Re: [PATCH] x86/fpu: Remove dynamic features from xcomp_bv for init_fpstate

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Chang S. Bae" <chang.seok.bae@intel.com>
To: "Yao, Yuan" <yuan.yao@intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: "x86@kernel.org" <x86@kernel.org>,
	"Hansen, Dave" <dave.hansen@intel.com>,
	Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH] x86/fpu: Remove dynamic features from xcomp_bv for init_fpstate
Date: Thu, 13 Oct 2022 09:23:20 -0700	[thread overview]
Message-ID: <9b198ed3-4b2d-c857-710b-3f7115bbcf74@intel.com> (raw)
In-Reply-To: <BYAPR11MB3717EDEF2351C958F2C86EED95259@BYAPR11MB3717.namprd11.prod.outlook.com>

On 10/12/2022 8:35 PM, Yao, Yuan wrote:
> 
> The reason is __copy_xstate_to_uabi_buf() copies data from &init_fpstate when the component
> is not existed in the source kernel fpstate (here is the AMX tile component), but the
> AMX TILE bit is removed from init_fpstate due to this patch, so the WARN is triggered and return
> NULL which causes kernel NULL pointer dereference later.

We have this in __copy_xstate_to_uabi_buf() [1]:

	mask = fpstate->user_xfeatures;

	for_each_extended_xfeature(i, mask) {
	...
	}

And the KVM code seems to set dynamic features regardless of the buffer 
reallocation [2]:

	vcpu->arch.guest_fpu.fpstate->user_xfeatures =
		vcpu->arch.guest_supported_xcr0 | XFEATURE_MASK_FPSSE;

The kernel code seems to be aware of this as fpstate_realloc() does [3]:

	if (!guest_fpu)
		newfps->user_xfeatures = curfps->user_xfeatures | xfeatures;

But it updates the 'xfeature' bitmask for all:

	newfps->xfeatures = curfps->xfeatures | xfeatures;

So, I think we can do something like this here:

diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index c8340156bfd2..8ea7d0e95f1a 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -1127,8 +1127,12 @@ void __copy_xstate_to_uabi_buf(struct membuf to, 
struct fpstate *fpstate,
          * non-compacted format disabled features still occupy state space,
          * but there is no state to copy from in the compacted
          * init_fpstate. The gap tracking will zero these states.
+        *
+        * In the case of guest fpstate, this user_xfeatures does not
+        * dynamically reflect the capacity of the XSAVE buffer but
+        * xfeatures does. So AND them together.
          */
-       mask = fpstate->user_xfeatures;
+       mask = fpstate->user_xfeatures & fpstate->xfeatures;

Let me also test this by running KVM.

Thanks,
Chang

[1] 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/fpu/xstate.c#n1131
[2] 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kvm/cpuid.c#n346
[3] 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/fpu/xstate.c#n1448

next prev parent reply	other threads:[~2022-10-13 16:26 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-11 22:24 [PATCH] x86/fpu: Remove dynamic features from xcomp_bv for init_fpstate Dave Hansen
2022-10-11 22:47 ` Chang S. Bae
2022-10-13  1:33 ` Yao, Yuan
2022-10-13  1:47 ` Chang S. Bae
2022-10-13  3:35 ` Yao, Yuan
2022-10-13 16:23   ` Chang S. Bae [this message]
2022-10-13 17:21     ` Dave Hansen
2022-10-13 17:33       ` Chang S. Bae
2022-10-13 17:44         ` Dave Hansen
2022-10-14  3:53           ` Chang S. Bae
2022-10-14  4:10             ` Yao, Yuan
2022-10-14  4:26               ` Chang S. Bae
2022-10-14  4:03     ` Yao, Yuan
2022-10-13 18:04   ` Dave Hansen
2022-10-17 22:39 ` Chang S. Bae

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c8340156bfd dfblob:8ea7d0e95f1 )
 OR (
bs:"Re: [PATCH] x86/fpu: Remove dynamic features from xcomp_bv for init_fpstate" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9b198ed3-4b2d-c857-710b-3f7115bbcf74@intel.com \
    --to=chang.seok.bae@intel.com \
    --cc=dave.hansen@intel.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    --cc=yuan.yao@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox