diff options
| author | WANG Chao <chao.wang@ucloud.cn> | 2019-04-12 15:55:39 +0800 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2019-04-16 15:37:33 +0200 |
| commit | 1811d979c71621aafc7b879477202d286f7e863b (patch) | |
| tree | 14958b429d6523bb254c4bffe171bc84d0c93cd7 /arch/x86/kvm/pmu.c | |
| parent | 99c221796a810055974b54c02e8f53297e48d146 (diff) | |
| download | linux-1811d979c71621aafc7b879477202d286f7e863b.tar.bz2 | |
x86/kvm: move kvm_load/put_guest_xcr0 into atomic context
guest xcr0 could leak into host when MCE happens in guest mode. Because
do_machine_check() could schedule out at a few places.
For example:
kvm_load_guest_xcr0
...
kvm_x86_ops->run(vcpu) {
vmx_vcpu_run
vmx_complete_atomic_exit
kvm_machine_check
do_machine_check
do_memory_failure
memory_failure
lock_page
In this case, host_xcr0 is 0x2ff, guest vcpu xcr0 is 0xff. After schedule
out, host cpu has guest xcr0 loaded (0xff).
In __switch_to {
switch_fpu_finish
copy_kernel_to_fpregs
XRSTORS
If any bit i in XSTATE_BV[i] == 1 and xcr0[i] == 0, XRSTORS will
generate #GP (In this case, bit 9). Then ex_handler_fprestore kicks in
and tries to reinitialize fpu by restoring init fpu state. Same story as
last #GP, except we get DOUBLE FAULT this time.
Cc: stable@vger.kernel.org
Signed-off-by: WANG Chao <chao.wang@ucloud.cn>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'arch/x86/kvm/pmu.c')
0 files changed, 0 insertions, 0 deletions