From ed0c76cdeba7f3dbce5b26b11791b83b12172b77 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 13 Jul 2020 18:17:10 +0200 Subject: [PATCH] 4.19-stable patches added patches: kvm-arm64-fix-definition-of-page_hyp_device.patch kvm-arm64-stop-clobbering-x0-for-hvc_soft_restart.patch kvm-x86-bit-8-of-non-leaf-pdpes-is-not-reserved.patch kvm-x86-inject-gp-if-guest-attempts-to-toggle-cr4.la57-in-64-bit-mode.patch kvm-x86-mark-cr4.tsd-as-being-possibly-owned-by-the-guest.patch --- ...64-fix-definition-of-page_hyp_device.patch | 41 ++++++++++++++ ...p-clobbering-x0-for-hvc_soft_restart.patch | 53 +++++++++++++++++++ ...-8-of-non-leaf-pdpes-is-not-reserved.patch | 37 +++++++++++++ ...ts-to-toggle-cr4.la57-in-64-bit-mode.patch | 44 +++++++++++++++ ...as-being-possibly-owned-by-the-guest.patch | 53 +++++++++++++++++++ queue-4.19/series | 5 ++ 6 files changed, 233 insertions(+) create mode 100644 queue-4.19/kvm-arm64-fix-definition-of-page_hyp_device.patch create mode 100644 queue-4.19/kvm-arm64-stop-clobbering-x0-for-hvc_soft_restart.patch create mode 100644 queue-4.19/kvm-x86-bit-8-of-non-leaf-pdpes-is-not-reserved.patch create mode 100644 queue-4.19/kvm-x86-inject-gp-if-guest-attempts-to-toggle-cr4.la57-in-64-bit-mode.patch create mode 100644 queue-4.19/kvm-x86-mark-cr4.tsd-as-being-possibly-owned-by-the-guest.patch diff --git a/queue-4.19/kvm-arm64-fix-definition-of-page_hyp_device.patch b/queue-4.19/kvm-arm64-fix-definition-of-page_hyp_device.patch new file mode 100644 index 00000000000..2f7d9587724 --- /dev/null +++ b/queue-4.19/kvm-arm64-fix-definition-of-page_hyp_device.patch @@ -0,0 +1,41 @@ +From 68cf617309b5f6f3a651165f49f20af1494753ae Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Wed, 8 Jul 2020 17:25:46 +0100 +Subject: KVM: arm64: Fix definition of PAGE_HYP_DEVICE + +From: Will Deacon + +commit 68cf617309b5f6f3a651165f49f20af1494753ae upstream. + +PAGE_HYP_DEVICE is intended to encode attribute bits for an EL2 stage-1 +pte mapping a device. Unfortunately, it includes PROT_DEVICE_nGnRE which +encodes attributes for EL1 stage-1 mappings such as UXN and nG, which are +RES0 for EL2, and DBM which is meaningless as TCR_EL2.HD is not set. + +Fix the definition of PAGE_HYP_DEVICE so that it doesn't set RES0 bits +at EL2. + +Acked-by: Marc Zyngier +Cc: Marc Zyngier +Cc: Catalin Marinas +Cc: James Morse +Cc: +Link: https://lore.kernel.org/r/20200708162546.26176-1-will@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/pgtable-prot.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/pgtable-prot.h ++++ b/arch/arm64/include/asm/pgtable-prot.h +@@ -65,7 +65,7 @@ + #define PAGE_HYP __pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_HYP_XN) + #define PAGE_HYP_EXEC __pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY) + #define PAGE_HYP_RO __pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY | PTE_HYP_XN) +-#define PAGE_HYP_DEVICE __pgprot(PROT_DEVICE_nGnRE | PTE_HYP) ++#define PAGE_HYP_DEVICE __pgprot(_PROT_DEFAULT | PTE_ATTRINDX(MT_DEVICE_nGnRE) | PTE_HYP | PTE_HYP_XN) + + #define PAGE_S2_MEMATTR(attr) \ + ({ \ diff --git a/queue-4.19/kvm-arm64-stop-clobbering-x0-for-hvc_soft_restart.patch b/queue-4.19/kvm-arm64-stop-clobbering-x0-for-hvc_soft_restart.patch new file mode 100644 index 00000000000..82399f84668 --- /dev/null +++ b/queue-4.19/kvm-arm64-stop-clobbering-x0-for-hvc_soft_restart.patch @@ -0,0 +1,53 @@ +From b9e10d4a6c9f5cbe6369ce2c17ebc67d2e5a4be5 Mon Sep 17 00:00:00 2001 +From: Andrew Scull +Date: Mon, 6 Jul 2020 10:52:59 +0100 +Subject: KVM: arm64: Stop clobbering x0 for HVC_SOFT_RESTART + +From: Andrew Scull + +commit b9e10d4a6c9f5cbe6369ce2c17ebc67d2e5a4be5 upstream. + +HVC_SOFT_RESTART is given values for x0-2 that it should installed +before exiting to the new address so should not set x0 to stub HVC +success or failure code. + +Fixes: af42f20480bf1 ("arm64: hyp-stub: Zero x0 on successful stub handling") +Cc: stable@vger.kernel.org +Signed-off-by: Andrew Scull +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20200706095259.1338221-1-ascull@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kvm/hyp-init.S | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/arch/arm64/kvm/hyp-init.S ++++ b/arch/arm64/kvm/hyp-init.S +@@ -144,11 +144,15 @@ ENTRY(__kvm_handle_stub_hvc) + + 1: cmp x0, #HVC_RESET_VECTORS + b.ne 1f +-reset: ++ + /* +- * Reset kvm back to the hyp stub. Do not clobber x0-x4 in +- * case we coming via HVC_SOFT_RESTART. ++ * Set the HVC_RESET_VECTORS return code before entering the common ++ * path so that we do not clobber x0-x2 in case we are coming via ++ * HVC_SOFT_RESTART. + */ ++ mov x0, xzr ++reset: ++ /* Reset kvm back to the hyp stub. */ + mrs x5, sctlr_el2 + ldr x6, =SCTLR_ELx_FLAGS + bic x5, x5, x6 // Clear SCTL_M and etc +@@ -159,7 +163,6 @@ reset: + /* Install stub vectors */ + adr_l x5, __hyp_stub_vectors + msr vbar_el2, x5 +- mov x0, xzr + eret + + 1: /* Bad stub call */ diff --git a/queue-4.19/kvm-x86-bit-8-of-non-leaf-pdpes-is-not-reserved.patch b/queue-4.19/kvm-x86-bit-8-of-non-leaf-pdpes-is-not-reserved.patch new file mode 100644 index 00000000000..3f4cc4d5dda --- /dev/null +++ b/queue-4.19/kvm-x86-bit-8-of-non-leaf-pdpes-is-not-reserved.patch @@ -0,0 +1,37 @@ +From 5ecad245de2ae23dc4e2dbece92f8ccfbaed2fa7 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 30 Jun 2020 07:07:20 -0400 +Subject: KVM: x86: bit 8 of non-leaf PDPEs is not reserved + +From: Paolo Bonzini + +commit 5ecad245de2ae23dc4e2dbece92f8ccfbaed2fa7 upstream. + +Bit 8 would be the "global" bit, which does not quite make sense for non-leaf +page table entries. Intel ignores it; AMD ignores it in PDEs and PDPEs, but +reserves it in PML4Es. + +Probably, earlier versions of the AMD manual documented it as reserved in PDPEs +as well, and that behavior made it into KVM as well as kvm-unit-tests; fix it. + +Cc: stable@vger.kernel.org +Reported-by: Nadav Amit +Fixes: a0c0feb57992 ("KVM: x86: reserve bit 8 of non-leaf PDPEs and PML4Es in 64-bit mode on AMD", 2014-09-03) +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -4474,7 +4474,7 @@ __reset_rsvds_bits_mask(struct kvm_vcpu + nonleaf_bit8_rsvd | rsvd_bits(7, 7) | + rsvd_bits(maxphyaddr, 51); + rsvd_check->rsvd_bits_mask[0][2] = exb_bit_rsvd | +- nonleaf_bit8_rsvd | gbpages_bit_rsvd | ++ gbpages_bit_rsvd | + rsvd_bits(maxphyaddr, 51); + rsvd_check->rsvd_bits_mask[0][1] = exb_bit_rsvd | + rsvd_bits(maxphyaddr, 51); diff --git a/queue-4.19/kvm-x86-inject-gp-if-guest-attempts-to-toggle-cr4.la57-in-64-bit-mode.patch b/queue-4.19/kvm-x86-inject-gp-if-guest-attempts-to-toggle-cr4.la57-in-64-bit-mode.patch new file mode 100644 index 00000000000..9545b5d1bf8 --- /dev/null +++ b/queue-4.19/kvm-x86-inject-gp-if-guest-attempts-to-toggle-cr4.la57-in-64-bit-mode.patch @@ -0,0 +1,44 @@ +From d74fcfc1f0ff4b6c26ecef1f9e48d8089ab4eaac Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 2 Jul 2020 19:17:14 -0700 +Subject: KVM: x86: Inject #GP if guest attempts to toggle CR4.LA57 in 64-bit mode + +From: Sean Christopherson + +commit d74fcfc1f0ff4b6c26ecef1f9e48d8089ab4eaac upstream. + +Inject a #GP on MOV CR4 if CR4.LA57 is toggled in 64-bit mode, which is +illegal per Intel's SDM: + + CR4.LA57 + 57-bit linear addresses (bit 12 of CR4) ... blah blah blah ... + This bit cannot be modified in IA-32e mode. + +Note, the pseudocode for MOV CR doesn't call out the fault condition, +which is likely why the check was missed during initial development. +This is arguably an SDM bug and will hopefully be fixed in future +release of the SDM. + +Fixes: fd8cb433734ee ("KVM: MMU: Expose the LA57 feature to VM.") +Cc: stable@vger.kernel.org +Reported-by: Sebastien Boeuf +Signed-off-by: Sean Christopherson +Message-Id: <20200703021714.5549-1-sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -865,6 +865,8 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, u + if (is_long_mode(vcpu)) { + if (!(cr4 & X86_CR4_PAE)) + return 1; ++ if ((cr4 ^ old_cr4) & X86_CR4_LA57) ++ return 1; + } else if (is_paging(vcpu) && (cr4 & X86_CR4_PAE) + && ((cr4 ^ old_cr4) & pdptr_bits) + && !load_pdptrs(vcpu, vcpu->arch.walk_mmu, diff --git a/queue-4.19/kvm-x86-mark-cr4.tsd-as-being-possibly-owned-by-the-guest.patch b/queue-4.19/kvm-x86-mark-cr4.tsd-as-being-possibly-owned-by-the-guest.patch new file mode 100644 index 00000000000..7cbe1e6c494 --- /dev/null +++ b/queue-4.19/kvm-x86-mark-cr4.tsd-as-being-possibly-owned-by-the-guest.patch @@ -0,0 +1,53 @@ +From 7c83d096aed055a7763a03384f92115363448b71 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 2 Jul 2020 21:04:21 -0700 +Subject: KVM: x86: Mark CR4.TSD as being possibly owned by the guest + +From: Sean Christopherson + +commit 7c83d096aed055a7763a03384f92115363448b71 upstream. + +Mark CR4.TSD as being possibly owned by the guest as that is indeed the +case on VMX. Without TSD being tagged as possibly owned by the guest, a +targeted read of CR4 to get TSD could observe a stale value. This bug +is benign in the current code base as the sole consumer of TSD is the +emulator (for RDTSC) and the emulator always "reads" the entirety of CR4 +when grabbing bits. + +Add a build-time assertion in to ensure VMX doesn't hand over more CR4 +bits without also updating x86. + +Fixes: 52ce3c21aec3 ("x86,kvm,vmx: Don't trap writes to CR4.TSD") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20200703040422.31536-2-sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/kvm_cache_regs.h | 2 +- + arch/x86/kvm/vmx.c | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/kvm_cache_regs.h ++++ b/arch/x86/kvm/kvm_cache_regs.h +@@ -5,7 +5,7 @@ + #define KVM_POSSIBLE_CR0_GUEST_BITS X86_CR0_TS + #define KVM_POSSIBLE_CR4_GUEST_BITS \ + (X86_CR4_PVI | X86_CR4_DE | X86_CR4_PCE | X86_CR4_OSFXSR \ +- | X86_CR4_OSXMMEXCPT | X86_CR4_LA57 | X86_CR4_PGE) ++ | X86_CR4_OSXMMEXCPT | X86_CR4_LA57 | X86_CR4_PGE | X86_CR4_TSD) + + static inline unsigned long kvm_register_read(struct kvm_vcpu *vcpu, + enum kvm_reg reg) +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6335,6 +6335,8 @@ static void vmx_set_constant_host_state( + + static void set_cr4_guest_host_mask(struct vcpu_vmx *vmx) + { ++ BUILD_BUG_ON(KVM_CR4_GUEST_OWNED_BITS & ~KVM_POSSIBLE_CR4_GUEST_BITS); ++ + vmx->vcpu.arch.cr4_guest_owned_bits = KVM_CR4_GUEST_OWNED_BITS; + if (enable_ept) + vmx->vcpu.arch.cr4_guest_owned_bits |= X86_CR4_PGE; diff --git a/queue-4.19/series b/queue-4.19/series index 1faa9efa229..34f8e09b8a2 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -39,3 +39,8 @@ mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch alsa-opl3-fix-infoleak-in-opl3.patch alsa-hda-let-hs_mic-be-picked-ahead-of-hp_mic.patch alsa-usb-audio-add-quirk-for-macrosilicon-ms2109.patch +kvm-arm64-fix-definition-of-page_hyp_device.patch +kvm-arm64-stop-clobbering-x0-for-hvc_soft_restart.patch +kvm-x86-bit-8-of-non-leaf-pdpes-is-not-reserved.patch +kvm-x86-inject-gp-if-guest-attempts-to-toggle-cr4.la57-in-64-bit-mode.patch +kvm-x86-mark-cr4.tsd-as-being-possibly-owned-by-the-guest.patch -- 2.47.3