Date: Mon, 1 Apr 2024 15:29:38 -0700
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240309010929.1403984-1-seanjc@google.com>
    <20240309010929.1403984-6-seanjc@google.com>
Subject: Re: [PATCH 5/5] KVM: VMX: Always honor guest PAT on CPUs that support self-snoop
From: Sean Christopherson
To: Chao Gao
Cc: Paolo Bonzini, Lai Jiangshan, "Paul E. McKenney", Josh Triplett, kvm@vger.kernel.org, rcu@vger.kernel.org, linux-kernel@vger.kernel.org, Kevin Tian, Yan Zhao, Yiwei Zhang

On Mon, Mar 25, 2024, Chao Gao wrote:
> On Fri, Mar 08, 2024 at 05:09:29PM -0800, Sean Christopherson wrote:
> >Unconditionally honor guest PAT on CPUs that support self-snoop, as
> >Intel has confirmed that CPUs that support self-snoop always snoop caches
> >and store buffers. I.e. CPUs with self-snoop maintain cache coherency
> >even in the presence of aliased memtypes, thus there is no need to trust
> >the guest behaves and only honor PAT as a last resort, as KVM does today.
> >
> >Honoring guest PAT is desirable for use cases where the guest has access
> >to non-coherent DMA _without_ bouncing through VFIO, e.g. when a virtual
> >(mediated, for all intents and purposes) GPU is exposed to the guest, along
> >with buffers that are consumed directly by the physical GPU, i.e. which
> >can't be proxied by the host to ensure writes from the guest are performed
> >with the correct memory type for the GPU.

..

> > int kvm_tdp_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault) > >diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c > >index 17a8e4fdf9c4..5dc4c24ae203 100644 > >--- a/arch/x86/kvm/vmx/vmx.c > >+++ b/arch/x86/kvm/vmx/vmx.c
> >@@ -7605,11 +7605,13 @@ static u8 vmx_get_mt_mask(struct kvm_vcpu *vcpu, gfn_t gfn, bool is_mmio) > > > > /* > > * Force WB and ignore guest PAT if the VM does NOT have a non-coherent > >- * device attached. Letting the guest control memory types on Intel > >- * CPUs may result in unexpected behavior, and so KVM's ABI is to trust > >- * the guest to behave only as a last resort. > >+ * device attached and the CPU doesn't support self-snoop. Letting the > >+ * guest control memory types on Intel CPUs without self-snoop may > >+ * result in unexpected behavior, and so KVM's (historical) ABI is to > >+ * trust the guest to behave only as a last resort. > > */ > >- if (!kvm_arch_has_noncoherent_dma(vcpu->kvm)) > >+ if (!static_cpu_has(X86_FEATURE_SELFSNOOP) && > >+ !kvm_arch_has_noncoherent_dma(vcpu->kvm)) > > return (MTRR_TYPE_WRBACK << VMX_EPT_MT_EPTE_SHIFT) | VMX_EPT_IPAT_BIT;
>
> W/ this change, guests w/o pass-thru devices can also access UC memory. Locking
> UC memory leads to bus lock. So, guests w/o pass-thru devices can potentially
> launch DOS attacks on other CPUs on host. Isn't it a problem?

Guests can already trigger bus locks with atomic accesses that split cache lines.
And SPR adds bus lock detection. So practically speaking, I'm pretty sure ICX is
the only CPU where anything close to a novel attack is possible. And FWIW, such
an attack is already possible on AMD.
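Review bot: The rewritten comment in the vmx_get_mt_mask hunk justifies honoring guest PAT on self-snoop CPUs only in terms of coherency ("may result in unexpected behavior"), but the new condition `!static_cpu_has(X86_FEATURE_SELFSNOOP) && !kvm_arch_has_noncoherent_dma(vcpu->kvm)` also lets every guest on a self-snoop host, not just those with a non-coherent device, map memory as UC, which is exactly the bus-lock concern Chao Gao raises in this thread. Suggest stating in the comment or the commit message why that widened exposure is acceptable, using the reasoning given in the reply (split-cache-line atomics already allow a guest to trigger bus locks, and newer parts add bus lock detection), so the ABI change is deliberate and reviewable rather than implicit.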
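As an added example, not code from this patch or from the kernel, the following Python script performs the host-side check an operator would want after reading the exchange above: whether the host CPU self-snoops (so that, with this change, every guest's PAT is honored regardless of attached devices) and whether split-lock or bus-lock detection is present and enabled. It relies on the /proc/cpuinfo flag names `ss`, `split_lock_detect` and `bus_lock_detect` and on the `split_lock_detect=` kernel command-line parameter; the /proc contents embedded below are constructed so the script runs offline, and it reads the real files when they exist.

```python
"""Assess whether guest-controlled UC mappings are a new exposure on this host.

Added example, not code from the patch or the kernel. Flag names follow
/proc/cpuinfo ("ss" = self-snoop, "split_lock_detect", "bus_lock_detect")
and the split_lock_detect= kernel parameter; sample inputs are constructed.
"""

import re
from pathlib import Path

# Constructed sample standing in for /proc/cpuinfo on a self-snoop host that
# also reports split-lock and bus-lock detection.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Constructed sample CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm vmx split_lock_detect bus_lock_detect
"""

# Constructed sample standing in for /proc/cmdline.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 split_lock_detect=fatal\n"


def cpu_flags(cpuinfo_text):
    """Return the feature flags of the first processor entry as a set."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def split_lock_mode(cmdline_text):
    """Return the split_lock_detect= setting from the kernel command line.

    Documented values are off, warn, fatal and ratelimit:N; the documented
    default when the parameter is absent is warn.
    """
    m = re.search(r"(?:^|\s)split_lock_detect=(\S+)", cmdline_text)
    return m.group(1) if m else "warn"


def assess_host(cpuinfo_text, cmdline_text):
    """Combine the CPU flags and boot parameter into a posture summary."""
    flags = cpu_flags(cpuinfo_text)
    self_snoop = "ss" in flags
    sld = "split_lock_detect" in flags
    bld = "bus_lock_detect" in flags
    # split_lock_detect= governs both the split-lock and bus-lock detectors.
    detect_supported = sld or bld
    mode = split_lock_mode(cmdline_text) if detect_supported else "unsupported"

    if not self_snoop:
        verdict = ("no self-snoop: KVM keeps forcing WB unless a "
                   "non-coherent device is attached")
    elif detect_supported and mode != "off":
        verdict = "guest PAT honored; bus locks are detectable on this host"
    else:
        verdict = ("guest PAT honored and no bus-lock detection enabled: "
                   "only the pre-existing split-lock exposure applies")
    return {
        "self_snoop": self_snoop,
        "split_lock_detect": sld,
        "bus_lock_detect": bld,
        "split_lock_mode": mode,
        "verdict": verdict,
    }


def assess_live_host():
    """Run the assessment against the real /proc files when they exist."""
    cpuinfo = Path("/proc/cpuinfo")
    cmdline = Path("/proc/cmdline")
    if not (cpuinfo.exists() and cmdline.exists()):
        return None
    return assess_host(cpuinfo.read_text(), cmdline.read_text())


if __name__ == "__main__":
    # Prefer the live host; fall back to the constructed sample offline.
    result = assess_live_host() or assess_host(SAMPLE_CPUINFO, SAMPLE_CMDLINE)
    for key, value in result.items():
        print(f"{key:18} {value}")
```

The verdict mirrors the thread's argument: on a self-snoop host the patch makes guest PAT authoritative for all guests, so the operator's remaining lever is the split-lock/bus-lock detection setting rather than whether a device is passed through.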