• Jim Mattson's avatar
    KVM: nVMX: Fix memory corruption when using VMCS shadowing · 6c2ca216
    Jim Mattson authored
    [ Upstream commit 2f1fe811 ]
    
    When freeing the nested resources of a vcpu, there is an assumption that
    the vcpu's vmcs01 is the current VMCS on the CPU that executes
    nested_release_vmcs12(). If this assumption is violated, the vcpu's
    vmcs01 may be made active on multiple CPUs at the same time, in
    violation of Intel's specification. Moreover, since the vcpu's vmcs01 is
    not VMCLEARed on every CPU on which it is active, it can linger in a
    CPU's VMCS cache after it has been freed and potentially
    repurposed. Subsequent eviction from the CPU's VMCS cache on a capacity
    miss can result in memory corruption.
    
    It is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If
    the vcpu in question was last loaded on a different CPU, it must be
    migrated to the current CPU before calling vmx_load_vmcs01().
    Signed-off-by: default avatarJim Mattson <jmattson@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
    6c2ca216
kvm_main.c 77.9 KB