x86/KVM/VMX: Seperate the VMX AUTOLOAD guest/host number accounting.

This allows to load a different number of MSRs depending on the context: VMEXIT or VMENTER. Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> CVE-2018-3620 CVE-2018-3646 [smb: Minor context adjustments] Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

x86/KVM/VMX: Seperate the VMX AUTOLOAD guest/host number accounting.
This allows to load a different number of MSRs depending on the context: VMEXIT or VMENTER. Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> CVE-2018-3620 CVE-2018-3646 [smb: Minor context adjustments] Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
62bb770c · Konrad Rzeszutek Wilk · Stefan Bader · 40914af6 · 62bb770c
Commit 62bb770c authored Jun 20, 2018 by Konrad Rzeszutek Wilk Committed by Stefan Bader Aug 08, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 10 deletions

arch/x86/kvm/vmx.c arch/x86/kvm/vmx.c +18 -10

No files found.
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1788,12 +1788,17 @@ static void clear_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr)
 	}
 	i = find_msr(&m->guest, msr);
 	if (i < 0)
-		return;
+		goto skip_guest;
 	--m->guest.nr;
-	--m->host.nr;
 	m->guest.val[i] = m->guest.val[m->guest.nr];
-	m->host.val[i] = m->host.val[m->host.nr];
 	vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, m->guest.nr);
+
+skip_guest:
+	i = find_msr(&m->host, msr);
+	if (i < 0)
+		return;
+	--m->host.nr;
+	m->host.val[i] = m->host.val[m->host.nr];
 	vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, m->host.nr);
 }

@@ -1811,7 +1816,7 @@ static void add_atomic_switch_msr_special(struct vcpu_vmx *vmx,
 static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr,
 				  u64 guest_val, u64 host_val)
 {
-	int i;
+	int i, j;
 	struct msr_autoload *m = &vmx->msr_autoload;

 	switch (msr) {
@@ -1847,21 +1852,24 @@ static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr,
 	}

 	i = find_msr(&m->guest, msr);
-	if (i == NR_AUTOLOAD_MSRS) {
+	j = find_msr(&m->host, msr);
+	if (i == NR_AUTOLOAD_MSRS || j == NR_AUTOLOAD_MSRS) {
 		printk_once(KERN_WARNING "Not enough msr switch entries. "
 				"Can't add msr %x\n", msr);
 		return;
-	} else if (i < 0) {
+	}
+	if (i < 0) {
 		i = m->guest.nr++;
-		++m->host.nr;
 		vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, m->guest.nr);
+	}
+	if (j < 0) {
+		j = m->host.nr++;
 		vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, m->host.nr);
 	}
-
 	m->guest.val[i].index = msr;
 	m->guest.val[i].value = guest_val;
-	m->host.val[i].index = msr;
-	m->host.val[i].value = host_val;
+	m->host.val[j].index = msr;
+	m->host.val[j].value = host_val;
 }

 static void reload_tss(void)