Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp1860764rwb;
        Fri, 19 Aug 2022 10:35:34 -0700 (PDT)
X-Google-Smtp-Source: AA6agR7V/1TB+4P1mI3bFei8mp3/3u9b+qm4G5Wqkf/4BtjVP2enJ25alniSZRI+EVRrW80tSPHV
X-Received: by 2002:a17:902:8ec7:b0:172:ac9c:4757 with SMTP id x7-20020a1709028ec700b00172ac9c4757mr8235061plo.163.1660930534063;
        Fri, 19 Aug 2022 10:35:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1660930534; cv=none;
        d=google.com; s=arc-20160816;
        b=w5A1zdBeN5vjlL4tsm5bQbOsFP2/tLjE8tkGtuXtNwuGIp/wunD6A6qE2Y/CIPsFAL
         lZAkEBifeeriVzOqzxxlCwviD2r/Y2N6uyzzSyhfs/Tjfwoj9YyIs74ZcMAOK7GwFGQ2
         bwkbau1OxVQPvFCxvsfSRzMuMfAdPm9OAqQVLwn0SIgtzgHkvoRQwtbzqVwnVGM4W4p5
         Brq4uowhQAgHPVbXwBpeupYCb+Img2zJXWF0YaN7qf11LPTo1ky414oQFDbRTSvnQmyX
         QYLViZPhRqMBfFVKqK3T0wXyBVp9eoHnvkpnk4H21WdTfducFbte6iSxBNlpKNzAFUWX
         Pr3w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=hTSyaijXw7n0wxudX/OA496/BVD+jdmaZrRfm39kekw=;
        b=gsPYBCtc6jeVTg+QUa0lSsWo2lqEW6ptIZjkTdgwr/Y7jNVNrg0Yk5/S7sYcOrIKkJ
         2rI39hreEpG/fyoKP0xhF8ppQ6B/7rmjkLrh3GeY3hyRW70oYMtglL9hmjBDQojbT35w
         YWNhCpCIgrisGhbUQ2JTmRsrO4E5U6c4b5UQ09zoSM5zJYa950/utKXYuTLxT3gjUCPU
         uYhm2lWd3j37CuW5LGw1lyaB/mkVvv9XXsMJtlrG2zbDZly+/q5uGGPlUJFSDFioF229
         cdO3FsL1/wKSYrRgn2h2Pn5hl36iJDA7KTtewegjjkJEEUjmg+Ytvuecr8tznuqSSx5d
         jq3Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=y11DthlY;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id i8-20020a17090332c800b00172aa1ed560si4720666plr.138.2022.08.19.10.35.23;
        Fri, 19 Aug 2022 10:35:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=y11DthlY;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1350129AbiHSPqj (ORCPT <rfc822;andreqb@gmail.com> + 99 others);
        Fri, 19 Aug 2022 11:46:39 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50792 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1349995AbiHSPqU (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Aug 2022 11:46:20 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1EBE6E23;
        Fri, 19 Aug 2022 08:46:18 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id CA813B8280C;
        Fri, 19 Aug 2022 15:46:16 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0A35FC433D6;
        Fri, 19 Aug 2022 15:46:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1660923975;
        bh=lJLzc8d9+86WEwNqDxbB97ZQFE0ncetGI6joDF2J7iY=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=y11DthlYS3wD+QpKHZVZQwmXNzYYpyZYpcfNVssAulmYgrHGQnJ3KWkKDWHaX91z+
         Q9Oh20vrtAsAZ2U6AFLyAUkaUbrrAjE9Nkc9k2mw4l2wKUuXT2zovkaX7+PNDfolSd
         xUpALvSooJVHij28HnjmFewdQPGd58XizBh5sBwI=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Lei Wang <lei4.wang@intel.com>,
        Sean Christopherson <seanjc@google.com>,
        Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 5.10 014/545] KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case
Date:   Fri, 19 Aug 2022 17:36:24 +0200
Message-Id: <20220819153829.799467310@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220819153829.135562864@linuxfoundation.org>
References: <20220819153829.135562864@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Christopherson <seanjc@google.com>

commit fa578398a0ba2c079fa1170da21fa5baae0cedb2 upstream.

If a nested run isn't pending, snapshot vmcs01.GUEST_BNDCFGS irrespective
of whether or not VM_ENTRY_LOAD_BNDCFGS is set in vmcs12.  When restoring
nested state, e.g. after migration, without a nested run pending,
prepare_vmcs02() will propagate nested.vmcs01_guest_bndcfgs to vmcs02,
i.e. will load garbage/zeros into vmcs02.GUEST_BNDCFGS.

If userspace restores nested state before MSRs, then loading garbage is a
non-issue as loading BNDCFGS will also update vmcs02.  But if usersepace
restores MSRs first, then KVM is responsible for propagating L2's value,
which is actually thrown into vmcs01, into vmcs02.

Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state
is all kinds of bizarre and ideally would not be supported.  Sadly, some
VMMs do exactly that and rely on KVM to make things work.

Note, there's still a lurking SMM bug, as propagating vmcs01.GUEST_BNDFGS
to vmcs02 across RSM may corrupt L2's BNDCFGS.  But KVM's entire VMX+SMM
emulation is flawed as SMI+RSM should not toouch _any_ VMCS when use the
"default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.

Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
Fixes: 62cf9bd8118c ("KVM: nVMX: Fix emulation of VM_ENTRY_LOAD_BNDCFGS")
Cc: stable@vger.kernel.org
Cc: Lei Wang <lei4.wang@intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220614215831.3762138-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/vmx/nested.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3340,7 +3340,8 @@ enum nvmx_vmentry_status nested_vmx_ente
 	if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
 		vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
 	if (kvm_mpx_supported() &&
-		!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))
+	    (!vmx->nested.nested_run_pending ||
+	     !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)))
 		vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS);
 
 	/*