From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, qemu-stable@nongnu.org,
Haozhong Zhang <haozhong.zhang@intel.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 4.9 12/39] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
Date: Mon, 16 Oct 2017 18:16:08 +0200 [thread overview]
Message-ID: <20171016161430.986020836@linuxfoundation.org> (raw)
In-Reply-To: <20171016161429.968555175@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haozhong Zhang <haozhong.zhang@intel.com>
commit 8eb3f87d903168bdbd1222776a6b1e281f50513e upstream.
When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the
guest CR4. Before this CR4 loading, the guest CR4 refers to L2
CR4. Because these two CR4's are in different levels of guest, we
should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which
is used to handle guest writes to its CR4, checks the guest change to
CR4 and may fail if the change is invalid.
The failure may cause trouble. Consider we start
a L1 guest with non-zero L1 PCID in use,
(i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0)
and
a L2 guest with L2 PCID disabled,
(i.e. L2 CR4.PCIDE == 0)
and following events may happen:
1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4
into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because
of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e.
vcpu->arch.cr4) is left to the value of L2 CR4.
2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit,
kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID,
because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1
CR3.PCID != 0, L0 KVM will inject GP to L1 guest.
Fixes: 4704d0befb072 ("KVM: nVMX: Exiting from L2 to L1")
Cc: qemu-stable@nongnu.org
Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -10690,7 +10690,7 @@ static void load_vmcs12_host_state(struc
* (KVM doesn't change it)- no reason to call set_cr4_guest_host_mask();
*/
vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK);
- kvm_set_cr4(vcpu, vmcs12->host_cr4);
+ vmx_set_cr4(vcpu, vmcs12->host_cr4);
nested_ept_uninit_mmu_context(vcpu);
next prev parent reply other threads:[~2017-10-16 16:16 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-16 16:15 [PATCH 4.9 00/39] 4.9.57-stable review Greg Kroah-Hartman
2017-10-16 16:15 ` [PATCH 4.9 01/39] ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets Greg Kroah-Hartman
2017-10-16 16:15 ` [PATCH 4.9 02/39] CIFS: Reconnect expired SMB sessions Greg Kroah-Hartman
2017-10-16 16:15 ` [PATCH 4.9 03/39] nl80211: Define policy for packet pattern attributes Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 04/39] rcu: Allow for page faults in NMI handlers Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 05/39] USB: dummy-hcd: Fix deadlock caused by disconnect detection Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 06/39] MIPS: math-emu: Remove pr_err() calls from fpu_emu() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 07/39] dmaengine: edma: Align the memcpy acnt array size with the transfer Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 08/39] dmaengine: ti-dma-crossbar: Fix possible race condition with dma_inuse Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 09/39] HID: usbhid: fix out-of-bounds bug Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 11/39] KVM: MMU: always terminate page walks at level 1 Greg Kroah-Hartman
2017-10-16 16:16 ` Greg Kroah-Hartman [this message]
2017-10-16 16:16 ` [PATCH 4.9 13/39] usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 15/39] iommu/amd: Finish TLB flush in amd_iommu_unmap() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 16/39] device property: Track owner device of device property Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 17/39] fs/mpage.c: fix mpage_writepage() for pages with buffers Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 18/39] ALSA: usb-audio: Kill stray URB at exiting Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 19/39] ALSA: seq: Fix use-after-free at creating a port Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 20/39] ALSA: seq: Fix copy_from_user() call inside lock Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 21/39] ALSA: caiaq: Fix stray URB at probe error path Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 22/39] ALSA: line6: Fix missing initialization before " Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 23/39] ALSA: line6: Fix leftover URB at error-path during probe Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 24/39] drm/i915/edp: Get the Panel Power Off timestamp after panel is off Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 27/39] usb: gadget: configfs: Fix memory leak of interface directory data Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 28/39] usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 29/39] direct-io: Prevent NULL pointer access in submit_page_section Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 30/39] fix unbalanced page refcounting in bio_map_user_iov Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 31/39] more bio_map_user_iov() leak fixes Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 32/39] bio_copy_user_iov(): dont ignore ->iov_offset Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 33/39] USB: serial: ftdi_sio: add id for Cypress WICED dev board Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 34/39] USB: serial: cp210x: add support for ELV TFD500 Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 35/39] USB: serial: option: add support for TP-Link LTE module Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 36/39] USB: serial: qcserial: add Dell DW5818, DW5819 Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 37/39] USB: serial: console: fix use-after-free after failed setup Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 38/39] x86/alternatives: Fix alt_max_short macro to really be a max() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.9 39/39] KVM: nVMX: update last_nonleaf_level when initializing nested EPT Greg Kroah-Hartman
2017-10-17 0:16 ` [PATCH 4.9 00/39] 4.9.57-stable review Shuah Khan
2017-10-17 0:25 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171016161430.986020836@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=haozhong.zhang@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=qemu-stable@nongnu.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).