Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1978550ybh; Tue, 14 Jul 2020 12:09:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxI+4BxeLeQaKXKiY8UTfBjcXLuPATb7K8/trEi1RJMrWgnfxFkDoKa98f5mBsaScMfzuEo X-Received: by 2002:aa7:ce84:: with SMTP id y4mr6098406edv.113.1594753745084; Tue, 14 Jul 2020 12:09:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594753745; cv=none; d=google.com; s=arc-20160816; b=ej5WdDuwNIskghJk3bD1FrMVmSog21983V/n1fWRO9Dqw4YfBGs+61TeJCaRA8NPLc xzUOyLTwGVomo1CbLGQgXckQstZyPiIYbl/26Hk/15zQXsXMCnsKPzYYch/8oi1OOutd aQk/+eCxeMNIl7gchoGh+pNHcz959l5I37E1JStj1xbtRREgp+s8AqlRCYc6fjwgCVRN uhl7auk8XmsrPkmqmPxxgiVXKIPOvbT1wPUUGPKYGlUMqcPK/APe1qTfYGE2Ui/u4j1Z Aop4qEfq8auVG35mNijvi8/kvViA1hymieh4f2/6H/1/yha9zfv1TSr3rc1XEwsxUPtr DRGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=dhxQwRdbRsX/KRPuIKLiYlruBHRBAMJ8Q6FzlpWfmwY=; b=ZsdUrTOEGXGSNh3bMnKUwy7Mvr2MX1HiMLl5/eso9qW2wueSvr/B29v5gOaiQS6L3L XzYUlB21GhhRgeEo5LqsofAuSJXa7sowjLzO7ZEVt8xUwZ6C3WAQjxzN74pO/CXuN4Ux zF/WaMiGEw6GbCYsrd31qx6989BKwpuqxeskWi/F0kW6RklwXwchgHZcUPoyLXRKWdbQ Ma6cfjU+pXYEVCynBwN6hhJ9AjCbAOWDrFDfNlDBKGbkUlbhbSdgngC1Qvu2sDZbNw4B 5vKqS4bCSmp9O5xYVKTrE7Vrn53kijmIQ8L88GvOiadfsnUKnnxuq7AY5u0Vsf8/N2vc bJBg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=KMLvdWAx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g16si11184218ejf.492.2020.07.14.12.08.41; Tue, 14 Jul 2020 12:09:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=KMLvdWAx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731241AbgGNTGf (ORCPT + 99 others); Tue, 14 Jul 2020 15:06:35 -0400 Received: from mail.kernel.org ([198.145.29.99]:50316 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730609AbgGNSxT (ORCPT ); Tue, 14 Jul 2020 14:53:19 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id EFF9A22C7B; Tue, 14 Jul 2020 18:53:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1594752798; bh=1f1XWa2bRWx73QVevXDY5pPvGfCNRVovTwrQSxmj5kA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KMLvdWAxy2rjeuKo6GrZzLWbmBPl1QmNh6sHO9ZXiAHSHn0bmVYkRC6oDhzXTk3TC MtiFlhl9eGEl05ZmgtFm4OhuqUQQ5C0bq627jaIL2q6oRIBqbh34VDIwzEqyioDWdi A+wQTjYMDqD1xgyQxGJFr1JjHqOWd3EzpaEowVz8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sebastien Boeuf , Sean Christopherson , Paolo Bonzini Subject: [PATCH 5.4 084/109] KVM: x86: Inject #GP if guest attempts to toggle CR4.LA57 in 64-bit mode Date: Tue, 14 Jul 2020 20:44:27 +0200 Message-Id: <20200714184109.569988645@linuxfoundation.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200714184105.507384017@linuxfoundation.org> References: <20200714184105.507384017@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sean Christopherson commit d74fcfc1f0ff4b6c26ecef1f9e48d8089ab4eaac upstream. Inject a #GP on MOV CR4 if CR4.LA57 is toggled in 64-bit mode, which is illegal per Intel's SDM: CR4.LA57 57-bit linear addresses (bit 12 of CR4) ... blah blah blah ... This bit cannot be modified in IA-32e mode. Note, the pseudocode for MOV CR doesn't call out the fault condition, which is likely why the check was missed during initial development. This is arguably an SDM bug and will hopefully be fixed in future release of the SDM. Fixes: fd8cb433734ee ("KVM: MMU: Expose the LA57 feature to VM.") Cc: stable@vger.kernel.org Reported-by: Sebastien Boeuf Signed-off-by: Sean Christopherson Message-Id: <20200703021714.5549-1-sean.j.christopherson@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/x86.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -980,6 +980,8 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, u if (is_long_mode(vcpu)) { if (!(cr4 & X86_CR4_PAE)) return 1; + if ((cr4 ^ old_cr4) & X86_CR4_LA57) + return 1; } else if (is_paging(vcpu) && (cr4 & X86_CR4_PAE) && ((cr4 ^ old_cr4) & pdptr_bits) && !load_pdptrs(vcpu, vcpu->arch.walk_mmu,