    KVM: MIPS: Don't leak FPU/DSP to guest · b4db76b6
    James Hogan authored
    commit f798217d upstream.
    
    The FPU and DSP are enabled via the CP0 Status CU1 and MX bits by
    kvm_mips_set_c0_status() on a guest exit, presumably in case there is
    active state that needs saving if pre-emption occurs. However, neither of
    these bits is cleared again when returning to the guest.
    
    This effectively gives the guest access to the FPU/DSP hardware after
    the first guest exit even though it is not aware of its presence,
    allowing FP instructions in guest user code to intermittently actually
    execute instead of trapping into the guest OS for emulation. It will
    then read & manipulate the hardware FP registers which technically
    belong to the user process (e.g. QEMU), or are stale from another user
    process. It can also crash the guest OS by causing an FP exception, for
    which a guest exception handler won't have been registered.
    
    First let's save and disable the FPU (and MSA) state with lose_fpu(1)
    before entering the guest. This simplifies the problem, especially for
    when guest FPU/MSA support is added in the future, and prevents FR=1 FPU
    state being live when the FR bit gets cleared for the guest, which
    according to the architecture causes the contents of the FPU and vector
    registers to become UNPREDICTABLE.
    
    We can then safely remove the enabling of the FPU in
    kvm_mips_set_c0_status(), since there should never be any active FPU or
    MSA state to save at pre-emption, which should plug the FPU leak.
    
    DSP state is always live rather than being lazily restored, so for that
    it is simpler to just clear the MX bit again when re-entering the guest.

    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Sanjay Lal <sanjayl@kymasys.com>
    Cc: Gleb Natapov <gleb@kernel.org>
    Cc: kvm@vger.kernel.org
    Cc: linux-mips@linux-mips.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ luis: backported to 3.16: files rename:
      - locore.S -> kvm_locore.S
      - mips.c -> kvm_mips.c ]
    Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
kvm_locore.S 14.3 KB