On 07/30/2012 07:39 PM, Avi Kivity wrote: > On 07/30/2012 05:07 PM, Chris Clayton wrote: >>> >>>>> With kernel 3.5.0 with b2da15ac26a0c00 reverted, I have just had 15 >>>>> clean invocations of vanilla qemu-kvm-1.1.1. So that commit would seem >>>>> to be the problem. >>>> >>>> Just to be sure, I've run some more tests today. No crashes occurred in >>>> 20 runs of vanilla qemu-kvm-1.1.1 on kernel 3.5.0 with b2da15ac26a0c00 >>>> reverted. >>> >>> Ok. I'm trying to reproduce it here on a nested-virt setup, since the >>> code looks correct. >>> >>> What's your preemption settings? >>> >>> >> [chris:~/kernel/linux-3.5.0]$ grep PREEMPT .config >> CONFIG_TREE_PREEMPT_RCU=y >> CONFIG_PREEMPT_RCU=y >> CONFIG_PREEMPT_NOTIFIERS=y >> # CONFIG_PREEMPT_NONE is not set >> # CONFIG_PREEMPT_VOLUNTARY is not set >> CONFIG_PREEMPT=y >> CONFIG_PREEMPT_COUNT=y > > Here's what I think that is happening > > vcpu_load > ... > vmx_save_host_state > vmx_vcpu_run > (ds.cpl, es.cpl cleared by hardware) > > interrupt > push ds, es # pushes bad ds, es > schedule > vmx_vcpu_put > vmx_load_host_state > reload ds, es > pop ds, es # of other thread's stack > iret > # other thread runs > interrupt > schedule # back in vcpu thread > interrupt return: pop ds, es # <-- problem In fact, those are fine. > iret But IRET-to-outer-privilege-level clears segment registers with the wrong RPL. Think how secure OSes would be if they used the hardware fully. Credit to Gleb for pinpointing this. > > ... > vcpu_put > > # bad ds, es, but !vmx->host_state.loaded > -- error compiling committee.c: too many arguments to function -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
