Commit 9de630ea authored by Thomas Gleixner, committed by Stefan Bader

KVM: SVM: Move spec control call after restore of GS

svm_vcpu_run() invokes x86_spec_ctrl_restore_host() after VMEXIT, but
before the host GS is restored. x86_spec_ctrl_restore_host() uses 'current'
to determine the host SSBD state of the thread. 'current' is GS based, but
host GS is not yet restored and the access causes a triple fault.

Move the call after the host GS restore.

Fixes: 885f82bf x86/process: Allow runtime control of Speculative Store Bypass
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>

CVE-2018-3639 (x86)

(backported from commit 15e6c22f)
[smb: context adapted]
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
parent 693e145c
...@@ -3933,8 +3933,6 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) ...@@ -3933,8 +3933,6 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
#endif #endif
); );
x86_spec_ctrl_restore_host(svm->spec_ctrl);
/* Eliminate branch target predictions from guest mode */ /* Eliminate branch target predictions from guest mode */
vmexit_fill_RSB(); vmexit_fill_RSB();
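Review bot: removing the x86_spec_ctrl_restore_host(svm->spec_ctrl) call at this position widens the window in which the host runs with the guest's SPEC_CTRL value so that it now also covers vmexit_fill_RSB() and the GS/segment restore code that follows; that is the intended trade-off, since the message explains the call faults here on the GS-based 'current', but the message or a comment should state that nothing in that window relies on the host SSBD setting. This hunk only makes sense together with the second one: a backport that picks up this removal alone would leave the host running with the guest's value after VMEXIT, so the two hunks should not be split.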
...@@ -3947,6 +3945,8 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) ...@@ -3947,6 +3945,8 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
#endif #endif
#endif #endif
x86_spec_ctrl_restore_host(svm->spec_ctrl);
reload_tss(vcpu); reload_tss(vcpu);
local_irq_disable(); local_irq_disable();
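Review bot: the new call site before reload_tss(vcpu) depends on an ordering constraint that is not visible in the code, namely that host GS has already been restored by the conditional block closed by the two `#endif` lines above; a one-line comment at the call, e.g. `/* Must run after host GS is restored: uses current */`, would stop a later reorder from reintroducing the triple fault the message describes. Since the backport note says "context adapted", it is also worth confirming that this `#endif` pair closes the same GS-restore block as in upstream 15e6c22f, so the call really lands after the restore rather than inside a different conditional.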