Message-ID: <20251107223807.860845-1-seanjc@google.com>
Date: Fri,  7 Nov 2025 14:38:07 -0800
From: Sean Christopherson <seanjc@...gle.com>
To: Paolo Bonzini <pbonzini@...hat.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org, 
	Sean Christopherson <seanjc@...gle.com>
Subject: [GIT PULL] KVM: x86 fixes and a guest_memfd fix for 6.18

Please pull a variety of fixes that fall into one of three categories:

 - Recent-ish TDX-induced bugs (VM death on SEAMCALL/TDCALL, and my
   paperbag GVA_IS_VALID goof).

 - Long-standing issues that were exposed and/or are made relevant by
   6.18 (guest_memfd UAF race, GALog unregister and ir_list_lock from AVIC).

 - Bugs introduced in 6.18 (splat when emulating INIT for CET XSTATE).

The following changes since commit 4361f5aa8bfcecbab3fc8db987482b9e08115a6a:

  Merge tag 'kvm-x86-fixes-6.18-rc2' of https://github.com/kvm-x86/linux into HEAD (2025-10-18 10:25:43 +0200)

are available in the Git repository at:

  https://github.com/kvm-x86/linux.git tags/kvm-x86-fixes-6.18-rc5

for you to fetch changes up to d0164c161923ac303bd843e04ebe95cfd03c6e19:

  KVM: VMX: Fix check for valid GVA on an EPT violation (2025-11-06 06:06:18 -0800)

----------------------------------------------------------------
KVM x86 fixes for 6.18:

 - Inject #UD if the guest attempts to execute SEAMCALL or TDCALL as KVM
   doesn't support virtualizing the instructions, but the instructions
   are gated only by VMXON, i.e. will VM-Exit instead of taking a #UD and
   thus result in KVM exiting to userspace with an emulation error.

 - Unload the "FPU" when emulating INIT of XSTATE features if and only if
   the FPU is actually loaded, instead of trying to predict when KVM will
   emulate an INIT (CET support missed the MP_STATE path).  Add sanity
   checks to detect and harden against similar bugs in the future.

 - Unregister KVM's GALog notifier (for AVIC) when kvm-amd.ko is unloaded.

 - Use a raw spinlock for svm->ir_list_lock as the lock is taken during
   schedule(), and "normal" spinlocks are sleepable locks when PREEMPT_RT=y.

 - Remove guest_memfd bindings on memslot deletion when a gmem file is dying
   to fix a use-after-free race found by syzkaller.

 - Fix a goof in the EPT Violation handler where KVM checks the wrong
   variable when determining if the reported GVA is valid.

----------------------------------------------------------------
Chao Gao (1):
      KVM: x86: Call out MSR_IA32_S_CET is not handled by XSAVES

Maxim Levitsky (1):
      KVM: SVM: switch to raw spinlock for svm->ir_list_lock

Sean Christopherson (7):
      KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL
      KVM: x86: Unload "FPU" state on INIT if and only if its currently in-use
      KVM: x86: Harden KVM against imbalanced load/put of guest FPU state
      KVM: SVM: Initialize per-CPU svm_data at the end of hardware setup
      KVM: SVM: Unregister KVM's GALog notifier on kvm-amd.ko exit
      KVM: SVM: Make avic_ga_log_notifier() local to avic.c
      KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying

Sukrit Bhatnagar (1):
      KVM: VMX: Fix check for valid GVA on an EPT violation

 arch/x86/include/uapi/asm/vmx.h |  1 +
 arch/x86/kvm/svm/avic.c         | 24 +++++++++++++--------
 arch/x86/kvm/svm/svm.c          | 15 +++++++------
 arch/x86/kvm/svm/svm.h          |  4 ++--
 arch/x86/kvm/vmx/common.h       |  2 +-
 arch/x86/kvm/vmx/nested.c       |  8 +++++++
 arch/x86/kvm/vmx/vmx.c          |  8 +++++++
 arch/x86/kvm/x86.c              | 48 +++++++++++++++++++++++++----------------
 virt/kvm/guest_memfd.c          | 47 ++++++++++++++++++++++++++++------------
 9 files changed, 106 insertions(+), 51 deletions(-)
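The INIT/FPU item in the summary above describes a general bug shape: deciding whether to unload and reload guest state by predicting which caller path is active (the CET work missed the MP_STATE path), rather than by checking whether the state is actually loaded. What follows is an added user-space model of that shape and of the sanity checks the pull describes, written for this page; it is not KVM code and nothing in it comes from the patches in this pull. The struct `vcpu_fpu`, the functions `fpu_load`, `fpu_put`, `xstate_init`, `emulate_init_predicted`, `emulate_init_actual` and `run_init`, and the `init_path` enum are all hypothetical names for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical user-space model (not KVM's code) of "unload guest FPU state
 * on INIT if and only if it is currently loaded".  All names are assumptions.
 */
struct vcpu_fpu {
    bool loaded;            /* guest XSTATE is live in the "hardware" registers */
    unsigned long xstate;   /* in-memory XSTATE image; 0 models the INIT state */
    int imbalance_warns;    /* load-while-loaded or put-while-not-loaded */
    int live_write_warns;   /* memory image written while the live copy exists */
};

/* Load guest state; sanity check: a second load without a put is a bug. */
static void fpu_load(struct vcpu_fpu *f)
{
    if (f->loaded) {
        f->imbalance_warns++;
        return;
    }
    f->loaded = true;
}

/* Put guest state; sanity check: a put without a matching load is a bug. */
static void fpu_put(struct vcpu_fpu *f)
{
    if (!f->loaded) {
        f->imbalance_warns++;
        return;
    }
    f->loaded = false;
}

/* Reset the in-memory XSTATE image.  If the state is live, the next put
 * would overwrite this write, so flag it. */
static void xstate_init(struct vcpu_fpu *f)
{
    if (f->loaded)
        f->live_write_warns++;
    f->xstate = 0;
}

enum init_path { INIT_VIA_RESET, INIT_VIA_MP_STATE };

/* Buggy shape: guess loaded-ness from the calling path.  The MP_STATE path
 * is simply not accounted for, mirroring the class of bug described above. */
static void emulate_init_predicted(struct vcpu_fpu *f, enum init_path path)
{
    bool predicted = (path == INIT_VIA_RESET);
    if (predicted)
        fpu_put(f);
    xstate_init(f);
    if (predicted)
        fpu_load(f);
}

/* Fixed shape: act on the actual state, whatever the caller is. */
static void emulate_init_actual(struct vcpu_fpu *f)
{
    bool was_loaded = f->loaded;
    if (was_loaded)
        fpu_put(f);
    xstate_init(f);
    if (was_loaded)
        fpu_load(f);
}

/* Drive one emulated INIT with the guest FPU either loaded or not, via the
 * predicted or the actual-state variant; return how many sanity checks fired. */
static int run_init(bool fpu_loaded, bool use_actual, enum init_path path)
{
    struct vcpu_fpu f = { .loaded = false, .xstate = 0x7 };  /* constructed sample */

    if (fpu_loaded)
        fpu_load(&f);
    if (use_actual)
        emulate_init_actual(&f);
    else
        emulate_init_predicted(&f, path);
    if (fpu_loaded)
        fpu_put(&f);
    return f.imbalance_warns + f.live_write_warns;
}

int main(void)
{
    printf("predicted, loaded, MP_STATE path : %d warning(s)\n",
           run_init(true, false, INIT_VIA_MP_STATE));
    printf("predicted, unloaded, RESET path  : %d warning(s)\n",
           run_init(false, false, INIT_VIA_RESET));
    printf("actual, loaded, MP_STATE path    : %d warning(s)\n",
           run_init(true, true, INIT_VIA_MP_STATE));
    return 0;
}
```

The point of the model is the two counters: the load/put imbalance check catches a put or load that happens when the prediction is wrong in one direction, and the live-write check catches the other direction, where the image is reset while the live copy still exists. Checking `f->loaded` directly makes both paths correct without enumerating callers.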
