Re: [PATCH v2 03/16] KVM: x86: Always use non-compat vcpu_runstate_info size for gfn=>pfn cache

From: Paolo Bonzini
Date: Thu Oct 27 2022 - 07:11:14 EST

Next message: kernel test robot: "Re: [PATCH] thermal/core: cooling device duplicate creation check"
Previous message: Jean Delvare: "Re: [PATCH] i2c: piix4: Fix adapter not be removed in piix4_remove()"
Next in thread: Sean Christopherson: "Re: [PATCH v2 03/16] KVM: x86: Always use non-compat vcpu_runstate_info size for gfn=>pfn cache"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 10/13/22 23:12, Sean Christopherson wrote:

Always use the size of Xen's non-compat vcpu_runstate_info struct when
checking that the GPA+size doesn't cross a page boundary. Conceptually,
using the current mode is more correct, but KVM isn't consistent with
itself as kvm_xen_vcpu_set_attr() unconditionally uses the "full" size
when activating the cache. More importantly, prior to the introduction
of the gfn_to_pfn_cache, KVM _always_ used the full size, i.e. allowing
the guest (userspace?) to use a poorly aligned GPA in 32-bit mode but not
64-bit mode is more of a bug than a feature, and fixing the bug doesn't
break KVM's historical ABI.

I'd rather not introduce additional restrictions in KVM, mostly because it's actually easy to avoid this patch by instead enforcing that attributes are set in a sensible order:

- long mode cannot be changed after the shared info page is enabled (which makes sense because the shared info page also has a compat version)

- the caches must be activated after the shared info page (which enforces that the vCPU attributes are set after the VM attributes)

This is technically a userspace API break, but nobody is really using this API outside Amazon so... Patches coming after I finish testing.

Paolo

Always using the non-compat size will allow for future gfn_to_pfn_cache
clenups as this is (was) the only case where KVM uses a different size at
check()+refresh() than at activate(). E.g. the length/size of the cache
can be made immutable and dropped from check()+refresh(), which yields a
cleaner set of APIs and avoids potential bugs that could occur if check()
where invoked with a different size than refresh().

Fixes: a795cd43c5b5 ("KVM: x86/xen: Use gfn_to_pfn_cache for runstate area")
Cc: David Woodhouse <dwmw2@xxxxxxxxxxxxx>
Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
---
arch/x86/kvm/xen.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
index b2be60c6efa4..9e79ef2cca99 100644
--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -212,10 +212,7 @@ void kvm_xen_update_runstate_guest(struct kvm_vcpu *v, int state)
if (!vx->runstate_cache.active)
return;
- if (IS_ENABLED(CONFIG_64BIT) && v->kvm->arch.xen.long_mode)
- user_len = sizeof(struct vcpu_runstate_info);
- else
- user_len = sizeof(struct compat_vcpu_runstate_info);
+ user_len = sizeof(struct vcpu_runstate_info);
read_lock_irqsave(&gpc->lock, flags);
while (!kvm_gfn_to_pfn_cache_check(v->kvm, gpc, gpc->gpa,

Next message: kernel test robot: "Re: [PATCH] thermal/core: cooling device duplicate creation check"
Previous message: Jean Delvare: "Re: [PATCH] i2c: piix4: Fix adapter not be removed in piix4_remove()"
Next in thread: Sean Christopherson: "Re: [PATCH v2 03/16] KVM: x86: Always use non-compat vcpu_runstate_info size for gfn=>pfn cache"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]