[PATCH v4 2/4] KVM: VMX: reset the segment cache after segment init in vmx_vcpu_reset()

From: Sean Christopherson
Date: Wed Oct 09 2024 - 13:50:56 EST

Next message: Sean Christopherson: "[PATCH v4 3/4] KVM: x86: Add lockdep-guarded asserts on register cache usage"
Previous message: Sean Christopherson: "[PATCH v4 1/4] KVM: x86: Bypass register cache when querying CPL from kvm_sched_out()"
In reply to: Sean Christopherson: "[PATCH v4 1/4] KVM: x86: Bypass register cache when querying CPL from kvm_sched_out()"
Next in thread: Sean Christopherson: "[PATCH v4 3/4] KVM: x86: Add lockdep-guarded asserts on register cache usage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Maxim Levitsky <mlevitsk@xxxxxxxxxx>

Reset the segment cache after segment initialization in vmx_vcpu_reset()
to harden KVM against caching stale/uninitialized data. Without the
recent fix to bypass the cache in kvm_arch_vcpu_put(), the following
scenario is possible:

- vCPU is just created, and the vCPU thread is preempted before
SS.AR_BYTES is written in vmx_vcpu_reset().

- When scheduling out the vCPU task, kvm_arch_vcpu_in_kernel() =>
vmx_get_cpl() reads and caches '0' for SS.AR_BYTES.

- vmx_vcpu_reset() => seg_setup() configures SS.AR_BYTES, but doesn't
invoke vmx_segment_cache_clear() to invalidate the cache.

As a result, KVM retains a stale value in the cache, which can be read,
e.g. via KVM_GET_SREGS. Usually this is not a problem because the VMX
segment cache is reset on each VM-Exit, but if the userspace VMM (e.g KVM
selftests) reads and writes system registers just after the vCPU was
created, _without_ modifying SS.AR_BYTES, userspace will write back the
stale '0' value and ultimately will trigger a VM-Entry failure due to
incorrect SS segment type.

Invalidating the cache after writing the VMCS doesn't address the general
issue of cache accesses from IRQ context being unsafe, but it does prevent
KVM from clobbering the VMCS, i.e. mitigates the harm done _if_ KVM has a
bug that results in an unsafe cache access.

Signed-off-by: Maxim Levitsky <mlevitsk@xxxxxxxxxx>
Fixes: 2fb92db1ec08 ("KVM: VMX: Cache vmcs segment fields")
[sean: rework changelog to account for previous patch]
Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
---
arch/x86/kvm/vmx/vmx.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 12dd7009efbe..a11faab67b4a 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -4901,9 +4901,6 @@ void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
vmx->hv_deadline_tsc = -1;
kvm_set_cr8(vcpu, 0);

- vmx_segment_cache_clear(vmx);
- kvm_register_mark_available(vcpu, VCPU_EXREG_SEGMENTS);
-
seg_setup(VCPU_SREG_CS);
vmcs_write16(GUEST_CS_SELECTOR, 0xf000);
vmcs_writel(GUEST_CS_BASE, 0xffff0000ul);
@@ -4930,6 +4927,9 @@ void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
vmcs_writel(GUEST_IDTR_BASE, 0);
vmcs_write32(GUEST_IDTR_LIMIT, 0xffff);

+ vmx_segment_cache_clear(vmx);
+ kvm_register_mark_available(vcpu, VCPU_EXREG_SEGMENTS);
+
vmcs_write32(GUEST_ACTIVITY_STATE, GUEST_ACTIVITY_ACTIVE);
vmcs_write32(GUEST_INTERRUPTIBILITY_INFO, 0);
vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS, 0);
--
2.47.0.rc1.288.g06298d1525-goog

Next message: Sean Christopherson: "[PATCH v4 3/4] KVM: x86: Add lockdep-guarded asserts on register cache usage"
Previous message: Sean Christopherson: "[PATCH v4 1/4] KVM: x86: Bypass register cache when querying CPL from kvm_sched_out()"
In reply to: Sean Christopherson: "[PATCH v4 1/4] KVM: x86: Bypass register cache when querying CPL from kvm_sched_out()"
Next in thread: Sean Christopherson: "[PATCH v4 3/4] KVM: x86: Add lockdep-guarded asserts on register cache usage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]