authorJiri Slaby <jslaby@suse.cz>2019-02-12 22:18:26 +0100
committerJiri Slaby <jslaby@suse.cz>2019-02-12 22:21:28 +0100
commit697de96d7d14a107540bd6f38d4a72f824702fd9 (patch)
treeb333eb4a43c9f631802d60e3855c741fb97f0df1
parentdda0bf60bb628c78c69f3bfe3f3106b6a19a6f69 (diff)
KVM: nVMX: unconditionally cancel preemption timer in
free_nested (CVE-2019-7221) (bnc#1012628).
-rw-r--r--patches.kernel.org/4.20.8-332-KVM-nVMX-unconditionally-cancel-preemption-tim.patch47
-rw-r--r--series.conf1
2 files changed, 48 insertions, 0 deletions
diff --git a/patches.kernel.org/4.20.8-332-KVM-nVMX-unconditionally-cancel-preemption-tim.patch b/patches.kernel.org/4.20.8-332-KVM-nVMX-unconditionally-cancel-preemption-tim.patch
new file mode 100644
index 0000000000..9b111b2941
--- /dev/null
+++ b/patches.kernel.org/4.20.8-332-KVM-nVMX-unconditionally-cancel-preemption-tim.patch
@@ -0,0 +1,47 @@
+From: Peter Shier <pshier@google.com>
+Date: Thu, 11 Oct 2018 11:46:46 -0700
+Subject: [PATCH] KVM: nVMX: unconditionally cancel preemption timer in
+ free_nested (CVE-2019-7221)
+References: bnc#1012628
+Patch-mainline: 4.20.8
+Git-commit: ecec76885bcfe3294685dc363fd1273df0d5d65f
+
+commit ecec76885bcfe3294685dc363fd1273df0d5d65f upstream.
+
+Bugzilla: 1671904
+
+There are multiple code paths where an hrtimer may have been started to
+emulate an L1 VMX preemption timer that can result in a call to free_nested
+without an intervening L2 exit where the hrtimer is normally
+cancelled. Unconditionally cancel in free_nested to cover all cases.
+
+Embargoed until Feb 7th 2019.
+
+Signed-off-by: Peter Shier <pshier@google.com>
+Reported-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Reported-by: Felix Wilhelm <fwilhelm@google.com>
+Cc: stable@kernel.org
+Message-Id: <20181011184646.154065-1-pshier@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kvm/vmx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 5a2c87552122..7f73d91de41f 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -8509,6 +8509,7 @@ static void free_nested(struct kvm_vcpu *vcpu)
+ if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
+ return;
+
++ hrtimer_cancel(&vmx->nested.preemption_timer);
+ vmx->nested.vmxon = false;
+ vmx->nested.smm.vmxon = false;
+ free_vpid(vmx->nested.vpid02);
+--
+2.20.1
+
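Review bot: The added `hrtimer_cancel(&vmx->nested.preemption_timer);` in the embedded vmx.c hunk carries no comment, so a later reader of free_nested sees an unconditional cancel with no hint that it exists to cover the paths that reach free_nested without the intervening L2 exit that normally cancels the timer; I would add `/* Timer may still be armed: some paths reach free_nested without an L2 exit (CVE-2019-7221). */` above it. Using hrtimer_cancel rather than hrtimer_try_to_cancel is the right choice here, since it does not return until any in-flight callback has completed, so the teardown that follows cannot race with the timer function. The cancel is placed after the early return on `!vmx->nested.vmxon && !vmx->nested.smm.vmxon`, which is only sound if the timer can never be armed outside VMX operation and no path clears vmxon without passing through free_nested; that is presumably the case but worth confirming against the callers. free_nested continues outside the hunk, and the outer change is a new patch file, so only the inner kernel hunk is the code under review.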
diff --git a/series.conf b/series.conf
index c4d53280b2..85b2607908 100644
--- a/series.conf
+++ b/series.conf
@@ -1068,6 +1068,7 @@
patches.kernel.org/4.20.8-329-scsi-aic94xx-fix-module-loading.patch
patches.kernel.org/4.20.8-330-KVM-x86-work-around-leak-of-uninitialized-stac.patch
patches.kernel.org/4.20.8-331-kvm-fix-kvm_ioctl_create_device-reference-coun.patch
+ patches.kernel.org/4.20.8-332-KVM-nVMX-unconditionally-cancel-preemption-tim.patch
########################################################
# Build fixes that apply to the vanilla kernel too.