Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp1863648rwb;
        Fri, 19 Aug 2022 10:38:37 -0700 (PDT)
X-Google-Smtp-Source: AA6agR4AIMZqfVDvvoDSqQX2xJRB6TGVY84wbIStBBVO1kmj7G9MouIeJ7LpDWALqc7cmn0V2NJy
X-Received: by 2002:a63:2cc2:0:b0:41c:681d:60d2 with SMTP id s185-20020a632cc2000000b0041c681d60d2mr6889953pgs.502.1660930717137;
        Fri, 19 Aug 2022 10:38:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1660930717; cv=none;
        d=google.com; s=arc-20160816;
        b=nTzjRBPwod6+6Ib3znzhVutlcxYmX+f/wzokjN9lvO6enL1ajPjpiOPediEKGZj6Ry
         kyo1jAZxr7403JLr8Sp4ydLBRB6VBHURp5Ss0mAW+IYcscBj3PYpMduPxPw2en4FQDAB
         DAMHyyLjLuzhoIVFPabMe0bvKO9mPKR/Yx9IGvkUHPyBP8hQlVQM1vN4ri6NPrV1DMDA
         2M4of3CHWE8eMqjulCJezGAUDJTKUMt9SO5dpWT6zjNaT+UTliIHGxudJyV29UKIhKOX
         f2K1uF4RYvdmMixOfh7bYg2Bvc7zefWxuWrn3i8atwLNTs4M81DkTE0TB6/1LdsY17j7
         5O2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=NQOimbOcrNZKHxl0cDM+QTSEsAJEoMhx6bhRBrcI874=;
        b=ZE+I0Xc9finMA7Jfui3S6uEYJe65CVJgTC/jdKQHVvvQoIXk2UOW4f3WcbUAnlKDHS
         9AV926AFjPpZFectABEsGebOatasmqwyJbUbj6zs1lpAJ9owvY2aCOwM0DtBKCwKmE3Q
         spAAmhkls8TGCW+tovDml1JrdfURcuKj4kNPgaKe/PZRSUVAOZqDmgXLfYb1dtC4akm4
         g5QZx/T+5uxCUVHmL5Qx2hjylFhpqEmMU3stppWCoZVzoS+e9EautmscV7KBWRNDEM+R
         vMTAICxzKyOqpMzwMfLSRPn0XNOQUH8VjIFU6ceWqo34aEqswl0XPwhTLmZ/UAoPPqzU
         fEOg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=WyteRz5S;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id g13-20020a17090adb0d00b001f0fb79b75csi4464556pjv.81.2022.08.19.10.38.26;
        Fri, 19 Aug 2022 10:38:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=WyteRz5S;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1350422AbiHSPv7 (ORCPT <rfc822;andreqb@gmail.com> + 99 others);
        Fri, 19 Aug 2022 11:51:59 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50644 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1350511AbiHSPun (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Aug 2022 11:50:43 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC8375F22B;
        Fri, 19 Aug 2022 08:48:23 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 4854EB8277D;
        Fri, 19 Aug 2022 15:48:21 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id AEBF4C433D6;
        Fri, 19 Aug 2022 15:48:19 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1660924100;
        bh=MrywLzRZvepvLgWbMrScU8mz/BbTMxY7quaYMOQt09s=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=WyteRz5SkKWXtDsR6tVcg2n5GZguit8HnjKtJvW2NkdDQnsrMFDUG/iIxbOv+6hIb
         vIUMuz92lQzSqLwtQJ3d/a0+ikpZwzxtzv608trnOzaS+8jHZKjcys4XoNs2w+yw5a
         lnPcMJLg0ARUNMkubqumBPcUTg07v/IBs9AVIYNs=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Sean Christopherson <seanjc@google.com>,
        Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 5.10 015/545] KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case
Date:   Fri, 19 Aug 2022 17:36:25 +0200
Message-Id: <20220819153829.850639819@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220819153829.135562864@linuxfoundation.org>
References: <20220819153829.135562864@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Christopherson <seanjc@google.com>

commit 764643a6be07445308e492a528197044c801b3ba upstream.

If a nested run isn't pending, snapshot vmcs01.GUEST_IA32_DEBUGCTL
irrespective of whether or not VM_ENTRY_LOAD_DEBUG_CONTROLS is set in
vmcs12.  When restoring nested state, e.g. after migration, without a
nested run pending, prepare_vmcs02() will propagate
nested.vmcs01_debugctl to vmcs02, i.e. will load garbage/zeros into
vmcs02.GUEST_IA32_DEBUGCTL.

If userspace restores nested state before MSRs, then loading garbage is a
non-issue as loading DEBUGCTL will also update vmcs02.  But if usersepace
restores MSRs first, then KVM is responsible for propagating L2's value,
which is actually thrown into vmcs01, into vmcs02.

Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state
is all kinds of bizarre and ideally would not be supported.  Sadly, some
VMMs do exactly that and rely on KVM to make things work.

Note, there's still a lurking SMM bug, as propagating vmcs01's DEBUGCTL
to vmcs02 across RSM may corrupt L2's DEBUGCTL.  But KVM's entire VMX+SMM
emulation is flawed as SMI+RSM should not toouch _any_ VMCS when use the
"default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.

Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
Fixes: 8fcc4b5923af ("kvm: nVMX: Introduce KVM_CAP_NESTED_STATE")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220614215831.3762138-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/vmx/nested.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3337,7 +3337,8 @@ enum nvmx_vmentry_status nested_vmx_ente
 	if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
 		evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
 
-	if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
+	if (!vmx->nested.nested_run_pending ||
+	    !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
 		vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
 	if (kvm_mpx_supported() &&
 	    (!vmx->nested.nested_run_pending ||