On 22/10/21 04:59, Hou Wenlong wrote:
When KVM_CAP_X86_USER_SPACE_MSR cap is enabled, userspace can control MSR accesses. In normal scenario, RDMSR/WRMSR can be interceped, but when kvm.force_emulation_prefix is enabled, RDMSR/WRMSR with kvm prefix would trigger an UD and cause instruction emulation. If MSR accesses is filtered, em_rdmsr()/em_wrmsr() returns X86EMUL_IO_NEEDED, but it is ignored by x86_emulate_instruction(). Then guest continues execution, but RIP has been updated to point to RDMSR/WRMSR in handle_ud(), so RDMSR/WRMSR can be interceped and guest exits to userspace finnaly by mistake. Such behaviour leads to two vm exits and wastes one instruction emulation. After let x86_emulate_instruction() returns 0 for RDMSR/WRMSR emulation, if it needs to exit to userspace, its complete_userspace_io callback would call kvm_skip_instruction() to skip instruction. But for vmx, VMX_EXIT_INSTRUCTION_LEN in vmcs is invalid for UD, it can't be used to update RIP, kvm_emulate_instruction() should be used instead. As for svm, nRIP in vmcb is 0 for UD, so kvm_emulate_instruction() is used. But for nested svm, I'm not sure, since svm_check_intercept() would change nRIP.
Hi, can you provide a testcase for this bug using the tools/testing/selftests/kvm framework?
Thanks, Paolo
