diff options
author | Boris Ostrovsky <boris.ostrovsky@oracle.com> | 2019-12-05 06:45:32 +0300 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2020-01-30 20:45:55 +0300 |
commit | b043138246a41064527cf019a3d51d9f015e9796 (patch) | |
tree | e702c1dec588a3c872d1c94e8e877176480b5846 /virt | |
parent | 917248144db5d7320655dbb41d3af0b8a0f3d589 (diff) | |
download | linux-b043138246a41064527cf019a3d51d9f015e9796.tar.xz |
x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed
There is a potential race in record_steal_time() between setting
host-local vcpu->arch.st.steal.preempted to zero (i.e. clearing
KVM_VCPU_PREEMPTED) and propagating this value to the guest with
kvm_write_guest_cached(). Between those two events the guest may
still see KVM_VCPU_PREEMPTED in its copy of kvm_steal_time, set
KVM_VCPU_FLUSH_TLB and assume that hypervisor will do the right
thing. Which it won't.
Instad of copying, we should map kvm_steal_time and that will
guarantee atomicity of accesses to @preempted.
This is part of CVE-2019-3016.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'virt')
0 files changed, 0 insertions, 0 deletions