releases/4.19.43/0011-x86-kvm-vmx-Add-MDS-protection-when-L1D-Flush-is-not.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 472d99b2864eb58a54ec66205991a64d64143390 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Wed, 27 Feb 2019 12:48:14 +0100
 Subject: [PATCH 11/30] x86/kvm/vmx: Add MDS protection when L1D Flush is not
  active

 commit 650b68a0622f933444a6d66936abb3103029413b upstream

 CPUs which are affected by L1TF and MDS mitigate MDS with the L1D Flush on
 VMENTER when updated microcode is installed.

 If a CPU is not affected by L1TF or if the L1D Flush is not in use, then
 MDS mitigation needs to be invoked explicitly.

 For these cases, follow the host mitigation state and invoke the MDS
 mitigation before VMENTER.

 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
 Reviewed-by: Borislav Petkov <bp@suse.de>
 Reviewed-by: Jon Masters <jcm@redhat.com>
 Tested-by: Jon Masters <jcm@redhat.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  arch/x86/kernel/cpu/bugs.c | 1 +
  arch/x86/kvm/vmx.c         | 3 +++
  2 files changed, 4 insertions(+)

 diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
 index 2a69046cc38c..c01468ccefc1 100644
 --- a/arch/x86/kernel/cpu/bugs.c
 +++ b/arch/x86/kernel/cpu/bugs.c
 @@ -63,6 +63,7 @@ DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb);

  /* Control MDS CPU buffer clear before returning to user space */
  DEFINE_STATIC_KEY_FALSE(mds_user_clear);
 +EXPORT_SYMBOL_GPL(mds_user_clear);

  void __init check_bugs(void)
  {
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
 index 215339c7d161..e9bf477209dc 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
 @@ -10765,8 +10765,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  	evmcs_rsp = static_branch_unlikely(&enable_evmcs) ?
  		(unsigned long)&current_evmcs->host_rsp : 0;

 +	/* L1D Flush includes CPU buffer clear to mitigate MDS */
  	if (static_branch_unlikely(&vmx_l1d_should_flush))
  		vmx_l1d_flush(vcpu);
 +	else if (static_branch_unlikely(&mds_user_clear))
 +		mds_clear_cpu_buffers();

  	asm(
  		/* Store host registers */
 --
 2.21.0
	From 472d99b2864eb58a54ec66205991a64d64143390 Mon Sep 17 00:00:00 2001
	From: Thomas Gleixner <tglx@linutronix.de>
	Date: Wed, 27 Feb 2019 12:48:14 +0100
	Subject: [PATCH 11/30] x86/kvm/vmx: Add MDS protection when L1D Flush is not
	active

	commit 650b68a0622f933444a6d66936abb3103029413b upstream

	CPUs which are affected by L1TF and MDS mitigate MDS with the L1D Flush on
	VMENTER when updated microcode is installed.

	If a CPU is not affected by L1TF or if the L1D Flush is not in use, then
	MDS mitigation needs to be invoked explicitly.

	For these cases, follow the host mitigation state and invoke the MDS
	mitigation before VMENTER.

	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
	Reviewed-by: Borislav Petkov <bp@suse.de>
	Reviewed-by: Jon Masters <jcm@redhat.com>
	Tested-by: Jon Masters <jcm@redhat.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	arch/x86/kernel/cpu/bugs.c \| 1 +
	arch/x86/kvm/vmx.c \| 3 +++
	2 files changed, 4 insertions(+)

	diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
	index 2a69046cc38c..c01468ccefc1 100644
	--- a/arch/x86/kernel/cpu/bugs.c
	+++ b/arch/x86/kernel/cpu/bugs.c
	@@ -63,6 +63,7 @@ DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb);

	/* Control MDS CPU buffer clear before returning to user space */
	DEFINE_STATIC_KEY_FALSE(mds_user_clear);
	+EXPORT_SYMBOL_GPL(mds_user_clear);

	void __init check_bugs(void)
	{
	diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
	index 215339c7d161..e9bf477209dc 100644
	--- a/arch/x86/kvm/vmx.c
	+++ b/arch/x86/kvm/vmx.c
	@@ -10765,8 +10765,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
	evmcs_rsp = static_branch_unlikely(&enable_evmcs) ?
	(unsigned long)&current_evmcs->host_rsp : 0;

	+ /* L1D Flush includes CPU buffer clear to mitigate MDS */
	if (static_branch_unlikely(&vmx_l1d_should_flush))
	vmx_l1d_flush(vcpu);
	+ else if (static_branch_unlikely(&mds_user_clear))
	+ mds_clear_cpu_buffers();

	asm(
	/* Store host registers */
	--
	2.21.0