x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit

[ Upstream commit 8c6de56a42e0c657955e12b882a81ef07d1d073e ] kvm_steal_time_set_preempted() may accidentally clear KVM_VCPU_FLUSH_TLB bit if it is called more than once while VCPU is preempted. This is part of CVE-2019-3016. (This bug was also independently discovered by Jim Mattson <jmattson@google.com>) Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Reviewed-by: Joao Martins <joao.m.martins@oracle.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Sasha Levin <sashal@kernel.org> 2020-07-31 02:33:48 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-08-05 11:06:48 +0300
commit: fd4a641bb5731c0ce5397698560a823602dbaac2 (patch)
tree: 81d6ee9fa77c289b883d2e0ed5cf79324b25c4d0 /arch
parent: 83c212df7794563a2f45a3be8fbc097e352b2c3a (diff)
download: linux-fd4a641bb5731c0ce5397698560a823602dbaac2.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 09f47c837c25..3aed03942d7d 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3075,6 +3075,9 @@ static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu)
 	if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED))
 		return;
 
+	if (vcpu->arch.st.steal.preempted)
+		return;
+
 	vcpu->arch.st.steal.preempted = 1;
 
 	kvm_write_guest_offset_cached(vcpu->kvm, &vcpu->arch.st.stime,
author	Sasha Levin <sashal@kernel.org>	2020-07-31 02:33:48 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-08-05 11:06:48 +0300
commit	fd4a641bb5731c0ce5397698560a823602dbaac2 (patch)
tree	81d6ee9fa77c289b883d2e0ed5cf79324b25c4d0 /arch
parent	83c212df7794563a2f45a3be8fbc097e352b2c3a (diff)
download	linux-fd4a641bb5731c0ce5397698560a823602dbaac2.tar.xz