Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3742013imm; Mon, 18 Jun 2018 03:20:50 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKBbz+MJ20wjN2H90pFd8T6v1Hz84qonLXAwIBmd1J9z+n2cTM9jQ7lBJ6BkhPDbwCrE5Lf X-Received: by 2002:a65:508d:: with SMTP id r13-v6mr10616107pgp.143.1529317250269; Mon, 18 Jun 2018 03:20:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529317250; cv=none; d=google.com; s=arc-20160816; b=LmW45//+SzzRpmgy7QGYm9n/tCF5kJzkKOxJeFOHZ1P7N2jTi9O5W2KD431JTrmVOo zQM1bjXGea+Jqjha9Zn7cz11EcClYW+fssyxTf8ubBQEkMFL6W0d02kuWZWtJqE1fF4u 1oIuV5jn0oOHrnqu45O107zjifkIKMa05ippiqqfdTIts8P9q2EKaXdYjvBngnj6AAmC DKiugYl6hLoyw1zgZNjOg/Yl6YivslVvzb5drA81maunVG+QnaF8g9lCkB3u1rBoiPot GL2UnBtgDyCdh7ERu6C/mqTQaZh49S1idLgdM1ini+ELrNHqLYO/MYp2Sd8WrjSMtW6H 1axA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=PcWAic9AKKDhpBIpYQF03fS5LRFGkHCkUGewuCN7Z7s=; b=u8kEuEUT24UmTP6I8MBC1YDUPax/cHXWYzbJL5Im6io7Z9GLvf/R9DH+WjFtVmFvMD k499w6CjnV1KsRYzkvOKYlhZbdzDpiQF7Ho98mK0Y7Gst/7XHcehTrUrtHZbzsIsz4nq w2OvDx5lyaZ1V8+5rch0mXx6Sh3/4avEIu07N2Ujba4dD1avBmb+2fubMoFLGCmazuCf jzZJsJvbnGHOpyYU7XolROfzk9chMBSJxpMFZvb4i3LoNw3J9fTWgbB8Ec7z8NbYCXFa napRtNQJCfmXOKe6A6HQVKgHu8xLtbuwtQt7LwG9YTlzuprONiqsZywipNkfHtVM2777 WTyg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t14-v6si12025358pgr.275.2018.06.18.03.20.36; Mon, 18 Jun 2018 03:20:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934319AbeFRKSP (ORCPT + 99 others); Mon, 18 Jun 2018 06:18:15 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:52820 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933852AbeFRIPg (ORCPT ); Mon, 18 Jun 2018 04:15:36 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id AF627C77; Mon, 18 Jun 2018 08:15:35 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mihai Carabas , Konrad Rzeszutek Wilk , Jim Mattson , Wanpeng Li , Krish Sadhukhan , Paolo Bonzini , Sasha Levin Subject: [PATCH 4.16 005/279] x86: Add check for APIC access address for vmentry of L2 guests Date: Mon, 18 Jun 2018 10:09:50 +0200 Message-Id: <20180618080609.061522739@linuxfoundation.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180618080608.851973560@linuxfoundation.org> References: <20180618080608.851973560@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.16-stable review patch. If anyone has any objections, please let me know. ------------------ From: Krish Sadhukhan [ Upstream commit f0f4cf5b306620282db0c59ff963012e1973e025 ] According to the sub-section titled 'VM-Execution Control Fields' in the section titled 'Basic VM-Entry Checks' in Intel SDM vol. 3C, the following vmentry check must be enforced: If the 'virtualize APIC-accesses' VM-execution control is 1, the APIC-access address must satisfy the following checks: - Bits 11:0 of the address must be 0. - The address should not set any bits beyond the processor's physical-address width. This patch adds the necessary check to conform to this rule. If the check fails, we cause the L2 VMENTRY to fail which is what the associated unit test (following patch) expects. Reviewed-by: Mihai Carabas Reviewed-by: Konrad Rzeszutek Wilk Reviewed-by: Jim Mattson Reviewed-by: Wanpeng Li Signed-off-by: Krish Sadhukhan Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/vmx.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -10338,6 +10338,16 @@ static inline bool nested_vmx_prepare_ms return true; } +static int nested_vmx_check_apic_access_controls(struct kvm_vcpu *vcpu, + struct vmcs12 *vmcs12) +{ + if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES) && + !page_address_valid(vcpu, vmcs12->apic_access_addr)) + return -EINVAL; + else + return 0; +} + static int nested_vmx_check_apicv_controls(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12) { @@ -11006,6 +11016,9 @@ static int check_vmentry_prereqs(struct if (nested_vmx_check_msr_bitmap_controls(vcpu, vmcs12)) return VMXERR_ENTRY_INVALID_CONTROL_FIELD; + if (nested_vmx_check_apic_access_controls(vcpu, vmcs12)) + return VMXERR_ENTRY_INVALID_CONTROL_FIELD; + if (nested_vmx_check_tpr_shadow_controls(vcpu, vmcs12)) return VMXERR_ENTRY_INVALID_CONTROL_FIELD;