    KVM: x86: disallow pre-fault for SNP VMs before initialization · 5932ca41
    Paolo Bonzini authored
    KVM_PRE_FAULT_MEMORY for an SNP guest can race with
    sev_gmem_post_populate() in bad ways. The following sequence for
    instance can potentially trigger an RMP fault:
    
      thread A, sev_gmem_post_populate: called
      thread B, sev_gmem_prepare: places below 'pfn' in a private state in RMP
      thread A, sev_gmem_post_populate: *vaddr = kmap_local_pfn(pfn + i);
      thread A, sev_gmem_post_populate: copy_from_user(vaddr, src + i * PAGE_SIZE, PAGE_SIZE);
      RMP #PF
    
    Fix this by only allowing KVM_PRE_FAULT_MEMORY to run after a guest's
    initial private memory contents have been finalized via
    KVM_SEV_SNP_LAUNCH_FINISH.
    
    Beyond fixing this issue, it just sort of makes sense to enforce this,
    since the KVM_PRE_FAULT_MEMORY documentation states:
    
      "KVM maps memory as if the vCPU generated a stage-2 read page fault"
    
    which sort of implies we should be acting on the same guest state that a
    vCPU would see post-launch after the initial guest memory is all set up.

    Co-developed-by: Michael Roth <michael.roth@amd.com>
    Signed-off-by: Michael Roth <michael.roth@amd.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
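The ordering hazard the commit describes, reduced to a toy C model added here for illustration; it is not kernel code and not part of this commit. Every `toy_` name, the `pre_fault_allowed` flag, and the `-EOPNOTSUPP` return for a refused pre-fault are this example's own assumptions (the page does not show the diff). The RMP is a per-page array, the host write to a private page is reported as `-EFAULT` in place of the real RMP #PF, and the "race" is run sequentially in the order the commit message lists.

```c
/* Toy model of the KVM_PRE_FAULT_MEMORY vs. gmem post-populate ordering
 * problem. Not kernel code: all names, the flag and the errno values are
 * assumptions made for this example. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TOY_PAGE_SIZE 64
#define TOY_NPAGES    4

enum rmp_state { RMP_SHARED, RMP_PRIVATE };

struct toy_vm {
	enum rmp_state rmp[TOY_NPAGES];              /* one RMP entry per guest pfn */
	char gmem[TOY_NPAGES][TOY_PAGE_SIZE];        /* guest-private memory backing */
	bool pre_fault_allowed;                      /* assumed flag, set at LAUNCH_FINISH */
};

static void toy_vm_init(struct toy_vm *vm)
{
	memset(vm, 0, sizeof(*vm));                  /* all pages start shared */
	vm->pre_fault_allowed = false;               /* SNP VM: image not finalized yet */
}

/* Stand-in for sev_gmem_prepare(): the page becomes private in the RMP. */
static int toy_gmem_prepare(struct toy_vm *vm, int pfn)
{
	if (pfn < 0 || pfn >= TOY_NPAGES)
		return -EINVAL;
	vm->rmp[pfn] = RMP_PRIVATE;
	return 0;
}

/* Stand-in for sev_gmem_post_populate(): the host copies the initial image
 * into a page that must still be shared, then the page is made private.
 * A host write to an already-private page is an RMP fault; modelled here
 * as -EFAULT instead of a #PF. */
static int toy_gmem_post_populate(struct toy_vm *vm, int pfn,
				  const char *src, size_t len)
{
	if (pfn < 0 || pfn >= TOY_NPAGES || len > TOY_PAGE_SIZE)
		return -EINVAL;
	if (vm->rmp[pfn] == RMP_PRIVATE)
		return -EFAULT;                      /* simulated RMP #PF */
	memcpy(vm->gmem[pfn], src, len);             /* the copy_from_user() step */
	vm->rmp[pfn] = RMP_PRIVATE;                  /* launch update: now private */
	return 0;
}

/* Pre-fault before the fix: no gate, goes straight to prepare. */
static int toy_pre_fault_unfixed(struct toy_vm *vm, int pfn)
{
	return toy_gmem_prepare(vm, pfn);
}

/* Pre-fault with the gate the commit describes: refused until the initial
 * private contents have been finalized. */
static int toy_pre_fault_fixed(struct toy_vm *vm, int pfn)
{
	if (!vm->pre_fault_allowed)
		return -EOPNOTSUPP;                  /* assumed errno */
	return toy_gmem_prepare(vm, pfn);
}

/* Stand-in for KVM_SEV_SNP_LAUNCH_FINISH. */
static void toy_launch_finish(struct toy_vm *vm)
{
	vm->pre_fault_allowed = true;
}

/* Sequence from the commit message, unfixed: thread B's prepare lands
 * before thread A's copy. Returns post_populate's result (-EFAULT). */
int toy_race_unfixed(void)
{
	struct toy_vm vm;
	const char image[] = "constructed initial guest image";

	toy_vm_init(&vm);
	(void)toy_pre_fault_unfixed(&vm, 1);         /* thread B: pfn 1 goes private */
	return toy_gmem_post_populate(&vm, 1, image, sizeof image); /* thread A */
}

/* Same sequence with the gate. Returns the early pre-fault's result and
 * reports the populate result and a post-finish pre-fault through the
 * out-parameters; *populate_rc is -EIO if the copied image is corrupted. */
int toy_race_fixed(int *populate_rc, int *late_prefault_rc)
{
	struct toy_vm vm;
	const char image[] = "constructed initial guest image";
	int early;

	toy_vm_init(&vm);
	early = toy_pre_fault_fixed(&vm, 1);         /* refused: -EOPNOTSUPP */
	*populate_rc = toy_gmem_post_populate(&vm, 1, image, sizeof image);
	if (*populate_rc == 0 && memcmp(vm.gmem[1], image, sizeof image) != 0)
		*populate_rc = -EIO;
	toy_launch_finish(&vm);
	*late_prefault_rc = toy_pre_fault_fixed(&vm, 1); /* allowed now: 0 */
	return early;
}

int main(void)
{
	int populate_rc, late_rc, early_rc;

	printf("unfixed: post_populate -> %d\n", toy_race_unfixed());
	early_rc = toy_race_fixed(&populate_rc, &late_rc);
	printf("fixed: early pre-fault %d, populate %d, pre-fault after finish %d\n",
	       early_rc, populate_rc, late_rc);
	return 0;
}
```

The model deliberately keeps the prepare and post-populate steps as separate calls so the order in the commit message can be reproduced deterministically; a real reproduction would need two threads and SNP hardware, which this toy does not attempt.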