Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp297757rwb; Thu, 6 Oct 2022 18:56:03 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7Z48NaWd5KtSnEt4L/UDbKcWD8pGqFJvlsg3u1vnpiuCLAVFRNy/PxV2eTcSvpMIQ/HTN0 X-Received: by 2002:a17:907:3daa:b0:782:1053:ccb5 with SMTP id he42-20020a1709073daa00b007821053ccb5mr2170585ejc.312.1665107762855; Thu, 06 Oct 2022 18:56:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1665107762; cv=none; d=google.com; s=arc-20160816; b=kn9c0hggiW3jrAyUMjrb3Yz7yOjpP3y0heJhFrBfzmWlo6t1uYNvb0DhlTOmvkGzG/ IOi+qg89KlvLtzM1NM49hIuOdAtNnfX6TKPBMuCq+v3vD2Q1/tx0svaB9iK7lhBUzVyF l9GgvPunyMdrLZPYipIWLPH+EQ0iL1ikC046oM46K84H+QRhq7EvJQin2+m2wXC6RQpm Vhh4Yrgkpr+g/dX/xwighVQNfbgbpaEfadtZUTxpmrAYjRBfW8aq4maepWMkCrHkdfio ds8ekFoMiBFwB9Ue3kq7GguXm6J6D5QI8BjSVZMh4yU+TJdGfZlKojhysXhhSHiVfql8 f1gQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=NcBtk6a7IuEjI05U4g8450qYK7dFXLN2jtthseAcZ7Y=; b=Sa0cr9jggIQB8zSTRF2x7OIW6zSFXbP6ev7PSijA3Sb/C+HxAOQxunRbTMnU03rjyG aeEngCNePspBJjcXC/BPo6b8yYK/AckdqTIx2cQouySvpOKllaRqmdxLIyo+gtMduU9g vEUPgrjqbu85mWpQ4tNkOWwA3t/oj1gxdV2OgZfKMclyap8eOaXNGOCwmUfQLfR7a3sU jtw0bYPSR6omcMU3BwxDsc3jzlQisKE/t9Fhzl4TRd2dC1iM0GLVW+b1t/ymEl2wl3Uy cRCiuGoZStisEmbqy5ZHOr90df16/84RpvJuB4YGDIz/wGnZDRhOt4n54ottRkIThOf8 zctw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=eUUnaBU9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l15-20020a170906794f00b0078cb08c3727si975564ejo.916.2022.10.06.18.55.32; Thu, 06 Oct 2022 18:56:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=eUUnaBU9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231464AbiJGBox (ORCPT + 99 others); Thu, 6 Oct 2022 21:44:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60150 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229906AbiJGBou (ORCPT ); Thu, 6 Oct 2022 21:44:50 -0400 Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C5D7314D30; Thu, 6 Oct 2022 18:44:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1665107087; x=1696643087; h=date:from:to:cc:subject:message-id:references: mime-version:content-transfer-encoding:in-reply-to; bh=Fs3FGSpDMneExo+IDXFzUA3FQKcmBRvaSI4o4deHzJc=; b=eUUnaBU9YtGnb++MflraX1vkbXgknM9Q9X8NgA/EtrHwHs1AIN6vbEKx ivsSZa9FeT2yQwMoxuAWkHVvnXt6RXUBkPzEjcCIzvBWkBV29vplP8YGV oup9ZYCYTVVmhQ9lcIlaDLkN30mQuUIdU/MSQuc5k3yEwSmaaHEqJYgf4 V+ixLZ5/t2Huu6xCTL5J/nwEL+L+vplViN/T3J7JdNrqix+XvGfm8nMO5 Hbfv7Enx/KHyUoBGU1rWqwY9JICavXc3FMVuQQ/ap7+CTFsu2d67A3FUY 1kOpYmWovjsDaP90I1X6EHXxapB4rl7RmBKXE8HyhhWchMR1FDbJCsJM4 Q==; X-IronPort-AV: E=McAfee;i="6500,9779,10492"; a="283993153" X-IronPort-AV: E=Sophos;i="5.95,164,1661842800"; d="scan'208";a="283993153" Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 06 Oct 2022 18:44:46 -0700 X-IronPort-AV: E=McAfee;i="6500,9779,10492"; a="655852881" X-IronPort-AV: E=Sophos;i="5.95,164,1661842800"; d="scan'208";a="655852881" Received: from spvenkat-mobl.amr.corp.intel.com (HELO desk) ([10.209.50.56]) by orsmga008-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 06 Oct 2022 18:44:45 -0700 Date: Thu, 6 Oct 2022 18:44:43 -0700 From: "pawan.kumar.gupta@linux.intel.com" To: Andrew Cooper Cc: Suraj Jitindar Singh , "kvm@vger.kernel.org" , "sjitindarsingh@gmail.com" , "linux-kernel@vger.kernel.org" , "x86@kernel.org" , "tglx@linutronix.de" , "mingo@redhat.com" , "bp@suse.de" , "dave.hansen@linux.intel.com" , "seanjc@google.com" , "pbonzini@redhat.com" , "peterz@infradead.org" , "jpoimboe@kernel.org" , "daniel.sneddon@linux.intel.com" , "benh@kernel.crashing.org" , "stable@vger.kernel.org" Subject: Re: [PATCH] x86/speculation: Mitigate eIBRS PBRSB predictions with WRMSR Message-ID: <20221007014443.flhhnzrtdmcsst3x@desk> References: <20221005220227.1959-1-surajjs@amazon.com> <11ebe489-0734-28af-07a4-f658709cfd9e@citrix.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <11ebe489-0734-28af-07a4-f658709cfd9e@citrix.com> X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 06, 2022 at 02:42:10AM +0000, Andrew Cooper wrote: >On 05/10/2022 23:02, Suraj Jitindar Singh wrote: >> == Solution == >> >> The WRMSR instruction can be used as a speculation barrier and a serialising >> instruction. Use this on the VM exit path instead to ensure that a CALL >> instruction (in this case the call to vmx_spec_ctrl_restore_host) has retired >> before the prediction of a following unbalanced RET. > >While both of these sentences are true statements, you've missed the >necessary safety property. > >One CALL has to retire before *any* RET can execute. > >There are several ways the frontend can end up eventually consuming the >bad RSB entry; they all stem from an execute (not prediction) of the >next RET instruction. > >As to the change, ... > >> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c >> index c9b49a09e6b5..fdcd8e10c2ab 100644 >> --- a/arch/x86/kvm/vmx/vmx.c >> +++ b/arch/x86/kvm/vmx/vmx.c >> @@ -7049,8 +7049,13 @@ void noinstr vmx_spec_ctrl_restore_host(struct vcpu_vmx *vmx, > >... out of context above this hunk is: > >    if (!cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) >        return; > >meaning that there is a return instruction which is programmatically >reachable ahead of the WRMSR. > >Whether it is speculatively reachable depends on whether the frontend >can see through the _static_cpu_has(), as well as >X86_FEATURE_MSR_SPEC_CTRL never becoming compile time evaluable. In this case wouldn't _static_cpu_has() be runtime patched to a JMP (<+8> below) or a NOP? RET (at <+13>) should not be reachable even speculatively. What am I missing? Dump of assembler code for function vmx_spec_ctrl_restore_host: arch/x86/kvm/vmx/vmx.c: u64 hostval = this_cpu_read(x86_spec_ctrl_current); <+0>: mov %gs:0x7e022e60(%rip),%r8 # 0x1ad48 ./arch/x86/include/asm/cpufeature.h: asm_volatile_goto( <+8>: jmp <+10>: nopl (%rax) <+13>: ret arch/x86/kvm/vmx/vmx.c: if (flags & VMX_RUN_SAVE_SPEC_CTRL) <+14>: and $0x2,%esi <+17>: je [...]