• S
    KVM: x86: Properly reset MMU context at vCPU RESET/INIT · 1d717e40
    Sean Christopherson 提交于
    mainline inclusion
    from mainline-v5.14-rc1
    commit 0aa18375
    category: bugfix
    bugzilla: https://gitee.com/openeuler/kernel/issues/I4NP0K
    CVE: NA
    
    Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0aa1837533e5f4be8cc21bbc06314c23ba2c5447
    
    -------------------
    
    Reset the MMU context at vCPU INIT (and RESET for good measure) if CR0.PG
    was set prior to INIT.  Simply re-initializing the current MMU is not
    sufficient as the current root HPA may not be usable in the new context.
    E.g. if TDP is disabled and INIT arrives while the vCPU is in long mode,
    KVM will fail to switch to the 32-bit pae_root and bomb on the next
    VM-Enter due to running with a 64-bit CR3 in 32-bit mode.
    
    This bug was papered over in both VMX and SVM, but still managed to rear
    its head in the MMU role on VMX.  Because EFER.LMA=1 requires CR0.PG=1,
    kvm_calc_shadow_mmu_root_page_role() checks for EFER.LMA without first
    checking CR0.PG.  VMX's RESET/INIT flow writes CR0 before EFER, and so
    an INIT with the vCPU in 64-bit mode will cause the hack-a-fix to
    generate the wrong MMU role.
    
    In VMX, the INIT issue is specific to running without unrestricted guest
    since unrestricted guest is available if and only if EPT is enabled.
    Commit 8668a3c4 ("KVM: VMX: Reset mmu context when entering real
    mode") resolved the issue by forcing a reset when entering emulated real
    mode.
    
    In SVM, commit ebae871a ("kvm: svm: reset mmu on VCPU reset") forced
    a MMU reset on every INIT to workaround the flaw in common x86.  Note, at
    the time the bug was fixed, the SVM problem was exacerbated by a complete
    lack of a CR4 update.
    
    The vendor resets will be reverted in future patches, primarily to aid
    bisection in case there are non-INIT flows that rely on the existing VMX
    logic.
    
    Because CR0.PG is unconditionally cleared on INIT, and because CR0.WP and
    all CR4/EFER paging bits are ignored if CR0.PG=0, simply checking that
    CR0.PG was '1' prior to INIT/RESET is sufficient to detect a required MMU
    context reset.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: NSean Christopherson <seanjc@google.com>
    Message-Id: <20210622175739.3610207-4-seanjc@google.com>
    Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: NJingyi Wang <wangjingyi11@huawei.com>
    Reviewed-by: NZenghui Yu <yuzenghui@huawei.com>
    Reviewed-by: NWei Li <liwei391@huawei.com>
    Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
    1d717e40
x86.c 299.6 KB