From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Xuanqing Shi <1356292400@qq.com>
Reply-To: Sean Christopherson
Subject: [PATCH v2] KVM: VMX: Handle bad values on proxied writes to LBR MSRs
Date: Tue, 26 May 2026 19:26:17 -0700
Message-ID: <20260527022617.3973884-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xuanqing Shi <1356292400@qq.com>

Use the "safe" WRMSR API when writing LBRs on behalf of the guest (or host
userspace), and propagate any errors back to the instigator, as the value
being written is untrusted.  E.g. if the guest (or host userspace) attempts
to set reserved bits in LBR_SELECT, then KVM needs to return an error, and
not WARN on the bad value.

Continue using the "unsafe" version of RDMSR, as it should be impossible to
reach the helper with a completely bogus MSR, i.e. WARNing on RDMSR failure
is very desirable, e.g. to make KVM bugs more visible.

  unchecked MSR access error: WRMSR to 0x1c8 (tried to write 0x0000000000004000)
  Call Trace:
   intel_pmu_set_msr+0x4e0/0x7f0 [kvm_intel]
   kvm_pmu_set_msr+0x17e/0x1c0 [kvm]
   kvm_set_msr_common+0xc76/0x1440 [kvm]
   vmx_set_msr+0x5e6/0x1570 [kvm_intel]
   kvm_emulate_wrmsr+0x54/0x1d0 [kvm]
   vmx_handle_exit+0x7fc/0x970 [kvm_intel]

Fixes: 1b5ac3226a1a ("KVM: vmx/pmu: Pass-through LBR msrs when the guest LBR event is ACTIVE")
Cc: stable@vger.kernel.org
Signed-off-by: Xuanqing Shi <1356292400@qq.com>
[sean: rework changelog, only modify WRMSR path, tag for stable@]
Signed-off-by: Sean Christopherson
---
v2:
 - Rework changelog to better capture the scenario.
 - Keep using the "unsafe" version of RDMSR.

v1: https://lore.kernel.org/all/tencent_744B87186CA59CFD106992329A6510F7F60A@qq.com

 arch/x86/kvm/vmx/pmu_intel.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
index 27eb76e6b6a0..22138c487216 100644
--- a/arch/x86/kvm/vmx/pmu_intel.c
+++ b/arch/x86/kvm/vmx/pmu_intel.c
@@ -308,13 +308,15 @@ static bool intel_pmu_handle_lbr_msrs_access(struct k= vm_vcpu *vcpu, */ local_irq_disable(); if (lbr_desc->event->state =3D=3D PERF_EVENT_STATE_ACTIVE) { + int err =3D 0; + if (read) rdmsrq(index, msr_info->data); else - wrmsrq(index, msr_info->data); + err =3D wrmsrq_safe(index, msr_info->data); __set_bit(INTEL_PMC_IDX_FIXED_VLBR, vcpu_to_pmu(vcpu)->pmc_in_use); local_irq_enable(); - return true; + return !err; } clear_bit(INTEL_PMC_IDX_FIXED_VLBR, vcpu_to_pmu(vcpu)->pmc_in_use); local_irq_enable(); base-commit: 9f2a49c511cb05b85745e1578e4fd425bff87f58 --=20 2.54.0.823.g6e5bcc1fc9-goog
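Review bot: on the failure path of `err = wrmsrq_safe(index, msr_info->data);` the helper still executes `__set_bit(INTEL_PMC_IDX_FIXED_VLBR, vcpu_to_pmu(vcpu)->pmc_in_use);` before reaching `return !err;`, so a rejected write is still accounted as an LBR access even though nothing landed in the MSR. That is probably fine, since the event is ACTIVE whether or not this particular value took, but it deserves a one-line comment above the `wrmsrq_safe()` call stating that the value is guest/userspace controlled and that a #GP here is expected input validation rather than a KVM bug; without it the next reader has to go back to the changelog to understand why this one write is "safe" while the `rdmsrq()` two lines above is not. The `int err = 0;` initialiser is required because the `if (read)` arm never assigns `err`, so keep it even if the read path is later reworked.

The contrast the changelog draws, as an added example that is not part of this patch or of KVM: a user-space model of the helper's write path before and after the change, fed the exact write from the splat (0x4000 to MSR 0x1c8). The writable-bit mask for LBR_SELECT (bits 0..9), the `-EIO` error code, and the "return 1 means reject the write" caller convention are assumptions of the model, stated in the comments; real hardware is what decides whether a write faults.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* MSR number taken from the splat in the changelog. The writable-bit mask
 * for LBR_SELECT is an assumption of this model (bits 0..9), not something
 * the patch states; the CPU, not this table, is the authority. */
#define MSR_LBR_SELECT          0x1c8u
#define LBR_SELECT_WRITABLE     0x3ffull

/* Model of the CPU: setting a reserved bit in LBR_SELECT raises #GP.
 * Every other MSR accepts any value in this toy. */
static int cpu_wrmsr(uint32_t msr, uint64_t val)
{
	if (msr == MSR_LBR_SELECT && (val & ~LBR_SELECT_WRITABLE))
		return -1;			/* #GP */
	return 0;
}

static int warn_count;	/* how often the "unsafe" path would have WARNed */

/* Model of wrmsrq(): the fault is swallowed by the kernel's fixup, which
 * WARNs with the "unchecked MSR access error" line and carries on. */
static void model_wrmsrq(uint32_t msr, uint64_t val)
{
	if (cpu_wrmsr(msr, val)) {
		warn_count++;
		fprintf(stderr,
			"unchecked MSR access error: WRMSR to 0x%x (tried to write 0x%016llx)\n",
			msr, (unsigned long long)val);
	}
}

/* Model of wrmsrq_safe(): the fault comes back to the caller as an error
 * code (-EIO is an assumption of this model). */
static int model_wrmsrq_safe(uint32_t msr, uint64_t val)
{
	return cpu_wrmsr(msr, val) ? -EIO : 0;
}

/* Before the patch: the untrusted value is written unchecked and the
 * helper reports success no matter what happened. */
static bool lbr_write_before(uint32_t msr, uint64_t val)
{
	model_wrmsrq(msr, val);
	return true;
}

/* After the patch: the helper mirrors "err = wrmsrq_safe(...); return !err;"
 * so the caller learns that the write was rejected. */
static bool lbr_write_after(uint32_t msr, uint64_t val)
{
	int err = model_wrmsrq_safe(msr, val);

	return !err;
}

/* Model of the set_msr caller: 0 = accepted, 1 = reject the write. Mapping
 * "reject" onto injecting #GP into the guest is the model's assumption. */
static int set_msr_after(uint32_t msr, uint64_t val)
{
	return lbr_write_after(msr, val) ? 0 : 1;
}

int main(void)
{
	/* The exact write from the splat: bit 14 of LBR_SELECT, a reserved bit. */
	uint64_t bad = 0x4000, good = 0x1;

	printf("before: ok=%d warns=%d\n",
	       lbr_write_before(MSR_LBR_SELECT, bad), warn_count);
	printf("after:  ok=%d reject=%d warns=%d\n",
	       lbr_write_after(MSR_LBR_SELECT, bad),
	       set_msr_after(MSR_LBR_SELECT, bad), warn_count);
	printf("after:  ok=%d for 0x%llx\n",
	       lbr_write_after(MSR_LBR_SELECT, good), (unsigned long long)good);
	return 0;
}
```

The point of running both paths on the same input is the difference in who sees the error: the unsafe path turns guest-controlled input into a host-side WARN (and a log line anyone with a guest can trigger at will), while the safe path keeps the host silent and hands the failure back to whoever issued the write.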