Commit b062b794 authored by Vitaly Kuznetsov's avatar Vitaly Kuznetsov Committed by Paolo Bonzini

x86/kvm/vmx: don't read current->thread.{fs,gs}base of legacy tasks

When we switched from doing rdmsr() to reading FS/GS base values from
current->thread we completely forgot about legacy 32-bit userspaces which
we still support in KVM (why?). task->thread.{fsbase,gsbase} are only
synced for 64-bit processes, calling save_fsgs_for_kvm() and using
its result from current is illegal for legacy processes.

There's no ARCH_SET_FS/GS prctls for legacy applications. Base MSRs are,
however, not always equal to zero. Intel's manual says (3.4.4 Segment
Loading Instructions in IA-32e Mode):

"In order to set up compatibility mode for an application, segment-load
instructions (MOV to Sreg, POP Sreg) work normally in 64-bit mode. An
entry is read from the system descriptor table (GDT or LDT) and is loaded
in the hidden portion of the segment register.
...
The hidden descriptor register fields for FS.base and GS.base are
physically mapped to MSRs in order to load all address bits supported by
a 64-bit implementation.
"

The issue was found by strace test suite where 32-bit ioctl_kvm_run test
started segfaulting.
Reported-by: default avatarDmitry V. Levin <ldv@altlinux.org>
Bisected-by: default avatarMasatake YAMATO <yamato@redhat.com>
Fixes: 42b933b5 ("x86/kvm/vmx: read MSR_{FS,KERNEL_GS}_BASE from current->thread")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent cd283252
...@@ -2365,6 +2365,7 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu) ...@@ -2365,6 +2365,7 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
struct vcpu_vmx *vmx = to_vmx(vcpu); struct vcpu_vmx *vmx = to_vmx(vcpu);
#ifdef CONFIG_X86_64 #ifdef CONFIG_X86_64
int cpu = raw_smp_processor_id(); int cpu = raw_smp_processor_id();
unsigned long fs_base, kernel_gs_base;
#endif #endif
int i; int i;
...@@ -2380,12 +2381,20 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu) ...@@ -2380,12 +2381,20 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel; vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel;
#ifdef CONFIG_X86_64 #ifdef CONFIG_X86_64
if (likely(is_64bit_mm(current->mm))) {
save_fsgs_for_kvm(); save_fsgs_for_kvm();
vmx->host_state.fs_sel = current->thread.fsindex; vmx->host_state.fs_sel = current->thread.fsindex;
vmx->host_state.gs_sel = current->thread.gsindex; vmx->host_state.gs_sel = current->thread.gsindex;
#else fs_base = current->thread.fsbase;
kernel_gs_base = current->thread.gsbase;
} else {
#endif
savesegment(fs, vmx->host_state.fs_sel); savesegment(fs, vmx->host_state.fs_sel);
savesegment(gs, vmx->host_state.gs_sel); savesegment(gs, vmx->host_state.gs_sel);
#ifdef CONFIG_X86_64
fs_base = read_msr(MSR_FS_BASE);
kernel_gs_base = read_msr(MSR_KERNEL_GS_BASE);
}
#endif #endif
if (!(vmx->host_state.fs_sel & 7)) { if (!(vmx->host_state.fs_sel & 7)) {
vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel); vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel);
...@@ -2405,10 +2414,10 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu) ...@@ -2405,10 +2414,10 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
savesegment(ds, vmx->host_state.ds_sel); savesegment(ds, vmx->host_state.ds_sel);
savesegment(es, vmx->host_state.es_sel); savesegment(es, vmx->host_state.es_sel);
vmcs_writel(HOST_FS_BASE, current->thread.fsbase); vmcs_writel(HOST_FS_BASE, fs_base);
vmcs_writel(HOST_GS_BASE, cpu_kernelmode_gs_base(cpu)); vmcs_writel(HOST_GS_BASE, cpu_kernelmode_gs_base(cpu));
vmx->msr_host_kernel_gs_base = current->thread.gsbase; vmx->msr_host_kernel_gs_base = kernel_gs_base;
if (is_long_mode(&vmx->vcpu)) if (is_long_mode(&vmx->vcpu))
wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base); wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
#else #else
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment