On 19/05/2017 18:14, Roman Penyaev wrote: > > 1. Simple one, KVM SVM side, which makes sure that CPL is not updated > if segment is unusable: > > --- a/arch/x86/kvm/svm.c > +++ b/arch/x86/kvm/svm.c > @@ -1549,7 +1549,7 @@ static void svm_set_segment(struct kvm_vcpu *vcpu, > * forces SS.DPL to 3 on sysret, so we ignore that case; fixing it > * would entail passing the CPL to userspace and back. > */ > - if (seg == VCPU_SREG_SS) > + if (seg == VCPU_SREG_SS && !var->unusable) > svm->vmcb->save.cpl = (s->attrib >> > SVM_SELECTOR_DPL_SHIFT) & 3; Based on the discussion between you and Andy, my understanding is that it would not be enough to ensure that the attributes are preserved across a roundtrip through KVM_GET_SEGMENT and KVM_SET_SEGMENT. We need a workaround in the hypervisor if we don't want to pass the CPL to userspace and back. Maybe if 1) in 64-bit mode 2) SS.P=0 3) SS selector != 0, then the CPL can be taken from SS.RPL? Thanks, Paolo
