From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lei Wang, Sean Christopherson, Paolo Bonzini
Subject: [PATCH 5.19 0023/1157] KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case
Date: Mon, 15 Aug 2022 19:49:39 +0200
Message-Id: <20220815180440.357606776@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220815180439.416659447@linuxfoundation.org>
References: <20220815180439.416659447@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
From: Sean Christopherson

commit fa578398a0ba2c079fa1170da21fa5baae0cedb2 upstream.

If a nested run isn't pending, snapshot vmcs01.GUEST_BNDCFGS irrespective of whether or not VM_ENTRY_LOAD_BNDCFGS is set in vmcs12. When restoring nested state, e.g. after migration, without a nested run pending, prepare_vmcs02() will propagate nested.vmcs01_guest_bndcfgs to vmcs02, i.e. will load garbage/zeros into vmcs02.GUEST_BNDCFGS.

If userspace restores nested state before MSRs, then loading garbage is a non-issue as loading BNDCFGS will also update vmcs02. But if userspace restores MSRs first, then KVM is responsible for propagating L2's value, which is actually thrown into vmcs01, into vmcs02.

Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state, is all kinds of bizarre and ideally would not be supported. Sadly, some VMMs do exactly that and rely on KVM to make things work.

Note, there's still a lurking SMM bug, as propagating vmcs01.GUEST_BNDCFGS to vmcs02 across RSM may corrupt L2's BNDCFGS. But KVM's entire VMX+SMM emulation is flawed as SMI+RSM should not touch _any_ VMCS when using the "default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.

Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
Fixes: 62cf9bd8118c ("KVM: nVMX: Fix emulation of VM_ENTRY_LOAD_BNDCFGS")
Cc: stable@vger.kernel.org
Cc: Lei Wang
Signed-off-by: Sean Christopherson
Message-Id: <20220614215831.3762138-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/vmx/nested.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3376,7 +3376,8 @@ enum nvmx_vmentry_status nested_vmx_ente if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL); if (kvm_mpx_supported() && - !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)) + (!vmx->nested.nested_run_pending || + !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS); /*
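Review bot: the widened condition at `if (kvm_mpx_supported() &&` deserves a short comment in the code explaining why `!vmx->nested.nested_run_pending` forces the snapshot: on a nested-state restore, prepare_vmcs02() propagates vmcs01_guest_bndcfgs into vmcs02 regardless of VM_ENTRY_LOAD_BNDCFGS, so a VMM that restores MSRs before nested state needs L2's value captured from vmcs01 here. Without that comment the asymmetry with the vmcs01_debugctl snapshot two lines above, which still checks only `VM_ENTRY_LOAD_DEBUG_CONTROLS`, reads like an oversight; if GUEST_IA32_DEBUGCTL has the same restore-ordering exposure it should get the same `!nested_run_pending ||` treatment, and if it does not, the comment should say why the two differ. The commit message's SMM caveat (vmcs01.GUEST_BNDCFGS propagated across RSM) is also worth a one-line pointer at this site so the next reader does not rediscover it.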
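The restore-ordering problem the commit message describes is easier to see as a small model. The following is an added example, not KVM code and not part of the stable patch: it keeps only a GUEST_BNDCFGS field per VMCS, models prepare_vmcs02() the way the message describes it (only a pending nested run with VM_ENTRY_LOAD_BNDCFGS takes the vmcs12 value; every other path, including nested-state restore, propagates the vmcs01 snapshot), and lets the snapshot condition be toggled between the old and patched forms. The bit value chosen for VM_ENTRY_LOAD_BNDCFGS, the struct layouts, and the helper names `set_msr_bndcfgs`, `enter_non_root_mode` and the three `restore_*`/`normal_nested_run` scenarios are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed bit position; only its presence in vm_entry_controls matters. */
#define VM_ENTRY_LOAD_BNDCFGS (1ULL << 16)

struct vmcs { uint64_t guest_bndcfgs; };

/* Hypothetical vCPU model carrying just the state the commit message talks about. */
struct vcpu {
    bool in_guest_mode;                 /* true once L2 is the active context */
    struct vmcs vmcs01, vmcs02;
    struct { uint64_t vm_entry_controls; uint64_t guest_bndcfgs; } vmcs12;
    struct { bool nested_run_pending; uint64_t vmcs01_guest_bndcfgs; } nested;
};

/* An MSR write lands in whichever VMCS is current; this is how L2's value
 * gets "thrown into vmcs01" when userspace restores MSRs before nested state. */
static void set_msr_bndcfgs(struct vcpu *v, uint64_t val)
{
    (v->in_guest_mode ? &v->vmcs02 : &v->vmcs01)->guest_bndcfgs = val;
}

/* The snapshot from nested_vmx_enter_non_root_mode(): old vs patched condition. */
static void snapshot_vmcs01_bndcfgs(struct vcpu *v, bool patched)
{
    bool l1_loads = (v->vmcs12.vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS) != 0;
    bool take = patched ? (!v->nested.nested_run_pending || !l1_loads) : !l1_loads;
    if (take)
        v->nested.vmcs01_guest_bndcfgs = v->vmcs01.guest_bndcfgs;
}

/* prepare_vmcs02() as the commit message describes it (model, not KVM's code). */
static void prepare_vmcs02(struct vcpu *v)
{
    if (v->nested.nested_run_pending &&
        (v->vmcs12.vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))
        v->vmcs02.guest_bndcfgs = v->vmcs12.guest_bndcfgs;
    else
        v->vmcs02.guest_bndcfgs = v->nested.vmcs01_guest_bndcfgs;
    v->in_guest_mode = true;
}

static void enter_non_root_mode(struct vcpu *v, bool patched)
{
    snapshot_vmcs01_bndcfgs(v, patched);
    prepare_vmcs02(v);
}

/* Migration target that restores MSRs *before* nested state (the problematic
 * order).  Returns what L2 will observe in GUEST_BNDCFGS. */
static uint64_t restore_msrs_then_nested_state(uint64_t l2_bndcfgs, bool patched)
{
    struct vcpu v = {0};
    set_msr_bndcfgs(&v, l2_bndcfgs);            /* lands in vmcs01 */
    v.vmcs12.vm_entry_controls = VM_ENTRY_LOAD_BNDCFGS;
    v.vmcs12.guest_bndcfgs = l2_bndcfgs;
    v.nested.nested_run_pending = false;        /* a restore, not a VM-enter */
    enter_non_root_mode(&v, patched);
    return v.vmcs02.guest_bndcfgs;
}

/* Same target, nested state restored first: the later MSR write goes straight
 * to vmcs02, which is why this order masks the snapshot bug. */
static uint64_t restore_nested_state_then_msrs(uint64_t l2_bndcfgs, bool patched)
{
    struct vcpu v = {0};
    v.vmcs12.vm_entry_controls = VM_ENTRY_LOAD_BNDCFGS;
    v.vmcs12.guest_bndcfgs = l2_bndcfgs;
    v.nested.nested_run_pending = false;
    enter_non_root_mode(&v, patched);
    set_msr_bndcfgs(&v, l2_bndcfgs);            /* lands in vmcs02 */
    return v.vmcs02.guest_bndcfgs;
}

/* Ordinary VMLAUNCH from L1 with VM_ENTRY_LOAD_BNDCFGS set: unaffected by the patch. */
static uint64_t normal_nested_run(uint64_t l1_bndcfgs, uint64_t l2_bndcfgs, bool patched)
{
    struct vcpu v = {0};
    set_msr_bndcfgs(&v, l1_bndcfgs);
    v.vmcs12.vm_entry_controls = VM_ENTRY_LOAD_BNDCFGS;
    v.vmcs12.guest_bndcfgs = l2_bndcfgs;
    v.nested.nested_run_pending = true;
    enter_non_root_mode(&v, patched);
    return v.vmcs02.guest_bndcfgs;
}

int main(void)
{
    const uint64_t l2 = 0x7fff0000000ULL | 1;   /* constructed: bound table base + EN bit */
    printf("MSRs first, old condition:     %#llx\n",
           (unsigned long long)restore_msrs_then_nested_state(l2, false));
    printf("MSRs first, patched condition: %#llx\n",
           (unsigned long long)restore_msrs_then_nested_state(l2, true));
    return 0;
}
```

With the old condition the first scenario yields 0 in vmcs02.GUEST_BNDCFGS (the never-written snapshot), while the patched condition carries L2's value through; the other two scenarios return the same value either way, which is the behaviour the patch must preserve.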