From patchwork Fri Mar 12 11:02:42 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jan Beulich X-Patchwork-Id: 12134333 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.2 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 375BEC433E0 for ; Fri, 12 Mar 2021 11:02:54 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id F13E664FDD for ; Fri, 12 Mar 2021 11:02:53 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org F13E664FDD Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=suse.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from list by lists.xenproject.org with outflank-mailman.97003.184066 (Exim 4.92) (envelope-from ) id 1lKfZ6-0003fT-Um; Fri, 12 Mar 2021 11:02:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 97003.184066; Fri, 12 Mar 2021 11:02:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lKfZ6-0003fM-Ri; Fri, 12 Mar 2021 11:02:44 +0000 Received: by outflank-mailman (input) for mailman id 97003; Fri, 12 Mar 2021 11:02:42 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lKfZ4-0003fF-Rc for xen-devel@lists.xenproject.org; Fri, 12 Mar 2021 11:02:42 +0000 Received: from mx2.suse.de (unknown [195.135.220.15]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id fcc57503-d894-46ae-a9dd-660d9eae5c2e; Fri, 12 Mar 2021 11:02:41 +0000 (UTC) Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 1EB86B02C; Fri, 12 Mar 2021 11:02:41 +0000 (UTC) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: fcc57503-d894-46ae-a9dd-660d9eae5c2e X-Virus-Scanned: by amavisd-new at test-mx.suse.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1615546961; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=6n0jPE7z0vDwFOBZ8/feXejyuYibfU3F2LIii07idAQ=; b=QsCW1BehTW5hw7yB0VO/bDkZf9t3ZWBvWr4Tt+C5CbWzRpyngRMpBZHaI+gZ8aEF6g3M1a OROTkyDIehqtT7A0DdMaHd8XjkQ+8yboc/MjDkLhlKBRhoGx9HVSeFq4aOcHsQqlbHVJPA 03n2fIc3JLmh9fKy5ubZUhIKQ+CTd3A= Subject: [PATCH v4 1/2][4.15] x86/PV: conditionally avoid raising #GP for early guest MSR reads From: Jan Beulich To: "xen-devel@lists.xenproject.org" Cc: Andrew Cooper , Wei Liu , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , Ian Jackson References: <9c2e5e0e-041f-03e3-3c08-7abcc82d63c7@suse.com> Message-ID: Date: Fri, 12 Mar 2021 12:02:42 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0 MIME-Version: 1.0 In-Reply-To: <9c2e5e0e-041f-03e3-3c08-7abcc82d63c7@suse.com> Content-Language: en-US Prior to 4.15 Linux, when running in PV mode, did not install a #GP handler early enough to cover for example the rdmsrl_safe() of MSR_K8_TSEG_ADDR in bsp_init_amd() (not to speak of the unguarded read of MSR_K7_HWCR later in the same function). The respective change (42b3a4cb5609 "x86/xen: Support early interrupts in xen pv guests") was backported to 4.14, but no further - presumably since it wasn't really easy because of other dependencies. Therefore, to prevent our change in the handling of guest MSR accesses to render PV Linux 4.13 and older unusable on at least AMD systems, make the raising of #GP on this paths conditional upon the guest having installed a handler, provided of course the MSR can be read in the first place (we would have raised #GP in that case even before). Producing zero for reads isn't necessarily correct and may trip code trying to detect presence of MSRs early, but since such detection logic won't work without a #GP handler anyway, this ought to be a fair workaround. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Release-Acked-by: Ian Jackson --- v4: Re-base. Slightly adjust comment wording. v3: Use temporary variable for probing. Document the behavior (in a public header, for the lack of a better place). v2: Probe MSR read. Exclude hypervisor range. Avoid issuing two log messages (in debug builds). Don't alter WRMSR behavior. --- While I didn't myself observe or find similar WRMSR side issues, I'm nevertheless not convinced we can get away without also making the WRMSR path somewhat more permissive again, e.g. tolerating attempts to set bits which are already set. But of course this would require keeping in sync for which MSRs we "fake" reads, as then a kernel attempt to set a bit may also appear as an attempt to clear others (because of the zero value that we gave it for the read). Roger validly points out that making behavior dependent upon MSR values has its own downsides, so simply depending on MSR readability is another option (with, in turn, its own undesirable effects, e.g. for write-only MSRs). --- a/xen/arch/x86/pv/emul-priv-op.c +++ b/xen/arch/x86/pv/emul-priv-op.c @@ -874,7 +874,7 @@ static int read_msr(unsigned int reg, ui struct vcpu *curr = current; const struct domain *currd = curr->domain; const struct cpuid_policy *cp = currd->arch.cpuid; - bool vpmu_msr = false; + bool vpmu_msr = false, warn = false; uint64_t tmp; int ret; @@ -883,7 +883,7 @@ static int read_msr(unsigned int reg, ui if ( ret == X86EMUL_EXCEPTION ) x86_emul_hw_exception(TRAP_gp_fault, 0, ctxt); - return ret; + goto done; } switch ( reg ) @@ -993,7 +993,7 @@ static int read_msr(unsigned int reg, ui return X86EMUL_OKAY; } - gdprintk(XENLOG_WARNING, "RDMSR 0x%08x unimplemented\n", reg); + warn = true; break; normal: @@ -1002,7 +1002,19 @@ static int read_msr(unsigned int reg, ui return X86EMUL_OKAY; } - return X86EMUL_UNHANDLEABLE; + done: + if ( ret != X86EMUL_OKAY && !curr->arch.pv.trap_ctxt[X86_EXC_GP].address && + (reg >> 16) != 0x4000 && !rdmsr_safe(reg, tmp) ) + { + gprintk(XENLOG_WARNING, "faking RDMSR 0x%08x\n", reg); + *val = 0; + x86_emul_reset_event(ctxt); + ret = X86EMUL_OKAY; + } + else if ( warn ) + gdprintk(XENLOG_WARNING, "RDMSR 0x%08x unimplemented\n", reg); + + return ret; } static int write_msr(unsigned int reg, uint64_t val, --- a/xen/include/public/arch-x86/xen.h +++ b/xen/include/public/arch-x86/xen.h @@ -143,6 +143,12 @@ typedef unsigned long xen_ulong_t; * Level == 1: Kernel may enter * Level == 2: Kernel may enter * Level == 3: Everyone may enter + * + * Note: For compatibility with kernels not setting up exception handlers + * early enough, Xen will avoid trying to inject #GP (and hence crash + * the domain) when an RDMSR would require this, but no handler was + * set yet. The precise conditions are implementation specific, and + * new code may not rely on such behavior anyway. */ #define TI_GET_DPL(_ti) ((_ti)->flags & 3) #define TI_GET_IF(_ti) ((_ti)->flags & 4) From patchwork Fri Mar 12 11:03:06 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jan Beulich X-Patchwork-Id: 12134335 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.2 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9BAA6C433DB for ; Fri, 12 Mar 2021 11:03:22 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 5537664FEA for ; Fri, 12 Mar 2021 11:03:22 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5537664FEA Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=suse.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from list by lists.xenproject.org with outflank-mailman.97007.184079 (Exim 4.92) (envelope-from ) id 1lKfZZ-0003lq-Cp; Fri, 12 Mar 2021 11:03:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 97007.184079; Fri, 12 Mar 2021 11:03:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lKfZZ-0003lj-8r; Fri, 12 Mar 2021 11:03:13 +0000 Received: by outflank-mailman (input) for mailman id 97007; Fri, 12 Mar 2021 11:03:11 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lKfZX-0003kX-Sd for xen-devel@lists.xenproject.org; Fri, 12 Mar 2021 11:03:11 +0000 Received: from mx2.suse.de (unknown [195.135.220.15]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id 74f87939-5567-4ea0-a86a-218298e721bf; Fri, 12 Mar 2021 11:03:06 +0000 (UTC) Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 7002EB02C; Fri, 12 Mar 2021 11:03:05 +0000 (UTC) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 74f87939-5567-4ea0-a86a-218298e721bf X-Virus-Scanned: by amavisd-new at test-mx.suse.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1615546985; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=QFrMh+sBcKyoQb7P1wDYHd/74ZilGORQiERspE6maW0=; b=E7zJOJnPZJDSBqXWO2Xl7S/OH4dNjw/nn5lBDdGm1lfYu9kVqN97TkToCnJ4gdWyMbbTrz Rb76q8VHo4hpc0E4MFGaXjYB/yEejqHqRMLXdpwuvBUu6iu7pzZRFhsrxlh6p7JvDiny4k CX5O5wN8A8C+WAOZZ6wWe4F+Hv8BkoI= Subject: [PATCH v4 2/2][4.15] x86/AMD: expose HWCR.TscFreqSel to guests From: Jan Beulich To: "xen-devel@lists.xenproject.org" Cc: Andrew Cooper , Wei Liu , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , Ian Jackson References: <9c2e5e0e-041f-03e3-3c08-7abcc82d63c7@suse.com> Message-ID: <0c8043e3-07aa-6242-19bd-07b04f574b87@suse.com> Date: Fri, 12 Mar 2021 12:03:06 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0 MIME-Version: 1.0 In-Reply-To: <9c2e5e0e-041f-03e3-3c08-7abcc82d63c7@suse.com> Content-Language: en-US Linux has been warning ("firmware bug") about this bit being clear for a long time. While writable in older hardware it has been readonly on more than just most recent hardware. For simplicitly report it always set (if anything we may want to log the issue ourselves if it turns out to be clear on older hardware) on CPU families 10h and up (in family 0fh the bit is part of a larger field of different purpose). Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné --- v3: Report 0 for Fam0F. v2: New. --- There are likely more bits worthwhile to expose, but for about every one of them there would be the risk of a lengthy discussion, as there are clear downsides to exposing such information. The more that it would be tbd whether the hardware values should be surfaced, and if so what should happen when the guest gets migrated. The main risk with making the read not fault here is that guests might imply they can also write this MSR then. --- a/xen/arch/x86/msr.c +++ b/xen/arch/x86/msr.c @@ -315,6 +315,13 @@ int guest_rdmsr(struct vcpu *v, uint32_t *val = msrs->tsc_aux; break; + case MSR_K8_HWCR: + if ( !(cp->x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON)) ) + goto gp_fault; + *val = get_cpu_family(cp->basic.raw_fms, NULL, NULL) >= 0x10 + ? K8_HWCR_TSC_FREQ_SEL : 0; + break; + case MSR_AMD64_DE_CFG: if ( !(cp->x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON)) ) goto gp_fault; --- a/xen/include/asm-x86/msr-index.h +++ b/xen/include/asm-x86/msr-index.h @@ -287,6 +287,8 @@ #define MSR_K7_HWCR 0xc0010015 #define MSR_K8_HWCR 0xc0010015 +#define K8_HWCR_TSC_FREQ_SEL (1ULL << 24) + #define MSR_K7_FID_VID_CTL 0xc0010041 #define MSR_K7_FID_VID_STATUS 0xc0010042 #define MSR_K8_PSTATE_LIMIT 0xc0010061