From patchwork Tue Feb 12 14:44:11 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Brijesh Singh <brijesh.singh@amd.com>
X-Patchwork-Id: 10808075
Return-Path: <kvm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F05F21575
	for <patchwork-kvm@patchwork.kernel.org>;
 Tue, 12 Feb 2019 14:44:16 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DE9CB2BAF9
	for <patchwork-kvm@patchwork.kernel.org>;
 Tue, 12 Feb 2019 14:44:16 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id D26BE2BADB; Tue, 12 Feb 2019 14:44:16 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A4DB62BAA0
	for <patchwork-kvm@patchwork.kernel.org>;
 Tue, 12 Feb 2019 14:44:15 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730184AbfBLOoO (ORCPT
        <rfc822;patchwork-kvm@patchwork.kernel.org>);
        Tue, 12 Feb 2019 09:44:14 -0500
Received: from mail-eopbgr780072.outbound.protection.outlook.com
 ([40.107.78.72]:2128
        "EHLO NAM03-BY2-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1730096AbfBLOoN (ORCPT <rfc822;kvm@vger.kernel.org>);
        Tue, 12 Feb 2019 09:44:13 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=amdcloud.onmicrosoft.com; s=selector1-amd-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=m0hnC+kiGZUEyk4qg6gUf5MjRX7gfnRJXAt1O4Bccoc=;
 b=vbO2BR6O2sligh/kzNq7zz5lqYl1EZ6urReFG/0vVRCwNTE67qrMlQlB02V9E94bgGKrL28QOx/OGrdZyQKy4MxqSDSxQ5kMPKKCpsLDSXpv9YX74jio5FapAQTMP8O1E/4ZA1VC8OCiRfGPpiLYoYl2b+4BK/L5Ya4uoBiv2fY=
Received: from DM6PR12MB2682.namprd12.prod.outlook.com (20.176.116.31) by
 DM6PR12MB2665.namprd12.prod.outlook.com (20.176.116.26) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1601.22; Tue, 12 Feb 2019 14:44:11 +0000
Received: from DM6PR12MB2682.namprd12.prod.outlook.com
 ([fe80::2073:3d8a:bf05:4686]) by DM6PR12MB2682.namprd12.prod.outlook.com
 ([fe80::2073:3d8a:bf05:4686%4]) with mapi id 15.20.1601.016; Tue, 12 Feb 2019
 14:44:11 +0000
From: "Singh, Brijesh" <brijesh.singh@amd.com>
To: "kvm@vger.kernel.org" <kvm@vger.kernel.org>
CC: "Singh, Brijesh" <brijesh.singh@amd.com>,
 Jim Mattson <jmattson@google.com>, "Lendacky,
 Thomas" <Thomas.Lendacky@amd.com>, Borislav Petkov <bp@alien8.de>,
 Joerg Roedel <joro@8bytes.org>,
 =?utf-8?b?UmFkaW0gS3LEjW3DocWZ?= <rkrcmar@redhat.com>,
 Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH] KVM: SVM: Workaround errata#1096 (insn_len maybe zero on SMAP
 violation)
Thread-Topic: [PATCH] KVM: SVM: Workaround errata#1096 (insn_len maybe zero on
 SMAP violation)
Thread-Index: AQHUwuFqqQDph5uCEUylS2GGFXGBKw==
Date: Tue, 12 Feb 2019 14:44:11 +0000
Message-ID: <20190212144354.7694-1-brijesh.singh@amd.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-clientproxiedby: SN1PR12CA0096.namprd12.prod.outlook.com
 (2603:10b6:802:21::31) To DM6PR12MB2682.namprd12.prod.outlook.com
 (2603:10b6:5:4a::31)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=brijesh.singh@amd.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 2.17.1
x-originating-ip: [165.204.77.1]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f3b06738-c784-437f-a346-08d690f88ce0
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: 
 BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(4618075)(2017052603328)(7153060)(7193020);SRVR:DM6PR12MB2665;
x-ms-traffictypediagnostic: DM6PR12MB2665:
x-ms-exchange-purlcount: 1
x-microsoft-exchange-diagnostics: 
 1;DM6PR12MB2665;20:fNOoDuwYvjNd1beebrgNgwnxT1z+WXoNiFvYrB3ski0eIZNgV6XxpIb0LtVXdiP5L6Rw/heXVkvBWr2Biu5U+WjwgRK/g1W8mJ0j4yAo1IC9ZoRPbzvTyteaeLC7ud7oWtqAW6Tjp/v4oW3EX9TPQs7zrh6V3XlGWGkEFT5Z6tM801Tfb3Y93mTsZ9nX9P8poUL+ZUugvAwiLfqO/0tpBlZw5yrwE0GfzVwSBhOKfXrsKl6I8q/+5PekxaXTnkiP
x-microsoft-antispam-prvs: 
 <DM6PR12MB26656A27118C77048ACF9594E5650@DM6PR12MB2665.namprd12.prod.outlook.com>
x-forefront-prvs: 0946DC87A1
x-forefront-antispam-report: 
 SFV:NSPM;SFS:(10009020)(136003)(376002)(346002)(396003)(39860400002)(366004)(189003)(199004)(25786009)(305945005)(8936002)(97736004)(52116002)(8676002)(50226002)(6512007)(6306002)(2906002)(7736002)(5640700003)(86362001)(66066001)(36756003)(6506007)(386003)(6916009)(81166006)(81156014)(1730700003)(66574012)(486006)(54906003)(102836004)(3846002)(105586002)(1076003)(6436002)(2501003)(256004)(2351001)(71190400001)(106356001)(68736007)(316002)(4326008)(26005)(2616005)(186003)(6116002)(14454004)(476003)(71200400001)(6486002)(478600001)(99286004)(966005)(14444005)(53936002);DIR:OUT;SFP:1101;SCL:1;SRVR:DM6PR12MB2665;H:DM6PR12MB2682.namprd12.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: amd.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 
 K21CgCd8pEEneyJw0cjCiCnFzMmiZInW+jd+U+Tk6ojnm/0X/ejCgbA2+UXjj/jZDCjzxHA3jXvmgMSzDtlY6fig2Nkr4wtlCUOgMeoEuY/VpzGyFqZBC19QSOFYqjvJP6mMpd/6bHS67GXBYgpA+E4jUv007Z2XsXPUhb+976TOTPYNOey31UP2+yn2TiLa+Oki/R4M1rW5c3IFV1cw4IdHOtrWxgRj9sSLAaZ/JuC8qGq9EOpEJZW2h4ycZOuwoQk8Rv7ED4kB1eGeZTVq4nNE46I+yNsGXiURUxaZpDohQKmRtqvil0w8oHvJXWtxoM7lx9PcLySXA0NCC7kjDJb6EdGAu/73D1Wm2+ssNOcHx3Y1K7kKGJV5IcfvqWx0Bygpz67eOrZlX4s8+Gk2zEH74cptiFlRCUzDuFJbJME=
Content-ID: <144F867E3015E24C9D83A390490FE262@namprd12.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 f3b06738-c784-437f-a346-08d690f88ce0
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Feb 2019 14:44:10.4611
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB2665
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Errata#1090:

On a nested data page fault when CR.SMAP=1 and the guest data read
generates a SMAP violation, GuestInstrBytes field of the VMCB on a
VMEXIT will incorrectly return 0h instead the correct guest
instruction bytes .

Recommend Workaround:

To determine what instruction the guest was executing the hypervisor
will have to decode the instruction at the instruction pointer.

The recommended workaround can not be implemented for the SEV
guest because guest memory is encrypted with the guest specific key,
and instruction decoder will not be able to decode the instruction
bytes. If we hit this errata in the SEV guest then inject #GP into
the guest and log the message.

Cc: Jim Mattson <jmattson@google.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reported-by: Venkatesh Srinivas <venkateshs@google.com>
---

Errata link:
https://www.amd.com/system/files/TechDocs/55449_Fam_17h_M_00h-0Fh_Rev_Guide.pdf

 arch/x86/include/asm/kvm_host.h |  2 ++
 arch/x86/kvm/mmu.c              |  6 ++++--
 arch/x86/kvm/svm.c              | 32 ++++++++++++++++++++++++++++++++
 arch/x86/kvm/vmx/vmx.c          |  6 ++++++
 4 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 4660ce90de7f..536acf622af9 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1194,6 +1194,8 @@ struct kvm_x86_ops {
 	int (*nested_enable_evmcs)(struct kvm_vcpu *vcpu,
 				   uint16_t *vmcs_version);
 	uint16_t (*nested_get_evmcs_version)(struct kvm_vcpu *vcpu);
+
+	bool (*emulate_instruction_possible)(struct kvm_vcpu *vcpu);
 };
 
 struct kvm_arch_async_pf {
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index da9c42349b1f..8ebc1bfcabd3 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -5384,8 +5384,10 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code,
 	 * page is not present in memory). In those cases we simply restart the
 	 * guest.
 	 */
-	if (unlikely(insn && !insn_len))
-		return 1;
+	if (unlikely(insn && !insn_len)) {
+		if (!kvm_x86_ops->emulate_instruction_possible(vcpu))
+			return 1;
+	}
 
 	er = x86_emulate_instruction(vcpu, cr2, emulation_type, insn, insn_len);
 
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index f13a3a24d360..1f359667e529 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -7098,6 +7098,36 @@ static int nested_enable_evmcs(struct kvm_vcpu *vcpu,
 	return -ENODEV;
 }
 
+static bool emulate_instruction_possible(struct kvm_vcpu *vcpu)
+{
+	bool is_user, smap;
+
+	is_user = svm_get_cpl(vcpu) == 3;
+	smap = !kvm_read_cr4_bits(vcpu, X86_CR4_SMAP);
+
+	/*
+	 * Detect and workaround Errata 1090 Fam_17h_00_0Fh
+	 *
+	 * In non SEV guest, hypervisor will be able to read the guest
+	 * memory to decode the instruction pointer when insn_len is zero
+	 * so we return true to indicate that decoding is possible.
+	 *
+	 * But in the SEV guest, the guest memory is encrypted with the
+	 * guest specific key and hypervisor will not be able to decode the
+	 * instruction pointer so we will not able to workaround it. Lets
+	 * print the error and inject a #GP in the guest.
+	 */
+	if (is_user && smap) {
+		if (!sev_guest(vcpu->kvm))
+			return true;
+
+		pr_err("ERROR: encountered errata #1090, injecting #GP\n");
+		kvm_inject_gp(vcpu, 0);
+	}
+
+	return false;
+}
+
 static struct kvm_x86_ops svm_x86_ops __ro_after_init = {
 	.cpu_has_kvm_support = has_svm,
 	.disabled_by_bios = is_disabled,
@@ -7231,6 +7261,8 @@ static struct kvm_x86_ops svm_x86_ops __ro_after_init = {
 
 	.nested_enable_evmcs = nested_enable_evmcs,
 	.nested_get_evmcs_version = nested_get_evmcs_version,
+
+	.emulate_instruction_possible = emulate_instruction_possible,
 };
 
 static int __init svm_init(void)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 95d618045001..6767bad8367e 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -7530,6 +7530,11 @@ static int enable_smi_window(struct kvm_vcpu *vcpu)
 	return 0;
 }
 
+static bool emulate_instruction_possible(struct kvm_vcpu *vcpu)
+{
+	return 1;
+}
+
 static __init int hardware_setup(void)
 {
 	unsigned long host_bndcfgs;
@@ -7832,6 +7837,7 @@ static struct kvm_x86_ops vmx_x86_ops __ro_after_init = {
 	.set_nested_state = NULL,
 	.get_vmcs12_pages = NULL,
 	.nested_enable_evmcs = NULL,
+	.emulate_instruction_possible = emulate_instruction_possible,
 };
 
 static void vmx_cleanup_l1d_flush(void)