
[xen stable-4.16] x86/vmx: prevent fallthrough in vmx_set_reg() for handled registers



commit cd2df4561edef2c104f46f8d0998e8ccefdf9c5e
Author:     Roger Pau Monné <roger.pau@xxxxxxxxxx>
AuthorDate: Mon Apr 15 11:22:31 2024 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Mon Apr 15 11:26:00 2024 +0100

    x86/vmx: prevent fallthrough in vmx_set_reg() for handled registers
    
    vmx_set_reg() logic is split into two parts, the top one handles registers
    that don't require loading the VMCS into context (ie: don't require a
    VMWRITE).  The second half handles registers that do require the VMCS to be
    loaded.
    
    SPEC_CTRL MSR is handled differently depending on whether there's support for
    virtualize SPEC_CTRL.  Without hardware help for virtualizing SPEC_CTRL the
    value is handled using MSR load lists, that don't require the VMCS to be
    loaded.  When there's hardware assistance however the value is stored in the
    VMCS, and requires a VMWRITE.  The lack of a return statement when handling
    SPEC_CTRL in the first half of the function leads to SPEC_CTRL being
    unconditionally handled as if the host had virtualize SPEC_CTRL, which means
    Xen will either hit an ASSERT in debug builds, or will attempt to perform a
    VMWRITE to an unhandled VMCS field if the host doesn't support the virtualize
    SPEC_CTRL feature.
    
    This bug occurred because the context wasn't adjusted accordingly to account
    for the absence of commit 0626219dcc6a ("x86/hvm: Drop
    hvm_{get,set}_guest_bndcfgs() and use {get,set}_regs() instead") in the 4.15
    and 4.16 branches.
    
    Fix by returning early from the function if the register is handled without
    requiring the VMCS context to be loaded.
    
    Fixes: 295bf24af77c ('x86/vmx: Add support for virtualize SPEC_CTRL')
    Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/arch/x86/hvm/vmx/vmx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 0041fdc88b..d5112c8ecf 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -2663,7 +2663,7 @@ static void vmx_set_reg(struct vcpu *v, unsigned int reg, 
uint64_t val)
                    __func__, v, reg, rc);
             domain_crash(d);
         }
-        break;
+        return;
     }
 
     /* Logic which maybe requires remote VMCS acquisition. */
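Review bot: the one-line `-        break;` / `+        return;` change is the right fix for the fallthrough into the "Logic which maybe requires remote VMCS acquisition" half shown in the trailing context, but nothing in the visible lines says why this case leaves the function while the surrounding code keeps going; a short comment on the `return` (for example `/* Fully handled without the VMCS; don't reach the VMCS half below. */`) would keep a future backport from turning it back into a `break`. It is also worth confirming, since the two-line context cannot show it, that no other case in the same first-half switch still ends in `break` after fully handling its register, as it would have the identical problem.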
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16
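To make the failure mode in the commit message concrete, the following is an added C model of the two-phase register-setter layout it describes, with the pre-fix `break` and the post-fix `return` side by side. It is not Xen's code: the `fake_vcpu` structure, the `FAKE_REG_*` names, the `bad_vmwrites` counter and both `set_reg_*` functions are hypothetical stand-ins, and the "VMWRITE" is simulated by a field assignment.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of a two-phase vmx_set_reg()-style function (added
 * example, not Xen code).  Phase 1 handles registers that need no VMCS
 * context; phase 2 handles registers that require a VMWRITE. */

enum fake_reg { FAKE_REG_SPEC_CTRL = 1, FAKE_REG_VMCS_ONLY = 2 };

struct fake_vcpu {
    bool     virt_spec_ctrl;      /* host supports virtualize SPEC_CTRL */
    uint64_t msr_list_spec_ctrl;  /* value kept in the MSR load list */
    uint64_t vmcs_spec_ctrl;      /* value kept in the VMCS field */
    uint64_t vmcs_other;
    int      bad_vmwrites;        /* VMWRITEs to a field the host lacks */
};

/* Stand-in for the VMCS-side SPEC_CTRL write: only valid with hardware
 * support; otherwise it is the ASSERT / bad-VMWRITE case from the commit. */
static void fake_vmwrite_spec_ctrl(struct fake_vcpu *v, uint64_t val)
{
    if (!v->virt_spec_ctrl) {
        v->bad_vmwrites++;        /* Xen: ASSERT in debug, bad VMWRITE otherwise */
        return;
    }
    v->vmcs_spec_ctrl = val;
}

/* Before the fix: 'break' leaves the first switch and falls into the
 * second half, which assumes the VMCS-backed path applies. */
static void set_reg_before(struct fake_vcpu *v, unsigned int reg, uint64_t val)
{
    /* Logic that doesn't need the VMCS loaded. */
    switch (reg) {
    case FAKE_REG_SPEC_CTRL:
        if (!v->virt_spec_ctrl) {
            v->msr_list_spec_ctrl = val;
            break;                /* BUG: continues into the VMCS half below */
        }
        break;
    }

    /* Logic that requires the VMCS to be loaded (VMWRITE). */
    switch (reg) {
    case FAKE_REG_SPEC_CTRL:
        fake_vmwrite_spec_ctrl(v, val);
        break;
    case FAKE_REG_VMCS_ONLY:
        v->vmcs_other = val;
        break;
    }
}

/* After the fix: a register fully handled in phase 1 returns early. */
static void set_reg_after(struct fake_vcpu *v, unsigned int reg, uint64_t val)
{
    switch (reg) {
    case FAKE_REG_SPEC_CTRL:
        if (!v->virt_spec_ctrl) {
            v->msr_list_spec_ctrl = val;
            return;               /* handled; never reach the VMCS half */
        }
        break;
    }

    switch (reg) {
    case FAKE_REG_SPEC_CTRL:
        fake_vmwrite_spec_ctrl(v, val);
        break;
    case FAKE_REG_VMCS_ONLY:
        v->vmcs_other = val;
        break;
    }
}

/* Number of bad VMWRITEs one SPEC_CTRL write produces on a host without
 * virtualize SPEC_CTRL: 1 with the buggy layout, 0 with the fixed one. */
int bad_vmwrites_without_hw(bool fixed)
{
    struct fake_vcpu v = { .virt_spec_ctrl = false };
    if (fixed)
        set_reg_after(&v, FAKE_REG_SPEC_CTRL, 0x1);
    else
        set_reg_before(&v, FAKE_REG_SPEC_CTRL, 0x1);
    return v.bad_vmwrites;
}

/* With hardware support both layouts must land the value in the VMCS. */
uint64_t vmcs_value_with_hw(bool fixed)
{
    struct fake_vcpu v = { .virt_spec_ctrl = true };
    if (fixed)
        set_reg_after(&v, FAKE_REG_SPEC_CTRL, 0x5);
    else
        set_reg_before(&v, FAKE_REG_SPEC_CTRL, 0x5);
    return v.vmcs_spec_ctrl;
}
```

The model shows why the single-token change matters: with hardware support both layouts behave identically, so the bug only surfaces on hosts without virtualize SPEC_CTRL, where the `break` version reaches the VMCS half once per write while the `return` version never does.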