From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: James Hogan <james.hogan@imgtec.com>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	Paolo Bonzini <pbonzini@redhat.com>,
	Ralf Baechle <ralf@linux-mips.org>,
	Sanjay Lal <sanjayl@kymasys.com>, Gleb Natapov <gleb@kernel.org>,
	kvm@vger.kernel.org, linux-mips@linux-mips.org
Subject: Re: [PATCH 3.14 58/73] KVM: MIPS: Don't leak FPU/DSP to guest
Date: Wed, 4 Mar 2015 10:22:06 -0800	[thread overview]
Message-ID: <20150304182206.GG13218@kroah.com> (raw)
In-Reply-To: <20150304081040.GA28401@jhogan-linux.le.imgtec.org>

On Wed, Mar 04, 2015 at 08:10:40AM +0000, James Hogan wrote:
> Hi Greg,
> 
> On Tue, Mar 03, 2015 at 10:13:26PM -0800, Greg Kroah-Hartman wrote:
> > 3.14-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: James Hogan <james.hogan@imgtec.com>
> > 
> > commit f798217dfd038af981a18bbe4bc57027a08bb182 upstream.
> > 
> > The FPU and DSP are enabled via the CP0 Status CU1 and MX bits by
> > kvm_mips_set_c0_status() on a guest exit, presumably in case there is
> > active state that needs saving if pre-emption occurs. However neither of
> > these bits are cleared again when returning to the guest.
> > 
> > This effectively gives the guest access to the FPU/DSP hardware after
> > the first guest exit even though it is not aware of its presence,
> > allowing FP instructions in guest user code to intermittently actually
> > execute instead of trapping into the guest OS for emulation. It will
> > then read & manipulate the hardware FP registers which technically
> > belong to the user process (e.g. QEMU), or are stale from another user
> > process. It can also crash the guest OS by causing an FP exception, for
> > which a guest exception handler won't have been registered.
> > 
> > First let's save and disable the FPU (and MSA) state with lose_fpu(1)
> > before entering the guest. This simplifies the problem, especially for
> > when guest FPU/MSA support is added in the future, and prevents FR=1 FPU
> > state being live when the FR bit gets cleared for the guest, which
> > according to the architecture causes the contents of the FPU and vector
> > registers to become UNPREDICTABLE.
> > 
> > We can then safely remove the enabling of the FPU in
> > kvm_mips_set_c0_status(), since there should never be any active FPU or
> > MSA state to save at pre-emption, which should plug the FPU leak.
> > 
> > DSP state is always live rather than being lazily restored, so for that
> > it is simpler to just clear the MX bit again when re-entering the guest.
> > 
> > Signed-off-by: James Hogan <james.hogan@imgtec.com>
> > Cc: Paolo Bonzini <pbonzini@redhat.com>
> > Cc: Ralf Baechle <ralf@linux-mips.org>
> > Cc: Sanjay Lal <sanjayl@kymasys.com>
> > Cc: Gleb Natapov <gleb@kernel.org>
> > Cc: kvm@vger.kernel.org
> > Cc: linux-mips@linux-mips.org
> > Cc: <stable@vger.kernel.org> # v3.10+: 044f0f03eca0: MIPS: KVM: Deliver guest interrupts
> 
> The original 3.10 and 3.12/3.14 backports had this added:
> Cc: <stable@vger.kernel.org> # v3.10+: 3ce465e04bfd: MIPS: Export FP functions used by lose_fpu(1) for KVM
> Which I can't see included in the v3.10 stable queue or branch. It fixes
> a build error with MIPS malta_kvm_defconfig (MIPS=y, KVM=m) after this
> patch is applied.
> 
> Same applies to the 3.14 queue too I think.

Odd, I remember having problems in this area and thought I had queued
this up.  It's now applied to both trees, thanks.

greg k-h
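As an added illustration, not part of this thread and not the kernel's own code: a small userspace C model of the guest exit and re-entry paths the commit message describes, before and after the fix. Only the CU1 (bit 29) and MX (bit 24) positions come from the MIPS CP0 Status layout; the struct, the function names and the host FP register value are constructed for the example. It shows why one guest exit is enough for the leak to appear, and the invariant a reviewer would check on the fixed path: the guest never runs with CU1 or MX set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CP0 Status bits from the MIPS architecture; everything else in this
 * file is a constructed model, not the KVM/MIPS code itself. */
#define ST0_MX  (1u << 24)   /* DSP ASE usable */
#define ST0_CU1 (1u << 29)   /* coprocessor 1 (FPU) usable */

struct vcpu_model {
    uint32_t status;      /* CP0 Status in effect while the guest runs */
    int64_t  host_fpr;    /* one hardware FP register: host process state */
};

/* Before the fix: kvm_mips_set_c0_status() on guest exit enables FPU+DSP. */
static void exit_before_fix(struct vcpu_model *v)
{
    v->status |= ST0_CU1 | ST0_MX;
}

/* Before the fix: re-entry clears neither bit. */
static void enter_before_fix(struct vcpu_model *v)
{
    (void)v;
}

/* Model of lose_fpu(1): host FPU context saved, CU1 disabled. */
static void lose_fpu_model(struct vcpu_model *v)
{
    v->status &= ~ST0_CU1;
}

/* After the fix: exit still enables the DSP, but no longer the FPU. */
static void exit_after_fix(struct vcpu_model *v)
{
    v->status |= ST0_MX;
}

/* After the fix: lose_fpu(1) before entry, then clear MX again. */
static void enter_after_fix(struct vcpu_model *v)
{
    lose_fpu_model(v);
    v->status &= ~ST0_MX;
}

/* A guest user-mode FP load: with CU1 set it executes on the hardware and
 * reads the host's register; with CU1 clear it takes a coprocessor-unusable
 * exception that the guest OS has to emulate. Returns true if it executed. */
static bool guest_fp_read(const struct vcpu_model *v, int64_t *seen)
{
    if (v->status & ST0_CU1) {
        *seen = v->host_fpr;
        return true;
    }
    return false;
}

/* Invariant to check in review: the guest never runs with CU1 or MX set. */
static bool guest_status_clean(const struct vcpu_model *v)
{
    return (v->status & (ST0_CU1 | ST0_MX)) == 0;
}

/* Run n exit/re-entry round trips and report whether the guest could at any
 * point read the host FP register (the value is written to *seen). */
static bool fpu_leaks(bool fixed, int n, int64_t *seen)
{
    /* Constructed host register contents standing in for QEMU's FP state. */
    struct vcpu_model v = { .status = 0,
                            .host_fpr = INT64_C(0x4005bf0a8b145769) };
    bool leaked = false;

    for (int i = 0; i < n; i++) {
        if (fixed) {
            exit_after_fix(&v);
            enter_after_fix(&v);
        } else {
            exit_before_fix(&v);
            enter_before_fix(&v);
        }
        if (!guest_status_clean(&v) && guest_fp_read(&v, seen))
            leaked = true;
    }
    return leaked;
}

/* The value the guest saw, or 0 if the FP instruction always trapped. */
static int64_t leaked_value(bool fixed, int n)
{
    int64_t seen = 0;
    return fpu_leaks(fixed, n, &seen) ? seen : 0;
}

int main(void)
{
    printf("before fix, 1 exit:  leaked=%#llx\n",
           (unsigned long long)leaked_value(false, 1));
    printf("after fix,  3 exits: leaked=%#llx\n",
           (unsigned long long)leaked_value(true, 3));
    return 0;
}
```

The model keeps the commit message's split: the FPU problem is solved on the entry side (lose_fpu(1) means there is no live FP state, so the exit path need not enable CU1 at all), while the DSP is handled by clearing MX again on every re-entry because its state is always live. Any change to either path should keep guest_status_clean() true before the guest runs.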


Thread overview: 83+ messages
2015-03-04  6:12 [PATCH 3.14 00/73] 3.14.35-stable review Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 01/73] Bluetooth: ath3k: workaround the compatibility issue with xHCI controller Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 02/73] xfs: ensure buffer types are set correctly Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 03/73] xfs: inode unlink does not set AGI buffer type Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 04/73] xfs: set superblock buffer type correctly Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 05/73] fsnotify: fix handling of renames in audit Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 06/73] iwlwifi: pcie: disable the SCD_BASE_ADDR when we resume from WoWLAN Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 07/73] iwlwifi: mvm: validate tid and sta_id in ba_notif Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 08/73] iwlwifi: mvm: fix failure path when power_update fails in add_interface Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 09/73] iwlwifi: mvm: always use mac color zero Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 10/73] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 11/73] PCI: Generate uppercase hex for modalias var in uevent Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 13/73] cpufreq: Set cpufreq_cpu_data to NULL before putting kobject Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 15/73] cpufreq: s3c: remove incorrect __init annotations Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 16/73] xen/manage: Fix USB interaction issues when resuming Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 17/73] [media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 18/73] ALSA: off by one bug in snd_riptide_joystick_probe() Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 19/73] ALSA: hdspm - Constrain periods to 2 on older cards Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 20/73] power_supply: 88pm860x: Fix leaked power supply on probe fail Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 21/73] power: bq24190: Fix ignored supplicants Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 22/73] power: gpio-charger: balance enable/disable_irq_wake calls Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 23/73] megaraid_sas: disable interrupt_mask before enabling hardware interrupts Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 26/73] mmc: sdhci-pxav3: fix setting of pdata->clk_delay_cycles Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 27/73] nfs: don't call blocking operations while !TASK_RUNNING Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 28/73] MIPS: KVM: Deliver guest interrupts after local_irq_disable() Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 29/73] mm/hugetlb: pmd_huge() returns true for non-present hugepage Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 30/73] tracing: Fix unmapping loop in tracing_mark_write Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.14 31/73] ARM: 8284/1: sa1100: clear RCSR_SMR on resume Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 32/73] ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3 Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 33/73] ARM: dts: tegra20: fix GR3D, DSI unit and reg base addresses Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 34/73] ARM: dts: am335x-bone*: usb0 is hardwired for peripheral Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 35/73] tpm_tis: verify interrupt during init Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 36/73] TPM: Add new TPMs to the tail of the list to prevent inadvertent change of dev Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 37/73] char: tpm: Add missing error check for devm_kzalloc Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 38/73] tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 39/73] tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 40/73] Added Little Endian support to vtpm module Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 41/73] NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 42/73] iscsi-target: Drop problematic active_ts_list usage Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 43/73] cfq-iosched: handle failure of cfq group allocation Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 44/73] cfq-iosched: fix incorrect filing of rt async cfqq Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 45/73] axonram: Fix bug in direct_access Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 46/73] tty: Prevent untrappable signals from malicious program Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 47/73] tty/serial: at91: fix error handling in atmel_serial_probe() Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 48/73] USB: cp210x: add ID for RUGGEDCOM USB Serial Console Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 49/73] USB: fix use-after-free bug in usb_hcd_unlink_urb() Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 50/73] usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 51/73] vt: provide notifications on selection changes Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 52/73] ARM: pxa: add regulator_has_full_constraints to corgi board file Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 53/73] ARM: pxa: add regulator_has_full_constraints to poodle " Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 54/73] kdb: fix incorrect counts in KDB summary command output Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 55/73] ntp: Fixup adjtimex freq validation on 32-bit systems Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 56/73] ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 57/73] KVM: s390: floating irqs: fix user triggerable endless loop Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 58/73] KVM: MIPS: Don't leak FPU/DSP to guest Greg Kroah-Hartman
2015-03-04  8:10   ` James Hogan
2015-03-04  8:10     ` James Hogan
2015-03-04 18:22     ` Greg Kroah-Hartman [this message]
2015-03-04  6:13 ` [PATCH 3.14 59/73] KVM: x86: update masterclock values on TSC writes Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 60/73] hx4700: regulator: declare full constraints Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 61/73] arm64: compat Fix siginfo_t -> compat_siginfo_t conversion on big endian Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 62/73] gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip per node Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 63/73] gpio: tps65912: fix wrong container_of arguments Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 64/73] xfs: Fix quota type in quota structures when reusing quota file Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 65/73] metag: Fix KSTK_EIP() and KSTK_ESP() macros Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 66/73] md/raid5: Fix livelock when array is both resyncing and degraded Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 68/73] EDAC, amd64_edac: Prevent OOPS with >16 memory controllers Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 69/73] jffs2: fix handling of corrupted summary length Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 70/73] btrfs: set proper message level for skinny metadata Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 71/73] btrfs: fix leak of path in btrfs_find_item Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 72/73] blk-throttle: check stats_cpu before reading it from sysfs Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.14 73/73] x86, mm/ASLR: Fix stack randomization on 64-bit systems Greg Kroah-Hartman
2015-03-04 14:11 ` [PATCH 3.14 00/73] 3.14.35-stable review Guenter Roeck
2015-03-04 18:16   ` Greg Kroah-Hartman
2015-03-05  2:23     ` Guenter Roeck
2015-03-05 16:08       ` [PATCH stable 3.10, 3.12, 3.14] MIPS: Export FP functions used by lose_fpu(1) for KVM James Hogan
2015-03-05 16:08         ` James Hogan
2015-03-06  6:30         ` Greg Kroah-Hartman
2015-03-06 16:22           ` Guenter Roeck
2015-03-06 17:45             ` Greg Kroah-Hartman
2015-03-06 20:42               ` Guenter Roeck
2015-03-07 13:30         ` Jiri Slaby
2015-03-04 23:41 ` [PATCH 3.14 00/73] 3.14.35-stable review Shuah Khan
