Commit d5a4e408e69b ("KVM: x86: Add infrastructure for secure TSC") added the guest_tsc_protected flag to prevent KVM from changing the TSC offset/multiplier of vCPUs whose TSC is managed by a confidential computing module (e.g. TDX, SEV-SNP Secure TSC). However only the TSC offset write path was guarded; kvm_vcpu_write_tsc_multiplier() was left unprotected. As a result, userspace can still change the TSC scaling ratio of a TDX vCPU via the KVM_SET_TSC_KHZ ioctl path: KVM_SET_TSC_KHZ -> kvm_arch_vcpu_ioctl() -> kvm_set_tsc_khz() -> set_tsc_khz() -> kvm_vcpu_write_tsc_multiplier() <-- not guarded and similarly during kvm_arch_vcpu_create() -> kvm_set_tsc_khz() which can reset the multiplier to default_tsc_scaling_ratio. Make kvm_vcpu_write_tsc_multiplier() symmetric with kvm_vcpu_write_tsc_offset() by skipping the update when guest_tsc_protected is set. This single chokepoint covers all existing callers (set_tsc_khz() in both ioctl and vCPU create paths). Fixes: d5a4e408e69b ("KVM: x86: Add infrastructure for secure TSC") Signed-off-by: Jun Miao --- arch/x86/kvm/x86.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 0a1b63c63d1a..e935fe33d9c2 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -2736,6 +2736,9 @@ static void kvm_vcpu_write_tsc_offset(struct kvm_vcpu *vcpu, u64 l1_offset) static void kvm_vcpu_write_tsc_multiplier(struct kvm_vcpu *vcpu, u64 l1_multiplier) { + if (vcpu->arch.guest_tsc_protected) + return; + vcpu->arch.l1_tsc_scaling_ratio = l1_multiplier; /* Userspace is changing the multiplier while L2 is active */ -- 2.43.0
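Review bot: The new early return at the top of kvm_vcpu_write_tsc_multiplier() drops the update silently, so a KVM_SET_TSC_KHZ call on a TDX vCPU still returns success to userspace even though nothing was applied; consider either rejecting the ioctl in kvm_set_tsc_khz() (or kvm_arch_vcpu_ioctl()) when vcpu->arch.guest_tsc_protected is set, or stating in the commit message that silently ignoring the request is the intended semantics, matching the existing kvm_vcpu_write_tsc_offset() guard. Two further points worth confirming: first, the commit message claims the guard also covers the kvm_arch_vcpu_create() -> kvm_set_tsc_khz() path, which only holds if guest_tsc_protected is already set before that call during vCPU creation, and the hunk does not show that ordering, so please spell it out in the message; second, returning before the `/* Userspace is changing the multiplier while L2 is active */` block means the L2-active handling below is skipped as well for protected guests, which looks intentional but deserves a one-line comment next to the `return` so the asymmetry with the rest of the function is obvious to the next reader.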