korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2025-01-23 06:14:42 +08:00
Code Issues Packages Projects Releases Wiki Activity
3e93467346
linux/arch/x86/kernel
History
Sean Christopherson 8647c52e95 KVM: x86: Constrain guest-supported xfeatures only at KVM_GET_XSAVE{2} 
Mask off xfeatures that aren't exposed to the guest only when saving guest
state via KVM_GET_XSAVE{2} instead of modifying user_xfeatures directly.
Preserving the maximal set of xfeatures in user_xfeatures restores KVM's
ABI for KVM_SET_XSAVE, which prior to commit ad856280dd ("x86/kvm/fpu:
Limit guest user_xfeatures to supported bits of XCR0") allowed userspace
to load xfeatures that are supported by the host, irrespective of what
xfeatures are exposed to the guest.

There is no known use case where userspace *intentionally* loads xfeatures
that aren't exposed to the guest, but the bug fixed by commit ad856280dd
was specifically that KVM_GET_SAVE{2} would save xfeatures that weren't
exposed to the guest, e.g. would lead to userspace unintentionally loading
guest-unsupported xfeatures when live migrating a VM.

Restricting KVM_SET_XSAVE to guest-supported xfeatures is especially
problematic for QEMU-based setups, as QEMU has a bug where instead of
terminating the VM if KVM_SET_XSAVE fails, QEMU instead simply stops
loading guest state, i.e. resumes the guest after live migration with
incomplete guest state, and ultimately results in guest data corruption.

Note, letting userspace restore all host-supported xfeatures does not fix
setups where a VM is migrated from a host *without* commit ad856280dd,
to a target with a subset of host-supported xfeatures.  However there is
no way to safely address that scenario, e.g. KVM could silently drop the
unsupported features, but that would be a clear violation of KVM's ABI and
so would require userspace to opt-in, at which point userspace could
simply be updated to sanitize the to-be-loaded XSAVE state.

Reported-by: Tyler Stachecki <stachecki.tyler@gmail.com>
Closes: https://lore.kernel.org/all/20230914010003.358162-1-tstachecki@bloomberg.net
Fixes: ad856280dd ("x86/kvm/fpu: Limit guest user_xfeatures to supported bits of XCR0")
Cc: stable@vger.kernel.org
Cc: Leonardo Bras <leobras@redhat.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Message-Id: <20230928001956.924301-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2023-10-12 11:08:58 -04:00
..
acpi * Rework apic callbacks, getting rid of unnecessary ones and 2023-08-30 10:44:46 -07:00
apic x86/platform/uv: Use alternate source for socket to node data 2023-09-11 10:06:22 -07:00
cpu x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race 2023-09-28 16:16:40 -07:00
fpu KVM: x86: Constrain guest-supported xfeatures only at KVM_GET_XSAVE{2} 2023-10-12 11:08:58 -04:00
kprobes X86 core updates: 2023-08-30 10:10:31 -07:00
.gitignore
alternative.c x86,static_call: Fix static-call vs return-thunk 2023-09-22 18:58:24 +02:00
amd_gart_64.c x86/mm: Remove P*D_PAGE_MASK and P*D_PAGE_SIZE macros 2022-12-15 10:37:27 -08:00
amd_nb.c x86/amd_nb: Add PCI IDs for AMD Family 1Ah-based models 2023-08-10 14:12:48 +02:00
aperture_64.c x86: Fix various duplicate-word comment typos 2022-08-15 19:17:52 +02:00
apm_32.c x86/APM: drop the duplicate APM_MINOR_DEV macro 2023-07-30 14:00:32 +02:00
asm-offsets_32.c
asm-offsets_64.c x86: Fixup asm-offsets duplicate 2022-10-17 16:41:06 +02:00
asm-offsets.c x86/smpboot: Remove initial_stack on 64-bit 2023-03-21 13:35:53 +01:00
audit_64.c x86/audit: Fix -Wmissing-variable-declarations warning for ia32_xyz_class 2023-08-30 10:11:16 +02:00
bootflag.c
callthunks.c x86,static_call: Fix static-call vs return-thunk 2023-09-22 18:58:24 +02:00
cet.c x86/ibt: Convert IBT selftest to asm 2023-08-17 17:07:09 +02:00
cfi.c x86: Add support for CONFIG_CFI_CLANG 2022-09-26 10:13:16 -07:00
check.c
cpuid.c x86/cpuid: make cpuid_class a static const structure 2023-08-05 08:31:41 +02:00
crash_core_32.c
crash_core_64.c
crash_dump_32.c vmcore: convert copy_oldmem_page() to take an iov_iter 2022-04-29 14:37:59 -07:00
crash_dump_64.c use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
crash.c ARM: 2023-09-07 13:52:20 -07:00
devicetree.c x86/apic: Make some APIC init functions bool 2023-08-09 11:58:20 -07:00
doublefault_32.c x86: Avoid missing-prototype warnings for doublefault code 2023-05-18 11:56:18 -07:00
dumpstack_32.c x86/percpu: Move irq_stack variables next to current_task 2022-10-17 16:41:05 +02:00
dumpstack_64.c x86/percpu: Move irq_stack variables next to current_task 2022-10-17 16:41:05 +02:00
dumpstack.c x86/show_trace_log_lvl: Ensure stack pointer is aligned, again 2023-05-16 06:31:04 -07:00
e820.c x86/setup: Move duplicate boot_cpu_data definition out of the ifdeffery 2023-01-11 12:45:16 +01:00
early_printk.c x86/earlyprintk: Clean up pciserial 2022-08-29 12:19:25 +02:00
early-quirks.c drm/i915/rpl-p: Add PCI IDs 2022-04-19 17:14:09 -07:00
ebda.c
eisa.c
espfix_64.c x86/espfix: Use get_random_long() rather than archrandom 2022-10-31 20:12:50 +01:00
ftrace_32.S x86/ftrace: Enable HAVE_FUNCTION_GRAPH_RETVAL 2023-06-20 18:38:38 -04:00
ftrace_64.S x86/ftrace: Enable HAVE_FUNCTION_GRAPH_RETVAL 2023-06-20 18:38:38 -04:00
ftrace.c x86/ftrace: Remove unsued extern declaration ftrace_regs_caller_ret() 2023-07-10 21:38:13 -04:00
head32.c x86: Add dummy prototype for mk_early_pgtbl_32() 2023-05-18 11:56:16 -07:00
head64.c x86/head: Mark *_start_kernel() __noreturn 2023-04-14 17:31:24 +02:00
head_32.S x86/smpboot: Restrict soft_restart_cpu() to SEV 2023-05-15 13:44:50 +02:00
head_64.S x86/head_64: Store boot_params pointer in callee save register 2023-08-07 19:20:32 +02:00
hpet.c x86/hpet: Refactor code using deprecated strncpy() interface to use strscpy() 2023-08-24 21:22:40 +02:00
hw_breakpoint.c x86/amd: Cache debug register values in percpu variables 2023-01-31 20:09:26 +01:00
i8237.c
i8253.c
i8259.c x86/irq/i8259: Fix kernel-doc annotation warning 2023-08-31 20:43:30 +02:00
ibt_selftest.S x86/ibt: Convert IBT selftest to asm 2023-08-17 17:07:09 +02:00
idt.c Add x86 shadow stack support 2023-08-31 12:20:12 -07:00
io_delay.c
ioport.c
irq_32.c x86/percpu: Move irq_stack variables next to current_task 2022-10-17 16:41:05 +02:00
irq_64.c x86/percpu: Move irq_stack variables next to current_task 2022-10-17 16:41:05 +02:00
irq_work.c x86/apic: Wrap IPI calls into helper functions 2023-08-09 12:00:55 -07:00
irq.c x86/apic: Nuke ack_APIC_irq() 2023-08-09 11:58:34 -07:00
irqflags.S
irqinit.c x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL 2023-01-16 17:24:56 +01:00
itmt.c x86/sched/itmt: Give all SMT siblings of a core the same priority 2023-05-08 10:58:38 +02:00
jailhouse.c x86/apic: Remove the pointless APIC version check 2023-08-09 11:58:19 -07:00
jump_label.c jump_label: make initial NOP patching the special case 2022-06-24 09:48:55 +02:00
kdebugfs.c
kexec-bzimage64.c docs: move x86 documentation into Documentation/arch/ 2023-03-30 12:58:51 -06:00
kgdb.c x86/kgdb: Fix a kerneldoc warning when build with W=1 2023-09-24 11:00:13 +02:00
ksysfs.c
kvm.c * Rework apic callbacks, getting rid of unnecessary ones and 2023-08-30 10:44:46 -07:00
kvmclock.c x86/tsc: Provide sched_clock_noinstr() 2023-06-05 21:11:08 +02:00
ldt.c x86: allow get_locked_pte() to fail 2023-06-19 16:19:10 -07:00
machine_kexec_32.c
machine_kexec_64.c x86/kexec: remove unnecessary arch_kexec_kernel_image_load() 2023-04-08 13:45:38 -07:00
Makefile Add x86 shadow stack support 2023-08-31 12:20:12 -07:00
mmconf-fam10h_64.c
module.c x86/alternative: Rename apply_ibt_endbr() 2023-07-10 09:52:23 +02:00
mpparse.c x86/apic: Sanitize APIC address setup 2023-08-09 11:58:20 -07:00
msr.c x86/MSR: make msr_class a static const structure 2023-08-05 08:31:42 +02:00
nmi_selftest.c x86/apic: Wrap IPI calls into helper functions 2023-08-09 12:00:55 -07:00
nmi.c locking/atomic: treewide: use raw_atomic*_<op>() 2023-06-05 09:57:20 +02:00
paravirt-spinlocks.c
paravirt.c x86/xen: move paravirt lazy code 2023-09-19 07:04:49 +02:00
pci-dma.c x86: always initialize xen-swiotlb when xen-pcifront is enabling 2023-07-31 17:54:27 +02:00
pcspeaker.c
perf_regs.c
platform-quirks.c x86/quirks: Include linux/pnp.h for arch_pnpbios_disabled() 2023-05-18 11:56:18 -07:00
pmem.c x86/pmem: Fix platform-device leak in error path 2022-06-20 18:01:16 +02:00
probe_roms.c
process_32.c x86/resctl: fix scheduler confusion with 'current' 2023-03-08 11:48:11 -08:00
process_64.c x86/shstk: Add ARCH_SHSTK_STATUS 2023-08-02 15:01:51 -07:00
process.c x86/shstk: Remove useless clone error handling 2023-09-19 09:18:34 -07:00
process.h
ptrace.c x86: Add PTRACE interface for shadow stack 2023-08-02 15:01:51 -07:00
pvclock.c locking/atomic: treewide: use raw_atomic*_<op>() 2023-06-05 09:57:20 +02:00
quirks.c
reboot_fixups_32.c
reboot.c x86/reboot: Expose VMCS crash hooks if and only if KVM_{INTEL,AMD} is enabled 2023-08-03 15:37:14 -07:00
relocate_kernel_32.S x86/kexec: Disable RET on kexec 2022-07-09 13:12:32 +02:00
relocate_kernel_64.S x86,objtool: Split UNWIND_HINT_EMPTY in two 2023-03-23 23:18:58 +01:00
resource.c x86/PCI: Tidy E820 removal messages 2022-12-10 10:33:11 -06:00
rethook.c
rtc.c x86/rtc: Simplify PNP ids check 2023-01-06 04:22:34 +01:00
setup_percpu.c x86/apic/32: Remove x86_cpu_to_logical_apicid 2023-08-09 11:58:23 -07:00
setup.c x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer() 2023-09-18 09:24:15 +02:00
sev_verify_cbit.S
sev-shared.c x86/sev: Use the GHCB protocol when available for SNP CPUID requests 2023-10-02 14:55:39 +02:00
sev.c x86/sev: Change npages to unsigned long in snp_accept_memory() 2023-10-02 14:55:41 +02:00
shstk.c x86/shstk: Add warning for shadow stack double unmap 2023-09-19 09:18:34 -07:00
signal_32.c x86/shstk: Add user control-protection fault handler 2023-08-02 15:01:50 -07:00
signal_64.c x86/shstk: Handle signals for shadow stack 2023-08-02 15:01:50 -07:00
signal.c x86/shstk: Handle signals for shadow stack 2023-08-02 15:01:50 -07:00
smp.c x86/apic: Wrap IPI calls into helper functions 2023-08-09 12:00:55 -07:00
smpboot.c Fix a performance regression on large SMT systems, an Intel SMT4 2023-09-17 11:10:23 -07:00
stacktrace.c
static_call.c x86/static_call: Fix __static_call_fixup() 2023-08-17 13:24:09 +02:00
step.c ptrace: Reimplement PTRACE_KILL by always sending SIGKILL 2022-05-11 14:34:28 -05:00
sys_ia32.c
sys_x86_64.c x86/mm: Introduce MAP_ABOVE4G 2023-07-11 14:12:19 -07:00
tboot.c mm: remove rb tree. 2022-09-26 19:46:16 -07:00
time.c
tls.c x86/gsseg: Move load_gs_index() to its own new header file 2023-01-12 13:06:36 +01:00
tls.h
topology.c x86/topology: Remove CPU0 hotplug option 2023-05-15 13:44:49 +02:00
trace_clock.c
trace.c
tracepoint.c x86/traceponit: Fix comment about irq vector tracepoints 2022-05-26 22:03:52 -04:00
traps.c Add x86 shadow stack support 2023-08-31 12:20:12 -07:00
tsc_msr.c
tsc_sync.c x86/smpboot: Make TSC synchronization function call based 2023-05-15 13:44:53 +02:00
tsc.c x86/tsc: Extend watchdog check exemption to 4-Sockets platform 2023-07-14 15:17:09 -07:00
umip.c
unwind_frame.c x86: kmsan: don't instrument stack walking functions 2022-10-03 14:03:25 -07:00
unwind_guess.c
unwind_orc.c objtool changes for v6.5: 2023-06-27 15:05:41 -07:00
uprobes.c uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix 2022-12-05 11:55:18 +01:00
verify_cpu.S
vm86_32.c x86/32: Remove lazy GS macros 2022-04-14 14:09:43 +02:00
vmlinux.lds.S x86/build: Fix linker fill bytes quirk/incompatibility for ld.lld 2023-09-06 23:49:12 +02:00
vsmp_64.c x86/apic: Get rid of hard_smp_processor_id() 2023-08-09 11:58:17 -07:00
x86_init.c - Fix a race window where load_unaligned_zeropad() could cause 2023-06-26 16:32:47 -07:00