Hi Greg,

I just want to share this patch with my colleague and then I did git send-email. But obviously I forgot to use "ignore-cc".
Sorry for this noise...

Thanks,
Lizhen

-----Original Message-----
From: Greg KH [mailto:greg@xxxxxxxxx]
Sent: Thursday, September 7, 2017 10:41 PM
To: You, Lizhen <lizhen.you@xxxxxxxxx>
Cc: Ruan, Shuai <shuai.ruan@xxxxxxxxx>; David Matlack <dmatlack@xxxxxxxxxx>; stable@xxxxxxxxxxxxxxx; Paolo Bonzini <pbonzini@xxxxxxxxxx>
Subject: Re: [PATCH] kvm: x86: do not leak guest xcr0 into host interrupt handlers

On Tue, Sep 05, 2017 at 03:46:31PM +0800, Lizhen You wrote:
> From: David Matlack <dmatlack@xxxxxxxxxx>
>
> An interrupt handler that uses the fpu can kill a KVM VM, if it runs
> under the following conditions:
>  - the guest's xcr0 register is loaded on the cpu
>  - the guest's fpu context is not loaded
>  - the host is using eagerfpu
>
> Note that the guest's xcr0 register and fpu context are not loaded as
> part of the atomic world switch into "guest mode". They are loaded by
> KVM while the cpu is still in "host mode".
>
> Usage of the fpu in interrupt context is gated by irq_fpu_usable().
> The interrupt handler will look something like this:
>
> if (irq_fpu_usable()) {
>         kernel_fpu_begin();
>
>         [... code that uses the fpu ...]
>
>         kernel_fpu_end();
> }
>
> As long as the guest's fpu is not loaded and the host is using eager
> fpu, irq_fpu_usable() returns true (interrupted_kernel_fpu_idle()
> returns true). The interrupt handler proceeds to use the fpu with the
> guest's xcr0 live.
>
> kernel_fpu_begin() saves the current fpu context. If this uses
> XSAVE[OPT], it may leave the xsave area in an undesirable state.
> According to the SDM, during XSAVE bit i of XSTATE_BV is not modified
> if bit i is 0 in xcr0. So it's possible that XSTATE_BV[i] == 1 and
> xcr0[i] == 0 following an XSAVE.
>
> kernel_fpu_end() restores the fpu context. Now if any bit i in
> XSTATE_BV == 1 while xcr0[i] == 0, XRSTOR generates a #GP. The fault
> is trapped and SIGSEGV is delivered to the current process.
>
> Only pre-4.2 kernels appear to be vulnerable to this sequence of
> events. Commit 653f52c ("kvm,x86: load guest FPU context more
> eagerly") from 4.2 forces the guest's fpu to always be loaded on eagerfpu hosts.
>
> This patch fixes the bug by keeping the host's xcr0 loaded outside of
> the interrupts-disabled region where KVM switches into guest mode.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Suggested-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> Signed-off-by: David Matlack <dmatlack@xxxxxxxxxx>
> [Move load after goto cancel_injection. - Paolo]
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> ---
>  arch/x86/kvm/x86.c | 10 ++++------
>  1 file changed, 4 insertions(+), 6 deletions(-)

What kernel tree(s) do you want this applied to? It's already in 4.4-stable, right?

confused,

greg k-h
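
The XSAVE/XRSTOR sequence from the quoted commit message, modelled in user-space C as an added example (not code from the patch or from anyone in this thread). The XFEATURE_* names, the xsave_model struct, the helper functions and the xcr0 values are this example's own assumptions; only the XSTATE_BV header field is modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* XCR0 / XSTATE_BV state-component bits (x87, SSE, AVX). */
#define XFEATURE_FP  (1ULL << 0)
#define XFEATURE_SSE (1ULL << 1)
#define XFEATURE_AVX (1ULL << 2)

/* Only the XSTATE_BV header field of an xsave area is modelled. */
struct xsave_model { uint64_t xstate_bv; };

/* XSAVE with an all-ones instruction mask: bits enabled in xcr0 are
 * rewritten from the in-use state, bits disabled in xcr0 are untouched. */
static void model_xsave(struct xsave_model *a, uint64_t xcr0, uint64_t in_use)
{
    a->xstate_bv = (a->xstate_bv & ~xcr0) | (in_use & xcr0);
}

/* XRSTOR (standard form): returns false, standing in for #GP, when
 * XSTATE_BV names a component that xcr0 does not enable. */
static bool model_xrstor(const struct xsave_model *a, uint64_t xcr0)
{
    return (a->xstate_bv & ~xcr0) == 0;
}

/* One kernel_fpu_begin()/kernel_fpu_end() pair in an interrupt handler,
 * run with live_xcr0 loaded. Returns true if the restore succeeds. */
static bool irq_fpu_section_ok(uint64_t live_xcr0)
{
    /* Constructed state: area last saved under the host's xcr0, AVX in use. */
    struct xsave_model area = { XFEATURE_FP | XFEATURE_SSE | XFEATURE_AVX };

    model_xsave(&area, live_xcr0, XFEATURE_FP | XFEATURE_SSE); /* kernel_fpu_begin() */
    return model_xrstor(&area, live_xcr0);                     /* kernel_fpu_end()   */
}

int main(void)
{
    uint64_t host_xcr0  = XFEATURE_FP | XFEATURE_SSE | XFEATURE_AVX; /* constructed */
    uint64_t guest_xcr0 = XFEATURE_FP | XFEATURE_SSE;                /* constructed */

    printf("guest xcr0 live: %s\n", irq_fpu_section_ok(guest_xcr0) ? "ok" : "#GP");
    printf("host xcr0 live:  %s\n", irq_fpu_section_ok(host_xcr0) ? "ok" : "#GP");
    return 0;
}
```

With the guest's narrower xcr0 live, the AVX bit left in XSTATE_BV survives the save and the restore faults; with the host's xcr0 live, which is the state the patch keeps outside the interrupts-disabled region, the same sequence succeeds.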