From: Greg Kroah-Hartman
Date: Thu, 11 Aug 2022 15:27:01 +0000 (+0200)
Subject: 5.18-stable patches
X-Git-Tag: v5.15.61~208
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=38caf59871b954e917c4f0c37b09078021808fbc;p=thirdparty%2Fkernel%2Fstable-queue.git
5.18-stable patches
added patches:
kvm-nvmx-snapshot-pre-vm-enter-bndcfgs-for-nested_run_pending-case.patch
kvm-nvmx-snapshot-pre-vm-enter-debugctl-for-nested_run_pending-case.patch
kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-with-gif-0.patch
---
diff --git a/queue-5.18/kvm-nvmx-snapshot-pre-vm-enter-bndcfgs-for-nested_run_pending-case.patch b/queue-5.18/kvm-nvmx-snapshot-pre-vm-enter-bndcfgs-for-nested_run_pending-case.patch
new file mode 100644
index 00000000000..38ae0302d13
--- /dev/null
+++ b/queue-5.18/kvm-nvmx-snapshot-pre-vm-enter-bndcfgs-for-nested_run_pending-case.patch
@@ -0,0 +1,53 @@
+From fa578398a0ba2c079fa1170da21fa5baae0cedb2 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Tue, 14 Jun 2022 21:58:27 +0000
+Subject: KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case
+
+From: Sean Christopherson
+
+commit fa578398a0ba2c079fa1170da21fa5baae0cedb2 upstream.
+
+If a nested run isn't pending, snapshot vmcs01.GUEST_BNDCFGS irrespective
+of whether or not VM_ENTRY_LOAD_BNDCFGS is set in vmcs12. When restoring
+nested state, e.g. after migration, without a nested run pending,
+prepare_vmcs02() will propagate nested.vmcs01_guest_bndcfgs to vmcs02,
+i.e. will load garbage/zeros into vmcs02.GUEST_BNDCFGS.
+
+If userspace restores nested state before MSRs, then loading garbage is a
+non-issue as loading BNDCFGS will also update vmcs02. But if usersepace
+restores MSRs first, then KVM is responsible for propagating L2's value,
+which is actually thrown into vmcs01, into vmcs02.
+
+Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state
+is all kinds of bizarre and ideally would not be supported. Sadly, some
+VMMs do exactly that and rely on KVM to make things work.
+
+Note, there's still a lurking SMM bug, as propagating vmcs01.GUEST_BNDFGS
+to vmcs02 across RSM may corrupt L2's BNDCFGS. But KVM's entire VMX+SMM
+emulation is flawed as SMI+RSM should not toouch _any_ VMCS when use the
+"default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.
+
+Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
+Fixes: 62cf9bd8118c ("KVM: nVMX: Fix emulation of VM_ENTRY_LOAD_BNDCFGS")
+Cc: stable@vger.kernel.org
+Cc: Lei Wang
+Signed-off-by: Sean Christopherson
+Message-Id: <20220614215831.3762138-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/vmx/nested.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -3381,7 +3381,8 @@ enum nvmx_vmentry_status nested_vmx_ente
+ if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
+ vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
+ if (kvm_mpx_supported() &&
+- !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))
++ (!vmx->nested.nested_run_pending ||
++ !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)))
+ vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS);
+
+ /*
diff --git a/queue-5.18/kvm-nvmx-snapshot-pre-vm-enter-debugctl-for-nested_run_pending-case.patch b/queue-5.18/kvm-nvmx-snapshot-pre-vm-enter-debugctl-for-nested_run_pending-case.patch
new file mode 100644
index 00000000000..e21262a617a
--- /dev/null
+++ b/queue-5.18/kvm-nvmx-snapshot-pre-vm-enter-debugctl-for-nested_run_pending-case.patch
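Review bot: The new disjunct `(!vmx->nested.nested_run_pending ||` in the `kvm_mpx_supported()` condition changes when vmcs01.GUEST_BNDCFGS is snapshotted, but the code carries no comment saying why a snapshot is wanted when no nested run is pending, so a reader only sees the VM_ENTRY_LOAD_BNDCFGS check being bypassed. The commit message supplies the reason (on nested-state restore, vmcs01 holds the L2 value userspace restored via MSRs, and prepare_vmcs02() propagates the snapshot into vmcs02), so I would put it in the code, above the `if (kvm_mpx_supported() &&` line: `/* Without a pending nested run (nested state restore), vmcs01 holds L2's BNDCFGS as restored by userspace; snapshot it so prepare_vmcs02() propagates it to vmcs02. */`. The same applies to the identical `!vmx->nested.nested_run_pending ||` disjunct added for VM_ENTRY_LOAD_DEBUG_CONTROLS in the second patch file's `@@ -3378,7 +3378,8 @@` hunk. The enclosing function, whose name the `@@` header truncates to `nested_vmx_ente`, begins and ends outside the hunk.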
@@ -0,0 +1,53 @@
+From 764643a6be07445308e492a528197044c801b3ba Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Tue, 14 Jun 2022 21:58:28 +0000
+Subject: KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case
+
+From: Sean Christopherson
+
+commit 764643a6be07445308e492a528197044c801b3ba upstream.
+
+If a nested run isn't pending, snapshot vmcs01.GUEST_IA32_DEBUGCTL
+irrespective of whether or not VM_ENTRY_LOAD_DEBUG_CONTROLS is set in
+vmcs12. When restoring nested state, e.g. after migration, without a
+nested run pending, prepare_vmcs02() will propagate
+nested.vmcs01_debugctl to vmcs02, i.e. will load garbage/zeros into
+vmcs02.GUEST_IA32_DEBUGCTL.
+
+If userspace restores nested state before MSRs, then loading garbage is a
+non-issue as loading DEBUGCTL will also update vmcs02. But if usersepace
+restores MSRs first, then KVM is responsible for propagating L2's value,
+which is actually thrown into vmcs01, into vmcs02.
+
+Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state
+is all kinds of bizarre and ideally would not be supported. Sadly, some
+VMMs do exactly that and rely on KVM to make things work.
+
+Note, there's still a lurking SMM bug, as propagating vmcs01's DEBUGCTL
+to vmcs02 across RSM may corrupt L2's DEBUGCTL. But KVM's entire VMX+SMM
+emulation is flawed as SMI+RSM should not toouch _any_ VMCS when use the
+"default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.
+
+Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
+Fixes: 8fcc4b5923af ("kvm: nVMX: Introduce KVM_CAP_NESTED_STATE")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20220614215831.3762138-3-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/vmx/nested.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -3378,7 +3378,8 @@ enum nvmx_vmentry_status nested_vmx_ente
+ if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
+ evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
+
+- if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
++ if (!vmx->nested.nested_run_pending ||
++ !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
+ vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
+ if (kvm_mpx_supported() &&
+ (!vmx->nested.nested_run_pending ||
diff --git a/queue-5.18/kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-with-gif-0.patch b/queue-5.18/kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-with-gif-0.patch
new file mode 100644
index 00000000000..da752f6e8ca
--- /dev/null
+++ b/queue-5.18/kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-with-gif-0.patch
@@ -0,0 +1,62 @@
+From f17c31c48e5cde9895a491d91c424eeeada3e134 Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero"
+Date: Mon, 2 May 2022 00:07:26 +0200
+Subject: KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
+
+From: Maciej S. Szmigiero
+
+commit f17c31c48e5cde9895a491d91c424eeeada3e134 upstream.
+
+Don't BUG/WARN on interrupt injection due to GIF being cleared,
+since it's trivial for userspace to force the situation via
+KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct
+for KVM internally generated injections).
+
+ kernel BUG at arch/x86/kvm/svm/svm.c:3386!
+ invalid opcode: 0000 [#1] SMP
+ CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd]
+ Code: <0f> 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53
+ RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006
+ RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0
+ RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000
+ FS: 0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0
+ Call Trace:
+
+ inject_pending_event+0x2f7/0x4c0 [kvm]
+ kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm]
+ kvm_vcpu_ioctl+0x26d/0x650 [kvm]
+ __x64_sys_ioctl+0x82/0xb0
+ do_syscall_64+0x3b/0xc0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+
+Fixes: 219b65dcf6c0 ("KVM: SVM: Improve nested interrupt injection")
+Cc: stable@vger.kernel.org
+Co-developed-by: Sean Christopherson
+Signed-off-by: Sean Christopherson
+Signed-off-by: Maciej S. Szmigiero
+Message-Id: <35426af6e123cbe91ec7ce5132ce72521f02b1b5.1651440202.git.maciej.szmigiero@oracle.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/svm/svm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -3305,8 +3305,6 @@ static void svm_inject_irq(struct kvm_vc
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
+
+- BUG_ON(!(gif_set(svm)));
+-
+ trace_kvm_inj_virq(vcpu->arch.interrupt.nr);
+ ++vcpu->stat.irq_injections;
+
diff --git a/queue-5.18/series b/queue-5.18/series
index d3c233015da..e033813c557 100644
--- a/queue-5.18/series
+++ b/queue-5.18/series
@@ -20,3 +20,6 @@ hid-hid-input-add-surface-go-battery-quirk.patch
 hid-nintendo-add-missing-array-termination.patch
 hid-wacom-only-report-rotation-for-art-pen.patch
 hid-wacom-don-t-register-pad_input-for-touch-switch.patch
+kvm-nvmx-snapshot-pre-vm-enter-bndcfgs-for-nested_run_pending-case.patch
+kvm-nvmx-snapshot-pre-vm-enter-debugctl-for-nested_run_pending-case.patch
+kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-with-gif-0.patch
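Review bot: Dropping `BUG_ON(!(gif_set(svm)));` leaves svm_inject_irq() with no diagnostic at all for the GIF=0 case, even though the commit message itself says a WARN would still be correct for injections KVM generates internally; nothing in the hunk distinguishes a userspace-queued interrupt (KVM_SET_VCPU_EVENTS) from an internal one, so the check cannot simply be downgraded here, but the now-silent acceptance deserves a comment where the BUG_ON stood: `/* No GIF check: userspace can legitimately queue an IRQ with GIF=0 via KVM_SET_VCPU_EVENTS, so this path must not BUG or WARN. */`. Removing a user-reachable BUG_ON is the right fix for the kernel-crash denial of service shown in the oops, which is the security-relevant part of this backport. svm_inject_irq() continues past the end of the hunk; the trailing `queue-5.18/series` hunk is a list append and needs no review.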