From: Thomas Gleixner
Date: Fri, 11 May 2018 13:21:01 +0000 (+0200)
Subject: KVM: SVM: Move spec control call after restore of GS
X-Git-Tag: v4.1.12-124.31.3~748
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=a024bafad216c5a7798a5adfe15eb297bd52e933;p=users%2Fjedix%2Flinux-maple.git

KVM: SVM: Move spec control call after restore of GS

svm_vcpu_run() invokes x86_spec_ctrl_restore_host() after VMEXIT, but before the host GS is restored. x86_spec_ctrl_restore_host() uses 'current' to determine the host SSBD state of the thread. 'current' is GS based, but host GS is not yet restored and the access causes a triple fault.

Move the call after the host GS restore.

OraBug: 28041771
CVE: CVE-2018-3639
Fixes: 885f82bfbc6f x86/process: Allow runtime control of Speculative Store Bypass
Signed-off-by: Thomas Gleixner
Reviewed-by: Borislav Petkov
Reviewed-by: Konrad Rzeszutek Wilk
Acked-by: Paolo Bonzini
(cherry picked from commit 15e6c22fd8e5a42c5ed6d487b7c9fe44c2517765)
Signed-off-by: Mihai Carabas
Reviewed-by: Konrad Rzeszutek Wilk
Signed-off-by: Brian Maly

Conflicts:
	arch/x86/kvm/svm.c

Signed-off-by: Brian Maly
---
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c index 1f6b962449695..51a54cfe6d083 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -4022,12 +4022,6 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) #endif ); - if (ibrs_supported) { - rdmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl); - - x86_spec_ctrl_restore_host(svm->spec_ctrl); - } - /* Eliminate branch target predictions from guest mode */ vmexit_fill_RSB(); @@ -4040,6 +4034,12 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) #endif #endif + if (ibrs_supported) { + rdmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl); + - x86_spec_ctrl_restore_host(svm->spec_ctrl); + } + reload_tss(vcpu); local_irq_disable();
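Review bot: In the first hunk (`@@ -4022,12 +4022,6 @@`), the block being moved is gated on `ibrs_supported`, yet the commit message says x86_spec_ctrl_restore_host() exists to apply the host's SSBD state for the thread; on a CPU that reports SSBD but not IBRS this condition skips the restore entirely, so please confirm that `ibrs_supported` is the intended gate in this backport (the upstream commit is cherry-picked with conflicts in svm.c, and the hunk does not show how SSBD-only hardware is handled). A second, smaller consequence of the move that the commit message should spell out: the host now executes vmexit_fill_RSB() and the GS restore with the guest's MSR_IA32_SPEC_CTRL value still loaded, since the rdmsrl/restore pair no longer runs directly after the VMRUN asm; nothing in the visible lines writes that MSR in between, so the later `rdmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);` still captures the guest value, but that ordering assumption deserves a sentence.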
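Review bot: In the second hunk (`@@ -4040,6 +4034,12 @@`), the only context shown before the re-inserted block is two `#endif` lines, so nothing in the code itself records why the call must sit here rather than next to the VMRUN asm, and a future cleanup could move it back and reintroduce the triple fault the commit message describes. Suggest a comment immediately above `+	if (ibrs_supported) {` along the lines of `/* Must run after host GS is restored: x86_spec_ctrl_restore_host() dereferences 'current' */`, and, if practical, a few more lines of context in the patch so reviewers can see the GS restore this placement depends on.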