Received: by 2002:ab2:3b09:0:b0:1ed:14ea:9113 with SMTP id b9csp207173lqc;
        Thu, 29 Feb 2024 15:07:07 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCV9r1N1qJvZFcWtOGaRz05la8DmrZ15af5wp5m6s9zGuawoI6Tf6UGMBW5J6kRelkF1U4dnrJgDzks86PvMQU8qpS2faTyu8AT0H4nOpA==
X-Google-Smtp-Source: AGHT+IFCDabSIj6pf4AckYnDe+3kqWD63a/N4XLELp934OvcRJufnn0W35ztbCunWXvuyiRJ8i25
X-Received: by 2002:a17:906:68d4:b0:a3f:ac54:eb68 with SMTP id y20-20020a17090668d400b00a3fac54eb68mr58262ejr.69.1709248026940;
        Thu, 29 Feb 2024 15:07:06 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1709248026; cv=pass;
        d=google.com; s=arc-20160816;
        b=zjOsxFi9U6pmUDnN860MJ13kfGihX8mMvFcnV6cYJg0XDV6NCB4/HVPJIXfeamrT6D
         9veKheZpA8cgOSx8dkJlEGvojtuDiKBObzeUxrn9cv4bcW0RRMphWFje1Vu8/NanpajT
         /xfd+EgIJsVtt4NZxc4FU0lrZD+bVkSK6saKkKTdDcVxj7bmHfItTqUr8WNxeKjW9k0r
         6Q9upiDmd/mfrKY3Wlo6Hx8GimMgionOg0FFM2kUha37VjgReiATcIN60HD1QK3kgMM5
         GCq44441sOE1epD5TmViZQ97S0XG66d02Z6vA8wuaUJmf7egLvm+EVo7ludpMtmoEkSn
         L/JQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=cc:to:from:subject:message-id:references:mime-version
         :list-unsubscribe:list-subscribe:list-id:precedence:in-reply-to:date
         :dkim-signature;
        bh=aDSHqiXfNKpfl7COydQUrDyx9a3y4hCYnPwB57HeAq4=;
        fh=IW4b3U5Rou5d08ys8LvzGLSqZP/VSZJv5sfeboBSO1Y=;
        b=UatqOJ7zQyz2xaeimB0GZR2WuX05L6/SBieXPd/mXT9uDgiFfCcWutTvAXN78j/l5f
         xFYD8gKXGonUS0qe2u8VJ1SucdhRI6qWqAXrR30ZtDzf6LS4pUHmrlToj5dYphmCosWH
         TXQZhgSDli/qbJciBXA+pbt7wsMWgHaDxfU9VH+VgP87eyiXobG8uV2c51acOpoVD0Zn
         sGYpcpnVE7XfsJwiLxQlSliWfhFQwbF24X1mV+8p0ZQj7Mlsz26IFQKdr6R3Phh6Xnkj
         a118ZL1ZHTfAXWWmUbwUpLgpz2n4BnC1utMR4XTFYanIG6IrL6WZhYlTKDrR3vMmkghN
         JpHg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b="vmzF74//";
       arc=pass (i=1 spf=pass spfdomain=flex--seanjc.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com);
       spf=pass (google.com: domain of linux-kernel+bounces-87663-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-87663-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel+bounces-87663-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3])
        by mx.google.com with ESMTPS id f17-20020a170906139100b00a3ea034e5dasi944705ejc.57.2024.02.29.15.07.06
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 29 Feb 2024 15:07:06 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-87663-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b="vmzF74//";
       arc=pass (i=1 spf=pass spfdomain=flex--seanjc.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com);
       spf=pass (google.com: domain of linux-kernel+bounces-87663-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-87663-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 78FFD1F2313D
	for <linux.lists.archive@gmail.com>; Thu, 29 Feb 2024 23:07:06 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 3187874C0B;
	Thu, 29 Feb 2024 23:06:56 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="vmzF74//"
Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4C97574BEA
	for <linux-kernel@vger.kernel.org>; Thu, 29 Feb 2024 23:06:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1709248015; cv=none; b=O3B+1w//MiQnnjgyRLuCa627MJLFSIZGKrmiqBm+6hK1PzQl+fF9a0SkMFUpntWlrHkjjqYu+ZsXjBqR92LqRulEdL3LqYb37FU2bCVZB6wWBJ7Lv2TklO7M0/D6ViDqsmFltfFu3eutl8yagNtgVagRVSLKmT61hKbnFLV54Q4=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1709248015; c=relaxed/simple;
	bh=xlv4BCWUd+xW1oov75VPMIAgTQnOq8HdvUJUz5cAOE0=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type; b=pKvBJcjgdYN7Bo/dFSPI5txypoJOE+OsfpJfKiZw9S+eLBeecCkqBYyC3tM6dq7BpV9+/ynsSyueaZH8kEYs1U4iShpfdQoIB1scZL7d4h6XSpo9Q9jV5DCrWvv574BPwVaztmn74yTPI1t8Uh5DcE6glMCVsP9EMygXo3sSV1U=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=vmzF74//; arc=none smtp.client-ip=209.85.210.201
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com
Received: by mail-pf1-f201.google.com with SMTP id d2e1a72fcca58-6e5588db705so1210362b3a.1
        for <linux-kernel@vger.kernel.org>; Thu, 29 Feb 2024 15:06:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1709248012; x=1709852812; darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=aDSHqiXfNKpfl7COydQUrDyx9a3y4hCYnPwB57HeAq4=;
        b=vmzF74//eEnu3FEZLvDTrbaKWrHKwN7zPUve1BN473bFERGEAiIRRD+OhFE7prwF6S
         TG9eusVU4Dy3O0jkT89W+9V8w+EiIK5SwoOPH3CamhnPFItXpwCxl5HbxvWExFK1z0DK
         oa5PV9w9iwPmnZhzZL1BndkUIy5I2grBHyNasg//eux/xH8uNx3XVmkWFJGcYo9B3Efq
         t2p03mOEsi/l4goNKK6l8cyYiZLFHQDKq1LWSOEIcZtz922m8nRIqaqcoVzEr7LDmKSM
         k77mt0qF/YSp+Evm/BhxLhp/KaPd3phOGzOrUAV0YadS8o2Uow0yxDoyPa4RSf4bwJ9Q
         QmPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1709248012; x=1709852812;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=aDSHqiXfNKpfl7COydQUrDyx9a3y4hCYnPwB57HeAq4=;
        b=IRDtVr//jMAmvOFmanq+a8NOqYbASB6Y8+tP6gdsFdvOqso4tiSl0/NntgAbNGeHKU
         WlVcykDFnvdUO16O7eNJkhLIosNy3X9uvsyouajHcZpxP7vdyTaB0ZQIgvNK0MauaKmK
         ieic4ASaUMEKUgTen/g6eqbhREgFNY88F2r9yoexWAjV+H3mcF6a9RhBHS4Fs6PiLME7
         p7h6SGHmbUAo03GJ2cDP2UCTucSYCl3UmZGh8vgqVUKcMUovLRL/BJkE5O5ZwZw7tNvw
         /YUWbW86w/pSs5dgOPzLbTwPbnVUmxQOBb5WkeXMhI4vV13KeMELfnMV3Dxc2PXduekp
         3BAQ==
X-Forwarded-Encrypted: i=1; AJvYcCUYvsflwWryxw1XcHxPsNBq5o/wQYCdreN8OwqVXJX7hmfMwHejJrpKMtA1nMmIIjJZR4kjfjuL6SCCkErgN/BRPRCVDWWm2hujxnXz
X-Gm-Message-State: AOJu0YyohJ1Z3dvI/1nnrdEir6SYuN3z7dnpVwITWOZWyhfTTgBU4rPI
	VDHsg39jkkqMaXma/sX0SPfusPSCMTkpZl4u2bZYVl22s+jK9mW8fJ548Q01MYvUyuTVhLBZuE7
	+PA==
X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37])
 (user=seanjc job=sendgmr) by 2002:a05:6a00:2d09:b0:6e5:4142:ea1c with SMTP id
 fa9-20020a056a002d0900b006e54142ea1cmr4589pfb.3.1709248012512; Thu, 29 Feb
 2024 15:06:52 -0800 (PST)
Date: Thu, 29 Feb 2024 15:06:51 -0800
In-Reply-To: <2237d6b1-1c90-4acd-99e9-f051556dd6ac@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20240228024147.41573-1-seanjc@google.com> <20240228024147.41573-9-seanjc@google.com>
 <2237d6b1-1c90-4acd-99e9-f051556dd6ac@intel.com>
Message-ID: <ZeEOC0mo8C4GL708@google.com>
Subject: Re: [PATCH 08/16] KVM: x86/mmu: WARN and skip MMIO cache on private,
 reserved page faults
From: Sean Christopherson <seanjc@google.com>
To: Kai Huang <kai.huang@intel.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, 
	Yan Zhao <yan.y.zhao@intel.com>, Isaku Yamahata <isaku.yamahata@intel.com>, 
	Michael Roth <michael.roth@amd.com>, Yu Zhang <yu.c.zhang@linux.intel.com>, 
	Chao Peng <chao.p.peng@linux.intel.com>, Fuad Tabba <tabba@google.com>, 
	David Matlack <dmatlack@google.com>
Content-Type: text/plain; charset="us-ascii"

On Fri, Mar 01, 2024, Kai Huang wrote:
> 
> 
> On 28/02/2024 3:41 pm, Sean Christopherson wrote:
> > WARN and skip the emulated MMIO fastpath if a private, reserved page fault
> > is encountered, as private+reserved should be an impossible combination
> > (KVM should never create an MMIO SPTE for a private access).
> > 
> > Signed-off-by: Sean Christopherson <seanjc@google.com>
> > ---
> >   arch/x86/kvm/mmu/mmu.c | 3 ++-
> >   1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
> > index bd342ebd0809..9206cfa58feb 100644
> > --- a/arch/x86/kvm/mmu/mmu.c
> > +++ b/arch/x86/kvm/mmu/mmu.c
> > @@ -5866,7 +5866,8 @@ int noinline kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 err
> >   		error_code |= PFERR_PRIVATE_ACCESS;
> >   	r = RET_PF_INVALID;
> > -	if (unlikely(error_code & PFERR_RSVD_MASK)) {
> > +	if (unlikely((error_code & PFERR_RSVD_MASK) &&
> > +		     !WARN_ON_ONCE(error_code & PFERR_PRIVATE_ACCESS))) {
> >   		r = handle_mmio_page_fault(vcpu, cr2_or_gpa, direct);
> >   		if (r == RET_PF_EMULATE)
> >   			goto emulate;
> 
> It seems this will make KVM continue to call kvm_mmu_do_page_fault() when
> such private+reserve error code actually happens (e.g., due to bug), because
> @r is still RET_PF_INVALID in such case.

Yep.

> Is it better to just return error, e.g., -EINVAL, and give up?

As long as there is no obvious/immediate danger to the host, no obvious way for
the "bad" behavior to cause data corruption for the guest, and continuing on has
a plausible chance of working, then KVM should generally try to continue on and
not terminate the VM.

E.g. in this case, KVM will just skip various fast paths because of the RSVD flag,
and treat the fault like a PRIVATE fault.  Hmm, but page_fault_handle_page_track()
would skip write tracking, which could theoretically cause data corruption, so I
guess arguably it would be safer to bail?

Anyone else have an opinion?  This type of bug should never escape development,
so I'm a-ok effectively killing the VM.  Unless someone has a good argument for
continuing on, I'll go with Kai's suggestion and squash this:

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index cedacb1b89c5..d796a162b2da 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -5892,8 +5892,10 @@ int noinline kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 err
                error_code |= PFERR_PRIVATE_ACCESS;
 
        r = RET_PF_INVALID;
-       if (unlikely((error_code & PFERR_RSVD_MASK) &&
-                    !WARN_ON_ONCE(error_code & PFERR_PRIVATE_ACCESS))) {
+       if (unlikely(error_code & PFERR_RSVD_MASK)) {
+               if (WARN_ON_ONCE(error_code & PFERR_PRIVATE_ACCESS))
+                       return -EFAULT;
+
                r = handle_mmio_page_fault(vcpu, cr2_or_gpa, direct);
                if (r == RET_PF_EMULATE)
                        goto emulate;