From: Greg Kroah-Hartman
Date: Sun, 16 Oct 2022 16:24:18 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.4.219~86
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d1fd6a83ce714a235dc589a15cba692f7996055;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch
kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch
---
diff --git a/queue-4.14/kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch b/queue-4.14/kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch
new file mode 100644
index 00000000000..8325c553c91
--- /dev/null
+++ b/queue-4.14/kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch
@@ -0,0 +1,72 @@
+From d953540430c5af57f5de97ea9e36253908204027 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Tue, 30 Aug 2022 23:15:48 +0000
+Subject: KVM: nVMX: Unconditionally purge queued/injected events on nested "exit"
+
+From: Sean Christopherson
+
+commit d953540430c5af57f5de97ea9e36253908204027 upstream.
+
+Drop pending exceptions and events queued for re-injection when leaving
+nested guest mode, even if the "exit" is due to VM-Fail, SMI, or forced
+by host userspace. Failure to purge events could result in an event
+belonging to L2 being injected into L1.
+
+This _should_ never happen for VM-Fail as all events should be blocked by
+nested_run_pending, but it's possible if KVM, not the L1 hypervisor, is
+the source of VM-Fail when running vmcs02.
+
+SMI is a nop (barring unknown bugs) as recognition of SMI and thus entry
+to SMM is blocked by pending exceptions and re-injected events.
+
+Forced exit is definitely buggy, but has likely gone unnoticed because
+userspace probably follows the forced exit with KVM_SET_VCPU_EVENTS (or
+some other ioctl() that purges the queue).
+
+Fixes: 4f350c6dbcb9 ("kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure properly")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Reviewed-by: Jim Mattson
+Reviewed-by: Maxim Levitsky
+Link: https://lore.kernel.org/r/20220830231614.3580124-2-seanjc@google.com
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/vmx.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -11917,14 +11917,6 @@ static void prepare_vmcs12(struct kvm_vc
+ */
+ vmcs12_save_pending_event(vcpu, vmcs12);
+ }
+-
+- /*
+- * Drop what we picked up for L2 via vmx_complete_interrupts. It is
+- * preserved above and would only end up incorrectly in L1.
+- */
+- vcpu->arch.nmi_injected = false;
+- kvm_clear_exception_queue(vcpu);
+- kvm_clear_interrupt_queue(vcpu);
+ }
+
+ /*
+@@ -12236,6 +12228,17 @@ static void nested_vmx_vmexit(struct kvm
+ nested_vmx_abort(vcpu, VMX_ABORT_SAVE_GUEST_MSR_FAIL);
+ }
+
++ /*
++ * Drop events/exceptions that were queued for re-injection to L2
++ * (picked up via vmx_complete_interrupts()), as well as exceptions
++ * that were pending for L2. Note, this must NOT be hoisted above
++ * prepare_vmcs12(), events/exceptions queued for re-injection need to
++ * be captured in vmcs12 (see vmcs12_save_pending_event()).
++ */
++ vcpu->arch.nmi_injected = false;
++ kvm_clear_exception_queue(vcpu);
++ kvm_clear_interrupt_queue(vcpu);
++
+ vmx_switch_vmcs(vcpu, &vmx->vmcs01);
+ vm_entry_controls_reset_shadow(vmx);
+ vm_exit_controls_reset_shadow(vmx);
diff --git a/queue-4.14/kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch b/queue-4.14/kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch
new file mode 100644
index 00000000000..66430a5fba6
--- /dev/null
+++ b/queue-4.14/kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch
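Review bot: The comment added ahead of `vmx_switch_vmcs()` only says the purge must not be hoisted above prepare_vmcs12(), yet at this position prepare_vmcs12() is not always reached: the `}` just before the insertion appears to close the `if (likely(!vmx->fail))` block, so on VM-Fail the queue is now dropped without vmcs12 having captured it. That is the behaviour the commit message argues for (on VM-Fail events should already be blocked by nested_run_pending), but the comment reads as though prepare_vmcs12() always precedes the purge, and a later maintainer could "fix" that. Suggest appending two lines to the comment, ` * On VM-Fail and on any other path that skips prepare_vmcs12() the queued` / ` * events are intentionally dropped rather than saved to vmcs12.`. nested_vmx_vmexit() begins and ends outside the hunk, so whether any other path leaves the function before this point cannot be confirmed from here.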
@@ -0,0 +1,34 @@
+From 6aa5c47c351b22c21205c87977c84809cd015fcf Mon Sep 17 00:00:00 2001
+From: Michal Luczaj
+Date: Mon, 22 Aug 2022 00:06:47 +0200
+Subject: KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility
+
+From: Michal Luczaj
+
+commit 6aa5c47c351b22c21205c87977c84809cd015fcf upstream.
+
+The emulator checks the wrong variable while setting the CPU
+interruptibility state, the target segment is embedded in the instruction
+opcode, not the ModR/M register. Fix the condition.
+
+Signed-off-by: Michal Luczaj
+Fixes: a5457e7bcf9a ("KVM: emulate: POP SS triggers a MOV SS shadow too")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20220821215900.1419215-1-mhal@rbox.co
+Signed-off-by: Sean Christopherson
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/emulate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1988,7 +1988,7 @@ static int em_pop_sreg(struct x86_emulat
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- if (ctxt->modrm_reg == VCPU_SREG_SS)
++ if (seg == VCPU_SREG_SS)
+ ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
+ if (ctxt->op_bytes > 2)
+ rsp_increment(ctxt, ctxt->op_bytes - 2);
diff --git a/queue-4.14/series b/queue-4.14/series
index 25de02067bf..ca302c2f3ad 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -74,3 +74,5 @@ ftrace-properly-unset-ftrace_hash_fl_mod.patch
 ring-buffer-allow-splice-to-read-previous-partially-read-pages.patch
 ring-buffer-check-pending-waiters-when-doing-wake-ups-as-well.patch
 ring-buffer-fix-race-between-reset-page-and-reading-page.patch
+kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch
+kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch
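Review bot: The corrected condition `if (seg == VCPU_SREG_SS)` still carries no comment explaining why a POP into SS writes `ctxt->interruptibility`, so the special case sits unexplained next to the op_bytes adjustment and the original mix-up with the ModR/M field is easy to repeat. Suggest a comment above it: `/* POP SS, like MOV SS, inhibits interrupts and traps until the next instruction completes, so a following stack-pointer load is not split by an injected event. */`. `seg` is presumably taken from the decoded operand near the top of em_pop_sreg(); that assignment, and the rest of the function, lie outside the hunk, so the hunk alone does not show that it is the opcode-embedded segment the commit message refers to.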