lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YvwODUu/rdzjzDjk@google.com>
Date:   Tue, 16 Aug 2022 21:37:17 +0000
From:   Sean Christopherson <seanjc@...gle.com>
To:     "Dr. David Alan Gilbert (git)" <dgilbert@...hat.com>
Cc:     kvm@...r.kernel.org, pbonzini@...hat.com, tglx@...utronix.de,
        leobras@...hat.com, linux-kernel@...r.kernel.org, mingo@...hat.com,
        bp@...en8.de, dave.hansen@...ux.intel.com, x86@...nel.org
Subject: Re: [PATCH] KVM: x86: Always enable legacy fp/sse

On Tue, Aug 16, 2022, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert" <dgilbert@...hat.com>
> 
> A live migration under qemu is currently failing when the source
> host is ~Nehalem era (pre-xsave) and the destination is much newer,
> (configured with a guest CPU type of Nehalem).
> QEMU always calls kvm_put_xsave, even on this combination because
> KVM_CAP_CHECK_EXTENSION_VM always returns true for KVM_CAP_XSAVE.
> 
> When QEMU calls kvm_put_xsave it's rejected by
>    fpu_copy_uabi_to_guest_fpstate->
>      copy_uabi_to_xstate->
>        validate_user_xstate_header
> 
> when the validate checks the loaded xfeatures against
> user_xfeatures, which it finds to be 0.
> 
> I think our initialisation of user_xfeatures is being
> too strict here, and we should always allow the base FP/SSE.
> 
> Fixes: ad856280ddea ("x86/kvm/fpu: Limit guest user_xfeatures to supported bits of XCR0")
> bz: https://bugzilla.redhat.com/show_bug.cgi?id=2079311
> 
> Signed-off-by: Dr. David Alan Gilbert <dgilbert@...hat.com>
> ---
>  arch/x86/kvm/cpuid.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> index de6d44e07e34..3b2319cecfd1 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -298,7 +298,8 @@ static void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu)
>  	guest_supported_xcr0 =
>  		cpuid_get_supported_xcr0(vcpu->arch.cpuid_entries, vcpu->arch.cpuid_nent);
>  
> -	vcpu->arch.guest_fpu.fpstate->user_xfeatures = guest_supported_xcr0;
> +	vcpu->arch.guest_fpu.fpstate->user_xfeatures = guest_supported_xcr0 |
> +		XFEATURE_MASK_FPSSE;

I don't think this is correct.  This will allow the guest to set the SSE bit
even when XSAVE isn't supported due to kvm_guest_supported_xcr0() returning
user_xfeatures.

  static inline u64 kvm_guest_supported_xcr0(struct kvm_vcpu *vcpu)
  {
	return vcpu->arch.guest_fpu.fpstate->user_xfeatures;
  }

I believe the right place to fix this is in validate_user_xstate_header().  It's
reachable if and only if XSAVE is supported in the host, and when XSAVE is _not_
supported, the kernel unconditionally allows FP+SSE.  So it follows that the kernel
should also allow FP+SSE when using XSAVE too.  That would also align the logic
with fpu_copy_guest_fpstate_to_uabi(), which fordces the FPSSE flags.  Ditto for
the non-KVM save_xstate_epilog().

Aha!  And fpu__init_system_xstate() ensure the host supports FP+SSE when XSAVE
is enabled (knew their had to be a sanity check somewhere).

---
 arch/x86/kernel/fpu/xstate.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index c8340156bfd2..83b9a9653d47 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -399,8 +399,13 @@ int xfeature_size(int xfeature_nr)
 static int validate_user_xstate_header(const struct xstate_header *hdr,
 				       struct fpstate *fpstate)
 {
-	/* No unknown or supervisor features may be set */
-	if (hdr->xfeatures & ~fpstate->user_xfeatures)
+	/*
+	 * No unknown or supervisor features may be set.  Userspace is always
+	 * allowed to restore FP+SSE state (XSAVE/XRSTOR are used by the kernel
+	 * if and only if FP+SSE are supported in xstate).
+	 */
+	if (hdr->xfeatures & ~fpstate->user_xfeatures &
+	    ~(XFEATURE_MASK_FP | XFEATURE_MASK_SSE))
 		return -EINVAL;

 	/* Userspace must use the uncompacted format */

base-commit: de3d415edca23831c5d1f24f10c74a715af7efdb
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ