x86/kvm: Set IBRS on VMEXIT if guest disabled it.

If the guest writes does not write FEATURE_ENABLE_IBRS to
MSR_IA32_SPEC_CTRL, then KVM will not issue such write after
(Indirect Branch Prediction Injection).

Right before VMENTER we set the MSR to zero (if the guest
had it set to zero), or leave it at 1 (if the guest
had it set to 1).

But on the VMEXIT if the guest decided to set it to _zero_
before an VMEXIT, then we will leave it at zero and _not_
set the wrmsl to 1!

That is wrong.

And also if the guest did set to 1, then we write 1 to it again.

This fix turns the check around so that the MSR will always
be at MSR 1 - with the optimization that if the guest had
set it, we just keep it at 1.

Orabug: 27364900

Reported-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 4a60333d322c2e2bbdc3c18d845b64cd819e7b95..20483acf60eb906f0843b1ef6050d2ed15726a0a 100644 (file)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8319,7 +8319,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
 
        if (ibpb_inuse) {
                rdmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
-               if (vmx->spec_ctrl)
+               if (!vmx->spec_ctrl)
                        wrmsrl(MSR_IA32_SPEC_CTRL, SPEC_CTRL_FEATURE_ENABLE_IBRS);
        }
        stuff_RSB();