Message-ID: <CABgObfZD_twm6hgP6BuHt39pK0M6nShVFFszA8SaT8c1h-2N+A@mail.gmail.com>
Date: Sun, 9 Nov 2025 08:11:17 +0100
From: Paolo Bonzini <pbonzini@...hat.com>
To: Sean Christopherson <seanjc@...gle.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [GIT PULL] KVM: x86 fixes and a guest_memd fix for 6.18

On Fri, Nov 7, 2025 at 11:38 PM Sean Christopherson <seanjc@...gle.com> wrote:
>
> Please pull a variety of fixes that fall into one of three categories:
>
>  - Recent-ish TDX-induced bugs (VM death on SEAMCALL/TDCALL, and my
>    paperbag GVA_IS_VALID goof).
>
>  - Long-standing issues that were exposed and/or are made relevant by
>    6.18 (guest_memfd UAF race, GALog unregister and ir_list_lock from AVIC).
>
>  - Bugs introduced in 6.18 (splat when emulating INIT for CET XSTATE).

Pulled, thanks.

Paolo

> The following changes since commit 4361f5aa8bfcecbab3fc8db987482b9e08115a6a:
>
>   Merge tag 'kvm-x86-fixes-6.18-rc2' of https://github.com/kvm-x86/linux into HEAD (2025-10-18 10:25:43 +0200)
>
> are available in the Git repository at:
>
>   https://github.com/kvm-x86/linux.git tags/kvm-x86-fixes-6.18-rc5
>
> for you to fetch changes up to d0164c161923ac303bd843e04ebe95cfd03c6e19:
>
>   KVM: VMX: Fix check for valid GVA on an EPT violation (2025-11-06 06:06:18 -0800)
>
> ----------------------------------------------------------------
> KVM x86 fixes for 6.18:
>
>  - Inject #UD if the guest attempts to execute SEAMCALL or TDCALL as KVM
>    doesn't support virtualizing the instructions, but the instructions
>    are gated only by VMXON, i.e. will VM-Exit instead of taking a #UD and
>    thus result in KVM exiting to userspace with an emulation error.
>
>  - Unload the "FPU" when emulating INIT of XSTATE features if and only if
>    the FPU is actually loaded, instead of trying to predict when KVM will
>    emulate an INIT (CET support missed the MP_STATE path).  Add sanity
>    checks to detect and harden against similar bugs in the future.
>
>  - Unregister KVM's GALog notifier (for AVIC) when kvm-amd.ko is unloaded.
>
>  - Use a raw spinlock for svm->ir_list_lock as the lock is taken during
>    schedule(), and "normal" spinlocks are sleepable locks when PREEMPT_RT=y.
>
>  - Remove guest_memfd bindings on memslot deletion when a gmem file is dying
>    to fix a use-after-free race found by syzkaller.
>
>  - Fix a goof in the EPT Violation handler where KVM checks the wrong
>    variable when determining if the reported GVA is valid.
>
> ----------------------------------------------------------------
> Chao Gao (1):
>       KVM: x86: Call out MSR_IA32_S_CET is not handled by XSAVES
>
> Maxim Levitsky (1):
>       KVM: SVM: switch to raw spinlock for svm->ir_list_lock
>
> Sean Christopherson (7):
>       KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL
>       KVM: x86: Unload "FPU" state on INIT if and only if its currently in-use
>       KVM: x86: Harden KVM against imbalanced load/put of guest FPU state
>       KVM: SVM: Initialize per-CPU svm_data at the end of hardware setup
>       KVM: SVM: Unregister KVM's GALog notifier on kvm-amd.ko exit
>       KVM: SVM: Make avic_ga_log_notifier() local to avic.c
>       KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying
>
> Sukrit Bhatnagar (1):
>       KVM: VMX: Fix check for valid GVA on an EPT violation
>
>  arch/x86/include/uapi/asm/vmx.h |  1 +
>  arch/x86/kvm/svm/avic.c         | 24 +++++++++++++--------
>  arch/x86/kvm/svm/svm.c          | 15 +++++++------
>  arch/x86/kvm/svm/svm.h          |  4 ++--
>  arch/x86/kvm/vmx/common.h       |  2 +-
>  arch/x86/kvm/vmx/nested.c       |  8 +++++++
>  arch/x86/kvm/vmx/vmx.c          |  8 +++++++
>  arch/x86/kvm/x86.c              | 48 +++++++++++++++++++++++++----------------
>  virt/kvm/guest_memfd.c          | 47 ++++++++++++++++++++++++++++------------
>  9 files changed, 106 insertions(+), 51 deletions(-)
>

