Re: Potential Denial-of-Service Vulnerability in KVM When Emulating 'hlt' Instruction in L2 Guests

[Sean Christopherson]

Dropping Non-KVM folks/lists.

On Fri, Jan 17, 2025, C CHI wrote:
> I roughly understand the above content.

Heh, you top posted, so it's below.

https://people.kernel.org/tglx/notes-about-netiquette

> The main reason for this phenomenon seems to be the chaotic VM memory layout
> caused by the syzkaller template settings. In fact, it’s even observable that
> the IDT region in the code doesn’t actually contain any exception handling
> code, very amusing :)
> 
> Additionally, I would like to ask about the previously mentioned point
> where the IDT is set in the emulated MMIO space. How can I verify
> this, and where can I find the relevant code for setting the MMIO
> region?

In KVM, any guest address that isn't covered by a memslot, a.k.a. a user memory
region, is treated as emulated MMIO.

>     The guest loops because the the guest's IDT is located in emulated
> MMIO space,
>     and as suspected above, KVM refuses to emulates HLT for L2.
> 
> 
> Also, I'm curious as to what technique is used to get the following
> type of logging information, and I'd like to be able to get each ENTRY
> and EXIT info on the run

The below comes from KVM's tracepoints.  E.g. if tracefs is mounted at
/sys/kernel/debug/trace, all KVM tracepoints can be enabled via:

  /sys/kernel/debug/tracing/events/kvm/enable

See Documentation/trace/tracepoints.rst for details on using tracepoints (or the
same info in the web version https://docs.kernel.org/trace/tracepoints.html).