| From foo@baz Sun Jun 17 12:07:33 CEST 2018 |
| From: Krish Sadhukhan <krish.sadhukhan@oracle.com> |
| Date: Wed, 11 Apr 2018 01:10:16 -0400 |
| Subject: x86: Add check for APIC access address for vmentry of L2 guests |
| |
| From: Krish Sadhukhan <krish.sadhukhan@oracle.com> |
| |
| [ Upstream commit f0f4cf5b306620282db0c59ff963012e1973e025 ] |
| |
| According to the sub-section titled 'VM-Execution Control Fields' in the |
| section titled 'Basic VM-Entry Checks' in Intel SDM vol. 3C, the following |
| vmentry check must be enforced: |
| |
| If the 'virtualize APIC-accesses' VM-execution control is 1, the |
| APIC-access address must satisfy the following checks: |
| |
| - Bits 11:0 of the address must be 0. |
| - The address should not set any bits beyond the processor's |
| physical-address width. |
| |
| This patch adds the necessary check to conform to this rule. If the check |
| fails, we cause the L2 VMENTRY to fail which is what the associated unit |
| test (following patch) expects. |
| |
| Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com> |
| Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
| Reviewed-by: Jim Mattson <jmattson@google.com> |
| Reviewed-by: Wanpeng Li <wanpengli@tencent.com> |
| Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| arch/x86/kvm/vmx.c | 13 +++++++++++++ |
| 1 file changed, 13 insertions(+) |
| |
| --- a/arch/x86/kvm/vmx.c |
| +++ b/arch/x86/kvm/vmx.c |
| @@ -10338,6 +10338,16 @@ static inline bool nested_vmx_prepare_ms |
| return true; |
| } |
| |
| +static int nested_vmx_check_apic_access_controls(struct kvm_vcpu *vcpu, |
| + struct vmcs12 *vmcs12) |
| +{ |
| + if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES) && |
| + !page_address_valid(vcpu, vmcs12->apic_access_addr)) |
| + return -EINVAL; |
| + else |
| + return 0; |
| +} |
| + |
| static int nested_vmx_check_apicv_controls(struct kvm_vcpu *vcpu, |
| struct vmcs12 *vmcs12) |
| { |
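Review bot: In nested_vmx_check_apic_access_controls() the whole check is delegated to page_address_valid(), and nothing in this hunk shows that the helper enforces both conditions quoted in the commit message (bits 11:0 of the address are 0, and no bits are set beyond the processor's physical-address width). A short comment above the function naming the SDM rule and stating that page_address_valid() covers both parts would let a reader verify the check without leaving the function. As a style point, the "else" after "return -EINVAL;" is redundant; a plain "return 0;" at function level reads more cleanly.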
| @@ -11006,6 +11016,9 @@ static int check_vmentry_prereqs(struct |
| if (nested_vmx_check_msr_bitmap_controls(vcpu, vmcs12)) |
| return VMXERR_ENTRY_INVALID_CONTROL_FIELD; |
| |
| + if (nested_vmx_check_apic_access_controls(vcpu, vmcs12)) |
| + return VMXERR_ENTRY_INVALID_CONTROL_FIELD; |
| + |
| if (nested_vmx_check_tpr_shadow_controls(vcpu, vmcs12)) |
| return VMXERR_ENTRY_INVALID_CONTROL_FIELD; |
| |
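Review bot: In check_vmentry_prereqs() the new call only tests the helper's result for non-zero, so the -EINVAL it returns is never propagated and every failure becomes VMXERR_ENTRY_INVALID_CONTROL_FIELD. That matches how the neighbouring nested_vmx_check_msr_bitmap_controls() and nested_vmx_check_tpr_shadow_controls() calls are used here, so the placement and error code are consistent. It would still be worth noting in a comment at this call site that the errno value is deliberately discarded, so a later reader does not try to forward it.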