| From 920e1cc4bf155de925aa642005bcabf642dbe261 Mon Sep 17 00:00:00 2001 |
| From: Sean Christopherson <sean.j.christopherson@intel.com> |
| Date: Tue, 5 May 2020 20:53:55 -0700 |
| Subject: [PATCH] KVM: VMX: Explicitly clear RFLAGS.CF and RFLAGS.ZF in VM-Exit |
| RSB path |
| |
| commit c7cb2d650c9e78c03bd2d1c0db89891825f8c0f4 upstream. |
| |
| Clear CF and ZF in the VM-Exit path after doing __FILL_RETURN_BUFFER so |
| that KVM doesn't interpret clobbered RFLAGS as a VM-Fail. Filling the |
| RSB has always clobbered RFLAGS, its current incarnation just happens |
| to clear CF and ZF in the process. Relying on the macro to clear CF and |
| ZF is extremely fragile, e.g. commit 089dd8e53126e ("x86/speculation: |
| Change FILL_RETURN_BUFFER to work with objtool") tweaks the loop such |
| that the ZF flag is always set. |
| |
| Reported-by: Qian Cai <cai@lca.pw> |
| Cc: Rick Edgecombe <rick.p.edgecombe@intel.com> |
| Cc: Peter Zijlstra (Intel) <peterz@infradead.org> |
| Cc: Josh Poimboeuf <jpoimboe@redhat.com> |
| Cc: stable@vger.kernel.org |
| Fixes: f2fde6a5bcfcf ("KVM: VMX: Move RSB stuffing to before the first RET after VM-Exit") |
| Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> |
| Message-Id: <20200506035355.2242-1-sean.j.christopherson@intel.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/arch/x86/kvm/vmx/vmenter.S b/arch/x86/kvm/vmx/vmenter.S |
| index d4cb1945b2e3..f83368b5af87 100644 |
| --- a/arch/x86/kvm/vmx/vmenter.S |
| +++ b/arch/x86/kvm/vmx/vmenter.S |
| @@ -86,6 +86,9 @@ ENTRY(vmx_vmexit) |
| /* IMPORTANT: Stuff the RSB immediately after VM-Exit, before RET! */ |
| FILL_RETURN_BUFFER %_ASM_AX, RSB_CLEAR_LOOPS, X86_FEATURE_RETPOLINE |
| |
| + /* Clear RFLAGS.CF and RFLAGS.ZF to preserve VM-Exit, i.e. !VM-Fail. */ |
| + or $1, %_ASM_AX |
| + |
| pop %_ASM_AX |
| .Lvmexit_skip_rsb: |
| #endif |
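Review bot: the comment on the new `or $1, %_ASM_AX` line states what gets cleared but not why this particular instruction does it, and since the whole point of the change is to stop depending on FILL_RETURN_BUFFER's incidental flag effects, the reasoning should be explicit so nobody later swaps in an instruction that merely looks equivalent. Suggest expanding it to something like `/* OR always clears CF; OR-ing in 1 makes the result nonzero, so ZF is cleared too. %_ASM_AX is scratch and is reloaded by the pop below. */`, which also documents that clobbering the register is intentional given the immediately following `pop %_ASM_AX`. One thing worth confirming in the description rather than the hunk: the `or` sits inside the conditional block closed by `#endif` after `.Lvmexit_skip_rsb:`, so any path that jumps to `.Lvmexit_skip_rsb` (and any build without that block) does not execute it; that is only correct if RFLAGS is guaranteed untouched on those paths, which the commit message implies but the visible lines do not show.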
| -- |
| 2.7.4 |
| |