Re: [PATCH kvm-unit-tests] access: change CR0/CR4/EFER before TLB flushes

Yang Weijiang <weijiang.yang@xxxxxxxxx> · Tue, 18 May 2021 16:31:36 +0800

On Sat, Apr 10, 2021 at 04:42:34PM +0200, Paolo Bonzini wrote:

Hi, Paolo,
Has this patch been merged? We need this patch to fix the issue. Thanks!

> After CR0/CR4/EFER changes a stale TLB entry can be observed, because MOV
> to CR4 only invalidates TLB entries if CR4.SMEP is changed from 0 to 1.
> 
> The TLB is already flushed in ac_set_expected_status,
> but if kvm-unit-tests is migrated to another CPU and CR4 is
> changed after the flush, a stale entry can be used.
> 
> Reported-by: Yang Weijiang <weijiang.yang@xxxxxxxxx>
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> ---
>  x86/access.c | 25 ++++++++++++-------------
>  1 file changed, 12 insertions(+), 13 deletions(-)
> 
> diff --git a/x86/access.c b/x86/access.c
> index 66bd466..e5d5c00 100644
> --- a/x86/access.c
> +++ b/x86/access.c
> @@ -448,8 +448,6 @@ fault:
>  
>  static void ac_set_expected_status(ac_test_t *at)
>  {
> -    invlpg(at->virt);
> -
>      if (at->ptep)
>  	at->expected_pte = *at->ptep;
>      at->expected_pde = *at->pdep;
> @@ -561,6 +559,18 @@ static void __ac_setup_specific_pages(ac_test_t *at, ac_pool_t *pool,
>  	root = vroot[index];
>      }
>      ac_set_expected_status(at);
> +
> +    set_cr0_wp(F(AC_CPU_CR0_WP));
> +    set_efer_nx(F(AC_CPU_EFER_NX));
> +    set_cr4_pke(F(AC_CPU_CR4_PKE));
> +    if (F(AC_CPU_CR4_PKE)) {
> +        /* WD2=AD2=1, WD1=F(AC_PKU_WD), AD1=F(AC_PKU_AD) */
> +        write_pkru(0x30 | (F(AC_PKU_WD) ? 8 : 0) |
> +                   (F(AC_PKU_AD) ? 4 : 0));
> +    }
> +
> +    set_cr4_smep(F(AC_CPU_CR4_SMEP));
> +    invlpg(at->virt);
>  }
>  
>  static void ac_test_setup_pte(ac_test_t *at, ac_pool_t *pool)
> @@ -644,17 +654,6 @@ static int ac_test_do_access(ac_test_t *at)
>      *((unsigned char *)at->phys) = 0xc3; /* ret */
>  
>      unsigned r = unique;
> -    set_cr0_wp(F(AC_CPU_CR0_WP));
> -    set_efer_nx(F(AC_CPU_EFER_NX));
> -    set_cr4_pke(F(AC_CPU_CR4_PKE));
> -    if (F(AC_CPU_CR4_PKE)) {
> -        /* WD2=AD2=1, WD1=F(AC_PKU_WD), AD1=F(AC_PKU_AD) */
> -        write_pkru(0x30 | (F(AC_PKU_WD) ? 8 : 0) |
> -                   (F(AC_PKU_AD) ? 4 : 0));
> -    }
> -
> -    set_cr4_smep(F(AC_CPU_CR4_SMEP));
> -
>      if (F(AC_ACCESS_TWICE)) {
>  	asm volatile (
>  	    "mov $fixed2, %%rsi \n\t"
> -- 
> 2.30.1