diff mbox series

[Disco,06/10] UBUNTU: SAUCE: x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit

Message ID 20200131111035.38050-7-cascardo@canonical.com
State New
Headers show
Series CVE-2019-3016 | expand

Commit Message

Thadeu Lima de Souza Cascardo Jan. 31, 2020, 11:10 a.m. UTC
From: Boris Ostrovsky <boris.ostrovsky@oracle.com>


kvm_steal_time_set_preempted() may accidentally clear KVM_VCPU_FLUSH_TLB
bit if it is called more than once while VCPU is preempted.

This is part of CVE-2019-3016.

(This bug was also independently discovered by Jim Mattson

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
 arch/x86/kvm/x86.c | 3 +++
 1 file changed, 3 insertions(+)
diff mbox series


diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 43e9f01229e4..19461f2de496 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3330,6 +3330,9 @@  static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu)
 	if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED))
+	if (vcpu->arch.st.steal.preempted)
+		return;
 	vcpu->arch.st.steal.preempted = KVM_VCPU_PREEMPTED;
 	kvm_write_guest_offset_cached(vcpu->kvm, &vcpu->arch.st.stime,