Fix an explosion found via syzkaller+KASAN where KVM attempts to "put" an
FPU without first having loaded the FPU. The underlying problem is the
ugly hack for dealing with INIT being processed during MP_STATE.
KVM needs to ensure the FPU state is resident in memory in order to clear
MPX and CET state. In most cases, INIT is emulated during KVM_RUN, and so
KVM needs to put the FPU. But for MP_STATE, the FPU doesn't need to be
loaded, and so isn't. Except when KVM predicts that the FPU will be
unloaded. CET enabling updated the "put" path but missed the prediction
logic in MP_STATE.
Rip out the ugly hack and instead do the obvious-in-hindsight thing of
checking if the FPU is loaded (or not). To retain a sanity check, e.g.
that the FPU is loaded as expected during KVM_RUN, WARN if the FPU being
loaded and the vCPU wanting to run aren't equal.
Sean Christopherson (2):
KVM: x86: Unload "FPU" state on INIT if and only if its currently in-use
KVM: x86: Harden KVM against imbalanced load/put of guest FPU state
arch/x86/kvm/x86.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
base-commit: 4361f5aa8bfcecbab3fc8db987482b9e08115a6a
--
2.51.1.930.gacf6e81ea2-goog
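As an added illustration of the cover letter's point (not code from the series or from KVM), the following constructed model contrasts the old approach, which decided whether to "put" the FPU based on a separately tracked prediction, with the fix, which consults the actual loaded state and warns when that state disagrees with the vCPU wanting to run. The struct fields and the functions `fpu_load`, `fpu_put`, `init_old` and `init_new` are hypothetical stand-ins for the KVM internals the letter describes.

```c
#include <stdbool.h>

/* Constructed model of the state the cover letter talks about. */
struct vcpu {
	bool fpu_loaded;       /* guest FPU state currently loaded in hardware */
	bool wants_to_run;     /* vCPU is inside KVM_RUN (hypothetical flag) */
	bool predicted_loaded; /* the old hack's separate guess, can go stale */
	int warnings;          /* number of sanity-check trips (stands in for WARN) */
};

/* Load guest FPU state; warn on a double load. */
static int fpu_load(struct vcpu *v)
{
	if (v->fpu_loaded) { v->warnings++; return -1; }
	v->fpu_loaded = true;
	return 0;
}

/* Put guest FPU state; a put without a prior load is the reported bug. */
static int fpu_put(struct vcpu *v)
{
	if (!v->fpu_loaded) { v->warnings++; return -1; }
	v->fpu_loaded = false;
	return 0;
}

/* Old approach: trust the prediction rather than the real state. */
static int init_old(struct vcpu *v)
{
	if (v->predicted_loaded)
		return fpu_put(v);
	return 0;
}

/* Fixed approach: put only if actually loaded, and warn when the loaded
 * state and the "wants to run" expectation are not equal. */
static int init_new(struct vcpu *v)
{
	if (v->fpu_loaded != v->wants_to_run)
		v->warnings++;
	if (v->fpu_loaded)
		return fpu_put(v);
	return 0;
}
```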
On Thu, 30 Oct 2025 11:58:00 -0700, Sean Christopherson wrote:
> Fix an explosion found via syzkaller+KASAN where KVM attempts to "put" an
> FPU without first having loaded the FPU. The underlying problem is the
> ugly hack for dealing with INIT being processed during MP_STATE.
>
> KVM needs to ensure the FPU state is resident in memory in order to clear
> MPX and CET state. In most cases, INIT is emulated during KVM_RUN, and so
> KVM needs to put the FPU. But for MP_STATE, the FPU doesn't need to be
> loaded, and so isn't. Except when KVM predicts that the FPU will be
> unloaded. CET enabling updated the "put" path but missed the prediction
> logic in MP_STATE.
>
> [...]
Applied to kvm-x86 fixes, thanks!
[1/2] KVM: x86: Unload "FPU" state on INIT if and only if its currently in-use
https://github.com/kvm-x86/linux/commit/8819a49f9ff8
[2/2] KVM: x86: Harden KVM against imbalanced load/put of guest FPU state
https://github.com/kvm-x86/linux/commit/9bc610b6a2a7
--
https://github.com/kvm-x86/linux/tree/next
On Thu, Oct 30, 2025 at 11:58:00AM +0800, Sean Christopherson wrote:
> Fix an explosion found via syzkaller+KASAN where KVM attempts to "put" an
> FPU without first having loaded the FPU. The underlying problem is the
> ugly hack for dealing with INIT being processed during MP_STATE.
>
> KVM needs to ensure the FPU state is resident in memory in order to clear
> MPX and CET state. In most cases, INIT is emulated during KVM_RUN, and so
> KVM needs to put the FPU. But for MP_STATE, the FPU doesn't need to be
> loaded, and so isn't. Except when KVM predicts that the FPU will be
> unloaded. CET enabling updated the "put" path but missed the prediction
> logic in MP_STATE.
>
> Rip out the ugly hack and instead do the obvious-in-hindsight thing of
> checking if the FPU is loaded (or not). To retain a sanity check, e.g.
> that the FPU is loaded as expected during KVM_RUN, WARN if the FPU being
> loaded and the vCPU wanting to run aren't equal.
>
> Sean Christopherson (2):
> KVM: x86: Unload "FPU" state on INIT if and only if its currently in-use
> KVM: x86: Harden KVM against imbalanced load/put of guest FPU state
>
> arch/x86/kvm/x86.c | 31 +++++++++++++++++++++----------
> 1 file changed, 21 insertions(+), 10 deletions(-)
>

With my experience on KVM AMX related issue debugging before, and revisiting kvm_load_guest_fpu() today:

Reviewed-by: Yao Yuan <yaoyuan@linux.alibaba.com>

>
> base-commit: 4361f5aa8bfcecbab3fc8db987482b9e08115a6a
> --
> 2.51.1.930.gacf6e81ea2-goog
>