KVM: x86: Protect userspace MSR filter with SRCU, and set atomically-ish

author Sean Christopherson <seanjc@google.com>

Tue, 16 Mar 2021 18:44:33 +0000 (11:44 -0700)

committer Paolo Bonzini <pbonzini@redhat.com>

Thu, 18 Mar 2021 17:55:14 +0000 (13:55 -0400)
author Sean Christopherson <seanjc@google.com>
Tue, 16 Mar 2021 18:44:33 +0000 (11:44 -0700)
committer Paolo Bonzini <pbonzini@redhat.com>
Thu, 18 Mar 2021 17:55:14 +0000 (13:55 -0400)
diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst

index 38e327d4b479037e0dfcd9ace47ea59b6c50cb22..2898d3e86b08b80a9d61fb9a77f02177db1ab8bd 100644 (file)
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -4806,8 +4806,10 @@ If an MSR access is not permitted through the filtering, it generates a
  allows user space to deflect and potentially handle various MSR accesses
  into user space.
  
-If a vCPU is in running state while this ioctl is invoked, the vCPU may
-experience inconsistent filtering behavior on MSR accesses.
+Note, invoking this ioctl with a vCPU is running is inherently racy.  However,
+KVM does guarantee that vCPUs will see either the previous filter or the new
+filter, e.g. MSRs with identical settings in both the old and new filter will
+have deterministic behavior.
  
  4.127 KVM_XEN_HVM_SET_ATTR
  --------------------------
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h

index e1b6e2edc828269b7d150b51d600aaa9313f34a6..3768819693e5c8a59da539b8f2907c1c75c729db 100644 (file)
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -948,6 +948,12 @@ enum kvm_irqchip_mode {
         KVM_IRQCHIP_SPLIT,        /* created with KVM_CAP_SPLIT_IRQCHIP */
  };
  
+struct kvm_x86_msr_filter {
+       u8 count;
+       bool default_allow:1;
+       struct msr_bitmap_range ranges[16];
+};
+
  #define APICV_INHIBIT_REASON_DISABLE    0
  #define APICV_INHIBIT_REASON_HYPERV     1
  #define APICV_INHIBIT_REASON_NESTED     2
@@ -1042,16 +1048,11 @@ struct kvm_arch {
         bool guest_can_read_msr_platform_info;
         bool exception_payload_enabled;
  
+       bool bus_lock_detection_enabled;
+
         /* Deflect RDMSR and WRMSR to user space when they trigger a #GP */
         u32 user_space_msr_mask;
-
-       struct {
-               u8 count;
-               bool default_allow:1;
-               struct msr_bitmap_range ranges[16];
-       } msr_filter;
-
-       bool bus_lock_detection_enabled;
+       struct kvm_x86_msr_filter __rcu *msr_filter;
  
         struct kvm_pmu_event_filter __rcu *pmu_event_filter;
         struct task_struct *nx_lpage_recovery_thread;
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c

index a5c5b38735e196bc091fee0ad165254c12e0f48c..a04e78b896370aa049c4b68d3c9bc5ae0160975f 100644 (file)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1526,35 +1526,44 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
  
  bool kvm_msr_allowed(struct kvm_vcpu *vcpu, u32 index, u32 type)
  {
+       struct kvm_x86_msr_filter *msr_filter;
+       struct msr_bitmap_range *ranges;
         struct kvm *kvm = vcpu->kvm;
-       struct msr_bitmap_range *ranges = kvm->arch.msr_filter.ranges;
-       u32 count = kvm->arch.msr_filter.count;
-       u32 i;
-       bool r = kvm->arch.msr_filter.default_allow;
+       bool allowed;
         int idx;
+       u32 i;
  
-       /* MSR filtering not set up or x2APIC enabled, allow everything */
-       if (!count || (index >= 0x800 && index <= 0x8ff))
+       /* x2APIC MSRs do not support filtering. */
+       if (index >= 0x800 && index <= 0x8ff)
                 return true;
  
-       /* Prevent collision with set_msr_filter */
         idx = srcu_read_lock(&kvm->srcu);
  
-       for (i = 0; i < count; i++) {
+       msr_filter = srcu_dereference(kvm->arch.msr_filter, &kvm->srcu);
+       if (!msr_filter) {
+               allowed = true;
+               goto out;
+       }
+
+       allowed = msr_filter->default_allow;
+       ranges = msr_filter->ranges;
+
+       for (i = 0; i < msr_filter->count; i++) {
                 u32 start = ranges[i].base;
                 u32 end = start + ranges[i].nmsrs;
                 u32 flags = ranges[i].flags;
                 unsigned long *bitmap = ranges[i].bitmap;
  
                 if ((index >= start) && (index < end) && (flags & type)) {
-                       r = !!test_bit(index - start, bitmap);
+                       allowed = !!test_bit(index - start, bitmap);
                         break;
                 }
         }
  
+out:
         srcu_read_unlock(&kvm->srcu, idx);
  
-       return r;
+       return allowed;
  }
  EXPORT_SYMBOL_GPL(kvm_msr_allowed);
  
@@ -5354,25 +5363,34 @@ split_irqchip_unlock:
         return r;
  }
  
-static void kvm_clear_msr_filter(struct kvm *kvm)
+static struct kvm_x86_msr_filter *kvm_alloc_msr_filter(bool default_allow)
+{
+       struct kvm_x86_msr_filter *msr_filter;
+
+       msr_filter = kzalloc(sizeof(*msr_filter), GFP_KERNEL_ACCOUNT);
+       if (!msr_filter)
+               return NULL;
+
+       msr_filter->default_allow = default_allow;
+       return msr_filter;
+}
+
+static void kvm_free_msr_filter(struct kvm_x86_msr_filter *msr_filter)
  {
         u32 i;
-       u32 count = kvm->arch.msr_filter.count;
-       struct msr_bitmap_range ranges[16];
  
-       mutex_lock(&kvm->lock);
-       kvm->arch.msr_filter.count = 0;
-       memcpy(ranges, kvm->arch.msr_filter.ranges, count * sizeof(ranges[0]));
-       mutex_unlock(&kvm->lock);
-       synchronize_srcu(&kvm->srcu);
+       if (!msr_filter)
+               return;
+
+       for (i = 0; i < msr_filter->count; i++)
+               kfree(msr_filter->ranges[i].bitmap);
  
-       for (i = 0; i < count; i++)
-               kfree(ranges[i].bitmap);
+       kfree(msr_filter);
  }
  
-static int kvm_add_msr_filter(struct kvm *kvm, struct kvm_msr_filter_range *user_range)
+static int kvm_add_msr_filter(struct kvm_x86_msr_filter *msr_filter,
+                             struct kvm_msr_filter_range *user_range)
  {
-       struct msr_bitmap_range *ranges = kvm->arch.msr_filter.ranges;
         struct msr_bitmap_range range;
         unsigned long *bitmap = NULL;
         size_t bitmap_size;
@@ -5406,11 +5424,9 @@ static int kvm_add_msr_filter(struct kvm *kvm, struct kvm_msr_filter_range *user
                 goto err;
         }
  
-       /* Everything ok, add this range identifier to our global pool */
-       ranges[kvm->arch.msr_filter.count] = range;
-       /* Make sure we filled the array before we tell anyone to walk it */
-       smp_wmb();
-       kvm->arch.msr_filter.count++;
+       /* Everything ok, add this range identifier. */
+       msr_filter->ranges[msr_filter->count] = range;
+       msr_filter->count++;
  
         return 0;
  err:
@@ -5421,10 +5437,11 @@ err:
  static int kvm_vm_ioctl_set_msr_filter(struct kvm *kvm, void __user *argp)
  {
         struct kvm_msr_filter __user *user_msr_filter = argp;
+       struct kvm_x86_msr_filter *new_filter, *old_filter;
         struct kvm_msr_filter filter;
         bool default_allow;
-       int r = 0;
         bool empty = true;
+       int r = 0;
         u32 i;
  
         if (copy_from_user(&filter, user_msr_filter, sizeof(filter)))
@@ -5437,25 +5454,32 @@ static int kvm_vm_ioctl_set_msr_filter(struct kvm *kvm, void __user *argp)
         if (empty && !default_allow)
                 return -EINVAL;
  
-       kvm_clear_msr_filter(kvm);
-
-       kvm->arch.msr_filter.default_allow = default_allow;
+       new_filter = kvm_alloc_msr_filter(default_allow);
+       if (!new_filter)
+               return -ENOMEM;
  
-       /*
-        * Protect from concurrent calls to this function that could trigger
-        * a TOCTOU violation on kvm->arch.msr_filter.count.
-        */
-       mutex_lock(&kvm->lock);
         for (i = 0; i < ARRAY_SIZE(filter.ranges); i++) {
-               r = kvm_add_msr_filter(kvm, &filter.ranges[i]);
-               if (r)
-                       break;
+               r = kvm_add_msr_filter(new_filter, &filter.ranges[i]);
+               if (r) {
+                       kvm_free_msr_filter(new_filter);
+                       return r;
+               }
         }
  
+       mutex_lock(&kvm->lock);
+
+       /* The per-VM filter is protected by kvm->lock... */
+       old_filter = srcu_dereference_check(kvm->arch.msr_filter, &kvm->srcu, 1);
+
+       rcu_assign_pointer(kvm->arch.msr_filter, new_filter);
+       synchronize_srcu(&kvm->srcu);
+
+       kvm_free_msr_filter(old_filter);
+
         kvm_make_all_cpus_request(kvm, KVM_REQ_MSR_FILTER_CHANGED);
         mutex_unlock(&kvm->lock);
  
-       return r;
+       return 0;
  }
  
  long kvm_arch_vm_ioctl(struct file *filp,
@@ -10636,8 +10660,6 @@ void kvm_arch_pre_destroy_vm(struct kvm *kvm)
  
  void kvm_arch_destroy_vm(struct kvm *kvm)
  {
-       u32 i;
-
         if (current->mm == kvm->mm) {
                 /*
                  * Free memory regions allocated on behalf of userspace,
@@ -10653,8 +10675,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
                 mutex_unlock(&kvm->slots_lock);
         }
         static_call_cond(kvm_x86_vm_destroy)(kvm);
-       for (i = 0; i < kvm->arch.msr_filter.count; i++)
-               kfree(kvm->arch.msr_filter.ranges[i].bitmap);
+       kvm_free_msr_filter(srcu_dereference_check(kvm->arch.msr_filter, &kvm->srcu, 1));
         kvm_pic_destroy(kvm);
         kvm_ioapic_destroy(kvm);
         kvm_free_vcpus(kvm);
author	Sean Christopherson <seanjc@google.com>
	Tue, 16 Mar 2021 18:44:33 +0000 (11:44 -0700)
committer	Paolo Bonzini <pbonzini@redhat.com>
	Thu, 18 Mar 2021 17:55:14 +0000 (13:55 -0400)
Documentation/virt/kvm/api.rst		patch \| blob \| history
arch/x86/include/asm/kvm_host.h		patch \| blob \| history
arch/x86/kvm/x86.c		patch \| blob \| history