Reply-To: Sean Christopherson
Date: Sat, 22 Jan 2022 01:52:11 +0000
Message-Id: <20220122015211.1468758-1-seanjc@google.com>
Subject: [PATCH] KVM: VMX: Zero host's SYSENTER_ESP iff SYSENTER is NOT used
From: Sean Christopherson
To: Paolo Bonzini
Cc: Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Lai Jiangshan
X-Mailing-List: linux-kernel@vger.kernel.org

Zero vmcs.HOST_IA32_SYSENTER_ESP when initializing *constant* host state
if and only if SYSENTER cannot be used, i.e. the kernel is a 64-bit kernel
and is not emulating 32-bit syscalls. As the name suggests,
vmx_set_constant_host_state() is intended for state that is *constant*.
When SYSENTER is used, SYSENTER_ESP isn't constant because stacks are
per-CPU, and the VMCS must be updated whenever the vCPU is migrated to a
new CPU.

The logic in vmx_vcpu_load_vmcs() doesn't differentiate between "never
loaded" and "loaded on a different CPU", i.e. setting SYSENTER_ESP on VMCS
load also handles setting correct host state when the VMCS is first
loaded.

Because a VMCS must be loaded before it is initialized during vCPU RESET,
zeroing the field in vmx_set_constant_host_state() obliterates the value
that was written when the VMCS was loaded. If the vCPU is run before it
is migrated, the subsequent VM-Exit will zero out MSR_IA32_SYSENTER_ESP,
leading to a #DF on the next 32-bit syscall.

  double fault: 0000 [#1] SMP
  CPU: 0 PID: 990 Comm: stable Not tainted 5.16.0+ #97
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  EIP: entry_SYSENTER_32+0x0/0xe7
  Code: <9c> 50 eb 17 0f 20 d8 a9 00 10 00 00 74 0d 25 ff ef ff ff 0f 22 d8
  EAX: 000000a2 EBX: a8d1300c ECX: a8d13014 EDX: 00000000
  ESI: a8f87000 EDI: a8d13014 EBP: a8d12fc0 ESP: 00000000
  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00210093
  CR0: 80050033 CR2: fffffffc CR3: 02c3b000 CR4: 00152e90

Fixes: 6ab8a4053f71 ("KVM: VMX: Avoid to rdmsrl(MSR_IA32_SYSENTER_ESP)")
Cc: Lai Jiangshan
Signed-off-by: Sean Christopherson Reviewed-by: Vitaly Kuznetsov --- arch/x86/kvm/vmx/vmx.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index a02a28ce7cc3..ce2aae12fcc5 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -4094,10 +4094,13 @@ void vmx_set_constant_host_state(struct vcpu_vmx *v= mx) vmcs_write32(HOST_IA32_SYSENTER_CS, low32); =20 /* - * If 32-bit syscall is enabled, vmx_vcpu_load_vcms rewrites - * HOST_IA32_SYSENTER_ESP. + * SYSENTER is used only for (emulating) 32-bit kernels, zero out + * SYSENTER.ESP if it is NOT used. When SYSENTER is used, the per-CPU + * stack is set when the VMCS is loaded (and may already be set!). */ - vmcs_writel(HOST_IA32_SYSENTER_ESP, 0); + if (!IS_ENABLED(CONFIG_IA32_EMULATION) && !IS_ENABLED(CONFIG_X86_32)) + vmcs_writel(HOST_IA32_SYSENTER_ESP, 0); + rdmsrl(MSR_IA32_SYSENTER_EIP, tmpl); vmcs_writel(HOST_IA32_SYSENTER_EIP, tmpl); /* 22.2.3 */ =20 base-commit: e2e83a73d7ce66f62c7830a85619542ef59c90e4 --=20 2.35.0.rc0.227.g00780c9af4-goog
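Review bot: the new predicate in vmx_set_constant_host_state(), `!IS_ENABLED(CONFIG_IA32_EMULATION) && !IS_ENABLED(CONFIG_X86_32)`, is the inverse of the condition under which vmx_vcpu_load_vmcs() writes HOST_IA32_SYSENTER_ESP (the removed comment points at that function), so the two sites now have to be kept in sync by hand; a small shared helper that both call would turn a future drift (one site updated, the other not) into a compile-time impossibility. The replacement comment would also benefit from stating the ordering the fix relies on, namely that the VMCS is always loaded before this function runs, since leaving the field untouched is only correct because of that ordering.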
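As an added example, not part of the patch or of KVM: a constructed C model of the load, "constant" initialization and VM-Exit ordering the commit message describes, with the pre-patch unconditional zeroing and the post-patch conditional zeroing side by side, plus the migrate-before-run case that explains why the bug only bites when the vCPU runs on the CPU it was loaded on. The struct names, the percpu_stack values and the host_esp_after_first_run() entry point are assumptions of the model, not KVM identifiers.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the ordering the patch describes; not KVM's code.
 * Kconfig options are modelled as plain booleans. */
struct kcfg { bool x86_32; bool ia32_emulation; };
struct vmcs { uint64_t host_sysenter_esp; };  /* HOST_IA32_SYSENTER_ESP */

/* Per-CPU kernel stack pointers: constructed sample values. */
static const uint64_t percpu_stack[2] = { 0xffff888000010000ull,
                                          0xffff888000020000ull };

/* SYSENTER is used by 32-bit kernels and by 64-bit kernels emulating them. */
static bool sysenter_used(const struct kcfg *c) { return c->x86_32 || c->ia32_emulation; }

/* Models vmx_vcpu_load_vmcs(): runs on first load and after migration. */
static void load_vmcs(const struct kcfg *c, struct vmcs *v, int cpu)
{
	if (sysenter_used(c))
		v->host_sysenter_esp = percpu_stack[cpu];
}

/* Models vmx_set_constant_host_state(): unconditional zero before the
 * patch, zero only when SYSENTER is not used after it. */
static void set_constant_host_state(const struct kcfg *c, struct vmcs *v, bool fixed)
{
	if (!fixed || !sysenter_used(c))
		v->host_sysenter_esp = 0;
}

/* VM-Exit: the CPU reloads MSR_IA32_SYSENTER_ESP from the VMCS host field. */
static uint64_t vm_exit(const struct vmcs *v) { return v->host_sysenter_esp; }

/* RESET loads the VMCS on CPU 0, then initializes "constant" state. Returns
 * the host SYSENTER_ESP a 32-bit syscall would find after the first VM-Exit,
 * optionally after the vCPU was migrated to CPU 1 before running. */
uint64_t host_esp_after_first_run(bool x86_32, bool ia32_emulation, bool fixed,
				  bool migrate_before_run)
{
	struct kcfg c = { x86_32, ia32_emulation };
	struct vmcs v = { 0 };

	load_vmcs(&c, &v, 0);
	set_constant_host_state(&c, &v, fixed);
	if (migrate_before_run)
		load_vmcs(&c, &v, 1);
	return vm_exit(&v);
}
```

A zero return for a configuration where sysenter_used() is true is the state that produces the #DF in the oops above; a zero return where it is false is the intended "constant" value.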