[PATCH 1/1] x86/CPU/AMD: Avoid racy updates to MSR_K7_HWCR in set_cpuid_faulting()

Next message: Rosen Penev: "Re: [PATCH 1/4] ata: pata_mpc52xx: switch to non-devm request_irq for proper ordering"
Previous message: Jim Mattson: "[PATCH 0/1] Fix an HWCR RMW race"
In reply to: Jim Mattson: "[PATCH 0/1] Fix an HWCR RMW race"
Next in thread: Borislav Petkov: "Re: [PATCH 1/1] x86/CPU/AMD: Avoid racy updates to MSR_K7_HWCR in set_cpuid_faulting()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jim Mattson

Date: Tue Jun 09 2026 - 17:21:10 EST

Since msr_set_bit() and msr_clear_bit() perform a non-atomic update to an
MSR, they can race with a write to the same MSR from interrupt context. On
AMD CPUs, set_cpuid_faulting() uses these functions to modify MSR_K7_HWCR
from process context, and boost_set_msr() modifies MSR_K7_HWCR from
interrupt context.

To prevent the race, disable interrupts on the AMD path through
set_cpuid_faulting(). Note that when set_cpuid_faulting() is called from
__switch_to_xtra(), interrupts are already disabled.

Reported-by: Sashiko (gemini/gemini-3.1-pro-preview)
Fixes: 65f55a301766 ("x86/CPU/AMD: Add CPUID faulting support")
Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx>
---
arch/x86/kernel/process.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 4c718f8adc59..92492a63108f 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -354,10 +354,14 @@ static void set_cpuid_faulting(bool on)
this_cpu_write(msr_misc_features_shadow, msrval);
wrmsrq(MSR_MISC_FEATURES_ENABLES, msrval);
} else if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) {
+ unsigned long flags;
+
+ local_irq_save(flags);
if (on)
msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_CPUID_USER_DIS_BIT);
else
msr_clear_bit(MSR_K7_HWCR, MSR_K7_HWCR_CPUID_USER_DIS_BIT);
+ local_irq_restore(flags);
}
}

--
2.54.0.1099.g489fc7bff1-goog