From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Paolo Bonzini , Nick Peterson , Sasha Levin , kvm@vger.kernel.org Subject: [PATCH AUTOSEL 5.4 263/330] KVM: x86: handle wrap around 32-bit address space Date: Thu, 17 Sep 2020 22:00:03 -0400 Message-Id: <20200918020110.2063155-263-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200918020110.2063155-1-sashal@kernel.org> References: <20200918020110.2063155-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Paolo Bonzini [ Upstream commit fede8076aab4c2280c673492f8f7a2e87712e8b4 ] KVM is not handling the case where EIP wraps around the 32-bit address space (that is, outside long mode). This is needed both in vmx.c and in emulate.c. SVM with NRIPS is okay, but it can still print an error to dmesg due to integer overflow. Reported-by: Nick Peterson Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin --- arch/x86/kvm/emulate.c | 2 ++ arch/x86/kvm/svm.c | 3 --- arch/x86/kvm/vmx/vmx.c | 15 ++++++++++++--- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 128d3ad46e965..cc7823e7ef96c 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -5836,6 +5836,8 @@ writeback: } ctxt->eip = ctxt->_eip; + if (ctxt->mode != X86EMUL_MODE_PROT64) + ctxt->eip = (u32)ctxt->_eip; done: if (rc == X86EMUL_PROPAGATE_FAULT) { diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c index 3243a80ea32c0..802b5f9ab7446 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c 
@@ -787,9 +787,6 @@ static int skip_emulated_instruction(struct kvm_vcpu *vcpu) if (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP)) return 0; } else { - if (svm->next_rip - kvm_rip_read(vcpu) > MAX_INST_SIZE) - pr_err("%s: ip 0x%lx next 0x%llx\n", - __func__, kvm_rip_read(vcpu), svm->next_rip); kvm_rip_write(vcpu, svm->next_rip); } svm_set_interrupt_shadow(vcpu, 0); diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index a071eab3bab74..14b973990d5a8 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -1541,7 +1541,7 @@ static int vmx_rtit_ctl_check(struct kvm_vcpu *vcpu, u64 data) static int skip_emulated_instruction(struct kvm_vcpu *vcpu) { - unsigned long rip; + unsigned long rip, orig_rip; /* * Using VMCS.VM_EXIT_INSTRUCTION_LEN on EPT misconfig depends on @@ -1553,8 +1553,17 @@ static int skip_emulated_instruction(struct kvm_vcpu *vcpu) */ if (!static_cpu_has(X86_FEATURE_HYPERVISOR) || to_vmx(vcpu)->exit_reason != EXIT_REASON_EPT_MISCONFIG) { - rip = kvm_rip_read(vcpu); - rip += vmcs_read32(VM_EXIT_INSTRUCTION_LEN); + orig_rip = kvm_rip_read(vcpu); + rip = orig_rip + vmcs_read32(VM_EXIT_INSTRUCTION_LEN); +#ifdef CONFIG_X86_64 + /* + * We need to mask out the high 32 bits of RIP if not in 64-bit + * mode, but just finding out that we are in 64-bit mode is + * quite expensive. Only do it if there was a carry. + */ + if (unlikely(((rip ^ orig_rip) >> 31) == 3) && !is_64_bit_mode(vcpu)) + rip = (u32)rip; +#endif kvm_rip_write(vcpu, rip); } else { if (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP)) -- 2.25.1
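Review bot: in the emulate.c hunk the kept `ctxt->eip = ctxt->_eip;` is immediately overwritten for every mode other than `X86EMUL_MODE_PROT64`, which reads as a dead store; a single `ctxt->eip = (ctxt->mode == X86EMUL_MODE_PROT64) ? ctxt->_eip : (u32)ctxt->_eip;` with a comment that EIP is 32 bits wide outside long mode would make the intent (matching the hardware wrap at writeback) explicit. The cast is applied uniformly to real, VM86 and 16-bit protected mode as well, so a comment stating that only the 32-bit wrap is reproduced here, and no 16-bit IP wrap is attempted, would save the next reader from wondering whether that case was considered.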
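Review bot: the svm.c hunk drops the `svm->next_rip - kvm_rip_read(vcpu) > MAX_INST_SIZE` sanity check entirely instead of fixing the overflow that made it fire; if the check is still wanted, the delta could be truncated to 32 bits when the vCPU is not in 64-bit mode before comparing against `MAX_INST_SIZE`. Removing it is defensible on its own: `pr_err` is not rate limited and the condition depends on guest-controlled RIP, so a guest executing near the 4 GiB boundary could flood the host dmesg, and the commit message ("it can still print an error to dmesg due to integer overflow") already records why. A one-line comment at the removal site, or a `pr_err_ratelimited` if the check is ever reinstated, would close the loop.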
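Review bot: in the second vmx.c hunk the condition `((rip ^ orig_rip) >> 31) == 3` is correct but terse: it requires that bits 31 and 32 both flipped and that nothing above them changed, which for an `orig_rip` confined to 32 bits is exactly a carry out of bit 31 when adding an instruction length of at most 15. Spelling that out in the comment (or writing the test as a check on bits 31 and 32 of the XOR) would help, as would noting that without a carry the `(u32)` mask is a no-op, which is both why `is_64_bit_mode(vcpu)` can be skipped on the fast path and why this is equivalent to the unconditional truncation in the emulate.c hunk. The masking is only compiled under `#ifdef CONFIG_X86_64`; a short comment that on 32-bit hosts `unsigned long rip` is already 32 bits and wraps naturally would document why the `#else` branch needs nothing.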
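The wrap arithmetic described in the commit message and the carry test used in the vmx.c hunk, as an added stand-alone example that is not KVM code: `rip_t`, the `is_64bit` flag standing in for KVM's `is_64_bit_mode(vcpu)`, and the input value are all constructed here for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the unsigned long RIP KVM uses on x86_64 hosts. */
typedef uint64_t rip_t;

/* Naive advance as before the patch: never truncated, so a 32-bit guest whose
 * EIP should wrap to 0 is left with RIP = 0x1_0000_0000. */
static rip_t advance_rip_naive(rip_t orig_rip, uint32_t insn_len)
{
	return orig_rip + insn_len;
}

/* True when bits 31 and 32 both flipped and nothing above them changed. With
 * orig_rip confined to 32 bits that is exactly a carry out of bit 31 after
 * adding an instruction length of at most 15 bytes. */
static bool rip_carried_out_of_32_bits(rip_t orig_rip, rip_t rip)
{
	return ((rip ^ orig_rip) >> 31) == 3;
}

/* Carry-gated advance mirroring the patched vmx.c logic. is_64bit stands in
 * for KVM's is_64_bit_mode(vcpu) and is consulted only when a carry occurred. */
static rip_t advance_rip_wrapsafe(rip_t orig_rip, uint32_t insn_len, bool is_64bit)
{
	rip_t rip = orig_rip + insn_len;

	if (rip_carried_out_of_32_bits(orig_rip, rip) && !is_64bit)
		rip = (uint32_t)rip;	/* EIP is 32 bits wide outside long mode */
	return rip;
}

/* Unconditional truncation at writeback, as the emulate.c hunk does. */
static rip_t writeback_eip(rip_t eip, bool is_64bit)
{
	return is_64bit ? eip : (uint32_t)eip;
}

int main(void)
{
	rip_t top = 0xfffffff0ULL;	/* constructed: 16 bytes below the 4 GiB line */
	printf("naive 0x%llx, 32-bit 0x%llx, 64-bit 0x%llx, writeback 0x%llx\n",
	       (unsigned long long)advance_rip_naive(top, 16),
	       (unsigned long long)advance_rip_wrapsafe(top, 16, false),
	       (unsigned long long)advance_rip_wrapsafe(top, 16, true),
	       (unsigned long long)writeback_eip(top + 16, false));
	return 0;
}
```

The third `rip_carried_out_of_32_bits` case below shows why the `== 3` test is safe: a carry from a value that already has bit 32 set changes more than bits 31 and 32, so it is not mistaken for a 32-bit wrap.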