From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, x86@kernel.org, stable@vger.kernel.org
Subject: [PATCH 2/5] x86, fpu: separate fpstate->xfd and guest XFD
Date: Wed, 24 Dec 2025 01:12:46 +0100
Message-ID: <20251224001249.1041934-3-pbonzini@redhat.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251224001249.1041934-1-pbonzini@redhat.com>
References: <20251224001249.1041934-1-pbonzini@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Until now, fpstate->xfd has acted as both the guest value and the value
that the host used when executing XSAVES and XRSTORS.  This is wrong:
the data in the guest's FPU might not be initialized even if a bit is
set in XFD and, when that happens, XRSTORing the guest FPU will fail
with a #NM exception *on the host*.

Instead, store the value of XFD together with XFD_ERR in struct fpu_guest;
it will still be synchronized in fpu_load_guest_fpstate(), but the
XRSTOR(S) operation will be able to load any valid state of the FPU
independent of the XFD value.

Cc: stable@vger.kernel.org
Fixes: 820a6ee944e7 ("kvm: x86: Add emulation for IA32_XFD", 2022-01-14)
Signed-off-by: Paolo Bonzini
Reported-by: Paolo Bonzini
Reviewed-by: Yuan Yao
---
 arch/x86/include/asm/fpu/api.h   |  6 ++----
 arch/x86/include/asm/fpu/types.h |  7 +++++++
 arch/x86/kernel/fpu/core.c       | 19 ++++---------------
 arch/x86/kernel/fpu/xstate.h     | 18 ++++++++++--------
 arch/x86/kvm/x86.c               |  6 +++---
 5 files changed, 26 insertions(+), 30 deletions(-)

diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h
index 0820b2621416..ee9ba06b7dbe 100644
--- a/arch/x86/include/asm/fpu/api.h
+++ b/arch/x86/include/asm/fpu/api.h
@@ -152,11 +152,9 @@ extern int fpu_swap_kvm_fpstate(struct fpu_guest *gfpu= , bool enter_guest); extern int fpu_enable_guest_xfd_features(struct fpu_guest *guest_fpu, u64 = xfeatures); =20 #ifdef CONFIG_X86_64 -extern void fpu_update_guest_xfd(struct fpu_guest *guest_fpu, u64 xfd); -extern void fpu_sync_guest_vmexit_xfd_state(void); +extern void fpu_sync_guest_vmexit_xfd_state(struct fpu_guest *gfpu); #else -static inline void fpu_update_guest_xfd(struct fpu_guest *guest_fpu, u64 x= fd) { } -static inline void fpu_sync_guest_vmexit_xfd_state(void) { } +static inline void fpu_sync_guest_vmexit_xfd_state(struct fpu_guest *gfpu)= { } #endif =20 extern void fpu_copy_guest_fpstate_to_uabi(struct fpu_guest *gfpu, void *b= uf, diff --git a/arch/x86/include/asm/fpu/types.h b/arch/x86/include/asm/fpu/ty= pes.h index 93e99d2583d6..7abe231e2ffe 100644 --- a/arch/x86/include/asm/fpu/types.h +++ b/arch/x86/include/asm/fpu/types.h @@ -545,6 +545,13 @@ struct fpu_guest { */ u64 xfeatures; =20 + /* + * @xfd: Save the guest value. Note that this is + * *not* fpstate->xfd, which is the value + * the host uses when doing XSAVE/XRSTOR. + */ + u64 xfd; + /* * @xfd_err: Save the guest value. */ diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c index a480fa8c65d5..ff17c96d290a 100644 --- a/arch/x86/kernel/fpu/core.c +++ b/arch/x86/kernel/fpu/core.c @@ -317,16 +317,6 @@ int fpu_enable_guest_xfd_features(struct fpu_guest *gu= est_fpu, u64 xfeatures) EXPORT_SYMBOL_FOR_KVM(fpu_enable_guest_xfd_features); =20 #ifdef CONFIG_X86_64 -void fpu_update_guest_xfd(struct fpu_guest *guest_fpu, u64 xfd) -{ - fpregs_lock(); - guest_fpu->fpstate->xfd =3D xfd; - if (guest_fpu->fpstate->in_use) - xfd_update_state(guest_fpu->fpstate); - fpregs_unlock(); -} -EXPORT_SYMBOL_FOR_KVM(fpu_update_guest_xfd); - /** * fpu_sync_guest_vmexit_xfd_state - Synchronize XFD MSR and software state * 
@@ -339,14 +329,12 @@ EXPORT_SYMBOL_FOR_KVM(fpu_update_guest_xfd); * Note: It can be invoked unconditionally even when write emulation is * enabled for the price of a then pointless MSR read. */ -void fpu_sync_guest_vmexit_xfd_state(void) +void fpu_sync_guest_vmexit_xfd_state(struct fpu_guest *gfpu) { - struct fpstate *fpstate =3D x86_task_fpu(current)->fpstate; - lockdep_assert_irqs_disabled(); if (fpu_state_size_dynamic()) { - rdmsrq(MSR_IA32_XFD, fpstate->xfd); - __this_cpu_write(xfd_state, fpstate->xfd); + rdmsrq(MSR_IA32_XFD, gfpu->xfd); + __this_cpu_write(xfd_state, gfpu->xfd); } } EXPORT_SYMBOL_FOR_KVM(fpu_sync_guest_vmexit_xfd_state); @@ -890,6 +878,7 @@ void fpu_load_guest_fpstate(struct fpu_guest *gfpu) fpregs_restore_userregs(); =20 fpregs_assert_state_consistent(); + xfd_set_state(gfpu->xfd); if (gfpu->xfd_err) wrmsrq(MSR_IA32_XFD_ERR, gfpu->xfd_err); } diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h index 52ce19289989..c0ce05bee637 100644 --- a/arch/x86/kernel/fpu/xstate.h +++ b/arch/x86/kernel/fpu/xstate.h 
@@ -180,26 +180,28 @@ static inline void xfd_validate_state(struct fpstate = *fpstate, u64 mask, bool rs #endif =20 #ifdef CONFIG_X86_64 -static inline void xfd_set_state(u64 xfd) +static inline void __xfd_set_state(u64 xfd) { wrmsrq(MSR_IA32_XFD, xfd); __this_cpu_write(xfd_state, xfd); } =20 +static inline void xfd_set_state(u64 xfd) +{ + if (__this_cpu_read(xfd_state) !=3D xfd) + __xfd_set_state(xfd); +} + static inline void xfd_update_state(struct fpstate *fpstate) { - if (fpu_state_size_dynamic()) { - u64 xfd =3D fpstate->xfd; - - if (__this_cpu_read(xfd_state) !=3D xfd) - xfd_set_state(xfd); - } + if (fpu_state_size_dynamic()) + xfd_set_state(fpstate->xfd); } =20 extern int __xfd_enable_feature(u64 which, struct fpu_guest *guest_fpu); #else static inline void xfd_set_state(u64 xfd) { } - +static inline void __xfd_set_state(u64 xfd) { } static inline void xfd_update_state(struct fpstate *fpstate) { } =20 static inline int __xfd_enable_feature(u64 which, struct fpu_guest *guest_= fpu) { diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 01d95192dfc5..56fd082859bc 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -4261,7 +4261,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct = msr_data *msr_info) if (data & ~kvm_guest_supported_xfd(vcpu)) return 1; =20 - fpu_update_guest_xfd(&vcpu->arch.guest_fpu, data); + vcpu->arch.guest_fpu.xfd =3D data; break; case MSR_IA32_XFD_ERR: if (!msr_info->host_initiated && @@ -4617,7 +4617,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct = msr_data *msr_info) !guest_cpu_cap_has(vcpu, X86_FEATURE_XFD)) return 1; =20 - msr_info->data =3D vcpu->arch.guest_fpu.fpstate->xfd; + msr_info->data =3D vcpu->arch.guest_fpu.xfd; break; case MSR_IA32_XFD_ERR: if (!msr_info->host_initiated && 
@@ -11405,7 +11405,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) * in #NM irqoff handler). */ if (vcpu->arch.xfd_no_write_intercept) - fpu_sync_guest_vmexit_xfd_state(); + fpu_sync_guest_vmexit_xfd_state(&vcpu->arch.guest_fpu); =20 kvm_x86_call(handle_exit_irqoff)(vcpu); =20 --=20 2.52.0
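Review bot: With fpu_update_guest_xfd() removed from arch/x86/kernel/fpu/core.c and the MSR_IA32_XFD case in kvm_set_msr_common() reduced to `vcpu->arch.guest_fpu.xfd = data;`, an intercepted guest write no longer reaches the hardware MSR while the guest FPU is already loaded: the removed function did `if (guest_fpu->fpstate->in_use) xfd_update_state(guest_fpu->fpstate);`, and the only remaining place in this patch that arms the hardware from gfpu->xfd is `xfd_set_state(gfpu->xfd);` in fpu_load_guest_fpstate(), which runs when the guest FPU is loaded rather than before every VM entry. Unless a later patch in the series restores that write (for example calling xfd_set_state(gfpu->xfd) under fpregs_lock() when gfpu->fpstate->in_use, or before VM entry), the guest resumes with the stale hardware value after the emulated write, and once the write intercept is dropped fpu_sync_guest_vmexit_xfd_state() reads that stale value back into gfpu->xfd and discards the guest's write. Either keep the in-use update in this patch or say in the commit message where the hardware MSR is now updated.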
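Review bot: fpu_sync_guest_vmexit_xfd_state() in arch/x86/kernel/fpu/core.c now takes `struct fpu_guest *gfpu`, but the hunk leaves the kernel-doc block above it untouched; add an `@gfpu:` line describing the new parameter and that the MSR value lands in gfpu->xfd rather than in current's fpstate, otherwise scripts/kernel-doc reports the parameter as undescribed.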
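Review bot: The new `xfd_set_state(gfpu->xfd);` in fpu_load_guest_fpstate() (arch/x86/kernel/fpu/core.c) is unconditional, whereas fpu_sync_guest_vmexit_xfd_state() in the same file guards its MSR access with fpu_state_size_dynamic(); on hardware without XFD the call is safe only because __this_cpu_read(xfd_state) and gfpu->xfd are both zero, so the compare inside xfd_set_state() skips the WRMSR. Consider the same fpu_state_size_dynamic() guard, or a comment saying why the compare suffices, plus a comment that the call must stay after fpregs_restore_userregs(), since the restore there has to run with fpstate->xfd rather than the guest value, which is the point of the patch.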
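Review bot: In the !CONFIG_X86_64 branch of arch/x86/kernel/fpu/xstate.h the hunk replaces the blank line with `static inline void __xfd_set_state(u64 xfd) { }`, but within this patch the only caller of __xfd_set_state() is the CONFIG_X86_64 xfd_set_state(); either drop the stub or keep the blank line so the stub group stays readable. Also, xfd_set_state() now does the per-CPU compare itself while xfd_update_state() keeps the fpu_state_size_dynamic() check; a one-line comment on xfd_set_state() saying that callers own that check would prevent future unguarded use on hardware without XFD.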
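As an added illustration of the failure the commit message describes (example code, not part of the patch or of the kernel), the following user-space C model replays the two schemes on a constructed guest buffer. It executes no XSAVE/XRSTOR; the hardware rule is modelled in software under the assumption that XRSTOR(S) raises #NM when it would restore component i from a non-init image (RFBM[i] = 1 and XSTATE_BV[i] = 1) while XFD[i] = 1, and that merely initialising a component does not fault. The struct names `fpstate_model` and `fpu_guest_model`, the helper names, and the assumption that the guest buffer has room for every granted feature (so the host-side fpstate->xfd is 0) are all the example's own.

```c
/*
 * Added illustration, not kernel code: a user-space model of the XFD/XRSTOR
 * interaction the commit message describes. No XSAVE/XRSTOR is executed;
 * the hardware rule is modelled in software.
 *
 * Modelled rule (assumption): XRSTOR(S) raises #NM when it would restore a
 * state component i from a non-init image (RFBM[i] = 1 and XSTATE_BV[i] = 1)
 * while XFD[i] = 1. Components that are only initialised do not fault.
 */
#include <stdint.h>
#include <stdio.h>

#define XFEATURE_MASK_FPSSE      0x3ULL           /* x87 + SSE, always present */
#define XFEATURE_MASK_XTILECFG   (1ULL << 17)
#define XFEATURE_MASK_XTILEDATA  (1ULL << 18)
#define XFEATURE_MASK_XTILE      (XFEATURE_MASK_XTILECFG | XFEATURE_MASK_XTILEDATA)

#define NM_FAULT (-1)

/* Stand-in (invented name) for the parts of struct fpstate the model needs */
struct fpstate_model {
	uint64_t xfeatures;   /* components the buffer has room for */
	uint64_t xfd;         /* XFD value the host arms around XSAVE/XRSTOR of this buffer */
	uint64_t xstate_bv;   /* XSAVE header XSTATE_BV: bit i set => component i is non-init in memory */
};

/* Stand-in for struct fpu_guest after the patch: guest MSR value kept apart from fpstate->xfd */
struct fpu_guest_model {
	struct fpstate_model fpstate;
	uint64_t xfd;         /* guest-visible MSR_IA32_XFD, the field the patch adds */
};

/* The modelled hardware rule. Returns 0 on success, NM_FAULT if the restore would #NM. */
static int xrstor_model(uint64_t xstate_bv, uint64_t rfbm, uint64_t msr_xfd)
{
	uint64_t restored_from_memory = rfbm & xstate_bv;

	return (restored_from_memory & msr_xfd) ? NM_FAULT : 0;
}

/*
 * Constructed scenario: the guest was granted AMX, so its buffer has room for
 * the tile components and the host-side fpstate->xfd stays 0 (assumption).
 * The buffer holds a non-init tile image (e.g. from a save taken before the
 * guest armed XFD) and the guest-visible XFD now has the XTILEDATA bit set.
 */
static void build_scenario(struct fpu_guest_model *g)
{
	g->fpstate.xfeatures = XFEATURE_MASK_FPSSE | XFEATURE_MASK_XTILE;
	g->fpstate.xfd       = 0;
	g->fpstate.xstate_bv = XFEATURE_MASK_FPSSE | XFEATURE_MASK_XTILE;
	g->xfd               = XFEATURE_MASK_XTILEDATA;
}

/* Before the patch: fpstate->xfd mirrored the guest MSR, so the host XRSTOR ran with it. */
static int restore_old_scheme(void)
{
	struct fpu_guest_model g;

	build_scenario(&g);
	g.fpstate.xfd = g.xfd;   /* what the removed fpu_update_guest_xfd() and the old vmexit sync did */
	return xrstor_model(g.fpstate.xstate_bv, g.fpstate.xfeatures, g.fpstate.xfd);
}

/* After the patch: the host XRSTOR uses fpstate->xfd; the guest value is armed only afterwards. */
static int restore_new_scheme(void)
{
	struct fpu_guest_model g;
	int ret;

	build_scenario(&g);
	ret = xrstor_model(g.fpstate.xstate_bv, g.fpstate.xfeatures, g.fpstate.xfd);
	/* fpu_load_guest_fpstate(): xfd_set_state(gfpu->xfd) runs after the restore, so g.xfd is not used here */
	return ret;
}

int main(void)
{
	printf("old scheme (XRSTOR with guest XFD):    %s\n",
	       restore_old_scheme() == NM_FAULT ? "#NM on the host" : "ok");
	printf("new scheme (XRSTOR with fpstate->xfd): %s\n",
	       restore_new_scheme() == NM_FAULT ? "#NM on the host" : "ok");
	return 0;
}
```

The old scheme faults because the guest's XFD bit 18 is armed while the buffer still carries non-init XTILEDATA; the new scheme restores with the host-side mask and only then arms the guest value, which is the ordering fpu_load_guest_fpstate() implements in the patch.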