with SMTP id d11-20020a170902cecb00b00161bbbfc45fmr10867951plg.155.1653068854938; Fri, 20 May 2022 10:47:34 -0700 (PDT) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id x21-20020a1709027c1500b0015e8d4eb272sm30850pll.188.2022.05.20.10.47.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 May 2022 10:47:34 -0700 (PDT) Date: Fri, 20 May 2022 17:47:30 +0000 From: Sean Christopherson To: "Kirill A. Shutemov" Cc: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@intel.com, luto@kernel.org, peterz@infradead.org, ak@linux.intel.com, dan.j.williams@intel.com, david@redhat.com, hpa@zytor.com, linux-kernel@vger.kernel.org, sathyanarayanan.kuppuswamy@linux.intel.com, thomas.lendacky@amd.com, x86@kernel.org Subject: Re: [PATCHv2 3/3] x86/tdx: Handle load_unaligned_zeropad() page-cross to a shared page Message-ID: References: <20220520031316.47722-1-kirill.shutemov@linux.intel.com> <20220520031316.47722-4-kirill.shutemov@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220520031316.47722-4-kirill.shutemov@linux.intel.com> X-Spam-Status: No, score=-9.5 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 20, 2022, Kirill A. Shutemov wrote: > load_unaligned_zeropad() can lead to unwanted loads across page boundaries. > The unwanted loads are typically harmless. But, they might be made to > totally unrelated or even unmapped memory. load_unaligned_zeropad() > relies on exception fixup (#PF, #GP and now #VE) to recover from these > unwanted loads. > > In TDX guests, the second page can be shared page and VMM may configure > it to trigger #VE. > > Kernel assumes that #VE on a shared page is MMIO access and tries to > decode instruction to handle it. In case of load_unaligned_zeropad() it > may result in confusion as it is not MMIO access. > > Check fixup table before trying to handle MMIO. > > The issue was discovered by analysis. It was not triggered during the > testing. > > Signed-off-by: Kirill A. Shutemov > --- > arch/x86/coco/tdx/tdx.c | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > > diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c > index 010dc229096a..1a1c8a92cfa5 100644 > --- a/arch/x86/coco/tdx/tdx.c > +++ b/arch/x86/coco/tdx/tdx.c > @@ -11,6 +11,8 @@ > #include > #include > #include > +#include > +#include > > /* TDX module Call Leaf IDs */ > #define TDX_GET_INFO 1 > @@ -299,6 +301,24 @@ static int handle_mmio(struct pt_regs *regs, struct ve_info *ve) > if (WARN_ON_ONCE(user_mode(regs))) > return -EFAULT; > > + /* > + * load_unaligned_zeropad() relies on exception fixups in case of the > + * word being a page-crosser and the second page is not accessible. > + * > + * In TDX guests, the second page can be shared page and VMM may > + * configure it to trigger #VE. > + * > + * Kernel assumes that #VE on a shared page is MMIO access and tries to > + * decode instruction to handle it. In case of load_unaligned_zeropad() > + * it may result in confusion as it is not MMIO access. The guest kernel can't know that it's not "MMIO", e.g. nothing prevents the host from manually serving accesses to some chunk of shared memory instead of backing the shared chunk with host DRAM. > + * > + * Check fixup table before trying to handle MMIO. This ordering is wrong, fixup should be done if and only if the instruction truly "faults". E.g. if there's an MMIO access lurking in the kernel that is wrapped in exception fixup, then this will break that usage and provide garbage data on a read and drop any write. > + */ > + if (fixup_exception(regs, X86_TRAP_VE, 0, ve->gla)) { > + /* regs->ip is adjusted by fixup_exception() */ > + return 0; > + } > + > if (copy_from_kernel_nofault(buffer, (void *)regs->ip, MAX_INSN_SIZE)) > return -EFAULT; > > -- > 2.35.1 >