From: Paolo Bonzini
To: David Matlack
Cc: kvm list, linux-kernel@vger.kernel.org, Andy Lutomirski, stable@vger.kernel.org
Date: Thu, 7 Apr 2016 15:03:39 -0400 (EDT)
Subject: Re: [PATCH] kvm: x86: do not leak guest xcr0 into host interrupt handlers
Message-ID: <1516493578.821675.1460055819108.JavaMail.zimbra@redhat.com>
References: <1459365887-146735-1-git-send-email-dmatlack@google.com> <5703A175.4000005@redhat.com> <57062382.6070005@redhat.com>

----- Original Message -----
> >>> While running my acceptance tests, in one case I got one CPU whose xcr0
> >>> had leaked into the host. This showed up as a SIGILL in strncasecmp's
> >>> AVX code, and a simple program confirmed it:
> >>>
> >>> $ cat xgetbv.c
> >>> #include <stdio.h>
> >>> int main(void)
> >>> {
> >>>     unsigned xcr0_h, xcr0_l;
> >>>     /* xgetbv with ecx=0 reads XCR0 into edx:eax */
> >>>     asm("xgetbv" : "=d"(xcr0_h), "=a"(xcr0_l) : "c"(0));
> >>>     printf("%08x:%08x\n", xcr0_h, xcr0_l);
> >>>     return 0;
> >>> }
> >>> $ gcc xgetbv.c -O2
> >>> $ for i in `seq 0 55`; do echo $i `taskset -c $i ./a.out`; done|grep -v 007
> >>> 19 00000000:00000003
> >>>
> >>> I'm going to rerun the tests without this patch, as it seems the most
> >>> likely culprit, and leave it out of the pull request if they pass.
> >>
> >> Agreed this is a very likely culprit. I think I see one way the
> >> guest's xcr0 can leak into the host.
> >
> > That's cancel_injection, right? If it's just about moving the load call
> > below, I can do that. Hmm, I will even test that today. :)
>
> Yes that's what I was thinking, move kvm_load_guest_xcr0 below that if.
>
> Thank you :). Let me know how testing goes.

It went well.

Paolo
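The cancel_injection ordering the two of them discuss, as a constructed model added here (not KVM code and not from this thread): a fake XCR0 register stands in for the real one, the `struct cpu`, `HOST_XCR0` and `GUEST_XCR0` names are assumptions, and the `kvm_load_guest_xcr0`/`kvm_put_guest_xcr0` bodies are stand-ins for the kernel's. It shows why a load placed above the cancel check leaves the guest's xcr0 in the CPU, while a load placed below it does not.

```c
/* Toy model (constructed for this note, not the KVM source) of the
 * vcpu_enter_guest() ordering bug discussed above. A fake CPU register
 * replaces the real XCR0; no xgetbv/xsetbv is executed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HOST_XCR0  0x7u  /* x87|SSE|AVX: what the host's AVX code expects */
#define GUEST_XCR0 0x3u  /* x87|SSE only: the value seen on the leaked CPU */

struct cpu { uint32_t xcr0; };   /* models one CPU's XCR0 register */

static void kvm_load_guest_xcr0(struct cpu *c) { c->xcr0 = GUEST_XCR0; }
static void kvm_put_guest_xcr0(struct cpu *c)  { c->xcr0 = HOST_XCR0; }

/* Returns the XCR0 value that host code (an interrupt handler, or user
 * space scheduled on this CPU afterwards) would observe. */
uint32_t vcpu_enter_guest(struct cpu *c, bool load_before_check, bool cancel)
{
    /* In the real kernel interrupts are already disabled here. */
    if (load_before_check)
        kvm_load_guest_xcr0(c);            /* placement that leaks */

    /* Signal pending / need_resched / EXITING_GUEST_MODE: do not enter
     * the guest. Nothing on this path restores the host's xcr0. */
    if (cancel)
        goto cancel_injection;

    if (!load_before_check)
        kvm_load_guest_xcr0(c);            /* moved below the check */

    /* ... guest runs, VM exit ... */
    kvm_put_guest_xcr0(c);                 /* only the normal path puts */
    return c->xcr0;

cancel_injection:
    /* interrupts re-enabled, back to the run loop */
    return c->xcr0;
}

int main(void)
{
    struct cpu leaky = { HOST_XCR0 }, fixed = { HOST_XCR0 };
    printf("load above check, cancelled: %08x\n",
           vcpu_enter_guest(&leaky, true, true));   /* 00000003 */
    printf("load below check, cancelled: %08x\n",
           vcpu_enter_guest(&fixed, false, true));  /* 00000007 */
    return 0;
}
```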