From nobody Thu Apr  2 18:46:13 2026
Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com
 [209.85.128.47])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 94D892DE6F3
	for <linux-kernel@vger.kernel.org>; Thu, 12 Feb 2026 10:29:04 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.128.47
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1770892147; cv=none;
 b=j6LFnRXbPvc966AJplkOF0SLzGKYOMUwivYgEKR5lmqBn8lSYQvEs2WzlPeLoo85gkmv10gbUhh+6g1/Mtq/5YdyG/tIUqgvgu33kfQiutZKNxORm6q8jAPiIyjYuyXTLxORDH+RujkXxRkSCuOYPaoTWY8DlJUJBgzaidA5FS0=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1770892147; c=relaxed/simple;
	bh=OJmNjBofLJOddVm/FKRMh+3l2G7M2Vx8ilcqxiy8HAo=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type;
 b=Vdec27nTUGLqKcVUab5PEhz/RTXwRCQH0OdHAejyjGMtaV4sP1/J1VIEFLpRm6ROuEVKQ48fcLMM6h4oIvtAsWddsZmo4dCmVkzk9/9JLYYb1TLgYtKAFOCVO0J5bPel8xmyJodCUBUGGXKB85yjq7JWFbqollWIGa7D6DuEMik=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=PXShR+sm; arc=none smtp.client-ip=209.85.128.47
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="PXShR+sm"
Received: by mail-wm1-f47.google.com with SMTP id
 5b1f17b1804b1-4833115090dso27200015e9.3
        for <linux-kernel@vger.kernel.org>;
 Thu, 12 Feb 2026 02:29:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1770892143; x=1771496943;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=4ukC8L7aMMcFiC9OBGhE3kC51+n1YuHXGUHKK89uyTY=;
        b=PXShR+smA5bb5z6JWrNAca3rl2fF04eH/iN7kcVRZ74cfS3cXlbGjv0Glti6QlEXAb
         yGXWfq9aJcUcck1WWY/ZL4fX1sGCobXWLLq5p7jjvLFlroHNn4hD9DRuXbzeyKoszZ3B
         pAmYZv467dNV4L0e3JUxw6d5C9QxYWtW1KvNvY5k5Kxzb3mal02La/JmPoQkaS6otdVL
         yzMH/W2x4bJykTIdn2ds72TK/bndi0Q0F+YwoFpufdBK5QKutN7zZ3mKTPpOIEpbNF6h
         odhnF1ST6HqxlnFYIrBim/jVOgfwxmkikaubcuLqAM45HZNlmB8WARf8CT1ezt/Q3YGr
         2A/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1770892143; x=1771496943;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=4ukC8L7aMMcFiC9OBGhE3kC51+n1YuHXGUHKK89uyTY=;
        b=NXfi8ifIru1LUPx1Leu+rjJ8y+rOn0kfTYfQbmJuv6VBZf9xern1OC7zUgPn6JkqD3
         WPZibZIPFCyL2DYRME+h9ww6iiIE0LvJFO1czyi9bIYGgo9wnDaAlSZ0/FQoVlnK1YG1
         ceXHG/utVKTMyItjUusOzDNEJLRCel9sdEm4Pk72sonHipupeU4rub9HJKbLUet2Z7TO
         VqWNpstQJAqQGWM3eMr6EMjDhNW04Me4C/y179SUt3IEa+bQXGg4NBT9FtthSIaxr8hI
         R4i51rgEDM8HG557LsIeBYDg7EWtDY5TBf0RwaqBnYn+cJqWc6RyuwqshTVYg62IRlYT
         4VFQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCWoAES6189Cgik5FvxJcOS8vgazSZziZTnU4xe7hW3SUdJnvW2F982EcwkoqVzr3OIYp40AIU1n160TASE=@vger.kernel.org
X-Gm-Message-State: AOJu0YzZwzw712Zmx5Sto9+dFL1fsYdXCISV8P83eWZJhNJgaE06jSNH
	FOx+lja7Ok1zwX2O6SE+2N9lPJB2WjvIUOzrH1lwing31wK/0CyeGs8i
X-Gm-Gg: AZuq6aIm1PWiwgHOpWQUakOseGrZ9+/4i4XqwaeOw0RbltXSgI9w6Mlr+/SZgeBiu0t
	95TawyV04SoZqykGHwh9gNLYfqziHPPfckDMvm7FsAs23KxvLCN2oeEnDGjDZ1d672fGWnYPktZ
	Pkv6eGqjrLMjbMzGOkBKcvnRA1DYzmQT8E0bVgE2EetJYtrFdPzaKLd6Rawim9/CpMVMeUgRzNq
	Zd96hVguXXAT7PnHavXikcSI+vS3XXcTT5KM/0zvfKYdBwXCU+U0+5ZaAp3TYPqejqhXQK3xUuY
	30TYlJRIf29+BQItpobnxLh+w6C6Ezq4lk7TTT3i4/xLIL1x6EaxJ1Fq9Vrk9YgR2lroje3qTBO
	Mcrne5kur/aIUzyA9sLbphxdpVXFJyrzwWvaRmfX9lKip/aoNKCdNDT2nc+tgtzh0/G+nZhgIpW
	ariIKOu6h3nKD7KhwPEeiaJUN+dqfkF42YPWOJJ6wumGj5/crd3WnBM5E=
X-Received: by 2002:a05:600c:64c9:b0:477:76bf:e1fb with SMTP id
 5b1f17b1804b1-48367113bfbmr27264285e9.16.1770892142588;
        Thu, 12 Feb 2026 02:29:02 -0800 (PST)
Received: from fedora ([193.77.86.199])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-4834d5d77f9sm200650115e9.3.2026.02.12.02.29.01
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 12 Feb 2026 02:29:02 -0800 (PST)
From: Uros Bizjak <ubizjak@gmail.com>
To: kvm@vger.kernel.org,
	x86@kernel.org,
	linux-kernel@vger.kernel.org
Cc: Uros Bizjak <ubizjak@gmail.com>,
	Sean Christopherson <seanjc@google.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Thomas Gleixner <tglx@kernel.org>,
	Ingo Molnar <mingo@kernel.org>,
	Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	"H. Peter Anvin" <hpa@zytor.com>
Subject: [PATCH] KVM: x86: Fix incorrect memory constraint for FXSAVE in
 emulator
Date: Thu, 12 Feb 2026 11:27:59 +0100
Message-ID: <20260212102854.15790-1-ubizjak@gmail.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

The inline asm used to invoke FXSAVE in em_fxsave() and fxregs_fixup()
incorrectly specifies the memory operand as read-write ("+m"). FXSAVE
does not read from the destination operand; it only writes the current
FPU state to memory.

Using a read-write constraint is incorrect and misleading, as it tells
the compiler that the previous contents of the buffer are consumed by
the instruction. In both cases, the buffer passed to FXSAVE is
uninitialized, and marking it as read-write can therefore create a
false dependency on uninitialized memory.

Fix the constraint to write-only ("=3Dm") to accurately describe the
instruction=E2=80=99s behavior and avoid implying that the buffer is read.

No functional change intended.

Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Thomas Gleixner <tglx@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
---
 arch/x86/kvm/emulate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index c8e292e9a24d..d60094080e3f 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -3717,7 +3717,7 @@ static int em_fxsave(struct x86_emulate_ctxt *ctxt)
=20
 	kvm_fpu_get();
=20
-	rc =3D asm_safe("fxsave %[fx]", , [fx] "+m"(fx_state));
+	rc =3D asm_safe("fxsave %[fx]", , [fx] "=3Dm"(fx_state));
=20
 	kvm_fpu_put();
=20
@@ -3741,7 +3741,7 @@ static noinline int fxregs_fixup(struct fxregs_state =
*fx_state,
 	struct fxregs_state fx_tmp;
 	int rc;
=20
-	rc =3D asm_safe("fxsave %[fx]", , [fx] "+m"(fx_tmp));
+	rc =3D asm_safe("fxsave %[fx]", , [fx] "=3Dm"(fx_tmp));
 	memcpy((void *)fx_state + used_size, (void *)&fx_tmp + used_size,
 	       __fxstate_size(16) - used_size);
=20
--=20
2.53.0