authorJiri Kosina <jkosina@suse.cz>2018-05-18 16:49:03 +0200
committerJiri Kosina <jkosina@suse.cz>2018-05-18 16:49:03 +0200
commit81bdbb02cc5f4894a7b92feb389fec927f5dd1cd (patch)
tree62a6a28df4ba80be03693074bfa0b4f1d0bff80b
parent93e52595dc83d0ec1b5345fdc54b969318bd7a9b (diff)
parent65e82a47acd03ba01970a3c9dc90fefbfdee5b31 (diff)
Merge remote-tracking branch 'origin/users/jroedel/SLE15/ssb' into users/jkosina/SLE15/ssb
Pull amd-kvm fix from Joerg Roedel
-rw-r--r--patches.arch/KVM--SVM--Move-spec-control-call-after-restore-of-GS.patch59
-rw-r--r--series.conf1
2 files changed, 60 insertions, 0 deletions
diff --git a/patches.arch/KVM--SVM--Move-spec-control-call-after-restore-of-GS.patch b/patches.arch/KVM--SVM--Move-spec-control-call-after-restore-of-GS.patch
new file mode 100644
index 0000000000..621857759e
--- /dev/null
+++ b/patches.arch/KVM--SVM--Move-spec-control-call-after-restore-of-GS.patch
@@ -0,0 +1,59 @@
+From: Thomas Gleixner <tglx@linutronix.de>
+Subject: KVM: SVM: Move spec control call after restore of GS
+Patch-mainline: not yet, queued in subsystem tree
+References: bsc#1087082 CVE-2018-3639
+
+svm_vcpu_run() invokes x86_spec_ctrl_restore_host() after VMEXIT, but
+before the host GS is restored. x86_spec_ctrl_restore_host() uses 'current'
+to determine the host SSBD state of the thread. 'current' is GS based, but
+host GS is not yet restored and the access causes a triple fault.
+
+Move the call after the host GS restore.
+
+Fixes: 5cf687548705 ("x86/bugs, KVM: Support the combination of guest and host IBRS")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/svm.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -5449,6 +5449,18 @@ static void svm_vcpu_run(struct kvm_vcpu
+ #endif
+ );
+
++ /* Eliminate branch target predictions from guest mode */
++ vmexit_fill_RSB();
++
++#ifdef CONFIG_X86_64
++ wrmsrl(MSR_GS_BASE, svm->host.gs_base);
++#else
++ loadsegment(fs, svm->host.fs);
++#ifndef CONFIG_X86_32_LAZY_GS
++ loadsegment(gs, svm->host.gs);
++#endif
++#endif
++
+ /*
+ * We do not use IBRS in the kernel. If this vCPU has used the
+ * SPEC_CTRL MSR it may have left it on; save the value and
+@@ -5469,18 +5481,6 @@ static void svm_vcpu_run(struct kvm_vcpu
+
+ x86_spec_ctrl_restore_host(svm->spec_ctrl);
+
+- /* Eliminate branch target predictions from guest mode */
+- vmexit_fill_RSB();
+-
+-#ifdef CONFIG_X86_64
+- wrmsrl(MSR_GS_BASE, svm->host.gs_base);
+-#else
+- loadsegment(fs, svm->host.fs);
+-#ifndef CONFIG_X86_32_LAZY_GS
+- loadsegment(gs, svm->host.gs);
+-#endif
+-#endif
+-
+ reload_tss(vcpu);
+
+ local_irq_disable();
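Review bot: The changelog motivates only the GS restore moving ahead of x86_spec_ctrl_restore_host(), but the relocated block also carries `vmexit_fill_RSB();` with it, so the RSB fill now runs before the SPEC_CTRL save and restore instead of after them, and the description does not say that reordering is deliberate. A sentence in the patch description such as `The RSB fill is moved together with the GS restore, so it now precedes x86_spec_ctrl_restore_host() rather than following it.` would record the intent; whether the earlier fill has any further effect cannot be judged from the embedded hunks alone. The `Patch-mainline: not yet, queued in subsystem tree` header will need the mainline release recorded once the change lands, as the other patches in this tree do. svm_vcpu_run() starts and ends outside the embedded hunks, so the code between the two inner hunks is not visible here.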
diff --git a/series.conf b/series.conf
index 0c9fac109d..953ea2c27a 100644
--- a/series.conf
+++ b/series.conf
@@ -12467,6 +12467,7 @@
patches.suse/25-x86-speculation-make-seccomp-the-default-mode-for-speculative-store-bypass.patch
patches.suse/26-x86-bugs-rename-rds-to-ssbd.patch
patches.suse/27-proc-use-underscores-for-ssbd-in-status.patch
+ patches.arch/KVM--SVM--Move-spec-control-call-after-restore-of-GS.patch
########################################################
# You'd better have a good reason for adding a patch