From: Sean Christopherson <seanjc@google.com>
To: Yao Yuan <yaoyuan0329os@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
x86@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 1/4] x86/fpu: Clear XSTATE_BV[i] in save state whenever XFD[i]=1
Date: Mon, 5 Jan 2026 09:31:05 -0800 [thread overview]
Message-ID: <aVv1WTR9Zsx2FpZ0@google.com> (raw)
In-Reply-To: <aig6cfdj7vxmm5yt6lvfsyqwlnavrcl2n4z3gzomqydce5suxm@ydomfhhmwd7y>
On Sat, Jan 03, 2026, Yao Yuan wrote:
> On Thu, Jan 01, 2026 at 10:05:13AM +0100, Paolo Bonzini wrote:
> > diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
> > index da233f20ae6f..166c380b0161 100644
> > --- a/arch/x86/kernel/fpu/core.c
> > +++ b/arch/x86/kernel/fpu/core.c
> > @@ -319,10 +319,29 @@ EXPORT_SYMBOL_FOR_KVM(fpu_enable_guest_xfd_features);
> > #ifdef CONFIG_X86_64
> > void fpu_update_guest_xfd(struct fpu_guest *guest_fpu, u64 xfd)
> > {
> > + struct fpstate *fpstate = guest_fpu->fpstate;
> > +
> > fpregs_lock();
> > - guest_fpu->fpstate->xfd = xfd;
> > - if (guest_fpu->fpstate->in_use)
> > - xfd_update_state(guest_fpu->fpstate);
> > +
> > + /*
> > + * KVM's guest ABI is that setting XFD[i]=1 *can* immediately revert
> > + * the save state to initialized. Likewise, KVM_GET_XSAVE does the
> > + * same as XSAVE and returns XSTATE_BV[i]=0 whenever XFD[i]=1.
> > + *
> > + * If the guest's FPU state is in hardware, just update XFD: the XSAVE
> > + * in fpu_swap_kvm_fpstate will clear XSTATE_BV[i] whenever XFD[i]=1.
> > + *
> > + * If however the guest's FPU state is NOT resident in hardware, clear
> > + * disabled components in XSTATE_BV now, or a subsequent XRSTOR will
> > + * attempt to load disabled components and generate #NM _in the host_.
> > + */
>
> Hi Sean and Paolo,
>
> > + if (xfd && test_thread_flag(TIF_NEED_FPU_LOAD))
> > + fpstate->regs.xsave.header.xfeatures &= ~xfd;
> > +
> > + fpstate->xfd = xfd;
> > + if (fpstate->in_use)
> > + xfd_update_state(fpstate);
>
> I see a *small* window that the Host IRQ can happen just after above
> TIF_NEED_FPU_LOAD checking, which could set TIF_NEED_FPU_LOAD
Only if the code using FPU from IRQ context is buggy. More below.
> but w/o clear the xfd from fpstate->regs.xsave.header.xfeatures.
>
> But there's WARN in in kernel_fpu_begin_mask():
>
> WARN_ON_FPU(!irq_fpu_usable());
>
> irq_fpu_usable()
> {
> ...
> /*
> * In hard interrupt context it's safe when soft interrupts
> * are enabled, which means the interrupt did not hit in
> * a fpregs_lock()'ed critical region.
> */
> return !softirq_count();
> }
>
> Looks we are relying on this to catch the above *small* window
> yet, we're in fpregs_lock() region yet.
Kernel use of FPU from (soft) IRQ context is required to check irq_fpu_usable()
(e.g. via may_use_simd()), i.e. calling fpregs_lock() protects against the kernel
using the FPU and thus setting TIF_NEED_FPU_LOAD.
The WARN in kernel_fpu_begin_mask() is purely a sanity check to help detect and
debug buggy users.
next prev parent reply other threads:[~2026-01-05 17:31 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-01 9:05 [PATCH v2 0/4] x86, fpu/kvm: fix crash with AMX Paolo Bonzini
2026-01-01 9:05 ` [PATCH 1/4] x86/fpu: Clear XSTATE_BV[i] in save state whenever XFD[i]=1 Paolo Bonzini
2026-01-03 2:06 ` Yao Yuan
2026-01-05 17:31 ` Sean Christopherson [this message]
2026-01-06 5:25 ` Yao Yuan
2026-01-06 0:54 ` Jim Mattson
2026-01-06 1:17 ` Sean Christopherson
2026-01-06 17:56 ` Jim Mattson
2026-01-15 16:07 ` Dave Hansen
2026-01-15 16:12 ` Paolo Bonzini
2026-01-15 16:27 ` Dave Hansen
2026-01-07 0:28 ` Chang S. Bae
2026-01-07 22:33 ` Paolo Bonzini
2026-01-08 3:06 ` Binbin Wu
2026-01-08 16:26 ` Paolo Bonzini
2026-01-15 15:54 ` Dave Hansen
2026-01-15 16:22 ` Paolo Bonzini
2026-01-15 18:19 ` Dave Hansen
2026-01-15 18:26 ` Paolo Bonzini
2026-01-15 23:43 ` Chang S. Bae
2026-01-01 9:05 ` [PATCH 2/4] selftests: kvm: replace numbered sync points with actions Paolo Bonzini
2026-01-06 0:02 ` Sean Christopherson
2026-01-07 22:28 ` Paolo Bonzini
2026-01-08 20:26 ` Sean Christopherson
2026-01-01 9:05 ` [PATCH 3/4] selftests: kvm: try getting XFD and XSAVE state out of sync Paolo Bonzini
2026-01-01 9:05 ` [PATCH 4/4] selftests: kvm: Verify TILELOADD actually #NM faults when XFD[18]=1 Paolo Bonzini
2026-01-06 1:18 ` [PATCH v2 0/4] x86, fpu/kvm: fix crash with AMX Sean Christopherson
2026-01-15 12:22 ` Borislav Petkov
2026-01-15 13:49 ` Paolo Bonzini
2026-01-15 16:39 ` Sean Christopherson
2026-01-15 17:05 ` Borislav Petkov
2026-01-15 17:12 ` Sean Christopherson
2026-01-16 12:22 ` Borislav Petkov
2026-01-21 11:35 ` Paolo Bonzini
2026-01-22 11:12 ` Borislav Petkov
2026-01-22 12:00 ` Paolo Bonzini
2026-01-23 13:23 ` Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aVv1WTR9Zsx2FpZ0@google.com \
--to=seanjc@google.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=stable@vger.kernel.org \
--cc=x86@kernel.org \
--cc=yaoyuan0329os@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.