Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp3018910rwb; Mon, 15 Aug 2022 16:15:45 -0700 (PDT) X-Google-Smtp-Source: AA6agR60WlHZFMTGjqH4481paSWPkhPGrNh4oBSoKydlWdTulMrrZV2KnH4AlCrYF5cyFhH9STG2 X-Received: by 2002:a17:906:7309:b0:731:5c2:a9a6 with SMTP id di9-20020a170906730900b0073105c2a9a6mr11816153ejc.486.1660605345633; Mon, 15 Aug 2022 16:15:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660605345; cv=none; d=google.com; s=arc-20160816; b=PMt45gchQYJVmYLJ3c3NOO3amXAdgGWKuokLX4e/oqk5nIlv8tyMtqkjSJjQQwJZd/ tLSl7m+8N3PjGp20vVifTd9cFKWB/tQ6T3A8P8ce4ghZ3suxFwELrHeEdiE1El/KHs4o HFZ+hv4oz/36CxeLRFfYSiM/ncy5EHAGzUjYHa8jRw4kZMrJDUiz/rTsWjlwjqxYXuCg OwT+m9DPfVGRiU0qYIFmXU8jSvZMa8jadcVOGzT7da9+fEgVCEIZnxwcRZFN2Yxj4YjD kfb0LqSb8rSRlJDDX8cGpfHd8H9OimPW1pEuNADKEewpHcBSz+b4JbSvmph3yRC9MHSP piTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=UNleIRetBqlRScXjP987HvU8YbaPTox0kM9Q5eLrZ1w=; b=PE3APBVgNLGPFkufanGPcUCsSA0P7hNYPq6Tacz8f3wwKSWhGQBmRb7OjnM0k75NY3 bBGkEcAmBb1nPzK5mvDUY9mvqe/S/0PUAJD/7D66XFjuy5dsiFVSCOzoxp5oc9/IP5F0 DthbkgFs63HHnRpkGfFUv+PnGGnxPri4MdkzDV2c+OvYRl2fE6ybyePj4rLzKJQRHOiP cXKpxqvjOQkypcrrxokJJdrRh53YYSJly/4S0hiR8YDQh71vIB+hgdneNh63J5Dx5b9T rNSTlqt4Nuj6uOYEHcc1Kv0v4pD3weVEOcXs3M1EgRiLyxCS5rIsu/ONtnqtc/liQjCn 2VAQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=vjBhLi35; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id du8-20020a17090772c800b00733ca35c0a6si9339178ejc.626.2022.08.15.16.15.20; Mon, 15 Aug 2022 16:15:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=vjBhLi35; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232661AbiHOVaG (ORCPT + 99 others); Mon, 15 Aug 2022 17:30:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48560 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348017AbiHOV0v (ORCPT ); Mon, 15 Aug 2022 17:26:51 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 70F36E97C2; Mon, 15 Aug 2022 12:22:48 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B50DBB810C6; Mon, 15 Aug 2022 19:22:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DF8D3C433C1; Mon, 15 Aug 2022 19:22:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660591365; bh=egGKbDqvXc1EvJ4PBDPmmMxMGc9KA8xbMp/xsy6gDFg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vjBhLi35tXOzsTa5VyyzO5PHuosMAyVWonOZOXdwW9xNVk0bfYECKI9w3o5hJgCTO W2ni+w45d+kneiVOv+nqQZGw1xZwnenVDtbtF9xpVbZynWQFGGjjOI0KTuJsKKOZzB XvlY1kPL7PauZwYb5AoVt1hty/dyqmakcx5UKM3A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Maxim Levitsky , Sean Christopherson , "Maciej S. Szmigiero" , Paolo Bonzini , Sasha Levin Subject: [PATCH 5.18 0556/1095] KVM: SVM: Unwind "speculative" RIP advancement if INTn injection "fails" Date: Mon, 15 Aug 2022 19:59:15 +0200 Message-Id: <20220815180452.559585831@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220815180429.240518113@linuxfoundation.org> References: <20220815180429.240518113@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sean Christopherson [ Upstream commit cd9e6da8048c5b40315ee2d929b6230ce1252c3c ] Unwind the RIP advancement done by svm_queue_exception() when injecting an INT3 ultimately "fails" due to the CPU encountering a VM-Exit while vectoring the injected event, even if the exception reported by the CPU isn't the same event that was injected. If vectoring INT3 encounters an exception, e.g. #NP, and vectoring the #NP encounters an intercepted exception, e.g. #PF when KVM is using shadow paging, then the #NP will be reported as the event that was in-progress. Note, this is still imperfect, as it will get a false positive if the INT3 is cleanly injected, no VM-Exit occurs before the IRET from the INT3 handler in the guest, the instruction following the INT3 generates an exception (directly or indirectly), _and_ vectoring that exception encounters an exception that is intercepted by KVM. The false positives could theoretically be solved by further analyzing the vectoring event, e.g. by comparing the error code against the expected error code were an exception to occur when vectoring the original injected exception, but SVM without NRIPS is a complete disaster, trying to make it 100% correct is a waste of time. Reviewed-by: Maxim Levitsky Fixes: 66b7138f9136 ("KVM: SVM: Emulate nRIP feature when reinjecting INT3") Signed-off-by: Sean Christopherson Signed-off-by: Maciej S. Szmigiero Message-Id: <450133cf0a026cb9825a2ff55d02cb136a1cb111.1651440202.git.maciej.szmigiero@oracle.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin --- arch/x86/kvm/svm/svm.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 2851d1e58cb8..e4c736d74fcb 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -3613,6 +3613,18 @@ static void svm_complete_interrupts(struct kvm_vcpu *vcpu) vector = exitintinfo & SVM_EXITINTINFO_VEC_MASK; type = exitintinfo & SVM_EXITINTINFO_TYPE_MASK; + /* + * If NextRIP isn't enabled, KVM must manually advance RIP prior to + * injecting the soft exception/interrupt. That advancement needs to + * be unwound if vectoring didn't complete. Note, the _new_ event may + * not be the injected event, e.g. if KVM injected an INTn, the INTn + * hit a #NP in the guest, and the #NP encountered a #PF, the #NP will + * be the reported vectored event, but RIP still needs to be unwound. + */ + if (int3_injected && type == SVM_EXITINTINFO_TYPE_EXEPT && + kvm_is_linear_rip(vcpu, svm->int3_rip)) + kvm_rip_write(vcpu, kvm_rip_read(vcpu) - int3_injected); + switch (type) { case SVM_EXITINTINFO_TYPE_NMI: vcpu->arch.nmi_injected = true; @@ -3626,16 +3638,11 @@ static void svm_complete_interrupts(struct kvm_vcpu *vcpu) /* * In case of software exceptions, do not reinject the vector, - * but re-execute the instruction instead. Rewind RIP first - * if we emulated INT3 before. + * but re-execute the instruction instead. */ - if (kvm_exception_is_soft(vector)) { - if (vector == BP_VECTOR && int3_injected && - kvm_is_linear_rip(vcpu, svm->int3_rip)) - kvm_rip_write(vcpu, - kvm_rip_read(vcpu) - int3_injected); + if (kvm_exception_is_soft(vector)) break; - } + if (exitintinfo & SVM_EXITINTINFO_VALID_ERR) { u32 err = svm->vmcb->control.exit_int_info_err; kvm_requeue_exception_e(vcpu, vector, err); -- 2.35.1