From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Chao Gao, Borislav Petkov, Xin Li, Dapeng Mi, Francesco Lavra, Manali Shukla
Reply-To: Sean Christopherson
Date: Tue, 10 Jun 2025 15:57:11 -0700
Subject: [PATCH v2 06/32] KVM: SVM: Kill the VM instead of the host if MSR interception is buggy
Message-ID: <20250610225737.156318-7-seanjc@google.com>
In-Reply-To: <20250610225737.156318-1-seanjc@google.com>
References: <20250610225737.156318-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

WARN and kill the VM instead of panicking the host if KVM attempts to set or query MSR interception for an unsupported MSR. Accessing the MSR interception bitmaps only meaningfully affects post-VMRUN behavior, and KVM_BUG_ON() is guaranteed to prevent the current vCPU from doing VMRUN, i.e. there is no need to panic the entire host.

Opportunistically move the sanity checks above their use to index into the MSRPM, e.g. so that bugs only WARN and terminate the VM, as opposed to doing that _and_ generating an out-of-bounds load.

Signed-off-by: Sean Christopherson
Reviewed-by: Dapeng Mi
---
arch/x86/kvm/svm/svm.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index c75977ca600b..7e39b9df61f1 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -824,11 +824,12 @@ static bool msr_write_intercepted(struct kvm_vcpu *vc= pu, u32 msr) to_svm(vcpu)->msrpm; =20 offset =3D svm_msrpm_offset(msr); + if (KVM_BUG_ON(offset =3D=3D MSR_INVALID, vcpu->kvm)) + return false; + bit_write =3D 2 * (msr & 0x0f) + 1; tmp =3D msrpm[offset]; =20 - BUG_ON(offset =3D=3D MSR_INVALID); - return test_bit(bit_write, &tmp); } =20 
@@ -854,12 +855,13 @@ static void set_msr_interception_bitmap(struct kvm_vc= pu *vcpu, u32 *msrpm, write =3D 0; =20 offset =3D svm_msrpm_offset(msr); + if (KVM_BUG_ON(offset =3D=3D MSR_INVALID, vcpu->kvm)) + return; + bit_read =3D 2 * (msr & 0x0f); bit_write =3D 2 * (msr & 0x0f) + 1; tmp =3D msrpm[offset]; =20 - BUG_ON(offset =3D=3D MSR_INVALID); - read ? clear_bit(bit_read, &tmp) : set_bit(bit_read, &tmp); write ? clear_bit(bit_write, &tmp) : set_bit(bit_write, &tmp); =20 --=20 2.50.0.rc0.642.g800a2b2222-goog
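Review bot: in the msr_write_intercepted() hunk, the new `return false` after KVM_BUG_ON() reports the MSR as "not intercepted", which is the fail-open answer; the commit message explains why that is harmless (KVM_BUG_ON() stops the vCPU from reaching VMRUN), but a one-line comment above the `return false;` saying the value is immaterial once the VM is marked bugged would keep a later reader from "correcting" it to `true`. The placement itself is right: the check now sits between `offset =3D svm_msrpm_offset(msr);` and `tmp =3D msrpm[offset];`, so the out-of-bounds load that the old `BUG_ON(offset =3D=3D MSR_INVALID);` (which ran after the load) could not prevent is no longer reachable.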
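Review bot: in the set_msr_interception_bitmap() hunk, the early `return;` leaves the MSRPM entry untouched without signalling anything to the caller, so a caller that expected to tighten interception on a bogus MSR gets no update; that is acceptable only because KVM_BUG_ON() has already flagged the VM as dead, and a short comment stating so would make the intent explicit. The ordering mirrors the first hunk correctly: the check now precedes both the `bit_read`/`bit_write` computation and the `tmp =3D msrpm[offset];` load, and the `msr & 0x0f` bit arithmetic is unchanged, so behaviour for valid MSRs is identical to before.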