From: Greg Kroah-Hartman
Date: Fri, 12 Aug 2022 14:31:31 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.15.61~206
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=642d834a91346f739eb009bc3335ec944cc69b84;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-all-fault-checks.patch
---
diff --git a/queue-4.9/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-all-fault-checks.patch b/queue-4.9/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-all-fault-checks.patch
new file mode 100644
index 00000000000..6d02264749f
--- /dev/null
+++ b/queue-4.9/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-all-fault-checks.patch
@@ -0,0 +1,66 @@
+From ec6e4d863258d4bfb36d48d5e3ef68140234d688 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Mon, 11 Jul 2022 23:27:48 +0000
+Subject: KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks
+
+From: Sean Christopherson
+
+commit ec6e4d863258d4bfb36d48d5e3ef68140234d688 upstream.
+
+Wait to mark the TSS as busy during LTR emulation until after all fault
+checks for the LTR have passed. Specifically, don't mark the TSS busy if
+the new TSS base is non-canonical.
+
+Opportunistically drop the one-off !seg_desc.PRESENT check for TR as the
+only reason for the early check was to avoid marking a !PRESENT TSS as
+busy, i.e. the common !PRESENT is now done before setting the busy bit.
+
+Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR")
+Reported-by: syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Cc: Tetsuo Handa
+Cc: Hou Wenlong
+Signed-off-by: Sean Christopherson
+Reviewed-by: Maxim Levitsky
+Link: https://lore.kernel.org/r/20220711232750.1092012-2-seanjc@google.com
+Signed-off-by: Sean Christopherson
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/emulate.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1713,16 +1713,6 @@ static int __load_segment_descriptor(str
+ case VCPU_SREG_TR:
+ if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
+ goto exception;
+- if (!seg_desc.p) {
+- err_vec = NP_VECTOR;
+- goto exception;
+- }
+- old_desc = seg_desc;
+- seg_desc.type |= 2; /* busy */
+- ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
+- sizeof(seg_desc), &ctxt->exception);
+- if (ret != X86EMUL_CONTINUE)
+- return ret;
+ break;
+ case VCPU_SREG_LDTR:
+ if (seg_desc.s || seg_desc.type != 2)
+@@ -1763,6 +1753,15 @@ static int __load_segment_descriptor(str
+ ((u64)base3 << 32)))
+ return emulate_gp(ctxt, 0);
+ }
++
++ if (seg == VCPU_SREG_TR) {
++ old_desc = seg_desc;
++ seg_desc.type |= 2; /* busy */
++ ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
++ sizeof(seg_desc), &ctxt->exception);
++ if (ret != X86EMUL_CONTINUE)
++ return ret;
++ }
+ load:
+ ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
+ if (desc)
diff --git a/queue-4.9/series b/queue-4.9/series
index 60d75614f80..5eb784418ac 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -27,3 +27,4 @@ x86-link-vdso-and-boot-with-z-noexecstack-no-warn-rwx-segments.patch
 alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-probing.patch
 add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch
 kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-with-gif-0.patch
+kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-all-fault-checks.patch
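Review bot: The TR-specific `if (!seg_desc.p)` check dropped in the first nested hunk (`@@ -1713,16 +1713,6 @@`) is only safe to remove if 4.9's `__load_segment_descriptor` still performs the common not-present check between the `switch` and the new `if (seg == VCPU_SREG_TR)` block, as the upstream commit message assumes; that common check is outside both hunks, so it should be confirmed against the 4.9 tree before this backport is queued. If it were missing or placed after the new block, a not-present TSS would still be written back as busy via `cmpxchg_emulated` before `#NP` is raised, the same guest-visible state change the upstream fix removes for the non-canonical base case. A short comment above the new block, `/* Mark the TSS busy only after every fault check above has passed */`, would make that ordering requirement explicit for future backports. `__load_segment_descriptor` starts and ends outside the hunk.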