Reply-To: Sean Christopherson
Date: Fri, 21 Jul 2023 15:43:36 -0700
In-Reply-To: <20230721224337.2335137-1-seanjc@google.com>
References: <20230721224337.2335137-1-seanjc@google.com>
Message-ID: <20230721224337.2335137-2-seanjc@google.com>
Subject: [PATCH 1/2] KVM: x86: Acquire SRCU read lock when handling fastpath MSR writes
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Greg Thelen, Aaron Lewis

Temporarily acquire kvm->srcu for read when potentially emulating WRMSR in
the VM-Exit fastpath handler, as several of the common helpers used during
emulation expect the caller to provide SRCU protection.  E.g. if the guest
is counting instructions retired, KVM will query the PMU event filter when
stepping over the WRMSR.

  dump_stack+0x85/0xdf
  lockdep_rcu_suspicious+0x109/0x120
  pmc_event_is_allowed+0x165/0x170
  kvm_pmu_trigger_event+0xa5/0x190
  handle_fastpath_set_msr_irqoff+0xca/0x1e0
  svm_vcpu_run+0x5c3/0x7b0 [kvm_amd]
  vcpu_enter_guest+0x2108/0x2580

Alternatively, check_pmu_event_filter() could acquire kvm->srcu, but this
isn't the first bug of this nature, e.g. see commit 5c30e8101e8d ("KVM: SVM:
Skip WRMSR fastpath on VM-Exit if next RIP isn't valid").  Providing
protection for the entirety of WRMSR emulation will allow reverting the
aforementioned commit, and will avoid having to play whack-a-mole when new
uses of SRCU-protected structures are inevitably added in common emulation
helpers.

Fixes: dfdeda67ea2d ("KVM: x86/pmu: Prevent the PMU from counting disallowed events")
Reported-by: Greg Thelen
Reported-by: Aaron Lewis
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/x86.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index a6b9bea62fb8..8c073a4af484 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2172,6 +2172,8 @@ fastpath_t handle_fastpath_set_msr_irqoff(struct kvm_=
vcpu *vcpu)
 	u64 data;
 	fastpath_t ret =3D EXIT_FASTPATH_NONE;
=20
+	kvm_vcpu_srcu_read_lock(vcpu);
+
 	switch (msr) {
 	case APIC_BASE_MSR + (APIC_ICR >> 4):
 		data =3D kvm_read_edx_eax(vcpu);
@@ -2194,6 +2196,8 @@ fastpath_t handle_fastpath_set_msr_irqoff(struct kvm_=
vcpu *vcpu)
 	if (ret !=3D EXIT_FASTPATH_NONE)
 		trace_kvm_msr_write(msr, data);
=20
+	kvm_vcpu_srcu_read_unlock(vcpu);
+
 	return ret;
 }
 EXPORT_SYMBOL_GPL(handle_fastpath_set_msr_irqoff);
--=20
2.41.0.487.g6d72f3e995-goog
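Review bot: in the first hunk (line 2172 onward) kvm_vcpu_srcu_read_lock(vcpu) is taken before the switch, but the matching kvm_vcpu_srcu_read_unlock(vcpu) only appears at the bottom of the function in the second hunk, and the body between the two hunks (roughly lines 2180 to 2194 of x86.c) is not shown here; please confirm there is no early `return` in that range, because any such path would now carry the SRCU read side across the VM-Enter and into the next VM-Exit. The lockdep splat in the commit message shows the call chain vcpu_enter_guest() -> svm_vcpu_run() -> handle_fastpath_set_msr_irqoff(), i.e. this runs in the window where vcpu_enter_guest() is not itself holding kvm->srcu, and the per-vCPU lock/unlock helpers assume a single outstanding read side on the vCPU, so a one-line comment at the lock site stating that the fastpath is the only reader here would save the next person from having to rediscover that.

Review bot: in the second hunk the new kvm_vcpu_srcu_read_unlock(vcpu) lands after trace_kvm_msr_write(), so the tracepoint is also inside the SRCU critical section; that is harmless, but the lock/unlock pair comes with no comment saying what it protects (memslot dereferences while skipping the instruction and the PMU event filter lookup in pmc_event_is_allowed() named in the trace), and patch 2/2 deletes the only comment in svm.c that mentioned the SRCU requirement at all. Suggest a comment above `kvm_vcpu_srcu_read_lock(vcpu);` along the lines of `/* Emulation helpers may dereference memslots and the PMU filter. */` so the reason survives the revert.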
Reply-To: Sean Christopherson
Date: Fri, 21 Jul 2023 15:43:37 -0700
In-Reply-To: <20230721224337.2335137-1-seanjc@google.com>
References: <20230721224337.2335137-1-seanjc@google.com>
Message-ID: <20230721224337.2335137-3-seanjc@google.com>
Subject: [PATCH 2/2] Revert "KVM: SVM: Skip WRMSR fastpath on VM-Exit if next RIP isn't valid"
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Greg Thelen, Aaron Lewis

Now that handle_fastpath_set_msr_irqoff() acquires kvm->srcu, i.e. allows
dereferencing memslots during WRMSR emulation, drop the requirement that
"next RIP" is valid.  In hindsight, acquiring kvm->srcu would have been a
better fix than avoiding the fastpath, but at the time it was thought that
accessing SRCU-protected data in the fastpath was a one-off edge case.

This reverts commit 5c30e8101e8d5d020b1d7119117889756a6ed713.

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/svm.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index d381ad424554..cea08e5fa69b 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -3986,14 +3986,8 @@ static int svm_vcpu_pre_run(struct kvm_vcpu *vcpu)
=20
 static fastpath_t svm_exit_handlers_fastpath(struct kvm_vcpu *vcpu)
 {
-	struct vmcb_control_area *control =3D &to_svm(vcpu)->vmcb->control;
-
-	/*
-	 * Note, the next RIP must be provided as SRCU isn't held, i.e. KVM
-	 * can't read guest memory (dereference memslots) to decode the WRMSR.
-	 */
-	if (control->exit_code =3D=3D SVM_EXIT_MSR && control->exit_info_1 &&
-	    nrips && control->next_rip)
+	if (to_svm(vcpu)->vmcb->control.exit_code =3D=3D SVM_EXIT_MSR &&
+	    to_svm(vcpu)->vmcb->control.exit_info_1)
 		return handle_fastpath_set_msr_irqoff(vcpu);
=20
 	return EXIT_FASTPATH_NONE;
--=20
2.41.0.487.g6d72f3e995-goog
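Review bot: the replacement condition in svm_exit_handlers_fastpath() dereferences to_svm(vcpu)->vmcb->control twice where the deleted code used a single `control` local; a pure revert is fine, but keeping `struct vmcb_control_area *control = &to_svm(vcpu)->vmcb->control;` and testing `control->exit_code == SVM_EXIT_MSR && control->exit_info_1` reads better and matches the rest of svm.c. On substance, dropping `nrips && control->next_rip` means that on hardware without NRIPS, or whenever next_rip is zero, the fastpath now has to decode the WRMSR by fetching it from guest memory with IRQs still disabled, which is exactly what the deleted comment was guarding against; the commit message should state that this trade-off (taking the fastpath more often at the cost of an instruction fetch under irqoff) is intended, and the deleted comment's reasoning about why kvm->srcu must be held should be preserved at the lock site in handle_fastpath_set_msr_irqoff(), since after this revert nothing in the tree explains it.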