Re: [PATCH] kvm: x86: do not leak guest xcr0 into host interrupt handlers

From: Paolo Bonzini
Date: Thu Apr 07 2016 - 15:03:59 EST

Next message: Mike Galbraith: "Re: [PATCH RT 4/6] rt/locking: Reenable migration accross schedule"
Previous message: Gregory CLEMENT: "Re: [PATCH 1/4] arm64: dts: marvell: Clean up armada-3720-db"
In reply to: David Matlack: "Re: [PATCH] kvm: x86: do not leak guest xcr0 into host interrupt handlers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----- Original Message -----
> >>> While running my acceptance tests, in one case I got one CPU whose xcr0
> >>> had leaked into the host. This showed up as a SIGILL in strncasecmp's
> >>> AVX code, and a simple program confirmed it:
> >>>
> >>> $ cat xgetbv.c
> >>> #include <stdio.h>
> >>> int main(void)
> >>> {
> >>> unsigned xcr0_h, xcr0_l;
> >>> asm("xgetbv" : "=d"(xcr0_h), "=a"(xcr0_l) : "c"(0));
> >>> printf("%08x:%08x\n", xcr0_h, xcr0_l);
> >>> }
> >>> $ gcc xgetbv.c -O2
> >>> $ for i in `seq 0 55`; do echo $i `taskset -c $i ./a.out`; done|grep
> >>> -v 007
> >>> 19 00000000:00000003
> >>>
> >>> I'm going to rerun the tests without this patch, as it seems the most
> >>> likely culprit, and leave it out of the pull request if they pass.
> >>
> >> Agreed this is a very likely culprit. I think I see one way the
> >> guest's xcr0 can leak into the host.
> >
> > That's cancel_injection, right? If it's just about moving the load call
> > below, I can do that. Hmm, I will even test that today. :)
>
> Yes that's what I was thinking, move kvm_load_guest_xcr0 below that if.
>
> Thank you :). Let me know how testing goes.

It went well.

Paolo

Next message: Mike Galbraith: "Re: [PATCH RT 4/6] rt/locking: Reenable migration accross schedule"
Previous message: Gregory CLEMENT: "Re: [PATCH 1/4] arm64: dts: marvell: Clean up armada-3720-db"
In reply to: David Matlack: "Re: [PATCH] kvm: x86: do not leak guest xcr0 into host interrupt handlers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]