From: Like Xu
To: Sean Christopherson, Peter Zijlstra
Cc: Kan Liang, Paolo Bonzini, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] KVM: x86/pmu: Prevent any host user from enabling PEBS for profiling guest
Date: Wed, 29 Nov 2023 17:50:55 +0800
Message-ID: <20231129095055.88060-1-likexu@tencent.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Like Xu

Stop using PEBS counters on host to profile guest. Limit the range of
enabled PEBS counters to only those counters enabled from the guest PEBS
emulation perspective.

If there is a perf-record agent on host that uses perf-tools events like
"cpu-cycles:GP" (G for attr.exclude_host, P for max precise event counter)
to capture guest performance events, then the guest will hang. This is
because Intel DS-based PEBS buffer is addressed using the 64-bit linear
address of the current {p/v}CPU context based on MSR_IA32_DS_AREA.

Any perf user using PEBS counters to profile guest on host is, in
perf/core implementation details, trying to set bits on
cpuc->intel_ctrl_guest_mask and arr[pebs_enable].guest, much like the
guest PEBS emulation behaviour. But the subsequent PEBS memory write,
regardless of whether guest PEBS is enabled, can overshoot guest entry
and corrupt guest memory.

Profiling guest via PEBS-DS buffer on host is not supported at this time.
Fix this by filtering the real configured value of arr[pebs_enable].guest
with the emulated state of guest enabled PEBS counters, under the
condition of no cross-mapped PEBS counters.

Cc: Peter Zijlstra (Intel)
Fixes: c59a1f106f5c ("KVM: x86/pmu: Add IA32_PEBS_ENABLE MSR emulation for extended PEBS")
Signed-off-by: Like Xu
--- arch/x86/events/intel/core.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c index a08f794a0e79..17afd504c35b 100644 --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c 
@@ -4103,13 +4103,19 @@ static struct perf_guest_switch_msr *intel_guest_get_msrs(int *nr, void *data) .guest = pebs_mask & ~cpuc->intel_ctrl_host_mask, }; + /* In any case, clear guest PEBS bits first. */ + arr[global_ctrl].guest &= ~arr[pebs_enable].guest; + if (arr[pebs_enable].host) { /* Disable guest PEBS if host PEBS is enabled. */ arr[pebs_enable].guest = 0; } else { /* Disable guest PEBS thoroughly for cross-mapped PEBS counters. */ arr[pebs_enable].guest &= ~kvm_pmu->host_cross_mapped_mask; - arr[global_ctrl].guest &= ~kvm_pmu->host_cross_mapped_mask; + + /* Prevent any host user from enabling PEBS for profiling guest. */ + arr[pebs_enable].guest &= (kvm_pmu->pebs_enable & kvm_pmu->global_ctrl); + /* Set hw GLOBAL_CTRL bits for PEBS counter when it runs for guest */ arr[global_ctrl].guest |= arr[pebs_enable].guest; } base-commit: 6803fb00772cc50cd59a66bd8caaee5c84b13fcf -- 2.43.0
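
Review bot: The removed `arr[global_ctrl].guest &= ~kvm_pmu->host_cross_mapped_mask;` in the else branch is not obviously covered by the new unconditional `arr[global_ctrl].guest &= ~arr[pebs_enable].guest;` placed ahead of the `if`. The new line only clears bits present in `pebs_mask & ~cpuc->intel_ctrl_host_mask`, so a cross-mapped bit outside that value would now stay set in the guest GLOBAL_CTRL value. If `host_cross_mapped_mask` is always a subset of the PEBS bits, please say so in the comment; otherwise keep the explicit clear. The unconditional clear also changes the `arr[pebs_enable].host` branch, where the bits are never set again, and the changelog does not mention that; the comment "In any case, clear guest PEBS bits first" should state why it is needed there. Minor: the parentheses around `kvm_pmu->pebs_enable & kvm_pmu->global_ctrl` are redundant.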