KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS

commit fc02735b14fff8c6678b521d324ade27b1a3d4cf upstream. On eIBRS systems, the returns in the vmexit return path from __vmx_vcpu_run() to vmx_vcpu_run() are exposed to RSB poisoning attacks. Fix that by moving the post-vmexit spec_ctrl handling to immediately after the vmexit. Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: Borislav Petkov <bp@suse.de> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Josh Poimboeuf <jpoimboe@kernel.org> 2022-06-14 23:16:13 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-07-23 12:54:08 +0200
commit: 0cbd5905c8f3b5da498c21c4deee347622b3420b (patch)
tree: acba3b23f3a41aeac63ee17ea6c5fa2d81e4ff9f /arch/x86/kernel/cpu/bugs.c
parent: 5fde25284dfe9d3f12afdceec410cddb8d4b889a (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 2d89f8eab6c6..cef4f1fa7b7f 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -195,6 +195,10 @@ void __init check_bugs(void)
 #endif
 }
 
+/*
+ * NOTE: For VMX, this function is not called in the vmexit path.
+ * It uses vmx_spec_ctrl_restore_host() instead.
+ */
 void
 x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
 {
author	Josh Poimboeuf <jpoimboe@kernel.org>	2022-06-14 23:16:13 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-07-23 12:54:08 +0200
commit	0cbd5905c8f3b5da498c21c4deee347622b3420b (patch)
tree	acba3b23f3a41aeac63ee17ea6c5fa2d81e4ff9f /arch/x86/kernel/cpu/bugs.c
parent	5fde25284dfe9d3f12afdceec410cddb8d4b889a (diff)