Re: qemu-kvm-1.1.0 crashing with kernel 3.5.0-rc6

[Avi Kivity <avi@redhat.com>]

On 07/30/2012 07:39 PM, Avi Kivity wrote:
> On 07/30/2012 05:07 PM, Chris Clayton wrote:
>>>
>>>>> With kernel 3.5.0 with b2da15ac26a0c00 reverted, I have just had 15
>>>>> clean invocations of vanilla qemu-kvm-1.1.1. So that commit would seem
>>>>> to be the problem.
>>>>
>>>> Just to be sure, I've run some more tests today. No crashes occurred in
>>>> 20 runs of vanilla qemu-kvm-1.1.1 on kernel 3.5.0 with b2da15ac26a0c00
>>>> reverted.
>>>
>>> Ok.  I'm trying to reproduce it here on a nested-virt setup, since the
>>> code looks correct.
>>>
>>> What's your preemption settings?
>>>
>>>
>> [chris:~/kernel/linux-3.5.0]$ grep PREEMPT .config
>> CONFIG_TREE_PREEMPT_RCU=y
>> CONFIG_PREEMPT_RCU=y
>> CONFIG_PREEMPT_NOTIFIERS=y
>> # CONFIG_PREEMPT_NONE is not set
>> # CONFIG_PREEMPT_VOLUNTARY is not set
>> CONFIG_PREEMPT=y
>> CONFIG_PREEMPT_COUNT=y
> 
> Here's what I think that is happening
> 
>   vcpu_load
>   ...
>   vmx_save_host_state
>   vmx_vcpu_run
>   (ds.cpl, es.cpl cleared by hardware)
> 
>   interrupt
>     push ds, es  # pushes bad ds, es
>     schedule
>       vmx_vcpu_put
>         vmx_load_host_state
>           reload ds, es
>     pop ds, es  # of other thread's stack
>     iret
>   # other thread runs
>   interrupt
>     schedule  # back in vcpu thread
>     interrupt return: pop ds, es  # <-- problem

In fact, those are fine.

>     iret

But IRET-to-outer-privilege-level clears segment registers with the
wrong RPL.  Think how secure OSes would be if they used the hardware
fully.  Credit to Gleb for pinpointing this.

> 
>    ...
>    vcpu_put
> 
>    # bad ds, es, but !vmx->host_state.loaded
> 


-- 
error compiling committee.c: too many arguments to function