Patch "KVM: x86: Blindly get current x2APIC reg value on "nodecode write" traps" has been added to the 6.2-stable tree

This is a note to let you know that I've just added the patch titled

    KVM: x86: Blindly get current x2APIC reg value on "nodecode write" traps

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-x86-blindly-get-current-x2apic-reg-value-on-nodecode-write-traps.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 0a19807b464fb10aa79b9dd7f494bc317438fada Mon Sep 17 00:00:00 2001
From: Sean Christopherson <seanjc@xxxxxxxxxx>
Date: Fri, 6 Jan 2023 01:12:34 +0000
Subject: KVM: x86: Blindly get current x2APIC reg value on "nodecode write" traps

From: Sean Christopherson <seanjc@xxxxxxxxxx>

commit 0a19807b464fb10aa79b9dd7f494bc317438fada upstream.

When emulating an x2APIC write in response to an APICv/AVIC trap, get the
written value from the vAPIC page without checking that reads are
allowed for the target register.  AVIC can generate trap-like VM-Exits on
writes to EOI, and so KVM needs to get the written value from the backing
page without running afoul of EOI's write-only behavior.

Alternatively, EOI could be special cased to always write '0', e.g. so
that the sanity check could be preserved, but x2APIC on AMD is actually
supposed to disallow non-zero writes (not emulated by KVM), and the
sanity check was a byproduct of how the KVM code was written, i.e. wasn't
added to guard against anything in particular.

Fixes: 70c8327c11c6 ("KVM: x86: Bug the VM if an accelerated x2APIC trap occurs on a "bad" reg")
Fixes: 1bd9dfec9fd4 ("KVM: x86: Do not block APIC write for non ICR registers")
Reported-by: Alejandro Jimenez <alejandro.j.jimenez@xxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Maxim Levitsky <mlevitsk@xxxxxxxxxx>
Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
Message-Id: <20230106011306.85230-2-seanjc@xxxxxxxxxx>
Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/x86/kvm/lapic.c |    9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2284,23 +2284,18 @@ void kvm_apic_write_nodecode(struct kvm_
 	struct kvm_lapic *apic = vcpu->arch.apic;
 	u64 val;
 
-	if (apic_x2apic_mode(apic)) {
-		if (KVM_BUG_ON(kvm_lapic_msr_read(apic, offset, &val), vcpu->kvm))
-			return;
-	} else {
-		val = kvm_lapic_get_reg(apic, offset);
-	}
-
 	/*
 	 * ICR is a single 64-bit register when x2APIC is enabled.  For legacy
 	 * xAPIC, ICR writes need to go down the common (slightly slower) path
 	 * to get the upper half from ICR2.
 	 */
 	if (apic_x2apic_mode(apic) && offset == APIC_ICR) {
+		val = kvm_lapic_get_reg64(apic, APIC_ICR);
 		kvm_apic_send_ipi(apic, (u32)val, (u32)(val >> 32));
 		trace_kvm_apic_write(APIC_ICR, val);
 	} else {
 		/* TODO: optimize to just emulate side effect w/o one more write */
+		val = kvm_lapic_get_reg(apic, offset);
 		kvm_lapic_reg_write(apic, offset, (u32)val);
 	}
 }
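Review bot: the reason the value is now read from the vAPIC page without a readability check (AVIC traps writes to the write-only EOI register) lives only in the commit message; a one-line comment next to the new "val = kvm_lapic_get_reg(apic, offset);" in the else branch would stop a future reader from reinstating the KVM_BUG_ON. With the kvm_lapic_msr_read() guard gone, an offset the trap handler was not expected to deliver now reaches kvm_lapic_reg_write() instead of bugging the VM, so that function's treatment of unknown or read-only offsets is the only remaining check on this path and is worth confirming in review. Minor: the u64 val is now only needed in the ICR branch; the else branch stores a 32-bit register value into it and immediately casts it back to u32.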


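As an added illustration of the failure mode the commit message describes, here is a standalone C model of the old and new "nodecode write" paths. This is example code, not KVM's: the register-rights table, the toy_apic structure, the hw_write() helper and the demo_* functions are assumptions made for this illustration; only the facts that EOI is write-only, that AVIC can trap a write to it, and that the x2APIC ICR is a single 64-bit register come from the patch description.

```c
/* Toy model of the x2APIC "nodecode write" trap path. Added example, not
 * KVM code: register table, page layout and helper names are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Byte offsets of the two registers the patch cares about. */
#define APIC_EOI  0x0B0
#define APIC_ICR  0x300

/* Access rights in the toy register table (assumed, not KVM's table). */
#define R_READ  1
#define R_WRITE 2

struct toy_apic {
    uint8_t  page[4096];   /* vAPIC backing page, already updated by hardware */
    int      pending_ipi;  /* side effect of an ICR write */
    uint64_t last_icr;
    int      eoi_count;    /* side effect of an EOI write */
};

static int reg_rights(unsigned off)
{
    switch (off) {
    case APIC_EOI: return R_WRITE;           /* write-only, per commit message */
    default:       return R_READ | R_WRITE;  /* ICR and everything else */
    }
}

static uint32_t get_reg(struct toy_apic *a, unsigned off)
{ uint32_t v; memcpy(&v, a->page + off, 4); return v; }

static uint64_t get_reg64(struct toy_apic *a, unsigned off)
{ uint64_t v; memcpy(&v, a->page + off, 8); return v; }

/* Plays the role of kvm_lapic_msr_read(): refuse registers that can't be read. */
static int msr_read(struct toy_apic *a, unsigned off, uint64_t *val)
{
    if (!(reg_rights(off) & R_READ))
        return -1;
    *val = (off == APIC_ICR) ? get_reg64(a, off) : get_reg(a, off);
    return 0;
}

/* Emulate the side effect of a write hardware has already stored in the page. */
static void reg_write(struct toy_apic *a, unsigned off, uint32_t val)
{
    (void)val;
    if (off == APIC_EOI)
        a->eoi_count++;
}

/* Old path: -1 where KVM_BUG_ON would have fired, 0 otherwise. */
static int nodecode_write_old(struct toy_apic *a, unsigned off)
{
    uint64_t val;
    if (msr_read(a, off, &val))
        return -1;            /* an AVIC EOI trap ends up here */
    if (off == APIC_ICR) { a->pending_ipi = 1; a->last_icr = val; }
    else                 reg_write(a, off, (uint32_t)val);
    return 0;
}

/* New path: read the page blindly, as the patch does. */
static int nodecode_write_new(struct toy_apic *a, unsigned off)
{
    if (off == APIC_ICR) {
        a->last_icr = get_reg64(a, APIC_ICR);
        a->pending_ipi = 1;
    } else {
        reg_write(a, off, get_reg(a, off));
    }
    return 0;
}

/* Simulate hardware: the guest's write lands in the page, then KVM is trapped. */
static void hw_write(struct toy_apic *a, unsigned off, uint64_t v, int width)
{ memcpy(a->page + off, &v, width); }

/* Constructed scenario: guest writes 0 to EOI; returns the handler's result
 * and the number of EOIs the model delivered. */
static int demo_eoi(int use_new, int *eoi_count)
{
    struct toy_apic a = {0};
    hw_write(&a, APIC_EOI, 0, 4);
    int rc = use_new ? nodecode_write_new(&a, APIC_EOI)
                     : nodecode_write_old(&a, APIC_EOI);
    *eoi_count = a.eoi_count;
    return rc;
}

/* Constructed scenario: 64-bit x2APIC ICR write; returns the destination field. */
static uint32_t demo_icr_dest(void)
{
    struct toy_apic a = {0};
    hw_write(&a, APIC_ICR, 0x0000002200004041ULL, 8);
    nodecode_write_new(&a, APIC_ICR);
    return (uint32_t)(a.last_icr >> 32);
}

int main(void)
{
    int c;
    printf("old EOI path: rc=%d eoi_count=%d\n", demo_eoi(0, &c), c);
    printf("new EOI path: rc=%d eoi_count=%d\n", demo_eoi(1, &c), c);
    printf("new ICR path: dest=0x%x\n", demo_icr_dest());
    return 0;
}
```

The old path fails on the EOI trap only because the read check is applied to a register that is write-only by design; the new path never consults the rights table and simply replays the side effect of the value hardware already stored.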
Patches currently in stable-queue which might be from seanjc@xxxxxxxxxx are

queue-6.2/kvm-svm-hyper-v-placate-modpost-section-mismatch-error.patch
queue-6.2/kvm-svm-flush-the-current-tlb-when-activating-avic.patch
queue-6.2/x86-virt-force-gif-1-prior-to-disabling-svm-for-reboot-flows.patch
queue-6.2/kvm-x86-inject-gp-if-wrmsr-sets-reserved-bits-in-apic-self-ipi.patch
queue-6.2/x86-reboot-disable-svm-not-just-vmx-when-stopping-cpus.patch
queue-6.2/kvm-svm-process-icr-on-avic-ipi-delivery-failure-due-to-invalid-target.patch
queue-6.2/kvm-x86-don-t-inhibit-apicv-avic-if-xapic-id-mismatch-is-due-to-32-bit-id.patch
queue-6.2/x86-reboot-disable-virtualization-in-an-emergency-if-svm-is-supported.patch
queue-6.2/kvm-svm-don-t-put-load-avic-when-setting-virtual-apic-mode.patch
queue-6.2/x86-crash-disable-virt-in-core-nmi-crash-handler-to-avoid-double-shootdown.patch
queue-6.2/kvm-register-dev-kvm-as-the-_very_-last-thing-during-initialization.patch
queue-6.2/kvm-x86-don-t-inhibit-apicv-avic-on-xapic-id-change-if-apic-is-disabled.patch
queue-6.2/kvm-destroy-target-device-if-coalesced-mmio-unregistration-fails.patch
queue-6.2/kvm-svm-fix-potential-overflow-in-sev-s-send-receive_update_data.patch
queue-6.2/kvm-x86-blindly-get-current-x2apic-reg-value-on-nodecode-write-traps.patch
queue-6.2/kvm-x86-purge-highest-isr-cache-when-updating-apicv-state.patch
queue-6.2/kvm-x86-inject-gp-on-x2apic-wrmsr-that-sets-reserved-bits-63-32.patch
queue-6.2/kvm-vmx-fix-crash-due-to-uninitialized-current_vmcs.patch


