Received: by 2002:a05:6500:2018:b0:1fb:9675:f89d with SMTP id t24csp315379lqh; Fri, 31 May 2024 02:05:23 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUf6xwAcyc0Hrt/JRVXysSmz8FWD1JKudXCEahTqPM8P6oquaspWKfrseEVwIaz3pTm1fVsuGbCCXc5NqQD/FtzJ+CwXT1iT+wna/MFrQ== X-Google-Smtp-Source: AGHT+IFzcM05P6y8DesuoHCqjplxHk7q6tO1hW6jAJHm0zdu/pzbcyjy+d+XV82DtllJiqaayJdp X-Received: by 2002:a05:6870:a54a:b0:250:8769:4d5c with SMTP id 586e51a60fabf-2508bc397c8mr1555370fac.53.1717146322774; Fri, 31 May 2024 02:05:22 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717146322; cv=pass; d=google.com; s=arc-20160816; b=mfYA3iEHJPwdqcuHdScMAm28gghXhu10JABq1plqu6/U+qzPhjCg31WIMiuEZRRZKe 0Bd1jCThNw7XkMNRh/LKBahru9qZlZLCtrrqzlcCRD/lJ5tmWZrMIlaw/UZ1XmMQVi1G QjMDaHMXwvIgUQcUeOOpmtKGQkS6hs84U5rYRNjmM0fLKXUJvYPpP0xmozh4HqhFfdqm dlpCPnNKw2fLvsPqnDR0SIvJsLvsF74OV0MUAE/W1eSUKJjxtcBzi9HqIEF3XQMF4qGm KyIulAegbNcx/pXN7vA8boqOWmJn3vi86HKgrhJI7f8u26GTyZVe5/FTo3wLeGszAPQR 0niw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=5EumqFv+pORtW8tG5KjTFO/uu5xcbi/qRw7sSk1Xlic=; fh=Gn6Ez/vek/7HLDCldfJO6ZTL66KrN3FVnJllppYsp0Q=; b=RBSwbmXMmdUA9q/X+DukHvYFNW/8AQVQOVQWWvA2w7rEZfIU2n6TNMx/fwFZUuhatQ zD2dFKc3h6w8PXJ5Z7eS4o3+oESxldzZVzMlmMa3xte68ezUxksvYUaYasFAwh6InNmy bbQVb/aivpCSyfNj2iOMVwykoA91gYWXTMNqOnOLCtkBfXa2u77zJPEA7DKlxSXy/QHM Epw2y4JDJsDVaJudVpruykfrL0WEB8Llw/Ykd9K70sDT3EfIPSAqvAbICykcb6WrGL3S Fgjh4ZGg6LNtbqQULIOC03fdnTTMglJIJqklmfORJjhaOWFPG5uuCF1/T7DKBIBb4hbk m+8w==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=US9HditZ; arc=pass (i=1 spf=pass spfdomain=intel.com dkim=pass dkdomain=intel.com dmarc=pass fromdomain=intel.com); spf=pass (google.com: domain of linux-kernel+bounces-196533-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-196533-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id d2e1a72fcca58-702497dbb65si799570b3a.291.2024.05.31.02.05.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 31 May 2024 02:05:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-196533-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=US9HditZ; arc=pass (i=1 spf=pass spfdomain=intel.com dkim=pass dkdomain=intel.com dmarc=pass fromdomain=intel.com); spf=pass (google.com: domain of linux-kernel+bounces-196533-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-196533-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 5F4A8288D10 for ; Fri, 31 May 2024 09:05:22 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id DC304156C7C; Fri, 31 May 2024 09:04:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="US9HditZ" Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2514E156674; Fri, 31 May 2024 09:04:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.15 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717146242; cv=none; b=WY4+MmvceVFtbegas/cgarvK0BD4rRD4xPVGM1g42ZP+OaFWAm37vH96bWu3KXpyk0vl3Nep+ibLf4cV5xjEffY0iiXoW3Pwryx4h3n0OCug6UXPfkBbOvfHGvvVTbO+Gt6QNTrqaoJO6ACOVtLyRKCcrMDciLP+pa+ELFtGFc4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717146242; c=relaxed/simple; bh=6z2KeHN5Uj3V2GX6S/+U9oo8mWQvlMrTx1zKOKi30K0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=OgcxvkQLoFIP7t0djuzUa3Dpbbry664i5IOY1AC1bTSk/tHspqnpH0b1qNvBmgiY1kLU7NOc4cW0RWPQ73K13hLUB94vK0jhRY5FrsJ2yQ5dWZR/ugS1E/7Z59hLbaVa3+QsEXNW/SOIJaXhD58XjjoDwUoeDz8jOdC+guhHe+8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=US9HditZ; arc=none smtp.client-ip=198.175.65.15 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1717146241; x=1748682241; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=6z2KeHN5Uj3V2GX6S/+U9oo8mWQvlMrTx1zKOKi30K0=; b=US9HditZeZhB5iKvjI4/s4gTWObqyVx252pojpeA08gbBgAFtT83L+fS aFd7r7ovlfYMCuub6qqRTzsD3dFFTSTv3QjnUEt0J1/Cju2cDWTdDSD7X bCxnbQmBdVAGOshpzTwLp+P5Hq8cXn4dzBBJ01gQGfFUu+HnUP6E0CsO7 lBbn3deDfqwQSgvzFGRkD5N43wb/54s0cfuafvnAAcTy/c1CCJSz76jUe o6k10j78Uei/EFFdjLxoKuvi/l3Dks+ZW5sXzyK3oQ/sS/jvkpGVsg/oD fF7AKPK4PFbvuEi9rcbs/sV3Txx3CMtrkRA1CaMjaZayf677aDrbnyAlg w==; X-CSE-ConnectionGUID: KbfTv4neTZGOcFlVQ4CduQ== X-CSE-MsgGUID: EtNFWPIaSmyaHDHBYhRx0g== X-IronPort-AV: E=McAfee;i="6600,9927,11088"; a="17480583" X-IronPort-AV: E=Sophos;i="6.08,203,1712646000"; d="scan'208";a="17480583" Received: from fmviesa008.fm.intel.com ([10.60.135.148]) by orvoesa107.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 May 2024 02:03:59 -0700 X-CSE-ConnectionGUID: w2604bKRTNOluHRULva0Pg== X-CSE-MsgGUID: 8wCcf+i/TtyE8BwGGqWXFA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.08,203,1712646000"; d="scan'208";a="36102735" Received: from jf.jf.intel.com ([10.165.9.183]) by fmviesa008-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 May 2024 02:03:59 -0700 From: Yang Weijiang To: tglx@linutronix.de, dave.hansen@intel.com, x86@kernel.org, seanjc@google.com, pbonzini@redhat.com, linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: peterz@infradead.org, chao.gao@intel.com, rick.p.edgecombe@intel.com, mlevitsk@redhat.com, weijiang.yang@intel.com, john.allen@amd.com Subject: [PATCH 1/6] x86/fpu/xstate: Always preserve non-user xfeatures/flags in __state_perm Date: Fri, 31 May 2024 02:03:26 -0700 Message-ID: <20240531090331.13713-2-weijiang.yang@intel.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240531090331.13713-1-weijiang.yang@intel.com> References: <20240531090331.13713-1-weijiang.yang@intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Sean Christopherson When granting userspace or a KVM guest access to an xfeature, preserve the entity's existing supervisor and software-defined permissions as tracked by __state_perm, i.e. use __state_perm to track *all* permissions even though all supported supervisor xfeatures are granted to all FPUs and FPU_GUEST_PERM_LOCKED disallows changing permissions. Effectively clobbering supervisor permissions results in inconsistent behavior, as xstate_get_group_perm() will report supervisor features for process that do NOT request access to dynamic user xfeatures, whereas any and all supervisor features will be absent from the set of permissions for any process that is granted access to one or more dynamic xfeatures (which right now means AMX). The inconsistency isn't problematic because fpu_xstate_prctl() already strips out everything except user xfeatures: case ARCH_GET_XCOMP_PERM: /* * Lockless snapshot as it can also change right after the * dropping the lock. */ permitted = xstate_get_host_group_perm(); permitted &= XFEATURE_MASK_USER_SUPPORTED; return put_user(permitted, uptr); case ARCH_GET_XCOMP_GUEST_PERM: permitted = xstate_get_guest_group_perm(); permitted &= XFEATURE_MASK_USER_SUPPORTED; return put_user(permitted, uptr); and similarly KVM doesn't apply the __state_perm to supervisor states (kvm_get_filtered_xcr0() incorporates xstate_get_guest_group_perm()): case 0xd: { u64 permitted_xcr0 = kvm_get_filtered_xcr0(); u64 permitted_xss = kvm_caps.supported_xss; But if KVM in particular were to ever change, dropping supervisor permissions would result in subtle bugs in KVM's reporting of supported CPUID settings. And the above behavior also means that having supervisor xfeatures in __state_perm is correctly handled by all users. Dropping supervisor permissions also creates another landmine for KVM. If more dynamic user xfeatures are ever added, requesting access to multiple xfeatures in separate ARCH_REQ_XCOMP_GUEST_PERM calls will result in the second invocation of __xstate_request_perm() computing the wrong ksize, as as the mask passed to xstate_calculate_size() would not contain *any* supervisor features. Commit 781c64bfcb73 ("x86/fpu/xstate: Handle supervisor states in XSTATE permissions") fudged around the size issue for userspace FPUs, but for reasons unknown skipped guest FPUs. Lack of a fix for KVM "works" only because KVM doesn't yet support virtualizing features that have supervisor xfeatures, i.e. as of today, KVM guest FPUs will never need the relevant xfeatures. Simply extending the hack-a-fix for guests would temporarily solve the ksize issue, but wouldn't address the inconsistency issue and would leave another lurking pitfall for KVM. KVM support for virtualizing CET will likely add CET_KERNEL as a guest-only xfeature, i.e. CET_KERNEL will not be set in xfeatures_mask_supervisor() and would again be dropped when granting access to dynamic xfeatures. Note, the existing clobbering behavior is rather subtle. The @permitted parameter to __xstate_request_perm() comes from: permitted = xstate_get_group_perm(guest); which is either fpu->guest_perm.__state_perm or fpu->perm.__state_perm, where __state_perm is initialized to: fpu->perm.__state_perm = fpu_kernel_cfg.default_features; and copied to the guest side of things: /* Same defaults for guests */ fpu->guest_perm = fpu->perm; fpu_kernel_cfg.default_features contains everything except the dynamic xfeatures, i.e. everything except XFEATURE_MASK_XTILE_DATA: fpu_kernel_cfg.default_features = fpu_kernel_cfg.max_features; fpu_kernel_cfg.default_features &= ~XFEATURE_MASK_USER_DYNAMIC; When __xstate_request_perm() restricts the local "mask" variable to compute the user state size: mask &= XFEATURE_MASK_USER_SUPPORTED; usize = xstate_calculate_size(mask, false); it subtly overwrites the target __state_perm with "mask" containing only user xfeatures: perm = guest ? &fpu->guest_perm : &fpu->perm; /* Pairs with the READ_ONCE() in xstate_get_group_perm() */ WRITE_ONCE(perm->__state_perm, mask); Cc: Maxim Levitsky Cc: Weijiang Yang Cc: Dave Hansen Cc: Paolo Bonzini Cc: Peter Zijlstra Cc: Chao Gao Cc: Rick Edgecombe Cc: John Allen Cc: kvm@vger.kernel.org Link: https://lore.kernel.org/all/ZTqgzZl-reO1m01I@google.com Signed-off-by: Sean Christopherson Signed-off-by: Yang Weijiang Reviewed-by: Maxim Levitsky Reviewed-by: Rick Edgecombe --- arch/x86/kernel/fpu/xstate.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c index c5a026fee5e0..bc66183c7df2 100644 --- a/arch/x86/kernel/fpu/xstate.c +++ b/arch/x86/kernel/fpu/xstate.c @@ -1603,16 +1603,20 @@ static int __xstate_request_perm(u64 permitted, u64 requested, bool guest) if ((permitted & requested) == requested) return 0; - /* Calculate the resulting kernel state size */ + /* + * Calculate the resulting kernel state size. Note, @permitted also + * contains supervisor xfeatures even though supervisor are always + * permitted for kernel and guest FPUs, and never permitted for user + * FPUs. + */ mask = permitted | requested; - /* Take supervisor states into account on the host */ - if (!guest) - mask |= xfeatures_mask_supervisor(); ksize = xstate_calculate_size(mask, compacted); - /* Calculate the resulting user state size */ - mask &= XFEATURE_MASK_USER_SUPPORTED; - usize = xstate_calculate_size(mask, false); + /* + * Calculate the resulting user state size. Take care not to clobber + * the supervisor xfeatures in the new mask! + */ + usize = xstate_calculate_size(mask & XFEATURE_MASK_USER_SUPPORTED, false); if (!guest) { ret = validate_sigaltstack(usize); -- 2.43.0