From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lei Wang, Sean Christopherson, Paolo Bonzini
Subject: [PATCH 5.10 014/545] KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case
Date: Fri, 19 Aug 2022 17:36:24 +0200
Message-Id: <20220819153829.799467310@linuxfoundation.org>
In-Reply-To: <20220819153829.135562864@linuxfoundation.org>
References: <20220819153829.135562864@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Sean Christopherson

commit fa578398a0ba2c079fa1170da21fa5baae0cedb2 upstream.

If a nested run isn't pending, snapshot vmcs01.GUEST_BNDCFGS irrespective of whether or not VM_ENTRY_LOAD_BNDCFGS is set in vmcs12. When restoring nested state, e.g. after migration, without a nested run pending, prepare_vmcs02() will propagate nested.vmcs01_guest_bndcfgs to vmcs02, i.e. will load garbage/zeros into vmcs02.GUEST_BNDCFGS.

If userspace restores nested state before MSRs, then loading garbage is a non-issue as loading BNDCFGS will also update vmcs02. But if userspace restores MSRs first, then KVM is responsible for propagating L2's value, which is actually thrown into vmcs01, into vmcs02.

Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state, is all kinds of bizarre and ideally would not be supported. Sadly, some VMMs do exactly that and rely on KVM to make things work.

Note, there's still a lurking SMM bug, as propagating vmcs01.GUEST_BNDCFGS to vmcs02 across RSM may corrupt L2's BNDCFGS. But KVM's entire VMX+SMM emulation is flawed as SMI+RSM should not touch _any_ VMCS when using the "default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.

Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
Fixes: 62cf9bd8118c ("KVM: nVMX: Fix emulation of VM_ENTRY_LOAD_BNDCFGS")
Cc: stable@vger.kernel.org
Cc: Lei Wang
Signed-off-by: Sean Christopherson
Message-Id: <20220614215831.3762138-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/vmx/nested.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3340,7 +3340,8 @@ enum nvmx_vmentry_status nested_vmx_ente if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL); if (kvm_mpx_supported() && - !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)) + (!vmx->nested.nested_run_pending || + !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS); /*
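Review bot: the `vmcs01_debugctl` snapshot in the context lines just above the change has exactly the same shape as the old BNDCFGS condition (`if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))`) but is left untouched; if prepare_vmcs02() propagates nested.vmcs01_debugctl into vmcs02 on the same restore-nested-state-without-a-pending-run path the commit message describes, it would carry the same stale-value problem, so either confirm it is covered by another patch in the series or give it the matching `(!vmx->nested.nested_run_pending || ...)` treatment. Separately, the new condition has no comment: a one-line note that the snapshot must be unconditional when no nested run is pending because prepare_vmcs02() will consume it during state restore would keep the reason next to the code rather than only in the commit message, and would stop a future reader from "simplifying" the `||` back to the old form.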