linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Tom Lendacky <thomas.lendacky@amd.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Sean Christopherson <seanjc@google.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 01/27] KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB
Date: Fri, 13 Aug 2021 17:06:59 +0200	[thread overview]
Message-ID: <20210813150523.409936529@linuxfoundation.org> (raw)
In-Reply-To: <20210813150523.364549385@linuxfoundation.org>

From: Sean Christopherson <seanjc@google.com>

[ Upstream commit 179c6c27bf487273652efc99acd3ba512a23c137 ]

Use the raw ASID, not ASID-1, when nullifying the last used VMCB when
freeing an SEV ASID.  The consumer, pre_sev_run(), indexes the array by
the raw ASID, thus KVM could get a false negative when checking for a
different VMCB if KVM manages to reallocate the same ASID+VMCB combo for
a new VM.

Note, this cannot cause a functional issue _in the current code_, as
pre_sev_run() also checks which pCPU last did VMRUN for the vCPU, and
last_vmentry_cpu is initialized to -1 during vCPU creation, i.e. is
guaranteed to mismatch on the first VMRUN.  However, prior to commit
8a14fe4f0c54 ("kvm: x86: Move last_cpu into kvm_vcpu_arch as
last_vmentry_cpu"), SVM tracked pCPU on its own and zero-initialized the
last_cpu variable.  Thus it's theoretically possible that older versions
of KVM could miss a TLB flush if the first VMRUN is on pCPU0 and the ASID
and VMCB exactly match those of a prior VM.

Fixes: 70cd94e60c73 ("KVM: SVM: VMRUN should use associated ASID when SEV is enabled")
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/svm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 7341d22ed04f..2a958dcc80f2 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1783,7 +1783,7 @@ static void __sev_asid_free(int asid)
 
 	for_each_possible_cpu(cpu) {
 		sd = per_cpu(svm_data, cpu);
-		sd->sev_vmcbs[pos] = NULL;
+		sd->sev_vmcbs[asid] = NULL;
 	}
 }
 
-- 
2.30.2




  reply	other threads:[~2021-08-13 15:14 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-13 15:06 [PATCH 5.4 00/27] 5.4.141-rc1 review Greg Kroah-Hartman
2021-08-13 15:06 ` Greg Kroah-Hartman [this message]
2021-08-13 15:07 ` [PATCH 5.4 02/27] tee: Correct inappropriate usage of TEE_SHM_DMA_BUF flag Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 03/27] media: v4l2-mem2mem: always consider OUTPUT queue during poll Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 04/27] tracing: Reject string operand in the histogram expression Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 05/27] usb: dwc3: Stop active transfers before halting the controller Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 06/27] usb: dwc3: gadget: Allow runtime suspend if UDC unbinded Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 07/27] usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 08/27] usb: dwc3: gadget: Prevent EP queuing while stopping transfers Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 09/27] usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 10/27] usb: dwc3: gadget: Disable gadget IRQ during pullup disable Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 11/27] usb: dwc3: gadget: Avoid runtime resume if disabling pullup Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 12/27] KVM: X86: MMU: Use the correct inherited permissions to get shadow page Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 13/27] USB:ehci:fix Kunpeng920 ehci hardware problem Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 14/27] ALSA: hda: Add quirk for ASUS Flow x13 Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 15/27] ppp: Fix generating ppp unit id when ifname is not specified Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 16/27] ovl: prevent private clone if bind mount is not allowed Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 17/27] btrfs: make qgroup_free_reserved_data take btrfs_inode Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 18/27] btrfs: make btrfs_qgroup_reserve_data " Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 19/27] btrfs: qgroup: allow to unreserve range without releasing other ranges Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 20/27] btrfs: qgroup: try to flush qgroup space when we get -EDQUOT Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 21/27] btrfs: transaction: Cleanup unused TRANS_STATE_BLOCKED Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 22/27] btrfs: qgroup: remove ASYNC_COMMIT mechanism in favor of reserve retry-after-EDQUOT Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 23/27] btrfs: fix lockdep splat when enabling and disabling qgroups Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 24/27] net: xilinx_emaclite: Do not print real IOMEM pointer Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 25/27] btrfs: qgroup: dont commit transaction when we already hold the handle Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 26/27] btrfs: export and rename qgroup_reserve_meta Greg Kroah-Hartman
2021-08-13 15:07 ` [PATCH 5.4 27/27] btrfs: dont flush from btrfs_delayed_inode_reserve_metadata Greg Kroah-Hartman
2021-08-13 23:24 ` [PATCH 5.4 00/27] 5.4.141-rc1 review Shuah Khan
2021-08-14 11:11 ` Sudip Mukherjee
2021-08-14 11:39 ` Naresh Kamboju
2021-08-14 18:15 ` Guenter Roeck
2021-08-16  3:02 ` Samuel Zou

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210813150523.409936529@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=brijesh.singh@amd.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=sashal@kernel.org \
    --cc=seanjc@google.com \
    --cc=stable@vger.kernel.org \
    --cc=thomas.lendacky@amd.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).