From patchwork Sat Jul 29 00:51:55 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 12796
Date: Fri, 28 Jul 2023 17:51:55 -0700
Message-ID: <20230729005200.1057358-1-seanjc@google.com>
Subject: [PATCH v2 0/5] KVM: x86/mmu: Don't synthesize triple fault on bad root
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yu Zhang, Reima Ishii
Rework the handling of !visible guest root gfns to wait until the guest
actually tries to access memory before synthesizing a fault. KVM currently
just immediately synthesizes triple fault, which causes problems for nVMX
and nSVM as immediately injecting a fault causes KVM to try and forward the
fault to L1 (as a VM-Exit) before completing nested VM-Enter, e.g. if L1
runs L2 with a "bad" nested TDP root.

To get around the conundrum of not wanting to shadow garbage, load a dummy
root, backed by the zero page, into CR3/EPTP/nCR3, and then inject an
appropriate page fault when the guest (likely) hits a !PRESENT fault.

Note, KVM's behavior is still not strictly correct with respect to x86
architecture; the primary goal is purely to prevent triggering KVM's WARN
at will. No real world guest intentionally loads CR3 (or EPTP or nCR3) with
a GPA that points at MMIO and expects it to work (and KVM has a long and
storied history of punting on emulated MMIO corner cases).

I didn't Cc any of this for stable because syzkaller is really the only
thing that I expect to care, and the whole dummy root thing isn't exactly
risk free. If someone _really_ wants to squash the WARN in LTS kernels, the
way to do that would be to exempt triple fault shutdown VM-Exits from the
sanity checks in nVMX and nSVM, i.e. sweep the problem under the rug.

I have a KUT test for this that I'll post next week (I said that about v1
and then forgot).

v2:
 - Finish writing the changelog for patch 3. [Yu]
 - Use KVM_REQ_MMU_FREE_OBSOLETE_ROOTS instead of directly unloading all
   roots. [Yu]

v1: https://lore.kernel.org/all/20230722012350.2371049-1-seanjc@google.com

Sean Christopherson (5):
  KVM: x86/mmu: Add helper to convert root hpa to shadow page
  KVM: x86/mmu: Harden new PGD against roots without shadow pages
  KVM: x86/mmu: Harden TDP MMU iteration against root w/o shadow page
  KVM: x86/mmu: Disallow guest from using !visible slots for page tables
  KVM: x86/mmu: Use dummy root, backed by zero page, for !visible guest roots

 arch/x86/kvm/mmu/mmu.c          | 94 ++++++++++++++++++---------------
 arch/x86/kvm/mmu/mmu_internal.h | 10 ++++
 arch/x86/kvm/mmu/paging_tmpl.h  | 18 ++++++-
 arch/x86/kvm/mmu/spte.h         | 12 +++++
 arch/x86/kvm/mmu/tdp_iter.c     | 11 ++--
 arch/x86/kvm/mmu/tdp_mmu.c      |  2 +-
 6 files changed, 98 insertions(+), 49 deletions(-)

base-commit: fdf0eaf11452d72945af31804e2a1048ee1b574c