Xen project Mailing List

Re: [PATCH 3/3] x86/spec-ctrl: Fix NMI race condition with VT-x MSR_SPEC_CTRL handling

To: Andrew Cooper <amc96@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Tue, 18 Jan 2022 08:57:09 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=JIs5Oyn/us1ATLGHw0TuZHph47YdgDQJxfIkbWG/fFY=; b=YE1X1VyadONk1lYnjYlhuDhUMCWQGCguijMy+unKltFJlSVxr0WGzVkwltWlQMG6qP9ep4bmWjkwBbe+yn+KPoZNSGFF35JQnaFPLbEij9+O6eAdsjWKlUez0otzC0fVJPfXnDhdCdsQdBBScictpwVGeWWFlJADAMdoMAFxwkVhhVDaljknkx6dikeK8KXYGXxamA8Dubi98KgEIHpqyrSMMIGN5myxVQWYEU5z81xSt1Jx4e/IiNlPLkraSsTnjlCTcu5M14yJs5NGwADrX4bwbOPxvS/iM0aYhbs+KodhIBedGxYxpC3DtGQUjmTNUW/i7gOpqY1mCbDmIJ6w8g==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kTuCB9HRAnJXlUEDsY0DG0h2zbLV45O/dvth1W3UXLFo4ggBmReBwrg0RxmBa5/zYE5HOPUDUL59qjN7Tgzf3iesx7mTmQsrAzEl7nw9KM9J1t9BLT3EAcKnLjeehhH1CqHAX/OiUUC2lVyU1fiEWMER2OMG+GYRBebgl040wIc8bH3PXdjYgUJXCCbRIXsysVxOJVDCTFmI73eGdyXSa+5DJAcuSehFBO/uYGoCtFKkAKSfmEa8za4oqYrfwMha8HhtbDo8gf1Rl9pMX/VgiXjIUlsZvEpMNw0xpJ0tP1NMJkM7qoHDCBlV8P7ugWu0jDCzTrgUwFKWWDWEvucc0A==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Tue, 18 Jan 2022 07:57:27 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 17.01.2022 18:23, Andrew Cooper wrote: > On 17/01/2022 11:51, Jan Beulich wrote: >> On 13.01.2022 17:38, Andrew Cooper wrote: >>> @@ -119,12 +125,11 @@ UNLIKELY_END(realmode) >>> SAVE_ALL >>> >>> /* >>> - * PV variant needed here as no guest code has executed (so >>> - * MSR_SPEC_CTRL can't have changed value), and NMIs/MCEs are >>> liable >>> - * to hit (in which case the HVM variant might corrupt things). >>> + * SPEC_CTRL_ENTRY notes >>> + * >>> + * If we end up here, no guest code has executed. We still have >>> Xen's >>> + * choice of MSR_SPEC_CTRL in context, and the RSB is safe. >>> */ >>> - SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo Clob: acd */ >>> - /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ >> Is "no guest code has executed" actually enough here? If VM entry failed >> due to a later MSR-load-list entry, SPEC_CTRL could have changed value >> already, couldn't it? > > No, it can't. > > See the very start of SDM Chapter 25 "VMEntries" for the distinction > between early and late entry failures. (i.e. those which cause > execution to continue beyond VMLAUNCH/VMRESUME, and those which cause > execution to continue from the vmexit handler.) > > Early failures are conditions such as `pop %ss; vmlaunch`, and bad host > state in the VMCS. > > Everything pertaining to guest state is late failure, so by the time we > get to processing the MSR load/save list, we're definitely not taking > this path. I see. This still means that the answer to my 1st question is "yes". In which case I'd like to ask to extend the comment to include "no MSRs have been loaded from the load list" or something equivalent, despite realizing that such an amendment would have helped already before your change. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.