tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

KVM: SVM: Filter out 64-bit exit codes when invoking exit handlers on bare metal

Explicitly filter out 64-bit exit codes when invoking exit handlers, as
svm_exit_handlers[] will never be sized with entries that use bits 63:32.

Processing the non-failing exit code as a 32-bit value will allow tracking
exit_code as a single 64-bit value (which it is, architecturally). This
will also allow hardening KVM against Spectre-like attacks without needing
to do silly things to avoid build failures on 32-bit kernels
(array_index_nospec() rightly asserts that the index fits in an "unsigned
long").

Omit the check when running as a VM, as KVM has historically failed to set
bits 63:32 appropriately when synthesizing VM-Exits, i.e. KVM could get
false positives when running as a VM on an older, broken KVM/kernel. From
a functional perspective, omitting the check is "fine", as any unwanted
collision between e.g. VMEXIT_INVALID and a 32-bit exit code will be
fatal to KVM-on-KVM regardless of what KVM-as-L1 does.

Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251230211347.4099600-5-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

Sean Christopherson 405fce69 194c17bf

+16 -2
+16 -2
arch/x86/kvm/svm/svm.c
··· 3467 3467 sev_free_decrypted_vmsa(vcpu, save); 3468 3468 } 3469 3469 3470 - int svm_invoke_exit_handler(struct kvm_vcpu *vcpu, u64 exit_code) 3470 + int svm_invoke_exit_handler(struct kvm_vcpu *vcpu, u64 __exit_code) 3471 3471 { 3472 + u32 exit_code = __exit_code; 3473 + 3474 + /* 3475 + * SVM uses negative values, i.e. 64-bit values, to indicate that VMRUN 3476 + * failed. Report all such errors to userspace (note, VMEXIT_INVALID, 3477 + * a.k.a. SVM_EXIT_ERR, is special cased by svm_handle_exit()). Skip 3478 + * the check when running as a VM, as KVM has historically left garbage 3479 + * in bits 63:32, i.e. running KVM-on-KVM would hit false positives if 3480 + * the underlying kernel is buggy. 3481 + */ 3482 + if (!cpu_feature_enabled(X86_FEATURE_HYPERVISOR) && 3483 + (u64)exit_code != __exit_code) 3484 + goto unexpected_vmexit; 3485 + 3472 3486 #ifdef CONFIG_MITIGATION_RETPOLINE 3473 3487 if (exit_code == SVM_EXIT_MSR) 3474 3488 return msr_interception(vcpu); ··· 3509 3495 3510 3496 unexpected_vmexit: 3511 3497 dump_vmcb(vcpu); 3512 - kvm_prepare_unexpected_reason_exit(vcpu, exit_code); 3498 + kvm_prepare_unexpected_reason_exit(vcpu, __exit_code); 3513 3499 return 0; 3514 3500 } 3515 3501