On 03/11/2022 14:13, Maxim Levitsky wrote:
> Make sure that KVM uses vmcb01 before freeing nested state, and warn if
> that is not the case.
>
> This is a minimal fix for CVE-2022-3344 making the kernel print a warning
> instead of a kernel panic.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
> ---
> arch/x86/kvm/svm/nested.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
> index b258d6988f5dde..b74da40c1fc40c 100644
> --- a/arch/x86/kvm/svm/nested.c
> +++ b/arch/x86/kvm/svm/nested.c
> @@ -1126,6 +1126,9 @@ void svm_free_nested(struct vcpu_svm *svm)
> if (!svm->nested.initialized)
> return;
>
> + if (WARN_ON_ONCE(svm->vmcb != svm->vmcb01.ptr))
> + svm_switch_vmcb(svm, &svm->vmcb01);
> +
> svm_vcpu_free_msrpm(svm->nested.msrpm);
> svm->nested.msrpm = NULL;
>
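Review bot: a short comment above the new WARN_ON_ONCE() in svm_free_nested() stating why svm->vmcb must point at vmcb01 before the nested state is torn down would carry the commit message's reasoning into the code itself, e.g. `/* Nested state must only be freed while vmcb01 is active. */`. The check is otherwise a sound minimal mitigation; note that WARN_ON_ONCE() reports only the first occurrence, so the unconditional svm_switch_vmcb(svm, &svm->vmcb01) in the branch is what keeps later occurrences safe even though they go unreported.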