git.baikalelectronics.ru Git - kernel.git/commit

author	Jim Mattson <jmattson@google.com>
	Fri, 8 Jul 2016 22:36:06 +0000 (15:36 -0700)
committer	Paolo Bonzini <pbonzini@redhat.com>
	Thu, 14 Jul 2016 17:11:20 +0000 (19:11 +0200)
commit	8ddd2a503375c5d6a63508e44ed4399b55e9629c
tree	8fead675d92c2fbdc180db2231fd47e6ff067984	tree \| snapshot
parent	be51e94dd71c4b8723942140d4323337ba3c06e1	commit \| diff

KVM: nVMX: Fix memory corruption when using VMCS shadowing

When freeing the nested resources of a vcpu, there is an assumption that
the vcpu's vmcs01 is the current VMCS on the CPU that executes
nested_release_vmcs12(). If this assumption is violated, the vcpu's
vmcs01 may be made active on multiple CPUs at the same time, in
violation of Intel's specification. Moreover, since the vcpu's vmcs01 is
not VMCLEARed on every CPU on which it is active, it can linger in a
CPU's VMCS cache after it has been freed and potentially
repurposed. Subsequent eviction from the CPU's VMCS cache on a capacity
miss can result in memory corruption.

It is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If
the vcpu in question was last loaded on a different CPU, it must be
migrated to the current CPU before calling vmx_load_vmcs01().

Signed-off-by: Jim Mattson <jmattson@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

arch/x86/kvm/vmx.c		diff \| blob \| history
virt/kvm/kvm_main.c		diff \| blob \| history