[SRU,Bionic/Focal,0/2] LP: #1940134/CVE-2021-3653 - L2 guest on AMD SVM

Message ID 20210816195742.12730-1-cascardo@canonical.com

Message

Thadeu Lima de Souza Cascardo Aug. 16, 2021, 7:57 p.m. UTC
This patchset reverts the original fix for CVE-2021-3653, which showed the
regression, and applied the fixed version that ended up upstream. The
regression only showed on backports for kernels older than 5.8. And as the
backport was necessary, I picked up the upstream stable v5.4.y version, which
applied cleanly on both focal and bionic trees.

The end result has been built and tested on an AMD system, where I was able to
launch an L2 Linux guest inside an L1 Linux guest. Both versions were tested.

[Impact]
Users won't be able to run a Linux inside a Linux guest.

[Test case]
Launch an L1 guest with libvirt, then launch an L2 guest using qemu inside that
first/L1 guest.

[Potential regression]
There might be reduced performance due to vmexits for interrupt handling.

Maxim Levitsky (1):
  KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
    (CVE-2021-3653)

Thadeu Lima de Souza Cascardo (1):
  UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up
    unsupported bits from L2 in int_ctl"

 arch/x86/kvm/svm.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

Comments

Kamal Mostafa Aug. 16, 2021, 9:29 p.m. UTC | #1
Ack for both the Bionic and Focal versions of this...

Acked-by: Kamal Mostafa <kamal@canonical.com>

 -Kamal

On Mon, Aug 16, 2021 at 04:57:38PM -0300, Thadeu Lima de Souza Cascardo wrote:
> This patchset reverts the original fix for CVE-2021-3653, which showed the
> regression, and applied the fixed version that ended up upstream. The
> regression only showed on backports for kernels older than 5.8. And as the
> backport was necessary, I picked up the upstream stable v5.4.y version, which
> applied cleanly on both focal and bionic trees.
> 
> The end result has been built and tested on an AMD system, where I was able to
> launch an L2 Linux guest inside an L1 Linux guest. Both versions were tested.
> 
> [Impact]
> Users won't be able to run a Linux inside a Linux guest.
> 
> [Test case]
> Launch an L1 guest with libvirt, then launch an L2 guest using qemu inside that
> first/L1 guest.
> 
> [Potential regression]
> There might be reduced performance due to vmexits for interrupt handling.
> 
> Maxim Levitsky (1):
>   KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
>     (CVE-2021-3653)
> 
> Thadeu Lima de Souza Cascardo (1):
>   UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up
>     unsupported bits from L2 in int_ctl"
> 
>  arch/x86/kvm/svm.c | 7 +------
>  1 file changed, 1 insertion(+), 6 deletions(-)
> 
> -- 
> 2.30.2
Ian May Aug. 16, 2021, 10:25 p.m. UTC | #2
Both Bionic and Focal patches LGTM

Acked-by: Ian May <ian.may@canonical.com>

On 2021-08-16 16:57:38 , Thadeu Lima de Souza Cascardo wrote:
> This patchset reverts the original fix for CVE-2021-3653, which showed the
> regression, and applied the fixed version that ended up upstream. The
> regression only showed on backports for kernels older than 5.8. And as the
> backport was necessary, I picked up the upstream stable v5.4.y version, which
> applied cleanly on both focal and bionic trees.
> 
> The end result has been built and tested on an AMD system, where I was able to
> launch an L2 Linux guest inside an L1 Linux guest. Both versions were tested.
> 
> [Impact]
> Users won't be able to run a Linux inside a Linux guest.
> 
> [Test case]
> Launch an L1 guest with libvirt, then launch an L2 guest using qemu inside that
> first/L1 guest.
> 
> [Potential regression]
> There might be reduced performance due to vmexits for interrupt handling.
> 
> Maxim Levitsky (1):
>   KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
>     (CVE-2021-3653)
> 
> Thadeu Lima de Souza Cascardo (1):
>   UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up
>     unsupported bits from L2 in int_ctl"
> 
>  arch/x86/kvm/svm.c | 7 +------
>  1 file changed, 1 insertion(+), 6 deletions(-)
> 
> -- 
> 2.30.2
Stefan Bader Aug. 17, 2021, 10:23 a.m. UTC | #3
On 16.08.21 21:57, Thadeu Lima de Souza Cascardo wrote:
> This patchset reverts the original fix for CVE-2021-3653, which showed the
> regression, and applied the fixed version that ended up upstream. The
> regression only showed on backports for kernels older than 5.8. And as the
> backport was necessary, I picked up the upstream stable v5.4.y version, which
> applied cleanly on both focal and bionic trees.
> 
> The end result has been built and tested on an AMD system, where I was able to
> launch an L2 Linux guest inside an L1 Linux guest. Both versions were tested.
> 
> [Impact]
> Users won't be able to run a Linux inside a Linux guest.
> 
> [Test case]
> Launch an L1 guest with libvirt, then launch an L2 guest using qemu inside that
> first/L1 guest.
> 
> [Potential regression]
> There might be reduced performance due to vmexits for interrupt handling.
> 
> Maxim Levitsky (1):
>    KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
>      (CVE-2021-3653)
> 
> Thadeu Lima de Souza Cascardo (1):
>    UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up
>      unsupported bits from L2 in int_ctl"
> 
>   arch/x86/kvm/svm.c | 7 +------
>   1 file changed, 1 insertion(+), 6 deletions(-)
> 
Applied to focal:linux/master-next. Thanks.

-Stefan
Stefan Bader Aug. 18, 2021, 1:02 p.m. UTC | #4
On 16.08.21 21:57, Thadeu Lima de Souza Cascardo wrote:
> This patchset reverts the original fix for CVE-2021-3653, which showed the
> regression, and applied the fixed version that ended up upstream. The
> regression only showed on backports for kernels older than 5.8. And as the
> backport was necessary, I picked up the upstream stable v5.4.y version, which
> applied cleanly on both focal and bionic trees.
> 
> The end result has been built and tested on an AMD system, where I was able to
> launch an L2 Linux guest inside an L1 Linux guest. Both versions were tested.
> 
> [Impact]
> Users won't be able to run a Linux inside a Linux guest.
> 
> [Test case]
> Launch an L1 guest with libvirt, then launch an L2 guest using qemu inside that
> first/L1 guest.
> 
> [Potential regression]
> There might be reduced performance due to vmexits for interrupt handling.
> 
> Maxim Levitsky (1):
>    KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
>      (CVE-2021-3653)
> 
> Thadeu Lima de Souza Cascardo (1):
>    UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up
>      unsupported bits from L2 in int_ctl"
> 
>   arch/x86/kvm/svm.c | 7 +------
>   1 file changed, 1 insertion(+), 6 deletions(-)
> 

Applied to bionic:linux/master-next. Thanks.

-Stefan