[PATCH] x86: fpu xstate fix memory poison overwritten

[PATCH] x86: fpu xstate fix memory poison overwritten

[Xiaotian Feng]

fpu.state is allocated from task_xstate_cachep, the size of
task_xstate_cachep is xstate_size. But fpu.state is an union
struct, which size is bigger than xstate_size if cpu_has_xsave,
so if we want to visit fpu.state->xsave, the memory we allocated
for fpu.state is not enough.

This caused many poison/redzone overwritten alerts on task_xstate while using kvm.

[ 1899.399373] =============================================================================
[ 1899.399377] BUG task_xstate: Poison overwritten
[ 1899.399378] -----------------------------------------------------------------------------
[ 1899.399379]
[ 1899.399382] INFO: 0xffff88020aca2100-0xffff88020aca217f. First byte 0x0 instead of 0x6b
[ 1899.399385] INFO: Slab 0xffffea000725c300 objects=23 used=12 fp=0xffff88020aca2100 flags=0x200000000040c1
[ 1899.399387] INFO: Object 0xffff88020aca2100 @offset=8448 fp=0xffff88020aca23c0

With this patch applied, the poison overwritten alert disappeared.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Avi Kivity <avi@redhat.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
---
 arch/x86/kernel/process.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index d401f1d..609bee5 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -59,7 +59,7 @@ void free_thread_info(struct thread_info *ti)
 void arch_task_cache_init(void)
 {
         task_xstate_cachep =
-        	kmem_cache_create("task_xstate", xstate_size,
+		kmem_cache_create("task_xstate", sizeof(union thread_xstate),
 				  __alignof__(union thread_xstate),
 				  SLAB_PANIC | SLAB_NOTRACK, NULL);
 }
-- 
1.7.2.1

Re: [PATCH] x86: fpu xstate fix memory poison overwritten

[Brian Gerst]

On Thu, Aug 12, 2010 at 6:45 AM, Xiaotian Feng <dfeng@redhat.com> wrote:
> fpu.state is allocated from task_xstate_cachep, the size of
> task_xstate_cachep is xstate_size. But fpu.state is an union
> struct, which size is bigger than xstate_size if cpu_has_xsave,
> so if we want to visit fpu.state->xsave, the memory we allocated
> for fpu.state is not enough.
>
> This caused many poison/redzone overwritten alerts on task_xstate while using kvm.
>
> [ 1899.399373] =============================================================================
> [ 1899.399377] BUG task_xstate: Poison overwritten
> [ 1899.399378] -----------------------------------------------------------------------------
> [ 1899.399379]
> [ 1899.399382] INFO: 0xffff88020aca2100-0xffff88020aca217f. First byte 0x0 instead of 0x6b
> [ 1899.399385] INFO: Slab 0xffffea000725c300 objects=23 used=12 fp=0xffff88020aca2100 flags=0x200000000040c1
> [ 1899.399387] INFO: Object 0xffff88020aca2100 @offset=8448 fp=0xffff88020aca23c0
>
> With this patch applied, the poison overwritten alert disappeared.
>
> Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Brian Gerst <brgerst@gmail.com>
> Cc: Avi Kivity <avi@redhat.com>
> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
> ---
>  arch/x86/kernel/process.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
> index d401f1d..609bee5 100644
> --- a/arch/x86/kernel/process.c
> +++ b/arch/x86/kernel/process.c
> @@ -59,7 +59,7 @@ void free_thread_info(struct thread_info *ti)
>  void arch_task_cache_init(void)
>  {
>         task_xstate_cachep =
> -               kmem_cache_create("task_xstate", xstate_size,
> +               kmem_cache_create("task_xstate", sizeof(union thread_xstate),
>                                  __alignof__(union thread_xstate),
>                                  SLAB_PANIC | SLAB_NOTRACK, NULL);
>  }

This isn't the right solution.  The point of having a variable
xstate_size is to only allocate the memory that is needed for the
capabilities of the cpu.  The real bug is that some code is trying to
use xsave_struct when it either shouldn't be (because the cpu doesn't
support xsave), or because xstate_size < sizeof(xsave_struct).

Looking at xstate_enable_boot_cpu(), the xstate_size is set from
cpuid.  It's possible that it is smaller than sizeof(xsave_strruct).
Maybe a sanity check should be added there?

--
Brian Gerst

[PATCH] kvm: fix poison overwritten caused by using wrong xstate size

[Xiaotian Feng]

fpu.state is allocated from task_xstate_cachep, the size of task_xstate_cachep
is xstate_size. xstate_size is set from cpuid instruction, which is often
smaller than sizeof(struct xsave_struct). kvm is using sizeof(struct xsave_struct)
to fill in/out fpu.state.xsave, as what we allocated for fpu.state is
xstate_size, kernel will write out of memory and caused poison/redzone/padding
overwritten warnings.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Suresh Siddha <suresh.b.siddha@intel.com>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Avi Kivity <avi@redhat.com>
Cc: Robert Richter <robert.richter@amd.com>
Cc: Sheng Yang <sheng@linux.intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Cc: Jan Kiszka <jan.kiszka@siemens.com>
---
 arch/x86/kernel/i387.c |    1 +
 arch/x86/kvm/x86.c     |    4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
index 1f11f5c..a46cb35 100644
--- a/arch/x86/kernel/i387.c
+++ b/arch/x86/kernel/i387.c
@@ -40,6 +40,7 @@
 
 static unsigned int		mxcsr_feature_mask __read_mostly = 0xffffffffu;
 unsigned int xstate_size;
+EXPORT_SYMBOL_GPL(xstate_size);
 unsigned int sig_xstate_ia32_size = sizeof(struct _fpstate_ia32);
 static struct i387_fxsave_struct fx_scratch __cpuinitdata;
 
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 25f1907..3a09c62 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2387,7 +2387,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
 	if (cpu_has_xsave)
 		memcpy(guest_xsave->region,
 			&vcpu->arch.guest_fpu.state->xsave,
-			sizeof(struct xsave_struct));
+			xstate_size);
 	else {
 		memcpy(guest_xsave->region,
 			&vcpu->arch.guest_fpu.state->fxsave,
@@ -2405,7 +2405,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
 
 	if (cpu_has_xsave)
 		memcpy(&vcpu->arch.guest_fpu.state->xsave,
-			guest_xsave->region, sizeof(struct xsave_struct));
+			guest_xsave->region, xstate_size);
 	else {
 		if (xstate_bv & ~XSTATE_FPSSE)
 			return -EINVAL;
-- 
1.7.2.1

Re: [PATCH] kvm: fix poison overwritten caused by using wrong xstate size

[Sheng Yang]

On Friday 13 August 2010 15:19:11 Xiaotian Feng wrote:
> fpu.state is allocated from task_xstate_cachep, the size of
> task_xstate_cachep is xstate_size. xstate_size is set from cpuid
> instruction, which is often smaller than sizeof(struct xsave_struct). kvm
> is using sizeof(struct xsave_struct) to fill in/out fpu.state.xsave, as
> what we allocated for fpu.state is xstate_size, kernel will write out of
> memory and caused poison/redzone/padding overwritten warnings.
>
> Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Suresh Siddha <suresh.b.siddha@intel.com>
> Cc: Brian Gerst <brgerst@gmail.com>
> Cc: Avi Kivity <avi@redhat.com>
> Cc: Robert Richter <robert.richter@amd.com>
> Cc: Sheng Yang <sheng@linux.intel.com>
> Cc: Marcelo Tosatti <mtosatti@redhat.com>
> Cc: Gleb Natapov <gleb@redhat.com>
> Cc: Jan Kiszka <jan.kiszka@siemens.com>
 
Reviewed-by: Sheng Yang <sheng@linux.intel.com>

--
regards
Yang, Sheng

> ---
>  arch/x86/kernel/i387.c |    1 +
>  arch/x86/kvm/x86.c     |    4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
> index 1f11f5c..a46cb35 100644
> --- a/arch/x86/kernel/i387.c
> +++ b/arch/x86/kernel/i387.c
> @@ -40,6 +40,7 @@
> 
>  static unsigned int		mxcsr_feature_mask __read_mostly = 0xffffffffu;
>  unsigned int xstate_size;
> +EXPORT_SYMBOL_GPL(xstate_size);
>  unsigned int sig_xstate_ia32_size = sizeof(struct _fpstate_ia32);
>  static struct i387_fxsave_struct fx_scratch __cpuinitdata;
> 
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 25f1907..3a09c62 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -2387,7 +2387,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct
> kvm_vcpu *vcpu, if (cpu_has_xsave)
>  		memcpy(guest_xsave->region,
>  			&vcpu->arch.guest_fpu.state->xsave,
> -			sizeof(struct xsave_struct));
> +			xstate_size);
>  	else {
>  		memcpy(guest_xsave->region,
>  			&vcpu->arch.guest_fpu.state->fxsave,
> @@ -2405,7 +2405,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct
> kvm_vcpu *vcpu,
> 
>  	if (cpu_has_xsave)
>  		memcpy(&vcpu->arch.guest_fpu.state->xsave,
> -			guest_xsave->region, sizeof(struct xsave_struct));
> +			guest_xsave->region, xstate_size);
>  	else {
>  		if (xstate_bv & ~XSTATE_FPSSE)
>  			return -EINVAL;

Re: [PATCH] kvm: fix poison overwritten caused by using wrong xstate size

[H. Peter Anvin]

Avi, do you want to take this one or should I?

	-hpa

On 08/13/2010 12:19 AM, Xiaotian Feng wrote:
> fpu.state is allocated from task_xstate_cachep, the size of task_xstate_cachep
> is xstate_size. xstate_size is set from cpuid instruction, which is often
> smaller than sizeof(struct xsave_struct). kvm is using sizeof(struct xsave_struct)
> to fill in/out fpu.state.xsave, as what we allocated for fpu.state is
> xstate_size, kernel will write out of memory and caused poison/redzone/padding
> overwritten warnings.
> 
> Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Suresh Siddha <suresh.b.siddha@intel.com>
> Cc: Brian Gerst <brgerst@gmail.com>
> Cc: Avi Kivity <avi@redhat.com>
> Cc: Robert Richter <robert.richter@amd.com>
> Cc: Sheng Yang <sheng@linux.intel.com>
> Cc: Marcelo Tosatti <mtosatti@redhat.com>
> Cc: Gleb Natapov <gleb@redhat.com>
> Cc: Jan Kiszka <jan.kiszka@siemens.com>
> ---
>  arch/x86/kernel/i387.c |    1 +
>  arch/x86/kvm/x86.c     |    4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
> index 1f11f5c..a46cb35 100644
> --- a/arch/x86/kernel/i387.c
> +++ b/arch/x86/kernel/i387.c
> @@ -40,6 +40,7 @@
>  
>  static unsigned int		mxcsr_feature_mask __read_mostly = 0xffffffffu;
>  unsigned int xstate_size;
> +EXPORT_SYMBOL_GPL(xstate_size);
>  unsigned int sig_xstate_ia32_size = sizeof(struct _fpstate_ia32);
>  static struct i387_fxsave_struct fx_scratch __cpuinitdata;
>  
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 25f1907..3a09c62 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -2387,7 +2387,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
>  	if (cpu_has_xsave)
>  		memcpy(guest_xsave->region,
>  			&vcpu->arch.guest_fpu.state->xsave,
> -			sizeof(struct xsave_struct));
> +			xstate_size);
>  	else {
>  		memcpy(guest_xsave->region,
>  			&vcpu->arch.guest_fpu.state->fxsave,
> @@ -2405,7 +2405,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
>  
>  	if (cpu_has_xsave)
>  		memcpy(&vcpu->arch.guest_fpu.state->xsave,
> -			guest_xsave->region, sizeof(struct xsave_struct));
> +			guest_xsave->region, xstate_size);
>  	else {
>  		if (xstate_bv & ~XSTATE_FPSSE)
>  			return -EINVAL;

Re: [PATCH] kvm: fix poison overwritten caused by using wrong xstate size

[Avi Kivity]

  On 08/14/2010 12:03 AM, H. Peter Anvin wrote:
> Avi, do you want to take this one or should I?

I will, thanks.

-- 
error compiling committee.c: too many arguments to function

Re: [PATCH] kvm: fix poison overwritten caused by using wrong xstate size

[H. Peter Anvin]

Feel free to add my ack.

"Avi Kivity" <avi@redhat.com> wrote:

>  On 08/14/2010 12:03 AM, H. Peter Anvin wrote:
>> Avi, do you want to take this one or should I?
>
>I will, thanks.
>
>-- 
>error compiling committee.c: too many arguments to function
>

-- 
Sent from my mobile phone.  Please pardon any lack of formatting.

Re: [PATCH] kvm: fix poison overwritten caused by using wrong xstate size

[Avi Kivity]

  On 08/13/2010 10:19 AM, Xiaotian Feng wrote:
> fpu.state is allocated from task_xstate_cachep, the size of task_xstate_cachep
> is xstate_size. xstate_size is set from cpuid instruction, which is often
> smaller than sizeof(struct xsave_struct). kvm is using sizeof(struct xsave_struct)
> to fill in/out fpu.state.xsave, as what we allocated for fpu.state is
> xstate_size, kernel will write out of memory and caused poison/redzone/padding
> overwritten warnings.

Thanks, applied.

-- 
error compiling committee.c: too many arguments to function