On Wed, Mar 04, 2015 at 08:10:40AM +0000, James Hogan wrote:
> Hi Greg,
>
> On Tue, Mar 03, 2015 at 10:13:26PM -0800, Greg Kroah-Hartman wrote:
> > 3.14-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: James Hogan <james.hogan@xxxxxxxxxx>
> >
> > commit f798217dfd038af981a18bbe4bc57027a08bb182 upstream.
> >
> > The FPU and DSP are enabled via the CP0 Status CU1 and MX bits by
> > kvm_mips_set_c0_status() on a guest exit, presumably in case there is
> > active state that needs saving if pre-emption occurs. However, neither of
> > these bits is cleared again when returning to the guest.
> >
> > This effectively gives the guest access to the FPU/DSP hardware after
> > the first guest exit even though it is not aware of its presence,
> > allowing FP instructions in guest user code to intermittently actually
> > execute instead of trapping into the guest OS for emulation. It will
> > then read & manipulate the hardware FP registers which technically
> > belong to the user process (e.g. QEMU), or are stale from another user
> > process. It can also crash the guest OS by causing an FP exception, for
> > which a guest exception handler won't have been registered.
> >
> > First let's save and disable the FPU (and MSA) state with lose_fpu(1)
> > before entering the guest. This simplifies the problem, especially for
> > when guest FPU/MSA support is added in the future, and prevents FR=1 FPU
> > state being live when the FR bit gets cleared for the guest, which
> > according to the architecture causes the contents of the FPU and vector
> > registers to become UNPREDICTABLE.
> >
> > We can then safely remove the enabling of the FPU in
> > kvm_mips_set_c0_status(), since there should never be any active FPU or
> > MSA state to save at pre-emption, which should plug the FPU leak.
> >
> > DSP state is always live rather than being lazily restored, so for that
> > it is simpler to just clear the MX bit again when re-entering the guest.
> >
> > Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
> > Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> > Cc: Ralf Baechle <ralf@xxxxxxxxxxxxxx>
> > Cc: Sanjay Lal <sanjayl@xxxxxxxxxxx>
> > Cc: Gleb Natapov <gleb@xxxxxxxxxx>
> > Cc: kvm@xxxxxxxxxxxxxxx
> > Cc: linux-mips@xxxxxxxxxxxxxx
> > Cc: <stable@xxxxxxxxxxxxxxx> # v3.10+: 044f0f03eca0: MIPS: KVM: Deliver guest interrupts
>
> The original 3.10 and 3.12/3.14 backports had this added:
> Cc: <stable@xxxxxxxxxxxxxxx> # v3.10+: 3ce465e04bfd: MIPS: Export FP functions used by lose_fpu(1) for KVM
>
> Which I can't see included in the v3.10 stable queue or branch. It fixes
> a build error with MIPS malta_kvm_defconfig (MIPS=y, KVM=m) after this
> patch is applied.
>
> Same applies to the 3.14 queue too I think.

Odd, I remember having problems in this area and thought I had queued this up.

It's now applied to both trees, thanks.

greg k-h
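The missing dependency James points out is recorded in the patch's own "Cc: <stable@...> # vX.Y+: <sha>: <subject>" trailers. As an added example (not from the thread or the kernel tree), a POSIX shell helper that extracts those prerequisite commits and checks that a stable branch already contains each one; the sample trailers are constructed from the ones quoted above with the unobfuscated stable list address, and the branch check assumes it is run inside a kernel git checkout.

```sh
#!/bin/sh
# Constructed sample trailers, modelled on the ones quoted in the thread above.
SAMPLE_TRAILERS='Cc: <stable@vger.kernel.org> # v3.10+: 044f0f03eca0: MIPS: KVM: Deliver guest interrupts
Cc: <stable@vger.kernel.org> # v3.10+: 3ce465e04bfd: MIPS: Export FP functions used by lose_fpu(1) for KVM
Cc: <stable@vger.kernel.org>'

# Read a commit message on stdin and print one "<sha> <subject>" line per
# prerequisite commit named in a stable trailer; plain "Cc: <stable@...>"
# lines without a dependency are ignored.
stable_prereqs() {
    sed -n 's/^Cc: <stable@[^>]*> # v[0-9.]*+: \([0-9a-f]\{7,40\}\): *\(.*\)$/\1 \2/p'
}

# Read a commit message on stdin and verify that every prerequisite is
# already an ancestor of BRANCH (e.g. linux-3.14.y). Fails on the first one
# that is missing, which is exactly the situation with 3ce465e04bfd in the
# 3.10/3.14 queues described above.
check_prereqs_in_branch() {
    branch=$1
    stable_prereqs | while read -r sha subject; do
        if git merge-base --is-ancestor "$sha" "$branch" 2>/dev/null; then
            printf 'present in %s: %s (%s)\n' "$branch" "$sha" "$subject"
        else
            printf 'MISSING from %s: %s (%s)\n' "$branch" "$sha" "$subject" >&2
            exit 1   # exits the pipeline subshell; the function returns 1
        fi
    done
}

# Show the prerequisites found in the sample trailers.
printf '%s\n' "$SAMPLE_TRAILERS" | stable_prereqs
# In a kernel checkout, run the branch check before queueing the backport:
# printf '%s\n' "$SAMPLE_TRAILERS" | check_prereqs_in_branch linux-3.14.y
```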