From c74f41bbcc83d12787ac42f2c74fc2be54e9f222 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Fri, 13 Sep 2013 15:55:57 +0200 Subject: [PATCH 1/3] x86: fix migration from pre-version 12 On KVM, the KVM_SET_XSAVE would be executed with a 0 xstate_bv, and not restore anything. Since FP and SSE data are always valid, set them in xstate_bv at reset time. In fact, that value is the same that KVM_GET_XSAVE returns on pre-XSAVE hosts. Signed-off-by: Paolo Bonzini Signed-off-by: Gleb Natapov --- target-i386/cpu.c | 1 + target-i386/cpu.h | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/target-i386/cpu.c b/target-i386/cpu.c index b6828022bc..ea99b2692d 100644 --- a/target-i386/cpu.c +++ b/target-i386/cpu.c @@ -2405,6 +2405,7 @@ static void x86_cpu_reset(CPUState *s) env->fpuc = 0x37f; env->mxcsr = 0x1f80; + env->xstate_bv = XSTATE_FP | XSTATE_SSE; env->pat = 0x0007040600070406ULL; env->msr_ia32_misc_enable = MSR_IA32_MISC_ENABLE_DEFAULT; diff --git a/target-i386/cpu.h b/target-i386/cpu.h index 5723eff9a8..ea373e82dc 100644 --- a/target-i386/cpu.h +++ b/target-i386/cpu.h @@ -380,6 +380,10 @@ #define MSR_VM_HSAVE_PA 0xc0010117 +#define XSTATE_FP 1 +#define XSTATE_SSE 2 +#define XSTATE_YMM 4 + /* CPUID feature words */ typedef enum FeatureWord { FEAT_1_EDX, /* CPUID[1].EDX */ From 2560f19f426aceb4f2e809d860b93e7573cb1c4e Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Wed, 2 Oct 2013 17:54:57 +0200 Subject: [PATCH 2/3] x86: cpuid: reconstruct leaf 0Dh data The data in leaf 0Dh depends on information from other feature bits. Instead of passing it blindly from the host, compute it based on whether these feature bits are enabled. Signed-off-by: Paolo Bonzini Signed-off-by: Gleb Natapov --- target-i386/cpu.c | 65 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 48 insertions(+), 17 deletions(-) diff --git a/target-i386/cpu.c b/target-i386/cpu.c index ea99b2692d..7c2584c8a1 100644 --- a/target-i386/cpu.c +++ b/target-i386/cpu.c @@ -328,6 +328,15 @@ X86RegisterInfo32 x86_reg_info_32[CPU_NB_REGS32] = { }; #undef REGISTER +typedef struct ExtSaveArea { + uint32_t feature, bits; + uint32_t offset, size; +} ExtSaveArea; + +static const ExtSaveArea ext_save_areas[] = { + [2] = { .feature = FEAT_1_ECX, .bits = CPUID_EXT_AVX, + .offset = 0x100, .size = 0x240 }, +}; const char *get_register_name_32(unsigned int reg) { @@ -2180,29 +2189,51 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count, *edx = 0; } break; - case 0xD: + case 0xD: { + KVMState *s = cs->kvm_state; + uint64_t kvm_mask; + int i; + /* Processor Extended State */ - if (!(env->features[FEAT_1_ECX] & CPUID_EXT_XSAVE)) { - *eax = 0; - *ebx = 0; - *ecx = 0; - *edx = 0; + *eax = 0; + *ebx = 0; + *ecx = 0; + *edx = 0; + if (!(env->features[FEAT_1_ECX] & CPUID_EXT_XSAVE) || !kvm_enabled()) { break; } - if (kvm_enabled()) { - KVMState *s = cs->kvm_state; + kvm_mask = + kvm_arch_get_supported_cpuid(s, 0xd, 0, R_EAX) | + ((uint64_t)kvm_arch_get_supported_cpuid(s, 0xd, 0, R_EDX) << 32); - *eax = kvm_arch_get_supported_cpuid(s, 0xd, count, R_EAX); - *ebx = kvm_arch_get_supported_cpuid(s, 0xd, count, R_EBX); - *ecx = kvm_arch_get_supported_cpuid(s, 0xd, count, R_ECX); - *edx = kvm_arch_get_supported_cpuid(s, 0xd, count, R_EDX); - } else { - *eax = 0; - *ebx = 0; - *ecx = 0; - *edx = 0; + if (count == 0) { + *ecx = 0x240; + for (i = 2; i < ARRAY_SIZE(ext_save_areas); i++) { + const ExtSaveArea *esa = &ext_save_areas[i]; + if ((env->features[esa->feature] & esa->bits) == esa->bits && + (kvm_mask & (1 << i)) != 0) { + if (i < 32) { + *eax |= 1 << i; + } else { + *edx |= 1 << (i - 32); + } + *ecx = MAX(*ecx, esa->offset + esa->size); + } + } + *eax |= kvm_mask & (XSTATE_FP | XSTATE_SSE); + *ebx = *ecx; + } else if (count == 1) { + *eax = kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX); + } else if (count < ARRAY_SIZE(ext_save_areas)) { + const ExtSaveArea *esa = &ext_save_areas[count]; + if ((env->features[esa->feature] & esa->bits) == esa->bits && + (kvm_mask & (1 << count)) != 0) { + *eax = esa->offset; + *ebx = esa->size; + } } break; + } case 0x80000000: *eax = env->cpuid_xlevel; *ebx = env->cpuid_vendor1; From 7174e54cf14290233f4ae3e989ebc7b507636e77 Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Mon, 30 Sep 2013 12:35:13 +0200 Subject: [PATCH 3/3] kvmvapic: Prevent reading beyond the end of guest RAM rom_state_paddr is guest provided (caller address of outw(VAPIC_PORT) + writen 16-bit value) and can be influenced to point beyond the end of the host memory backing the guest's RAM. Make sure we do not use this pointer to actually read beyond the limits. Reading arbitrary guest bytes is harmless, the guest kernel has to manage access to this I/O port anyway. Signed-off-by: Jan Kiszka Acked-by: Michael S. Tsirkin Signed-off-by: Gleb Natapov --- hw/i386/kvmvapic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c index 1c2dbf59cf..2d876009fc 100644 --- a/hw/i386/kvmvapic.c +++ b/hw/i386/kvmvapic.c @@ -596,6 +596,9 @@ static int vapic_map_rom_writable(VAPICROMState *s) section = memory_region_find(as, 0, 1); /* read ROM size from RAM region */ + if (rom_paddr + 2 >= memory_region_size(section.mr)) { + return -1; + } ram = memory_region_get_ram_ptr(section.mr); rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE; if (rom_size == 0) {