Received: by 2002:a05:6358:5282:b0:b5:90e7:25cb with SMTP id g2csp3415421rwa;
        Tue, 23 Aug 2022 04:31:33 -0700 (PDT)
X-Google-Smtp-Source: AA6agR7tX+7tMPk6f2QzWwWW3IS7lIMFRRIISbdDj/3GMqLGbf2FPkfSvCQOuZ8FcM7bCEOJ5IQG
X-Received: by 2002:a17:90b:3142:b0:1f7:338a:1d38 with SMTP id ip2-20020a17090b314200b001f7338a1d38mr2737166pjb.223.1661254207670;
        Tue, 23 Aug 2022 04:30:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1661254207; cv=none;
        d=google.com; s=arc-20160816;
        b=uRoil8CpqZF3TgxWP8QfXLwGcWYR7/0Hkn3nWkU5V4Yy/wk1KaVUyaVyN2GvqlVJIi
         uzgT78KwOHhRhRel3GqRy1nlNal7nitR3okgVedRdhOor75jZa3rZBN7X7L0V58zZrAx
         8giqwZBB2yobQgQqvyzKwKhb6gc9JsEJ4WqooGsBJMNQzn5iTxRQySOIWjVW9u5vXAHR
         rokTF6I+KH/DFhQjvaFb1TRgIjKn0Cg4quEz1bsSpJimES2sBwmRx+t/qerILs0x9H0+
         SqnyS0vTkcgzq6Uvl6jlqNlKg1GguaQxxuLqDiNVf7Xb+fMqzKgHfJPE6VQKqRjv/GbL
         Ubdg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=rdh6wRvE0XpSHFeyypvIGDo510s9Rg7Cht+yt/iuPTE=;
        b=ggo+v5fHrh0TLPt+mxHZDAmul5VoVtV1QxIZYcMHsWGYUAGt0cNTMRCPqZokqLjm0/
         KIR8pBBieEwssL2J60/aeznR2eUiejkaGENuFLe4IBkNGf2FGEegc7OgQZcsLjcasUEy
         nZrG1DBwmUnDx9lN4WxStA28m5Q5IZO6DptwIy3kSk3xPQrKUagLT+8ILdByzZmIYVMJ
         u033TXrZAxippSvAjpaEZWyt1SBPQiwfH9WsN2eR/+ApYPIPe9WLNjtqe10xoByWwzQZ
         u8fzacJkvi/Aom2ljE7zE1jMP9a9/k4K0xf6Vvgkrdkeq0AO9jmaiL8iy9qF7tekEqki
         nCzw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=UXU5eMrJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id l185-20020a6391c2000000b004215af6990dsi13040673pge.206.2022.08.23.04.29.56;
        Tue, 23 Aug 2022 04:30:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=UXU5eMrJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1353962AbiHWKeo (ORCPT <rfc822;andreqb@gmail.com> + 99 others);
        Tue, 23 Aug 2022 06:34:44 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60940 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1354005AbiHWKTc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 23 Aug 2022 06:19:32 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7D0DC80F40;
        Tue, 23 Aug 2022 02:01:59 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 10C3DB81C28;
        Tue, 23 Aug 2022 09:01:58 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 56772C433D6;
        Tue, 23 Aug 2022 09:01:56 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1661245316;
        bh=whgjBWFUtXkuvV9RsKCh/HVTrMPOsvKsBrUXdt3FZT4=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=UXU5eMrJqky1KNeEFHjJ3be+4C9GF6LhB9Q43BE2LCwHLeFjzl8wBMZefrnDSBoZw
         CvHRMn2ibqQACj4coY09RogilDf6on8OqPzOYWLQFtvKqrc1GcffF/eJmTWvFLDjiE
         d8DECL61fibyAVhf09b9ukzVWz7WwrkzW62mX/wU=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com,
        Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
        Hou Wenlong <houwenlong.hwl@antgroup.com>,
        Sean Christopherson <seanjc@google.com>,
        Maxim Levitsky <mlevitsk@redhat.com>
Subject: [PATCH 4.19 010/287] KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks
Date:   Tue, 23 Aug 2022 10:22:59 +0200
Message-Id: <20220823080100.615270572@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080100.268827165@linuxfoundation.org>
References: <20220823080100.268827165@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Christopherson <seanjc@google.com>

commit ec6e4d863258d4bfb36d48d5e3ef68140234d688 upstream.

Wait to mark the TSS as busy during LTR emulation until after all fault
checks for the LTR have passed.  Specifically, don't mark the TSS busy if
the new TSS base is non-canonical.

Opportunistically drop the one-off !seg_desc.PRESENT check for TR as the
only reason for the early check was to avoid marking a !PRESENT TSS as
busy, i.e. the common !PRESENT is now done before setting the busy bit.

Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR")
Reported-by: syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Hou Wenlong <houwenlong.hwl@antgroup.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20220711232750.1092012-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/emulate.c |   19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1708,16 +1708,6 @@ static int __load_segment_descriptor(str
 	case VCPU_SREG_TR:
 		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
 			goto exception;
-		if (!seg_desc.p) {
-			err_vec = NP_VECTOR;
-			goto exception;
-		}
-		old_desc = seg_desc;
-		seg_desc.type |= 2; /* busy */
-		ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
-						  sizeof(seg_desc), &ctxt->exception);
-		if (ret != X86EMUL_CONTINUE)
-			return ret;
 		break;
 	case VCPU_SREG_LDTR:
 		if (seg_desc.s || seg_desc.type != 2)
@@ -1758,6 +1748,15 @@ static int __load_segment_descriptor(str
 				((u64)base3 << 32), ctxt))
 			return emulate_gp(ctxt, 0);
 	}
+
+	if (seg == VCPU_SREG_TR) {
+		old_desc = seg_desc;
+		seg_desc.type |= 2; /* busy */
+		ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
+						  sizeof(seg_desc), &ctxt->exception);
+		if (ret != X86EMUL_CONTINUE)
+			return ret;
+	}
 load:
 	ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
 	if (desc)