Merge git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Marcelo Tosatti: - Fix for guest triggerable BUG_ON (CVE-2014-0155) - CR4.SMAP support - Spurious WARN_ON() fix * git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86: remove WARN_ON from get_kernel_ns() KVM: Rename variable smep to cr4_smep KVM: expose SMAP feature to guest KVM: Disable SMAP for guests in EPT realmode and EPT unpaging mode KVM: Add SMAP support when setting CR4 KVM: Remove SMAP bit from CR4_RESERVED_BITS KVM: ioapic: try to recover if pending_eoi goes out of range KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155)
author: Linus Torvalds <torvalds@linux-foundation.org> 2014-04-14 19:21:28 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2014-04-14 19:21:28 -0400
commit: 55101e2d6ce1c780f6ee8fee5f37306971aac6cd (patch)
tree: 348adcfd97517ee9b5041f31df15cdd7fedb8ea7 /arch
parent: dafe344d2288f0ebc0e3d4c6a5eb15bc82189c53 (diff)
parent: b351c39cc9e0151cee9b8d52a1e714928faabb38 (diff)
8 files changed, 94 insertions, 23 deletions
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index fcaf9c961265..7de069afb382 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -60,7 +60,7 @@
                          | X86_CR4_PSE | X86_CR4_PAE | X86_CR4_MCE     \
                          | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_PCIDE \
                          | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_FSGSBASE \
-                          | X86_CR4_OSXMMEXCPT | X86_CR4_VMXE))
+                          | X86_CR4_OSXMMEXCPT | X86_CR4_VMXE | X86_CR4_SMAP))
 #define CR8_RESERVED_BITS (~(unsigned long)X86_CR8_TPR)
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index bea60671ef8a..f47a104a749c 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -308,7 +308,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
        const u32 kvm_supported_word9_x86_features =
                F(FSGSBASE) | F(BMI1) | F(HLE) | F(AVX2) | F(SMEP) |
                F(BMI2) | F(ERMS) | f_invpcid | F(RTM) | f_mpx | F(RDSEED) |
-                F(ADX);
+                F(ADX) | F(SMAP);
        /* all calls to cpuid_count() should be made on the same cpu */
        get_cpu();
diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
index a2a1bb7ed8c1..eeecbed26ac7 100644
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -48,6 +48,14 @@ static inline bool guest_cpuid_has_smep(struct kvm_vcpu *vcpu)
        return best && (best->ebx & bit(X86_FEATURE_SMEP));
 }
+static inline bool guest_cpuid_has_smap(struct kvm_vcpu *vcpu)
+{
+        struct kvm_cpuid_entry2 *best;
+        best = kvm_find_cpuid_entry(vcpu, 7, 0);
+        return best && (best->ebx & bit(X86_FEATURE_SMAP));
+}
 static inline bool guest_cpuid_has_fsgsbase(struct kvm_vcpu *vcpu)
 {
        struct kvm_cpuid_entry2 *best;
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index f5704d9e5ddc..813d31038b93 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3601,20 +3601,27 @@ static void reset_rsvds_bits_mask_ept(struct kvm_vcpu *vcpu,
        }
 }
-static void update_permission_bitmask(struct kvm_vcpu *vcpu,
+void update_permission_bitmask(struct kvm_vcpu *vcpu,
                struct kvm_mmu *mmu, bool ept)
 {
        unsigned bit, byte, pfec;
        u8 map;
-        bool fault, x, w, u, wf, uf, ff, smep;
+        bool fault, x, w, u, wf, uf, ff, smapf, cr4_smap, cr4_smep, smap = 0;
-        smep = kvm_read_cr4_bits(vcpu, X86_CR4_SMEP);
+        cr4_smep = kvm_read_cr4_bits(vcpu, X86_CR4_SMEP);
+        cr4_smap = kvm_read_cr4_bits(vcpu, X86_CR4_SMAP);
        for (byte = 0; byte < ARRAY_SIZE(mmu->permissions); ++byte) {
                pfec = byte << 1;
                map = 0;
                wf = pfec & PFERR_WRITE_MASK;
                uf = pfec & PFERR_USER_MASK;
                ff = pfec & PFERR_FETCH_MASK;
+                /*
+                 * PFERR_RSVD_MASK bit is set in PFEC if the access is not
+                 * subject to SMAP restrictions, and cleared otherwise. The
+                 * bit is only meaningful if the SMAP bit is set in CR4.
+                 */
+                smapf = !(pfec & PFERR_RSVD_MASK);
                for (bit = 0; bit < 8; ++bit) {
                        x = bit & ACC_EXEC_MASK;
                        w = bit & ACC_WRITE_MASK;
@@ -3626,12 +3633,33 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu,
                                /* Allow supervisor writes if !cr0.wp */
                                w |= !is_write_protection(vcpu) && !uf;
                                /* Disallow supervisor fetches of user code if cr4.smep */
-                                x &= !(smep && u && !uf);
+                                x &= !(cr4_smep && u && !uf);
+                                /*
+                                 * SMAP:kernel-mode data accesses from user-mode
+                                 * mappings should fault. A fault is considered
+                                 * as a SMAP violation if all of the following
+                                 * conditions are ture:
+                                 *   - X86_CR4_SMAP is set in CR4
+                                 *   - An user page is accessed
+                                 *   - Page fault in kernel mode
+                                 *   - if CPL = 3 or X86_EFLAGS_AC is clear
+                                 *
+                                 *   Here, we cover the first three conditions.
+                                 *   The fourth is computed dynamically in
+                                 *   permission_fault() and is in smapf.
+                                 *
+                                 *   Also, SMAP does not affect instruction
+                                 *   fetches, add the !ff check here to make it
+                                 *   clearer.
+                                 */
+                                smap = cr4_smap && u && !uf && !ff;
                        } else
                                /* Not really needed: no U/S accesses on ept  */
                                u = 1;
-                        fault = (ff && !x) || (uf && !u) || (wf && !w);
+                        fault = (ff && !x) || (uf && !u) || (wf && !w) ||
+                                (smapf && smap);
                        map |= fault << bit;
                }
                mmu->permissions[byte] = map;
diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
index 292615274358..3842e70bdb7c 100644
--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -44,11 +44,17 @@
 #define PT_DIRECTORY_LEVEL 2
 #define PT_PAGE_TABLE_LEVEL 1
-#define PFERR_PRESENT_MASK (1U << 0)
+#define PFERR_PRESENT_BIT 0
-#define PFERR_WRITE_MASK (1U << 1)
+#define PFERR_WRITE_BIT 1
-#define PFERR_USER_MASK (1U << 2)
+#define PFERR_USER_BIT 2
-#define PFERR_RSVD_MASK (1U << 3)
+#define PFERR_RSVD_BIT 3
-#define PFERR_FETCH_MASK (1U << 4)
+#define PFERR_FETCH_BIT 4
+#define PFERR_PRESENT_MASK (1U << PFERR_PRESENT_BIT)
+#define PFERR_WRITE_MASK (1U << PFERR_WRITE_BIT)
+#define PFERR_USER_MASK (1U << PFERR_USER_BIT)
+#define PFERR_RSVD_MASK (1U << PFERR_RSVD_BIT)
+#define PFERR_FETCH_MASK (1U << PFERR_FETCH_BIT)
 int kvm_mmu_get_spte_hierarchy(struct kvm_vcpu *vcpu, u64 addr, u64 sptes[4]);
 void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask);
@@ -73,6 +79,8 @@ int handle_mmio_page_fault_common(struct kvm_vcpu *vcpu, u64 addr, bool direct);
 void kvm_init_shadow_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context);
 void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context,
                bool execonly);
+void update_permission_bitmask(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
+                bool ept);
 static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm)
 {
@@ -110,10 +118,30 @@ static inline bool is_write_protection(struct kvm_vcpu *vcpu)
 * Will a fault with a given page-fault error code (pfec) cause a permission
 * fault with the given access (in ACC_* format)?
 */
-static inline bool permission_fault(struct kvm_mmu *mmu, unsigned pte_access,
+static inline bool permission_fault(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
-                                    unsigned pfec)
+                                    unsigned pte_access, unsigned pfec)
 {
-        return (mmu->permissions[pfec >> 1] >> pte_access) & 1;
+        int cpl = kvm_x86_ops->get_cpl(vcpu);
+        unsigned long rflags = kvm_x86_ops->get_rflags(vcpu);
+        /*
+         * If CPL < 3, SMAP prevention are disabled if EFLAGS.AC = 1.
+         *
+         * If CPL = 3, SMAP applies to all supervisor-mode data accesses
+         * (these are implicit supervisor accesses) regardless of the value
+         * of EFLAGS.AC.
+         *
+         * This computes (cpl < 3) && (rflags & X86_EFLAGS_AC), leaving
+         * the result in X86_EFLAGS_AC. We then insert it in place of
+         * the PFERR_RSVD_MASK bit; this bit will always be zero in pfec,
+         * but it will be one in index if SMAP checks are being overridden.
+         * It is important to keep this branchless.
+         */
+        unsigned long smap = (cpl - 3) & (rflags & X86_EFLAGS_AC);
+        int index = (pfec >> 1) +
+                    (smap >> (X86_EFLAGS_AC_BIT - PFERR_RSVD_BIT + 1));
+        return (mmu->permissions[index] >> pte_access) & 1;
 }
 void kvm_mmu_invalidate_zap_all_pages(struct kvm *kvm);
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index b1e6c1bf68d3..123efd3ec29f 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -353,7 +353,7 @@ retry_walk:
                walker->ptes[walker->level - 1] = pte;
        } while (!is_last_gpte(mmu, walker->level, pte));
-        if (unlikely(permission_fault(mmu, pte_access, access))) {
+        if (unlikely(permission_fault(vcpu, mmu, pte_access, access))) {
                errcode |= PFERR_PRESENT_MASK;
                goto error;
        }
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 1320e0f8e611..1f68c5831924 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -3484,13 +3484,14 @@ static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
                        hw_cr4 &= ~X86_CR4_PAE;
                        hw_cr4 |= X86_CR4_PSE;
                        /*
-                         * SMEP is disabled if CPU is in non-paging mode in
+                         * SMEP/SMAP is disabled if CPU is in non-paging mode
-                         * hardware. However KVM always uses paging mode to
+                         * in hardware. However KVM always uses paging mode to
                         * emulate guest non-paging mode with TDP.
-                         * To emulate this behavior, SMEP needs to be manually
+                         * To emulate this behavior, SMEP/SMAP needs to be
-                         * disabled when guest switches to non-paging mode.
+                         * manually disabled when guest switches to non-paging
+                         * mode.
                         */
-                        hw_cr4 &= ~X86_CR4_SMEP;
+                        hw_cr4 &= ~(X86_CR4_SMEP | X86_CR4_SMAP);
                } else if (!(cr4 & X86_CR4_PAE)) {
                        hw_cr4 &= ~X86_CR4_PAE;
                }
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 9d1b5cd4d34c..8b8fc0b792ba 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -652,6 +652,9 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
        if (!guest_cpuid_has_smep(vcpu) && (cr4 & X86_CR4_SMEP))
                return 1;
+        if (!guest_cpuid_has_smap(vcpu) && (cr4 & X86_CR4_SMAP))
+                return 1;
        if (!guest_cpuid_has_fsgsbase(vcpu) && (cr4 & X86_CR4_FSGSBASE))
                return 1;
@@ -680,6 +683,9 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
            (!(cr4 & X86_CR4_PCIDE) && (old_cr4 & X86_CR4_PCIDE)))
                kvm_mmu_reset_context(vcpu);
+        if ((cr4 ^ old_cr4) & X86_CR4_SMAP)
+                update_permission_bitmask(vcpu, vcpu->arch.walk_mmu, false);
        if ((cr4 ^ old_cr4) & X86_CR4_OSXSAVE)
                kvm_update_cpuid(vcpu);
@@ -1117,7 +1123,6 @@ static inline u64 get_kernel_ns(void)
 {
        struct timespec ts;
-        WARN_ON(preemptible());
        ktime_get_ts(&ts);
        monotonic_to_bootbased(&ts);
        return timespec_to_ns(&ts);
@@ -4164,7 +4169,8 @@ static int vcpu_mmio_gva_to_gpa(struct kvm_vcpu *vcpu, unsigned long gva,
                | (write ? PFERR_WRITE_MASK : 0);
        if (vcpu_match_mmio_gva(vcpu, gva)
-            && !permission_fault(vcpu->arch.walk_mmu, vcpu->arch.access, access)) {
+            && !permission_fault(vcpu, vcpu->arch.walk_mmu,
+                                 vcpu->arch.access, access)) {
                *gpa = vcpu->arch.mmio_gfn << PAGE_SHIFT |
                                        (gva & (PAGE_SIZE - 1));
                trace_vcpu_match_mmio(gva, *gpa, write, false);
author	Linus Torvalds <torvalds@linux-foundation.org>	2014-04-14 19:21:28 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2014-04-14 19:21:28 -0400
commit	55101e2d6ce1c780f6ee8fee5f37306971aac6cd (patch)
tree	348adcfd97517ee9b5041f31df15cdd7fedb8ea7 /arch
parent	dafe344d2288f0ebc0e3d4c6a5eb15bc82189c53 (diff)
parent	b351c39cc9e0151cee9b8d52a1e714928faabb38 (diff)