Subject: [PATCH v4 09/10] kvm, x86: fix spectre-v1 mitigation
From: Dan Williams
To: linux-kernel@vger.kernel.org
Cc: linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, Andrew Honig, stable@vger.kernel.org, gregkh@linuxfoundation.org, Paolo Bonzini, tglx@linutronix.de, alan@linux.intel.com, torvalds@linux-foundation.org, akpm@linux-foundation.org, Jim Mattson
Date: Thu, 18 Jan 2018 16:02:31 -0800

Commit 75f139aaf896 "KVM: x86: Add memory barrier on vmcs field lookup"
added a raw 'asm("lfence");' to prevent a bounds check bypass of
'vmcs_field_to_offset_table'. This does not work for some AMD cpus, see
the 'ifence' helper, and it otherwise does not use the common
'array_ptr' helper designed for these types of fixes. Convert this to
use 'array_ptr'.

Cc: Andrew Honig
Cc: Jim Mattson
Cc: Paolo Bonzini
Cc:
Signed-off-by: Dan Williams
---
 arch/x86/kvm/vmx.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index c829d89e2e63..20b9b0b5e336 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -34,6 +34,7 @@ #include #include #include +#include #include "kvm_cache_regs.h" #include "x86.h" 
@@ -898,21 +899,15 @@ static const unsigned short vmcs_field_to_offset_table[] = { static inline short vmcs_field_to_offset(unsigned long field) { - BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX); - - if (field >= ARRAY_SIZE(vmcs_field_to_offset_table)) - return -ENOENT; + const unsigned short *offset; - /* - * FIXME: Mitigation for CVE-2017-5753. To be replaced with a - * generic mechanism. - */ - asm("lfence"); + BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX); - if (vmcs_field_to_offset_table[field] == 0) + offset = array_ptr(vmcs_field_to_offset_table, field, + ARRAY_SIZE(vmcs_field_to_offset_table)); + if (!offset || *offset == 0) return -ENOENT; - - return vmcs_field_to_offset_table[field]; + return *offset; } static inline struct vmcs12 *get_vmcs12(struct kvm_vcpu *vcpu)
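Review bot: in vmcs_field_to_offset(), the hunk removes the "FIXME: Mitigation for CVE-2017-5753" comment together with the lfence, so nothing at the array_ptr() call now records that this lookup is a bounds-check-bypass hardening rather than an ordinary range check. Please add a short comment above 'offset = array_ptr(vmcs_field_to_offset_table, field,' stating that the table must be read through the returned pointer, so a later cleanup does not fold it back into 'if (field >= ARRAY_SIZE(...))' followed by 'vmcs_field_to_offset_table[field]'.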