Patch "KVM: x86: Signal #GP, not -EPERM, on bad WRMSR(MCi_CTL/STATUS)" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 15 Aug 2022 02:13:04 -0400

This is a note to let you know that I've just added the patch titled

    KVM: x86: Signal #GP, not -EPERM, on bad WRMSR(MCi_CTL/STATUS)

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-x86-signal-gp-not-eperm-on-bad-wrmsr-mci_ctl-sta.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 077cef63d8bd4e55745d198fd7cf2bec15c0c3e5
Author: Sean Christopherson <seanjc@xxxxxxxxxx>
Date:   Thu May 12 22:27:14 2022 +0000

    KVM: x86: Signal #GP, not -EPERM, on bad WRMSR(MCi_CTL/STATUS)
    
    [ Upstream commit 2368048bf5c2ec4b604ac3431564071e89a0bc71 ]
    
    Return '1', not '-1', when handling an illegal WRMSR to a MCi_CTL or
    MCi_STATUS MSR.  The behavior of "all zeros' or "all ones" for CTL MSRs
    is architectural, as is the "only zeros" behavior for STATUS MSRs.  I.e.
    the intent is to inject a #GP, not exit to userspace due to an unhandled
    emulation case.  Returning '-1' gets interpreted as -EPERM up the stack
    and effecitvely kills the guest.
    
    Fixes: 890ca9aefa78 ("KVM: Add MCE support")
    Fixes: 9ffd986c6e4e ("KVM: X86: #GP when guest attempts to write MCi_STATUS register w/o 0")
    Cc: stable@xxxxxxxxxxxxxxx
    Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
    Reviewed-by: Jim Mattson <jmattson@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20220512222716.4112548-2-seanjc@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index dac2892d095c..f5b7a05530eb 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3109,13 +3109,13 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
 			 */
 			if ((offset & 0x3) == 0 &&
 			    data != 0 && (data | (1 << 10) | 1) != ~(u64)0)
-				return -1;
+				return 1;
 
 			/* MCi_STATUS */
 			if (!msr_info->host_initiated &&
 			    (offset & 0x3) == 1 && data != 0) {
 				if (!can_set_mci_status(vcpu))
-					return -1;
+					return 1;
 			}
 
 			vcpu->arch.mce_banks[offset] = data;






