3.2.100-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Honig ahonig@google.com
commit 75f139aaf896d6fdeec2e468ddfa4b2fe469bf40 upstream.
This adds a memory barrier when performing a lookup into the vmcs_field_to_offset_table. This is related to CVE-2017-5753.
Signed-off-by: Andrew Honig ahonig@google.com Reviewed-by: Jim Mattson jmattson@google.com Signed-off-by: Paolo Bonzini pbonzini@redhat.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -573,8 +573,18 @@ static const int max_vmcs_field = ARRAY_
static inline short vmcs_field_to_offset(unsigned long field) { - if (field >= max_vmcs_field || vmcs_field_to_offset_table[field] == 0) + if (field >= max_vmcs_field) return -1; + + /* + * FIXME: Mitigation for CVE-2017-5753. To be replaced with a + * generic mechanism. + */ + asm("lfence"); + + if (vmcs_field_to_offset_table[field] == 0) + return -1; + return vmcs_field_to_offset_table[field]; }