Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp3679263pxv; Mon, 26 Jul 2021 09:14:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwSGUQsljP2b7QT0XBPg7a72r9/APbtEDLc9xiJOzJSOzoRzPeovSsJr+jXVG2fb1O3qgIv X-Received: by 2002:a05:6402:502:: with SMTP id m2mr22878680edv.57.1627316078379; Mon, 26 Jul 2021 09:14:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627316078; cv=none; d=google.com; s=arc-20160816; b=hwMJl+V52z1dR9SjivEOsNHMfsrZaYFI7UK+C4t3pyuuiBES67OqJ8sLVAlTNAGacu QjH7aPHlI67MnDaiFsdvbqqEjZAAmh2/r1XmcpgaKFglTylQ02Asj+Mex29FrQ+IUJCd Iqi/FLdlqDq1MvhPkKdtpdgmDIslq7Bo8WeoFSJczrvU0jAopmkkoBBP3R2138rhpHO4 msLtyoDJl+dhOGx2DbUict5xDUKsMZF0g3ZRW1CjE8Yu4Lqvxkxa/YE1Om5Mc4L9qxWr y56XxwqhZrTBh7O3KV1p6FmhDqOG0AJJI1JEyPvtzak4h3b2acvnlvfjC1C9rKVGKQiY OLig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=OD/GYZQiX2aR4PEXZltupcaw8atFxLWgf801tfwH5kY=; b=cSHmU6OqQr9sfIAeuAUSGF1ZXT94jgzOUrCE9nKIHVp/y32JycPzba42g6f1mDzHWH bqltdJ5IyvYVS5xvpLhjVB9ByL9/G2FjlJixw6WGUB0UqfE9I2BaiOakOdLGaz5Htt1C l+AGqBPwK8Wb2VITRaZfI59C19ViKpUVmgGaNXgaRvzyhZ/vPEJ2p/d0aApmjANowhTg NAa8HweaCZU9ETaSHNcNpeLBNKH9u57K7DSeiaL2RHEU/+6r71wkuMjrXIJnDX5CxA3b Qzx8fzlR4L0XgkJcLmngxwG6PGUcyeuwC1v02yYvHCHx6LihsEwepiVJZj7tf9cG3h2/ sgkA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=NmZXRUmU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o13si276277ejy.231.2021.07.26.09.14.12; Mon, 26 Jul 2021 09:14:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=NmZXRUmU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232842AbhGZPba (ORCPT + 99 others); Mon, 26 Jul 2021 11:31:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:58086 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236884AbhGZPRr (ORCPT ); Mon, 26 Jul 2021 11:17:47 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 178DF60F57; Mon, 26 Jul 2021 15:58:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1627315095; bh=r2/TrHRwbUkzfY+OedYR+SYDR417kD429k5/wptAKoE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=NmZXRUmUT45rCEb286mYRrszlxoWIqPubWDynXzd0Q4zZJ3z/DGIrTgA/WxtjI4wM fl/jsorYuXg17ChYhlhRRnNVQZUigmWiSyRgTbXp0ql4ILfZIa9zo+D2L5l9zP7XAS KjvLnumv/c9lMmVJUFZdNf3dfYcpqrV/OZuCrqmk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alexey Kardashevskiy , Michael Neuling , Nicholas Piggin , Michael Ellerman Subject: [PATCH 5.4 078/108] KVM: PPC: Book3S HV Nested: Sanitise H_ENTER_NESTED TM state Date: Mon, 26 Jul 2021 17:39:19 +0200 Message-Id: <20210726153834.179563394@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210726153831.696295003@linuxfoundation.org> References: <20210726153831.696295003@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nicholas Piggin commit d9c57d3ed52a92536f5fa59dc5ccdd58b4875076 upstream. The H_ENTER_NESTED hypercall is handled by the L0, and it is a request by the L1 to switch the context of the vCPU over to that of its L2 guest, and return with an interrupt indication. The L1 is responsible for switching some registers to guest context, and the L0 switches others (including all the hypervisor privileged state). If the L2 MSR has TM active, then the L1 is responsible for recheckpointing the L2 TM state. Then the L1 exits to L0 via the H_ENTER_NESTED hcall, and the L0 saves the TM state as part of the exit, and then it recheckpoints the TM state as part of the nested entry and finally HRFIDs into the L2 with TM active MSR. Not efficient, but about the simplest approach for something that's horrendously complicated. Problems arise if the L1 exits to the L0 with a TM state which does not match the L2 TM state being requested. For example if the L1 is transactional but the L2 MSR is non-transactional, or vice versa. The L0's HRFID can take a TM Bad Thing interrupt and crash. Fix this by disallowing H_ENTER_NESTED in TM[T] state entirely, and then ensuring that if the L1 is suspended then the L2 must have TM active, and if the L1 is not suspended then the L2 must not have TM active. Fixes: 360cae313702 ("KVM: PPC: Book3S HV: Nested guest entry via hypercall") Cc: stable@vger.kernel.org # v4.20+ Reported-by: Alexey Kardashevskiy Acked-by: Michael Neuling Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman --- arch/powerpc/kvm/book3s_hv_nested.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) --- a/arch/powerpc/kvm/book3s_hv_nested.c +++ b/arch/powerpc/kvm/book3s_hv_nested.c @@ -232,6 +232,9 @@ long kvmhv_enter_nested_guest(struct kvm if (vcpu->kvm->arch.l1_ptcr == 0) return H_NOT_AVAILABLE; + if (MSR_TM_TRANSACTIONAL(vcpu->arch.shregs.msr)) + return H_BAD_MODE; + /* copy parameters in */ hv_ptr = kvmppc_get_gpr(vcpu, 4); err = kvm_vcpu_read_guest(vcpu, hv_ptr, &l2_hv, @@ -253,6 +256,23 @@ long kvmhv_enter_nested_guest(struct kvm if (l2_hv.vcpu_token >= NR_CPUS) return H_PARAMETER; + /* + * L1 must have set up a suspended state to enter the L2 in a + * transactional state, and only in that case. These have to be + * filtered out here to prevent causing a TM Bad Thing in the + * host HRFID. We could synthesize a TM Bad Thing back to the L1 + * here but there doesn't seem like much point. + */ + if (MSR_TM_SUSPENDED(vcpu->arch.shregs.msr)) { + if (!MSR_TM_ACTIVE(l2_regs.msr)) + return H_BAD_MODE; + } else { + if (l2_regs.msr & MSR_TS_MASK) + return H_BAD_MODE; + if (WARN_ON_ONCE(vcpu->arch.shregs.msr & MSR_TS_MASK)) + return H_BAD_MODE; + } + /* translate lpid */ l2 = kvmhv_get_nested(vcpu->kvm, l2_hv.lpid, true); if (!l2)