    KVM: VMX: Fix ds/es corruption on i386 with preemption · aa67f609
    Avi Kivity authored
    Commit b2da15ac ("KVM: VMX: Optimize %ds, %es reload") broke i386
    in the following scenario:
    
      vcpu_load
      ...
      vmx_save_host_state
      vmx_vcpu_run
      (ds.rpl, es.rpl cleared by hardware)
    
      interrupt
        push ds, es  # pushes bad ds, es
        schedule
          vmx_vcpu_put
            vmx_load_host_state
              reload ds, es (with __USER_DS)
        pop ds, es  # of other thread's stack
        iret
      # other thread runs
      interrupt
        push ds, es
        schedule  # back in vcpu thread
        pop ds, es  # now with rpl=0
        iret
      ...
      vcpu_put
      resume_userspace
      iret  # clears ds, es due to mismatched rpl
    
    (instead of resume_userspace, we might return with SYSEXIT and then
    take an exception; when the exception IRETs we end up with cleared
    ds, es)
    
    Fix by avoiding the optimization on i386 and reloading ds, es on the
    lightweight exit path.
    Reported-by: Chris Clayron <chris2553@googlemail.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
vmx.c 210 KB