svm_vcpu_run() invokes x86_spec_ctrl_restore_host() after VMEXIT, but
before the host GS is restored. x86_spec_ctrl_restore_host() uses 'current'
to determine the host SSBD state of the thread. 'current' is GS based, but
host GS is not yet restored and the access causes a triple fault.
Move the call after the host GS restore.
OraBug:
28041771
CVE: CVE-2018-3639
Fixes: 885f82bfbc6f x86/process: Allow runtime control of Speculative Store Bypass
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit
15e6c22fd8e5a42c5ed6d487b7c9fe44c2517765)
Signed-off-by: Mihai Carabas <mihai.carabas@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
Conflicts:
arch/x86/kvm/svm.c
Signed-off-by: Brian Maly <brian.maly@oracle.com>
#endif
);
- if (ibrs_supported) {
- rdmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
-
- x86_spec_ctrl_restore_host(svm->spec_ctrl);
- }
-
/* Eliminate branch target predictions from guest mode */
vmexit_fill_RSB();
#endif
#endif
+ if (ibrs_supported) {
+ rdmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
+
+ x86_spec_ctrl_restore_host(svm->spec_ctrl);
+ }
+
reload_tss(vcpu);
local_irq_disable();
projects / users / jedix / linux-maple.git / commitdiff