On Tue, Sep 17, 2019 at 11:50:57AM -0700, Marc Orr wrote:
> Allowing an unlimited number of MSRs to be specified via the VMX
> load/store MSR lists (e.g., vm-entry MSR load list) is bad for two
> reasons. First, a guest can specify an unreasonable number of MSRs,
> forcing KVM to process all of them in software. Second, the SDM bounds
> the number of MSRs allowed to be packed into the atomic switch MSR lists.
> Quoting the "Miscellaneous Data" section in the "VMX Capability
> Reporting Facility" appendix:
>
> "Bits 27:25 is used to compute the recommended maximum number of MSRs
> that should appear in the VM-exit MSR-store list, the VM-exit MSR-load
> list, or the VM-entry MSR-load list. Specifically, if the value bits
> 27:25 of IA32_VMX_MISC is N, then 512 * (N + 1) is the recommended
> maximum number of MSRs to be included in each list. If the limit is
> exceeded, undefined processor behavior may result (including a machine
> check during the VMX transition)."
>
> Because KVM needs to protect itself and can't model "undefined processor
> behavior", arbitrarily force a VM-entry to fail due to MSR loading when
> the MSR load list is too large. Similarly, trigger an abort during a VM
> exit that encounters an MSR load list or MSR store list that is too large.
>
> The MSR list size is intentionally not pre-checked so as to maintain
> compatibility with hardware inasmuch as possible.
>
> Test these new checks with the kvm-unit-test "x86: nvmx: test max atomic
> switch MSRs".
>
> Suggested-by: Jim Mattson <jmattson@xxxxxxxxxx>
> Reviewed-by: Jim Mattson <jmattson@xxxxxxxxxx>
> Reviewed-by: Peter Shier <pshier@xxxxxxxxxx>
> Signed-off-by: Marc Orr <marcorr@xxxxxxxxxx>
> ---
> v2 -> v3
> * Updated commit message.
> * Removed superfluous function declaration.
> * Expanded in-line comment.

Reviewed-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
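The following is an added, self-contained illustration of the bound described in the quoted commit message; it is not the patch itself and is not KVM code. It derives the SDM's recommended list limit, 512 * (N + 1) with N = IA32_VMX_MISC[27:25], and walks a guest-supplied MSR-load list, enforcing the limit during the walk rather than pre-checking the count, so that entries up to the limit are still processed and the failing entry's 1-based position is reported. The macro names, the msr_entry layout, the write stub, and the zero-filled constructed list are this example's own assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Bit positions come from the SDM text quoted in the thread; the macro
 * names are this example's own, not KVM's. */
#define VMX_MISC_MSR_LIST_SHIFT 25
#define VMX_MISC_MSR_LIST_MASK  0x7ULL

/* Hypothetical 16-byte list entry (index, reserved, data). */
struct msr_entry {
	uint32_t index;
	uint32_t reserved;
	uint64_t value;
};

/* Recommended maximum entries per list: 512 * (N + 1), N = bits 27:25.
 * The result therefore ranges from 512 (N = 0) to 4096 (N = 7). */
static inline uint32_t vmx_max_msr_list_size(uint64_t vmx_misc)
{
	uint32_t n = (uint32_t)((vmx_misc >> VMX_MISC_MSR_LIST_SHIFT) &
				VMX_MISC_MSR_LIST_MASK);
	return 512 * (n + 1);
}

/* Stand-in for a real MSR write: only counts what was "loaded". */
static uint32_t g_loaded_count;

static int write_msr_stub(const struct msr_entry *e)
{
	(void)e;
	g_loaded_count++;
	return 0;
}

/*
 * Walk a guest-supplied MSR-load list of 'count' entries. Returns 0 when
 * every entry was consumed, otherwise the 1-based index of the entry at
 * which loading stopped. The size is not pre-checked: entries within the
 * limit are processed first, and the walk fails on the first entry past it,
 * which is the point the commit message makes about staying close to
 * hardware behaviour while still refusing oversized lists.
 */
static uint32_t load_msr_list(uint64_t vmx_misc, const struct msr_entry *list,
			      uint32_t count)
{
	uint32_t max = vmx_max_msr_list_size(vmx_misc);
	uint32_t i;

	g_loaded_count = 0;
	for (i = 0; i < count; i++) {
		if (i >= max)
			return i + 1;	/* list too large: fail the VM-entry */
		if (write_msr_stub(&list[i]))
			return i + 1;	/* MSR write refused: also a failure */
	}
	return 0;
}

/* Constructed, zero-filled sample list large enough for any limit value. */
static struct msr_entry g_constructed_list[4096];

/* Convenience wrapper over the constructed list (count must be <= 4096). */
static uint32_t example_load(uint64_t vmx_misc, uint32_t count)
{
	return load_msr_list(vmx_misc, g_constructed_list, count);
}

/* Number of entries the last example_load() call actually processed. */
static uint32_t example_loaded_count(void)
{
	return g_loaded_count;
}

int main(void)
{
	uint64_t misc_n0 = 0;			/* N = 0 -> limit 512 */
	uint64_t misc_n1 = 1ULL << VMX_MISC_MSR_LIST_SHIFT; /* N = 1 -> 1024 */

	printf("limit(N=0)=%u limit(N=1)=%u\n",
	       vmx_max_msr_list_size(misc_n0), vmx_max_msr_list_size(misc_n1));
	printf("512 entries, N=0: rc=%u\n", example_load(misc_n0, 512));
	printf("513 entries, N=0: rc=%u (loaded %u)\n",
	       example_load(misc_n0, 513), example_loaded_count());
	printf("513 entries, N=1: rc=%u\n", example_load(misc_n1, 513));
	return 0;
}
```

With N = 0 a 512-entry list loads fully, while a 513-entry list processes 512 entries and then fails at position 513; raising N to 1 lifts the limit to 1024 and the same 513-entry list succeeds.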