KVM: x86: Add lockdep-guarded asserts on register cache usage

sean-jc · sean-jc · commit 1c932fc7620d · 2024-11-01T09:22:22.000-07:00
When lockdep is enabled, assert that KVM accesses the register caches if and only if cache fills are guaranteed to consume fresh data, i.e. when KVM when KVM is in control of the code sequence. Concretely, the caches can only be used from task context (synchronous) or when handling a PMI VM-Exit (asynchronous, but only in specific windows where the caches are in a known, stable state). Generally speaking, there are very few flows where reading register state from an asynchronous context is correct or even necessary. So, rather than trying to figure out a generic solution, simply disallow using the caches outside of task context by default, and deal with any future exceptions on a case-by-case basis _if_ they arise. Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com> Link: https://lore.kernel.org/r/20241009175002.1118178-4-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
diff --git a/arch/x86/kvm/kvm_cache_regs.h b/arch/x86/kvm/kvm_cache_regs.h
@@ -43,6 +43,18 @@ BUILD_KVM_GPR_ACCESSORS(r14, R14)
 BUILD_KVM_GPR_ACCESSORS(r15, R15)
 #endif
 
+/*
+ * Using the register cache from interrupt context is generally not allowed, as
+ * caching a register and marking it available/dirty can't be done atomically,
+ * i.e. accesses from interrupt context may clobber state or read stale data if
+ * the vCPU task is in the process of updating the cache.  The exception is if
+ * KVM is handling a PMI IRQ/NMI VM-Exit, as that bound code sequence doesn't
+ * touch the cache, it runs after the cache is reset (post VM-Exit), and PMIs
+ * need to access several registers that are cacheable.
+ */
+#define kvm_assert_register_caching_allowed(vcpu)		\
+	lockdep_assert_once(in_task() || kvm_arch_pmi_in_guest(vcpu))
+
 /*
  * avail  dirty
  * 0	  0	  register in VMCS/VMCB
@@ -53,24 +65,28 @@ BUILD_KVM_GPR_ACCESSORS(r15, R15)
 static inline bool kvm_register_is_available(struct kvm_vcpu *vcpu,
 					     enum kvm_reg reg)
 {
+	kvm_assert_register_caching_allowed(vcpu);
 	return test_bit(reg, (unsigned long *)&vcpu->arch.regs_avail);
 }
 
 static inline bool kvm_register_is_dirty(struct kvm_vcpu *vcpu,
 					 enum kvm_reg reg)
 {
+	kvm_assert_register_caching_allowed(vcpu);
 	return test_bit(reg, (unsigned long *)&vcpu->arch.regs_dirty);
 }
 
 static inline void kvm_register_mark_available(struct kvm_vcpu *vcpu,
 					       enum kvm_reg reg)
 {
+	kvm_assert_register_caching_allowed(vcpu);
 	__set_bit(reg, (unsigned long *)&vcpu->arch.regs_avail);
 }
 
 static inline void kvm_register_mark_dirty(struct kvm_vcpu *vcpu,
 					   enum kvm_reg reg)
 {
+	kvm_assert_register_caching_allowed(vcpu);
 	__set_bit(reg, (unsigned long *)&vcpu->arch.regs_avail);
 	__set_bit(reg, (unsigned long *)&vcpu->arch.regs_dirty);
 }
@@ -84,6 +100,7 @@ static inline void kvm_register_mark_dirty(struct kvm_vcpu *vcpu,
 static __always_inline bool kvm_register_test_and_mark_available(struct kvm_vcpu *vcpu,
 								 enum kvm_reg reg)
 {
+	kvm_assert_register_caching_allowed(vcpu);
 	return arch___test_and_set_bit(reg, (unsigned long *)&vcpu->arch.regs_avail);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,18 @@ BUILD_KVM_GPR_ACCESSORS(r14, R14)`
`43`	`43`	`BUILD_KVM_GPR_ACCESSORS(r15, R15)`
`44`	`44`	`#endif`
`45`	`45`
	`46`	`+/*`
	`47`	`+ * Using the register cache from interrupt context is generally not allowed, as`
	`48`	`+ * caching a register and marking it available/dirty can't be done atomically,`
	`49`	`+ * i.e. accesses from interrupt context may clobber state or read stale data if`
	`50`	`+ * the vCPU task is in the process of updating the cache. The exception is if`
	`51`	`+ * KVM is handling a PMI IRQ/NMI VM-Exit, as that bound code sequence doesn't`
	`52`	`+ * touch the cache, it runs after the cache is reset (post VM-Exit), and PMIs`
	`53`	`+ * need to access several registers that are cacheable.`
	`54`	`+ */`
	`55`	`+#define kvm_assert_register_caching_allowed(vcpu) \`
	`56`	`+ lockdep_assert_once(in_task() \|\| kvm_arch_pmi_in_guest(vcpu))`
	`57`	`+`
`46`	`58`	`/*`
`47`	`59`	`* avail dirty`
`48`	`60`	`* 0 0 register in VMCS/VMCB`
`@@ -53,24 +65,28 @@ BUILD_KVM_GPR_ACCESSORS(r15, R15)`
`53`	`65`	`static inline bool kvm_register_is_available(struct kvm_vcpu *vcpu,`
`54`	`66`	`enum kvm_reg reg)`
`55`	`67`	`{`
	`68`	`+ kvm_assert_register_caching_allowed(vcpu);`
`56`	`69`	`return test_bit(reg, (unsigned long *)&vcpu->arch.regs_avail);`
`57`	`70`	`}`
`58`	`71`
`59`	`72`	`static inline bool kvm_register_is_dirty(struct kvm_vcpu *vcpu,`
`60`	`73`	`enum kvm_reg reg)`
`61`	`74`	`{`
	`75`	`+ kvm_assert_register_caching_allowed(vcpu);`
`62`	`76`	`return test_bit(reg, (unsigned long *)&vcpu->arch.regs_dirty);`
`63`	`77`	`}`
`64`	`78`
`65`	`79`	`static inline void kvm_register_mark_available(struct kvm_vcpu *vcpu,`
`66`	`80`	`enum kvm_reg reg)`
`67`	`81`	`{`
	`82`	`+ kvm_assert_register_caching_allowed(vcpu);`
`68`	`83`	`__set_bit(reg, (unsigned long *)&vcpu->arch.regs_avail);`
`69`	`84`	`}`
`70`	`85`
`71`	`86`	`static inline void kvm_register_mark_dirty(struct kvm_vcpu *vcpu,`
`72`	`87`	`enum kvm_reg reg)`
`73`	`88`	`{`
	`89`	`+ kvm_assert_register_caching_allowed(vcpu);`
`74`	`90`	`__set_bit(reg, (unsigned long *)&vcpu->arch.regs_avail);`
`75`	`91`	`__set_bit(reg, (unsigned long *)&vcpu->arch.regs_dirty);`
`76`	`92`	`}`
`@@ -84,6 +100,7 @@ static inline void kvm_register_mark_dirty(struct kvm_vcpu *vcpu,`
`84`	`100`	`static __always_inline bool kvm_register_test_and_mark_available(struct kvm_vcpu *vcpu,`
`85`	`101`	`enum kvm_reg reg)`
`86`	`102`	`{`
	`103`	`+ kvm_assert_register_caching_allowed(vcpu);`
`87`	`104`	`return arch___test_and_set_bit(reg, (unsigned long *)&vcpu->arch.regs_avail);`
`88`	`105`	`}`
`89`	`106`