From patchwork Thu May 11 23:59:14 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Christopherson <seanjc@google.com>
X-Patchwork-Id: 92888
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp4744763vqo;
        Thu, 11 May 2023 17:00:56 -0700 (PDT)
X-Google-Smtp-Source: 
 ACHHUZ54srXpnLsRESBqC5ho8XKGCS3jCI+xQd8wi5UfDOBwobFeFeE6wQt9Jf9vefGdi8P5OWSc
X-Received: by 2002:a05:6a20:12c9:b0:100:ccb8:91fd with SMTP id
 v9-20020a056a2012c900b00100ccb891fdmr17965927pzg.22.1683849655683;
        Thu, 11 May 2023 17:00:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1683849655; cv=none;
        d=google.com; s=arc-20160816;
        b=KwIEJUDm+5Mcm/WQAfvvFNCSddw2LcyHhUc/uCoB1pYuLfdRfaBDSzxrrsrrLPgsP+
         f4xYc6EOr1AR5yoI45EPUX7NHc4Kmp3EGKbjajeaGsQX9B3ljAaruBPu+39QPGB3emqp
         V0PN/+JVlNcmT3zmrBc+HOekUhWfI5pttKSPZ+uuagtj3RSr/kFZNoLflhtPb10SXxE4
         DqmIV67FSSKy63hrLI6mdlReTlXBV1NJAKUujUzBT/7MQAvrqbTF5FeofJaUK1cQ+afd
         dIW8ikdq09e6UnHB+TNRCHhr3wkohuFDCHW7uwXkIyb/2B+ND0NPd246Jtred80Fq7/R
         h7Aw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:cc:to:from:subject:message-id:references
         :mime-version:in-reply-to:date:reply-to:dkim-signature;
        bh=YnFuIzqD1/t6APimZk0lC1MpBWigrgfjZSdse0VQg8E=;
        b=RVskD6QIyPjSvl2lbHq4bq95oQTmnpewAurSgi61uEU1QfbH+QrCpEi0AGxX51XAhY
         CFQMcPBh2Du0S1wt0EnkGvAj4hML41lQDVvr9C4U1dMkQPgcdUhwikPMGQr9qPM+KfLg
         QtOhJ3xoLdNgtTiZG8BrdVjY1v2DKenC3GZdgiJriKrl1hF7E1vZsQ/KnY2YnmvxAFLb
         z9OSZHwxf5whvrRZt4J1/dK2f3q3vCG4fZO1p1KsODGUzfoRKsq9NrQH+OCjVM5ViHOC
         a+R2oAzHfo4VZN8d27BULKPa20cyEyT3bDCom6WJgFDPVO3EGycSFTTdejKIgVZVO9uS
         XB7g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20221208 header.b=m6BIqiWH;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 r5-20020a632b05000000b00524f08e1fdbsi7983632pgr.813.2023.05.11.17.00.40;
        Thu, 11 May 2023 17:00:55 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20221208 header.b=m6BIqiWH;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239663AbjEKX7p (ORCPT <rfc822;peekingduck44@gmail.com>
        + 99 others); Thu, 11 May 2023 19:59:45 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53380 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S239660AbjEKX7h (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 11 May 2023 19:59:37 -0400
Received: from mail-pl1-x64a.google.com (mail-pl1-x64a.google.com
 [IPv6:2607:f8b0:4864:20::64a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5ADC861AF
        for <linux-kernel@vger.kernel.org>;
 Thu, 11 May 2023 16:59:30 -0700 (PDT)
Received: by mail-pl1-x64a.google.com with SMTP id
 d9443c01a7336-1ac375503deso92185225ad.3
        for <linux-kernel@vger.kernel.org>;
 Thu, 11 May 2023 16:59:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20221208; t=1683849570; x=1686441570;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=YnFuIzqD1/t6APimZk0lC1MpBWigrgfjZSdse0VQg8E=;
        b=m6BIqiWHUNnwH9ZX1auPqN8qbYxGdaQTvKaKyZWwmYcUSvHMgc/cPcnsQG+xCbXjby
         uFO0RSxKkpl/MG8aAsVdgDpTocb2yEDzuEuAGyfFv5RrIuvsdjXXDZDcIbtQ8Y5Am32i
         gFk1v/oXsMP6Lc33MQcOJA9n7VbewZB9LcXu8IVxeBFYNpcpjKkSlfwzqiWMz0Iu7ZGR
         lhCSVmtX2z75ZiWwfBYjGLCRQAzx9inv2mbnDLQpsX90sfcHCU3oIVCk3ev+ej7nD45U
         Y1p7GQ91pd/Nf5ZBLMnXakp4S9DaWdR3sTMIrK3NpOO/yXJ0tuH1xgs3nV57joSjCFPp
         ABDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1683849570; x=1686441570;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=YnFuIzqD1/t6APimZk0lC1MpBWigrgfjZSdse0VQg8E=;
        b=hPe87u4j/KKRUOsarKp6FVeWIt7Kh96PLn+XI8MDwGTcdq2q8MpJXFKxQ49X3GOco2
         VSrWkHXSR6Lv+iWoMgu33QkUb8mooqfvjEFyJt9McfZOEsr+SxeD1rxZ16kYjx1/VEUq
         64A61PHHEOfyeZ3ZzWJDA7UPOiTry0kGy0Wi1MhQyfmoSRQkW66wRE9abHMOu9vxiKYp
         K7ReSmNvmeXZ1kHDERtayELjfwQ0Cc22OOsCZXHHf5o60l+S3skrL1ygHOJCRxbDEA/n
         3jqxS6LaFKMDJgo2302mBDbuJ2svMBV84Xu+2OX/NDS1jgnzHm+vNdFZLrmpmquK2BCt
         gLCA==
X-Gm-Message-State: AC+VfDwIqhkTaM+i9CW1dOJgJ04JnmSGtndDPdyqgJABJ94UbdJff7IE
        0iyo7ONqZkgwtcQaE8/1Fg7yryDSD3A=
X-Received: from zagreus.c.googlers.com
 ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37])
 (user=seanjc job=sendgmr) by 2002:a17:902:c946:b0:1a6:a899:fe78 with SMTP id
 i6-20020a170902c94600b001a6a899fe78mr8905287pla.2.1683849569880; Thu, 11 May
 2023 16:59:29 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Thu, 11 May 2023 16:59:14 -0700
In-Reply-To: <20230511235917.639770-1-seanjc@google.com>
Mime-Version: 1.0
References: <20230511235917.639770-1-seanjc@google.com>
X-Mailer: git-send-email 2.40.1.606.ga4b1b128d6-goog
Message-ID: <20230511235917.639770-7-seanjc@google.com>
Subject: [PATCH 6/9] KVM: x86/mmu: Bug the VM if a vCPU ends up in long mode
 without PAE enabled
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
        Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
        Mingwei Zhang <mizhang@google.com>,
        David Matlack <dmatlack@google.com>,
        Jim Mattson <jmattson@google.com>
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1765644336232944451?=
X-GMAIL-MSGID: =?utf-8?q?1765644336232944451?=

Promote the ASSERT(), which is quite dead code in KVM, into a KVM_BUG_ON()
for KVM's sanity check that CR4.PAE=1 if the vCPU is in long mode when
performing a walk of guest page tables.  The sanity is quite cheap since
neither EFER nor CR4.PAE requires a VMREAD, especially relative to the
cost of walking the guest page tables.

More importantly, the sanity check would have prevented the true badness
fixed by commit 112e66017bff ("KVM: nVMX: add missing consistency checks
for CR0 and CR4").  The missed consistency check resulted in some versions
of KVM corrupting the on-stack guest_walker structure due to KVM thinking
there are 4/5 levels of page tables, but wiring up the MMU hooks to point
at the paging32 implementation, which only allocates space for two levels
of page tables in "struct guest_walker32".

Queue a page fault for injection if the assertion fails, as the sole
caller, FNAME(gva_to_gpa), assumes that walker.fault contains sane info
on a walk failure, i.e. avoid making the situation worse between the time
the assertion fails and when KVM kicks the vCPU out to userspace (because
the VM is bugged).

Move the check below the initialization of "pte_access" so that the
aforementioned to-be-injected page fault doesn't consume uninitialized
stack data.  The information _shouldn't_ reach the guest or userspace,
but there's zero downside to being paranoid in this case.

Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kvm/mmu/paging_tmpl.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h
index a3fc7c1a7f8d..f297e9311dcd 100644
--- a/arch/x86/kvm/mmu/paging_tmpl.h
+++ b/arch/x86/kvm/mmu/paging_tmpl.h
@@ -338,7 +338,6 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
 	}
 #endif
 	walker->max_level = walker->level;
-	ASSERT(!(is_long_mode(vcpu) && !is_pae(vcpu)));
 
 	/*
 	 * FIXME: on Intel processors, loads of the PDPTE registers for PAE paging
@@ -348,6 +347,10 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
 	nested_access = (have_ad ? PFERR_WRITE_MASK : 0) | PFERR_USER_MASK;
 
 	pte_access = ~0;
+
+	if (KVM_BUG_ON(is_long_mode(vcpu) && !is_pae(vcpu), vcpu->kvm))
+		goto error;
+
 	++walker->level;
 
 	do {