From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Christopherson, Paolo Bonzini
Subject: [PATCH 5.19 0024/1157] KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case
Date: Mon, 15 Aug 2022 19:49:40 +0200
Message-Id: <20220815180440.389253034@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220815180439.416659447@linuxfoundation.org>
References: <20220815180439.416659447@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Sean Christopherson

commit 764643a6be07445308e492a528197044c801b3ba upstream.

If a nested run isn't pending, snapshot vmcs01.GUEST_IA32_DEBUGCTL irrespective of whether or not VM_ENTRY_LOAD_DEBUG_CONTROLS is set in vmcs12. When restoring nested state, e.g. after migration, without a nested run pending, prepare_vmcs02() will propagate nested.vmcs01_debugctl to vmcs02, i.e. will load garbage/zeros into vmcs02.GUEST_IA32_DEBUGCTL.

If userspace restores nested state before MSRs, then loading garbage is a non-issue as loading DEBUGCTL will also update vmcs02. But if userspace restores MSRs first, then KVM is responsible for propagating L2's value, which is actually thrown into vmcs01, into vmcs02.

Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state, is all kinds of bizarre and ideally would not be supported. Sadly, some VMMs do exactly that and rely on KVM to make things work.

Note, there's still a lurking SMM bug, as propagating vmcs01's DEBUGCTL to vmcs02 across RSM may corrupt L2's DEBUGCTL. But KVM's entire VMX+SMM emulation is flawed as SMI+RSM should not touch _any_ VMCS when using the "default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.

Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
Fixes: 8fcc4b5923af ("kvm: nVMX: Introduce KVM_CAP_NESTED_STATE")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson
Message-Id: <20220614215831.3762138-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/vmx/nested.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3373,7 +3373,8 @@ enum nvmx_vmentry_status nested_vmx_ente if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu)) evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu); - if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) + if (!vmx->nested.nested_run_pending || + !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL); if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending ||
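Review bot: the new `!vmx->nested.nested_run_pending ||` arm carries the entire rationale of the fix (forcing the vmcs01 DEBUGCTL snapshot on the nested-state-restore path so prepare_vmcs02() cannot propagate a stale or zero nested.vmcs01_debugctl into vmcs02), yet the code gives no hint of why a non-pending run should bypass the VM_ENTRY_LOAD_DEBUG_CONTROLS check; a one-line comment above the `if` would keep that reasoning next to the code rather than only in the commit message. On the plus side the condition now matches the BNDCFGS snapshot immediately below (`kvm_mpx_supported() && (!vmx->nested.nested_run_pending ||`), so the two pre-VM-Enter snapshots are taken under the same rule. As the commit message itself notes, this does not address the RSM case, so the SMM path still needs a separate look.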