Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp2809874rwb;
        Mon, 15 Aug 2022 11:47:44 -0700 (PDT)
X-Google-Smtp-Source: AA6agR55P5zG3kZB1KP7iV+yddQOhGr8JiS3EepjKto+J+wv29YgKKnmGUXZsoPUUWJ6JDpeiAQK
X-Received: by 2002:a17:907:6da8:b0:730:8ed5:2df8 with SMTP id sb40-20020a1709076da800b007308ed52df8mr11193250ejc.75.1660589264330;
        Mon, 15 Aug 2022 11:47:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1660589264; cv=none;
        d=google.com; s=arc-20160816;
        b=TEvaeTmRgnUwe1aPMsL1zmMgGtvylaEq1XHSDIxwKaBUGF8FZCUUmDbM4QG1yemQG6
         IDCcM74RiWNBjPtfA0tb6VAGrEuzh64iUqkwfCAdl3PIZcEG8l3do5RPECKhRSxXO0nH
         7M8kD/cUcVeFOtuwdrZyaUBOZUVRmdHYD4V3rW9HD+MtAmffs06JA18GN7AcnSFdinno
         KE5yWPQtJC5dphI3yrMjoI1q8+y9DSFDcbP31YZH+QtSVqpsK2Zs+VrMDmVeaEdo/NRU
         HNzRd1ESnaq/d3NIJHdvNjg1pmh5ZE3c16eQRMyTA0Xa5Nfkd1bi5T++HyMlgfeYsBCG
         oYCA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=b5Fq+IsB1l8A1ky3ataKu7AO941inkQLiOKPk6ohV7s=;
        b=A6kbwfcJErrvzWFsZFWja2n1hprHyeDE5IWulnXqpCYQvFsvV0Zw9gGJWcUkMPurBH
         sdAjNEbQRfUds8kzKbCxkJnG/Hkqe0RPfhM4SAHbxtVCYAAeldsp3A4qSPj53z3xqCD4
         B9ZKbKf48csbnAkgU/aS97d7wabfNTRDf3v/a9LObU8neR/gUMgS2fFjvztdn+2DAP7F
         G3Gjh4fjhS53Av2Wxl4egOqCfeosWTiKYsUYhvgMNYWFWeb4Z7s3gOSCviPOhWtpRbTt
         j7RXcHRHDL3Re0TGUNqZl55b42wTA773LlcT3Y2GBMTC1e7KUbPHF8F12GT9edOjfYaD
         f+6w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=duwiUXdg;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id sb35-20020a1709076da300b00730bc26e631si7756873ejc.739.2022.08.15.11.47.18;
        Mon, 15 Aug 2022 11:47:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=duwiUXdg;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239958AbiHOSS1 (ORCPT <rfc822;andrey.bzh.r@gmail.com>
        + 99 others); Mon, 15 Aug 2022 14:18:27 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59284 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233440AbiHOSRz (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 15 Aug 2022 14:17:55 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4EA8963D2;
        Mon, 15 Aug 2022 11:15:22 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id A45B36126D;
        Mon, 15 Aug 2022 18:15:21 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id AC0BCC43470;
        Mon, 15 Aug 2022 18:15:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1660587321;
        bh=C79IPGE5RKdYaI2Cy2l1oWgppbgDJepX/3dxzUK2F18=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=duwiUXdg8yhSgHjWfaE4eX+hyvR9saVBbin0G+J0ghvdA81upKRDlWguS43wwvGwC
         XvFCkpzs9tPIeymwAdWnOtiR0GMo9SkoriCkwL8+YUQdDgHPpde/3CiAqggMd7nOdU
         qwfpy9WwRpe+5ozrCbzYtE7YW2I0QE/E56TE5Fr8=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Lei Wang <lei4.wang@intel.com>,
        Sean Christopherson <seanjc@google.com>,
        Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 5.15 020/779] KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case
Date:   Mon, 15 Aug 2022 19:54:24 +0200
Message-Id: <20220815180338.063381104@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220815180337.130757997@linuxfoundation.org>
References: <20220815180337.130757997@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Christopherson <seanjc@google.com>

commit fa578398a0ba2c079fa1170da21fa5baae0cedb2 upstream.

If a nested run isn't pending, snapshot vmcs01.GUEST_BNDCFGS irrespective
of whether or not VM_ENTRY_LOAD_BNDCFGS is set in vmcs12.  When restoring
nested state, e.g. after migration, without a nested run pending,
prepare_vmcs02() will propagate nested.vmcs01_guest_bndcfgs to vmcs02,
i.e. will load garbage/zeros into vmcs02.GUEST_BNDCFGS.

If userspace restores nested state before MSRs, then loading garbage is a
non-issue as loading BNDCFGS will also update vmcs02.  But if usersepace
restores MSRs first, then KVM is responsible for propagating L2's value,
which is actually thrown into vmcs01, into vmcs02.

Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state
is all kinds of bizarre and ideally would not be supported.  Sadly, some
VMMs do exactly that and rely on KVM to make things work.

Note, there's still a lurking SMM bug, as propagating vmcs01.GUEST_BNDFGS
to vmcs02 across RSM may corrupt L2's BNDCFGS.  But KVM's entire VMX+SMM
emulation is flawed as SMI+RSM should not toouch _any_ VMCS when use the
"default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.

Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
Fixes: 62cf9bd8118c ("KVM: nVMX: Fix emulation of VM_ENTRY_LOAD_BNDCFGS")
Cc: stable@vger.kernel.org
Cc: Lei Wang <lei4.wang@intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220614215831.3762138-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/vmx/nested.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3367,7 +3367,8 @@ enum nvmx_vmentry_status nested_vmx_ente
 	if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
 		vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
 	if (kvm_mpx_supported() &&
-		!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))
+	    (!vmx->nested.nested_run_pending ||
+	     !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)))
 		vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS);
 
 	/*