KVM: x86/pmu: Zero out LBR capabilities during PMU refresh

Zero out the LBR capabilities during PMU refresh to avoid exposing LBRs
to the guest against userspace's wishes. If userspace modifies the
guest's CPUID model or invokes KVM_CAP_PMU_CAPABILITY to disable vPMU
after an initial KVM_SET_CPUID2, but before the first KVM_RUN, KVM will
retain the previous LBR info due to bailing before refreshing the LBR
descriptor.

Note, this is a very theoretical bug, there is no known use case where a
VMM would deliberately enable the vPMU via KVM_SET_CPUID2, and then later
disable the vPMU.

Link: https://lore.kernel.org/r/20230311004618.920745-9-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
index e8a3be0b9df9b2ff29a22bd0261a361353a63233..d889bb2a1de5568d3d7dbd02eea17eccd8f600b9 100644 (file)
--- a/arch/x86/kvm/vmx/pmu_intel.c
+++ b/arch/x86/kvm/vmx/pmu_intel.c
@@ -531,6 +531,16 @@ static void intel_pmu_refresh(struct kvm_vcpu *vcpu)
        pmu->pebs_enable_mask = ~0ull;
        pmu->pebs_data_cfg_mask = ~0ull;
 
+       memset(&lbr_desc->records, 0, sizeof(lbr_desc->records));
+
+       /*
+        * Setting passthrough of LBR MSRs is done only in the VM-Entry loop,
+        * and PMU refresh is disallowed after the vCPU has run, i.e. this code
+        * should never be reached while KVM is passing through MSRs.
+        */
+       if (KVM_BUG_ON(lbr_desc->msr_passthrough, vcpu->kvm))
+               return;
+
        entry = kvm_find_cpuid_entry(vcpu, 0xa);
        if (!entry || !vcpu->kvm->arch.enable_pmu)
                return;