KVM: VMX: Mark VMXArea with revision_id of physical CPU even when eVMCS enabled

When eVMCS is enabled, all VMCS allocated to be used by KVM are marked
with revision_id of KVM_EVMCS_VERSION instead of revision_id reported
by MSR_IA32_VMX_BASIC.

However, even though not explictly documented by TLFS, VMXArea passed
as VMXON argument should still be marked with revision_id reported by
physical CPU.

This issue was found by the following setup:
* L0 = KVM which expose eVMCS to it's L1 guest.
* L1 = KVM which consume eVMCS reported by L0.
This setup caused the following to occur:
1) L1 execute hardware_enable().
2) hardware_enable() calls kvm_cpu_vmxon() to execute VMXON.
3) L0 intercept L1 VMXON and execute handle_vmon() which notes
vmxarea->revision_id != VMCS12_REVISION and therefore fails with
nested_vmx_failInvalid() which sets RFLAGS.CF.
4) L1 kvm_cpu_vmxon() don't check RFLAGS.CF for failure and therefore
hardware_enable() continues as usual.
5) L1 hardware_enable() then calls ept_sync_global() which executes
INVEPT.
6) L0 intercept INVEPT and execute handle_invept() which notes
!vmx->nested.vmxon and thus raise a #UD to L1.
7) Raised #UD caused L1 to panic.

Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Cc: stable@vger.kernel.org
Fixes: 773e8a0425c923bc02668a2d6534a5ef5a43cc69
Signed-off-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

1 files changed, 21 insertions, 6 deletions

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index ba981459d706..c3c85908b8de 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -4108,11 +4108,7 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
         vmcs_conf->order = get_order(vmcs_conf->size);
         vmcs_conf->basic_cap = vmx_msr_high & ~0x1fff;
 
-        /* KVM supports Enlightened VMCS v1 only */
-        if (static_branch_unlikely(&enable_evmcs))
-                vmcs_conf->revision_id = KVM_EVMCS_VERSION;
-        else
-                vmcs_conf->revision_id = vmx_msr_low;
+        vmcs_conf->revision_id = vmx_msr_low;
 
         vmcs_conf->pin_based_exec_ctrl = _pin_based_exec_control;
         vmcs_conf->cpu_based_exec_ctrl = _cpu_based_exec_control;
@@ -4182,7 +4178,13 @@ static struct vmcs *alloc_vmcs_cpu(int cpu)
                 return NULL;
         vmcs = page_address(pages);
         memset(vmcs, 0, vmcs_config.size);
-        vmcs->revision_id = vmcs_config.revision_id; /* vmcs revision id */
+
+        /* KVM supports Enlightened VMCS v1 only */
+        if (static_branch_unlikely(&enable_evmcs))
+                vmcs->revision_id = KVM_EVMCS_VERSION;
+        else
+                vmcs->revision_id = vmcs_config.revision_id;
+
         return vmcs;
 }
 
@@ -4341,6 +4343,19 @@ static __init int alloc_kvm_area(void)
                         return -ENOMEM;
                 }
 
+                /*
+                 * When eVMCS is enabled, alloc_vmcs_cpu() sets
+                 * vmcs->revision_id to KVM_EVMCS_VERSION instead of
+                 * revision_id reported by MSR_IA32_VMX_BASIC.
+                 *
+                 * However, even though not explictly documented by
+                 * TLFS, VMXArea passed as VMXON argument should
+                 * still be marked with revision_id reported by
+                 * physical CPU.
+                 */
+                if (static_branch_unlikely(&enable_evmcs))
+                        vmcs->revision_id = vmcs_config.revision_id;
+
                 per_cpu(vmxarea, cpu) = vmcs;
         }
         return 0;