Patch "KVM: SEV-ES: fix another issue with string I/O VMGEXITs" has been added to the 5.14-stable tree

This is a note to let you know that I've just added the patch titled

    KVM: SEV-ES: fix another issue with string I/O VMGEXITs

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-sev-es-fix-another-issue-with-string-i-o-vmgexits.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 9b0971ca7fc75daca80c0bb6c02e96059daea90a Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Date: Mon, 25 Oct 2021 12:14:31 -0400
Subject: KVM: SEV-ES: fix another issue with string I/O VMGEXITs

From: Paolo Bonzini <pbonzini@xxxxxxxxxx>

commit 9b0971ca7fc75daca80c0bb6c02e96059daea90a upstream.

If the guest requests string I/O from the hypervisor via VMGEXIT,
SW_EXITINFO2 will contain the REP count.  However, sev_es_string_io
was incorrectly treating it as the size of the GHCB buffer in
bytes.

This fixes the "outsw" test in the experimental SEV tests of
kvm-unit-tests.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 7ed9abfe8e9f ("KVM: SVM: Support string IO operations for an SEV-ES guest")
Reported-by: Marc Orr <marcorr@xxxxxxxxxx>
Tested-by: Marc Orr <marcorr@xxxxxxxxxx>
Reviewed-by: Marc Orr <marcorr@xxxxxxxxxx>
Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/x86/kvm/svm/sev.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2592,11 +2592,20 @@ int sev_handle_vmgexit(struct kvm_vcpu *
 
 int sev_es_string_io(struct vcpu_svm *svm, int size, unsigned int port, int in)
 {
-	if (!setup_vmgexit_scratch(svm, in, svm->vmcb->control.exit_info_2))
+	int count;
+	int bytes;
+
+	if (svm->vmcb->control.exit_info_2 > INT_MAX)
+		return -EINVAL;
+
+	count = svm->vmcb->control.exit_info_2;
+	if (unlikely(check_mul_overflow(count, size, &bytes)))
+		return -EINVAL;
+
+	if (!setup_vmgexit_scratch(svm, in, bytes))
 		return -EINVAL;
 
-	return kvm_sev_es_string_io(&svm->vcpu, size, port,
-				    svm->ghcb_sa, svm->ghcb_sa_len / size, in);
+	return kvm_sev_es_string_io(&svm->vcpu, size, port, svm->ghcb_sa, count, in);
 }
 
 void sev_es_init_vmcb(struct vcpu_svm *svm)
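Review bot: The new checks in sev_es_string_io() bound the product from above only. `count` can still be 0, and `size` is a signed `int` parameter that nothing in this hunk constrains to be positive, so `check_mul_overflow(count, size, &bytes)` can succeed with a zero or negative `bytes` that is then handed to `setup_vmgexit_scratch(svm, in, bytes)`. Either reject those cases here explicitly or use unsigned types for `count` and `bytes`, so that the length check does not depend on how the callee treats a signed argument. Since the bug being fixed was a unit mix-up, a one-line comment at `count = svm->vmcb->control.exit_info_2;` saying that exit_info_2 carries the REP count and not a byte length would also keep the next reader from reintroducing it.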


Patches currently in stable-queue which might be from pbonzini@xxxxxxxxxx are

queue-5.14/kvm-x86-take-srcu-lock-in-post_kvm_run_save.patch
queue-5.14/kvm-x86-switch-pvclock_gtod_sync_lock-to-a-raw-spinlock.patch
queue-5.14/kvm-sev-es-fix-another-issue-with-string-i-o-vmgexits.patch
queue-5.14/kvm-x86-xen-fix-kvm_xen_has_interrupt-sleeping-in-kvm_vcpu_block.patch


