From nobody Wed Nov 27 15:32:26 2024
Reply-To: Sean Christopherson
Date: Wed, 9 Oct 2024 10:50:00 -0700
In-Reply-To: <20241009175002.1118178-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20241009175002.1118178-1-seanjc@google.com>
X-Mailer: git-send-email 2.47.0.rc1.288.g06298d1525-goog
Message-ID: <20241009175002.1118178-3-seanjc@google.com>
Subject: [PATCH v4 2/4] KVM: VMX: reset the segment cache after segment init in vmx_vcpu_reset()
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Maxim Levitsky
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Maxim Levitsky

Reset the segment cache after segment initialization in vmx_vcpu_reset()
to harden KVM against caching stale/uninitialized data. Without the recent
fix to bypass the cache in kvm_arch_vcpu_put(), the following scenario is
possible:

  - vCPU is just created, and the vCPU thread is preempted before
    SS.AR_BYTES is written in vmx_vcpu_reset().

  - When scheduling out the vCPU task, kvm_arch_vcpu_in_kernel() =>
    vmx_get_cpl() reads and caches '0' for SS.AR_BYTES.

  - vmx_vcpu_reset() => seg_setup() configures SS.AR_BYTES, but doesn't
    invoke vmx_segment_cache_clear() to invalidate the cache.

As a result, KVM retains a stale value in the cache, which can be read,
e.g. via KVM_GET_SREGS. Usually this is not a problem because the VMX
segment cache is reset on each VM-Exit, but if the userspace VMM (e.g. KVM
selftests) reads and writes system registers just after the vCPU was
created, _without_ modifying SS.AR_BYTES, userspace will write back the
stale '0' value and ultimately will trigger a VM-Entry failure due to
incorrect SS segment type.

Invalidating the cache after writing the VMCS doesn't address the general
issue of cache accesses from IRQ context being unsafe, but it does prevent
KVM from clobbering the VMCS, i.e. mitigates the harm done _if_ KVM has a
bug that results in an unsafe cache access.
Signed-off-by: Maxim Levitsky Fixes: 2fb92db1ec08 ("KVM: VMX: Cache vmcs segment fields") [sean: rework changelog to account for previous patch] Signed-off-by: Sean Christopherson --- arch/x86/kvm/vmx/vmx.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 12dd7009efbe..a11faab67b4a 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -4901,9 +4901,6 @@ void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_= event) vmx->hv_deadline_tsc =3D -1; kvm_set_cr8(vcpu, 0); =20 - vmx_segment_cache_clear(vmx); - kvm_register_mark_available(vcpu, VCPU_EXREG_SEGMENTS); - seg_setup(VCPU_SREG_CS); vmcs_write16(GUEST_CS_SELECTOR, 0xf000); vmcs_writel(GUEST_CS_BASE, 0xffff0000ul); @@ -4930,6 +4927,9 @@ void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_= event) vmcs_writel(GUEST_IDTR_BASE, 0); vmcs_write32(GUEST_IDTR_LIMIT, 0xffff); =20 + vmx_segment_cache_clear(vmx); + kvm_register_mark_available(vcpu, VCPU_EXREG_SEGMENTS); + vmcs_write32(GUEST_ACTIVITY_STATE, GUEST_ACTIVITY_ACTIVE); vmcs_write32(GUEST_INTERRUPTIBILITY_INFO, 0); vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS, 0); --=20 2.47.0.rc1.288.g06298d1525-goog
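Review bot: in the first hunk (@@ -4901,9 +4901,6 @@), the changelog should say explicitly why dropping the leading vmx_segment_cache_clear() / kvm_register_mark_available(vcpu, VCPU_EXREG_SEGMENTS) pair loses nothing: a clear placed before seg_setup(VCPU_SREG_CS) and the GUEST_CS_SELECTOR / GUEST_CS_BASE writes cannot protect against the scenario described (a read between that clear and the last segment write simply re-populates the cache with partially initialized data), so the only clear that matters is the one after the final segment write. Without that sentence a reader comparing the two hunks may read the removal as a reduction in coverage rather than as a relocation of the single effective invalidation.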
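Review bot: in the second hunk (@@ -4930,6 +4927,9 @@), the relocated vmx_segment_cache_clear() and kvm_register_mark_available(vcpu, VCPU_EXREG_SEGMENTS) carry no comment recording that they must remain below every segment-field write (the seg_setup() calls and the GUEST_*_SELECTOR / BASE / LIMIT writes ending with GUEST_IDTR_LIMIT). The writes that follow them, GUEST_ACTIVITY_STATE, GUEST_INTERRUPTIBILITY_INFO and GUEST_PENDING_DBG_EXCEPTIONS, are not segment fields, so the placement is correct today, but a future change that inserts another segment write after the clear would silently reintroduce the stale-cache problem this patch addresses. Suggest a one-line comment at the new location, e.g. `/* Invalidate the segment cache only after all segment fields are written. */`.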