I don't think I believe the performance claim of the original commit...unless the kernel build test was spewing its output onto a serial port, in which case the performance claim is mischaracterized.

On Tue, Dec 5, 2017 at 1:32 PM, Radim Krčmář <rkrcmar@xxxxxxxxxx> wrote:
> 2017-12-01 10:21-0800, Jim Mattson:
>> From: Andrew Honig <ahonig@xxxxxxxxxx>
>>
>> This fixes CVE-2017-1000407.
>>
>> KVM allows guests to directly access I/O port 0x80 on Intel hosts. If
>> the guest floods this port with writes it generates exceptions and
>> instability in the host kernel, leading to a crash. With this change
>> guest writes to port 0x80 on Intel will behave the same as they
>> currently behave on AMD systems.
>>
>> Prevent the flooding by removing the code that sets port 0x80 as a
>> passthrough port. This is essentially the same as upstream patch
>> 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
>> for AMD chipsets and this patch is for Intel.
>>
>> Signed-off-by: Andrew Honig <ahonig@xxxxxxxxxx>
>> Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx>
>
> Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
> Cc: <stable@xxxxxxxxxxxxxxx>
>
> Applied, thanks. The commit that introduced it boasted 3-5% performance
> improvements when compiling the kernel -- have you noticed regressions?
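The passthrough decision the commit message describes, as an added example that is not part of this thread or of the kernel patch: a user-space model of the two VMX I/O bitmaps, comparing a configuration that leaves port 0x80 unintercepted with one that intercepts every port. The struct and function names are hypothetical; the layout (bitmap A for ports 0x0000-0x7FFF, bitmap B for 0x8000-0xFFFF, a set bit meaning VM exit) is assumed from the Intel VMX architecture.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_BITMAP_BYTES 4096   /* each VMX I/O bitmap is one 4 KiB page */

/* Model of the two VMX I/O bitmaps: A covers ports 0x0000-0x7FFF,
 * B covers 0x8000-0xFFFF. A set bit means "VM exit on access". */
struct io_bitmaps {
    uint8_t a[IO_BITMAP_BYTES];
    uint8_t b[IO_BITMAP_BYTES];
};

/* Intercept every port, optionally leaving one port passed through
 * (pass -1 for none). Hypothetical helper, not a kernel function. */
static void io_bitmaps_init(struct io_bitmaps *bm, int passthrough_port)
{
    memset(bm->a, 0xff, sizeof(bm->a));
    memset(bm->b, 0xff, sizeof(bm->b));
    if (passthrough_port >= 0 && passthrough_port <= 0xffff) {
        uint8_t *page = passthrough_port < 0x8000 ? bm->a : bm->b;
        unsigned bit = (unsigned)passthrough_port & 0x7fff;
        page[bit / 8] &= (uint8_t)~(1u << (bit % 8));
    }
}

/* Returns 1 if an access of `size` bytes at `port` traps to the host. */
static int io_access_exits(const struct io_bitmaps *bm, uint16_t port, unsigned size)
{
    for (unsigned i = 0; i < size; i++) {
        uint32_t p = (uint32_t)port + i;
        if (p > 0xffff)
            return 1;   /* wrapping past port 0xFFFF always exits */
        const uint8_t *page = p < 0x8000 ? bm->a : bm->b;
        unsigned bit = p & 0x7fff;
        if (page[bit / 8] & (1u << (bit % 8)))
            return 1;   /* any intercepted byte makes the access exit */
    }
    return 0;
}

int main(void)
{
    static struct io_bitmaps before, after;
    io_bitmaps_init(&before, 0x80);  /* pre-fix: port 0x80 passed through */
    io_bitmaps_init(&after, -1);     /* post-fix: every port intercepted */
    printf("before: outb 0x80 exits=%d\n", io_access_exits(&before, 0x80, 1));
    printf("after:  outb 0x80 exits=%d\n", io_access_exits(&after, 0x80, 1));
    return 0;
}
```

With the bit for port 0x80 set, each guest write to that port traps to the hypervisor instead of reaching the host's I/O port directly.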