From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg KH <gregkh@linuxfoundation.org>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Marcelo Tosatti <mtosatti@redhat.com>,
Chris Clayron <chris2553@googlemail.com>,
Avi Kivity <avi@redhat.com>
Subject: [ 42/46] KVM: VMX: Fix ds/es corruption on i386 with preemption
Date: Sun, 19 Aug 2012 20:59:18 -0700 [thread overview]
Message-ID: <20120820035838.102511580@linuxfoundation.org> (raw)
In-Reply-To: <20120820035832.274275502@linuxfoundation.org>
From: Greg KH <gregkh@linuxfoundation.org>
3.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Avi Kivity <avi@redhat.com>
(cherry picked from commit aa67f6096c19bcdb1951ef88be3cf3d2118809dc)
Commit b2da15ac26a0c ("KVM: VMX: Optimize %ds, %es reload") broke i386
in the following scenario:
vcpu_load
...
vmx_save_host_state
vmx_vcpu_run
(ds.rpl, es.rpl cleared by hardware)
interrupt
push ds, es # pushes bad ds, es
schedule
vmx_vcpu_put
vmx_load_host_state
reload ds, es (with __USER_DS)
pop ds, es # of other thread's stack
iret
# other thread runs
interrupt
push ds, es
schedule # back in vcpu thread
pop ds, es # now with rpl=0
iret
...
vcpu_put
resume_userspace
iret # clears ds, es due to mismatched rpl
(instead of resume_userspace, we might return with SYSEXIT and then
take an exception; when the exception IRETs we end up with cleared
ds, es)
Fix by avoiding the optimization on i386 and reloading ds, es on the
lightweight exit path.
Reported-by: Chris Clayron <chris2553@googlemail.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1470,13 +1470,6 @@ static void __vmx_load_host_state(struct
loadsegment(ds, vmx->host_state.ds_sel);
loadsegment(es, vmx->host_state.es_sel);
}
-#else
- /*
- * The sysexit path does not restore ds/es, so we must set them to
- * a reasonable value ourselves.
- */
- loadsegment(ds, __USER_DS);
- loadsegment(es, __USER_DS);
#endif
reload_tss();
#ifdef CONFIG_X86_64
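Review bot: with the `#else` branch removed, the i386 build of __vmx_load_host_state() no longer touches %ds/%es at all, and nothing at this `#endif` tells a reader why that is deliberate; since the reason is that this function can be reached from interrupt context, where the interrupt entry/exit's own push/pop of ds/es would overwrite any reload done here, a one-line comment next to the `#endif` pointing at the reload now done in vmx_vcpu_run() would keep the two halves of the fix connected. The remaining `loadsegment(ds, vmx->host_state.ds_sel)` / `loadsegment(es, vmx->host_state.es_sel)` pair is now reached only on the CONFIG_X86_64 side of this conditional, so it is worth checking that the i386 side is not still saving those selectors for no consumer.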
@@ -6273,6 +6266,19 @@ static void __noclone vmx_vcpu_run(struc
#endif
);
+#ifndef CONFIG_X86_64
+ /*
+ * The sysexit path does not restore ds/es, so we must set them to
+ * a reasonable value ourselves.
+ *
+ * We can't defer this to vmx_load_host_state() since that function
+ * may be executed in interrupt context, which saves and restore segments
+ * around it, nullifying its effect.
+ */
+ loadsegment(ds, __USER_DS);
+ loadsegment(es, __USER_DS);
+#endif
+
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
| (1 << VCPU_EXREG_RFLAGS)
| (1 << VCPU_EXREG_CPL)
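Review bot: the new comment explains why vmx_load_host_state() is the wrong place for the reload but not why this spot is the right one; the two `loadsegment(ds, __USER_DS)` / `loadsegment(es, __USER_DS)` calls are only correct because they run immediately after the VM-exit asm, while interrupts are still disabled, so no interrupt can push the hardware-cleared ds/es and later pop them back over the fix. State that precondition in the comment so a future reordering that enables interrupts earlier in vmx_vcpu_run() does not silently reintroduce the corruption. Minor wording in the comment: "saves and restore segments" should read "saves and restores segments". Note also that this adds two segment loads to every lightweight exit on i386, which the changelog accepts by giving up the b2da15ac26a0c optimization on that architecture.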