Re: [PATCH 1/4] x86/fpu: Clear XSTATE_BV[i] in save state whenever XFD[i]=1

Next message: Herve Codina: "Re: [PATCH] ARM: dts: renesas: r9a06g032: Add support for CPU frequency scaling"
Previous message: Sean Christopherson: "Re: [PATCH v3 00/24] KVM: TDX huge page support for private memory"
In reply to: Paolo Bonzini: "Re: [PATCH 1/4] x86/fpu: Clear XSTATE_BV[i] in save state whenever XFD[i]=1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dave Hansen

Date: Thu Jan 15 2026 - 11:27:49 EST

On 1/15/26 08:12, Paolo Bonzini wrote:
...
>> I'm _sure_ they discussed tying XFD[i] and XINUSE[i] together and there
>> was a good reason they did not.
>
> Is there anything that prevents an SMM handler (or more likely, an SMI
> transfer monitor) to do an XSAVE/XRSTOR and destroy tile data?

I think you're saying: let's assume XFD[18]=1 and XINUSE[18]=1 and
there's an SMI. The SMI handler does:

XSAVE(RFBM=-1, &buf)
... run some gunk
XRSTOR(RFBM=-1, &buf)

to try and save everything. But, that XSAVE is subject to this behavior
from the SDM:

If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state
component i, the instruction does not generate #NM when XCR0[i]
= IA32_XFD[i] = 1; instead, it operates as if XINUSE[i] = 0 (and
the state component was in its initial state)

So 'buf' will end up having XFEATURES[18]=0. The XRSTOR will see
XFEATURES[18]=0 and set feature 18 to its init state, effectively
zapping its contents.

I guess the only thing preventing that in practice is the lack of XSAVE
use in SMM handlers. But I see your point.