On 06/05/20 05:53, Sean Christopherson wrote:
> Clear CF and ZF in the VM-Exit path after doing __FILL_RETURN_BUFFER so
> that KVM doesn't interpret clobbered RFLAGS as a VM-Fail. Filling the
> RSB has always clobbered RFLAGS, its current incarnation just happens to
> clear CF and ZF in the process. Relying on the macro to clear CF and
> ZF is extremely fragile, e.g. commit 089dd8e53126e ("x86/speculation:
> Change FILL_RETURN_BUFFER to work with objtool") tweaks the loop such
> that the ZF flag is always set.
>
> Reported-by: Qian Cai <cai@xxxxxx>
> Cc: Rick Edgecombe <rick.p.edgecombe@xxxxxxxxx>
> Cc: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
> Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: f2fde6a5bcfcf ("KVM: VMX: Move RSB stuffing to before the first RET after VM-Exit")
> Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
> ---
> arch/x86/kvm/vmx/vmenter.S | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/x86/kvm/vmx/vmenter.S b/arch/x86/kvm/vmx/vmenter.S
> index 87f3f24fef37b..51d1a82742fd5 100644
> --- a/arch/x86/kvm/vmx/vmenter.S
> +++ b/arch/x86/kvm/vmx/vmenter.S
> @@ -82,6 +82,9 @@ SYM_FUNC_START(vmx_vmexit)
> /* IMPORTANT: Stuff the RSB immediately after VM-Exit, before RET! */
> FILL_RETURN_BUFFER %_ASM_AX, RSB_CLEAR_LOOPS, X86_FEATURE_RETPOLINE
>
> + /* Clear RFLAGS.CF and RFLAGS.ZF to preserve VM-Exit, i.e. !VM-Fail. */
> + or $1, %_ASM_AX
> +
> pop %_ASM_AX
> .Lvmexit_skip_rsb:
> #endif

Queued, thanks (for 5.7 so that it will never be broken in Linus's tree).

Paolo
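Review bot: the comment on the added `or $1, %_ASM_AX` line states the intent but not the mechanism, and that is worth spelling out because the instruction otherwise reads as a pointless write to a register that is discarded by the `pop %_ASM_AX` on the very next line. OR unconditionally clears CF, and OR-ing in bit 0 guarantees a non-zero result, so ZF is cleared as well; the clobbered %_ASM_AX value is then thrown away by the pop. A comment along the lines of `/* OR always clears CF; OR'ing in bit 0 gives a non-zero result, which clears ZF. */` would stop a later cleanup from replacing it with a flag-preserving instruction or moving it after the pop. It would also help to note that the VM-Fail check reading CF/ZF later in this path is what the line protects, since that is the only reason the RFLAGS clobber by FILL_RETURN_BUFFER matters here.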