From nobody Sun Feb 8 13:38:41 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 369A5392830 for ; Thu, 22 Jan 2026 03:22:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769052175; cv=none; b=SzyLiFZDEqQTVtDzx20LTRrz8Z2nGZUPfXPzvbt4LPKFWIWpBvUpnyaWzMr/C32Tk1dvKefvE1ueD9QOgCGUB7yal2UtvsiKrDPMK7zZQoIkBhYozvhPONHwNfYyEXRagJ6TgdxQ8UCeTAy9+SObUK+FCv7MCjtHQft/FwlNCec= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769052175; c=relaxed/simple; bh=gWnk5DApdpLUvEV5FwZt3GL67kc3Eg/pEY9R25h8Yas=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=nImZnQ1PeesSqas8PSmGjPnn26FtitM58Cg/UpF5cKyOYsNXvf2qxoSIDWUBuGJdYTgyfBPhmZBbroL6qi5umykV1Y0NQ8mSDQVR3trfm86YEMth9bauJUopKUM5RwvS8BiV6ZutqXY2cgaRx10To6l/GU9jFvwA/HeYV8ABDew= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=dLgnGI/x; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="dLgnGI/x" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6ACDFC116C6; Thu, 22 Jan 2026 03:22:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1769052174; bh=gWnk5DApdpLUvEV5FwZt3GL67kc3Eg/pEY9R25h8Yas=; h=From:To:Cc:Subject:Date:From; b=dLgnGI/xjJr3ZYkxD5E9O+WG3mlxqTfdreb2MsRVA9tKiVYROJiIyzaKtuHN373BH sq0XSRLnpO2ptqwvtZPMB7QN+D2z7dYw/w/KbSkMJs2S9Ym9lWd2XSpLnyDWvC/BW/ TDAut6bPe/OZH9tL+rJWFnkJlASdUo1ccY83jbfKiKR3PfmPtFCHn92d9YhWvGFqU/ jEtONeOS1Hi/ldfXu8cRMQeet42yRkF+ykyDDZCL7YfEeSbg8MTgROko6cAv/2662B zJi373VFkJkeOk5g4p+TMiKs6yONx5hVbKUQVhz+Gt8nRu40R6svhuU6f01VWUXO2h HiBl9GLLbUXVw== From: Josh Poimboeuf To: x86@kernel.org Cc: linux-kernel@vger.kernel.org, Ajay Kaher , Alexey Makhalov , bcm-kernel-feedback-list@broadcom.com, Peter Zijlstra , Justin Forbes Subject: [PATCH] x86/vmware: Fix hypercall clobbers Date: Wed, 21 Jan 2026 19:18:51 -0800 Message-ID: X-Mailer: git-send-email 2.52.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Fedora QA reported the following panic: BUG: unable to handle page fault for address: 0000000040003e54 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 1082ec067 P4D 0 Oops: Oops: 0002 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.19.0-0.rc4.260108gf0b9= d8eb98df.34.fc43.x86_64 #1 PREEMPT(lazy) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20251119-3.= fc43 11/19/2025 RIP: 0010:vmware_hypercall4.constprop.0+0x52/0x90 Code: 48 83 c4 20 5b e9 69 f0 fc fe 8b 05 a0 c1 b2 01 85 c0 74 23 b8 68 5= 8 4d 56 b9 27 00 00 00 31 d2 bb 04 00 00 00 66 ba 58 56 ed <89> 1f 89 0e 41= 89 10 5b e9 3c f0 fc fe 6a 00 49 89 f9 45 31 c0 31 RSP: 0018:ff5eeb3240003e40 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 000000000000ffca RCX: 000000000000ffac RDX: 0000000000000000 RSI: 0000000040003e58 RDI: 0000000040003e54 RBP: ff1e05f3c1204800 R08: ff5eeb3240003e5c R09: 000000009d899c41 R10: 000000000000003d R11: ff5eeb3240003ff8 R12: 0000000000000000 R13: 00000000000000ff R14: ff1e05f3c02f9e00 R15: 000000000000000c FS: 0000000000000000(0000) GS:ff1e05f489e40000(0000) knlGS:0000000000000= 000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000040003e54 CR3: 000000010841d002 CR4: 0000000000771ef0 PKRU: 55555554 Call Trace: vmmouse_report_events+0x13e/0x1b0 psmouse_handle_byte+0x15/0x60 ps2_interrupt+0x8a/0xd0 ... The panic was triggered by dereferencing a bad pointer (in RDI) immediately after a VMware hypercall: ffffffff82135070 : ... ffffffff821350ac: b8 68 58 4d 56 mov $0x564d5868,%eax ffffffff821350b1: b9 27 00 00 00 mov $0x27,%ecx ffffffff821350b6: 31 d2 xor %edx,%edx ffffffff821350b8: bb 04 00 00 00 mov $0x4,%ebx ffffffff821350bd: 66 ba 58 56 mov $0x5658,%dx ffffffff821350c1: ed in (%dx),%eax <-- hyp= ercall ffffffff821350c2: 89 1f mov %ebx,(%rdi) <-- cr= ash Reading the disassembly shows that RDI should contain the value of a valid kernel stack address here (0xff5eeb3240003e54). Instead it contains 0x40003e54, suggesting the hypervisor cleared the upper 32 bits. This issue was bisected to commit aca282ab7e75 ("x86/asm: Annotate special section entries"), which added annotations to the ALTERNATIVE() macro. Despite the use of asm_inline, that commit caused the compiler to un-inline and const-propagate vmware_hypercall4(). That made RDI live across the hypercall, making the hypervisor's register clobbering visible and exposing this latent bug. The open-vm-tools reference implementation treats all six registers as clobbered for all hypercalls. Match that behavior here. Fixes: 34bf25e820ae ("x86/vmware: Introduce VMware hypercall API") Fixes: aca282ab7e75 ("x86/asm: Annotate special section entries") Reported-by: Justin Forbes Signed-off-by: Josh Poimboeuf --- arch/x86/include/asm/vmware.h | 72 +++++++++++++++++------------------ 1 file changed, 34 insertions(+), 38 deletions(-) diff --git a/arch/x86/include/asm/vmware.h b/arch/x86/include/asm/vmware.h index c9cf43d5ef23..372173d4ea27 100644 --- a/arch/x86/include/asm/vmware.h +++ b/arch/x86/include/asm/vmware.h @@ -98,7 +98,7 @@ extern unsigned long vmware_tdx_hypercall(unsigned long c= md, static inline unsigned long vmware_hypercall1(unsigned long cmd, unsigned long in1) { - unsigned long out0; + unsigned long out0, tmp =3D 0; =20 if (cpu_feature_enabled(X86_FEATURE_TDX_GUEST)) return vmware_tdx_hypercall(cmd, in1, 0, 0, 0, @@ -109,13 +109,11 @@ unsigned long vmware_hypercall1(unsigned long cmd, un= signed long in1) NULL, NULL, NULL, NULL, NULL); =20 asm_inline volatile (VMWARE_HYPERCALL - : "=3Da" (out0) + : "=3Da" (out0), "+b" (in1), "+c" (cmd), "+d" (tmp) : [port] "i" (VMWARE_HYPERVISOR_PORT), - "a" (VMWARE_HYPERVISOR_MAGIC), - "b" (in1), - "c" (cmd), - "d" (0) - : "cc", "memory"); + "a" (VMWARE_HYPERVISOR_MAGIC) + : "di", "si", "cc", "memory"); + return out0; } =20 @@ -123,7 +121,7 @@ static inline unsigned long vmware_hypercall3(unsigned long cmd, unsigned long in1, u32 *out1, u32 *out2) { - unsigned long out0; + unsigned long out0, tmp =3D 0; =20 if (cpu_feature_enabled(X86_FEATURE_TDX_GUEST)) return vmware_tdx_hypercall(cmd, in1, 0, 0, 0, @@ -134,13 +132,13 @@ unsigned long vmware_hypercall3(unsigned long cmd, un= signed long in1, out1, out2, NULL, NULL, NULL); =20 asm_inline volatile (VMWARE_HYPERCALL - : "=3Da" (out0), "=3Db" (*out1), "=3Dc" (*out2) + : "=3Da" (out0), "=3Db" (*out1), "=3Dc" (*out2), "+d" (tmp) : [port] "i" (VMWARE_HYPERVISOR_PORT), "a" (VMWARE_HYPERVISOR_MAGIC), "b" (in1), - "c" (cmd), - "d" (0) - : "cc", "memory"); + "c" (cmd) + : "di", "si", "cc", "memory"); + return out0; } =20 @@ -165,7 +163,8 @@ unsigned long vmware_hypercall4(unsigned long cmd, unsi= gned long in1, "b" (in1), "c" (cmd), "d" (0) - : "cc", "memory"); + : "di", "si", "cc", "memory"); + return out0; } =20 @@ -185,15 +184,13 @@ unsigned long vmware_hypercall5(unsigned long cmd, un= signed long in1, NULL, out2, NULL, NULL, NULL); =20 asm_inline volatile (VMWARE_HYPERCALL - : "=3Da" (out0), "=3Dc" (*out2) + : "=3Da" (out0), "+b" (in1), "=3Dc" (*out2), "+d" (in3), + "+S" (in4), "+D" (in5) : [port] "i" (VMWARE_HYPERVISOR_PORT), "a" (VMWARE_HYPERVISOR_MAGIC), - "b" (in1), - "c" (cmd), - "d" (in3), - "S" (in4), - "D" (in5) + "c" (cmd) : "cc", "memory"); + return out0; } =20 @@ -213,14 +210,14 @@ unsigned long vmware_hypercall6(unsigned long cmd, un= signed long in1, NULL, out2, out3, out4, out5); =20 asm_inline volatile (VMWARE_HYPERCALL - : "=3Da" (out0), "=3Dc" (*out2), "=3Dd" (*out3), "=3DS" (*out4), - "=3DD" (*out5) + : "=3Da" (out0), "+b" (in1), "=3Dc" (*out2), "=3Dd" (*out3), + "=3DS" (*out4), "=3DD" (*out5) : [port] "i" (VMWARE_HYPERVISOR_PORT), "a" (VMWARE_HYPERVISOR_MAGIC), - "b" (in1), "c" (cmd), "d" (in3) : "cc", "memory"); + return out0; } =20 @@ -241,15 +238,15 @@ unsigned long vmware_hypercall7(unsigned long cmd, un= signed long in1, out1, out2, out3, NULL, NULL); =20 asm_inline volatile (VMWARE_HYPERCALL - : "=3Da" (out0), "=3Db" (*out1), "=3Dc" (*out2), "=3Dd" (*out3) + : "=3Da" (out0), "=3Db" (*out1), "=3Dc" (*out2), "=3Dd" (*out3), + "+S" (in4), "+D" (in5) : [port] "i" (VMWARE_HYPERVISOR_PORT), "a" (VMWARE_HYPERVISOR_MAGIC), "b" (in1), "c" (cmd), - "d" (in3), - "S" (in4), - "D" (in5) + "d" (in3) : "cc", "memory"); + return out0; } =20 @@ -272,7 +269,9 @@ unsigned long vmware_hypercall_hb_out(unsigned long cmd= , unsigned long in2, unsigned long in5, unsigned long in6, u32 *out1) { - unsigned long out0; + unsigned long out0, port; + + port =3D in3 | VMWARE_HYPERVISOR_PORT_HB; =20 asm_inline volatile ( UNWIND_HINT_SAVE @@ -282,15 +281,13 @@ unsigned long vmware_hypercall_hb_out(unsigned long c= md, unsigned long in2, "rep outsb\n\t" "pop %%" _ASM_BP "\n\t" UNWIND_HINT_RESTORE - : "=3Da" (out0), "=3Db" (*out1) + : "=3Da" (out0), "=3Db" (*out1), "+c" (in2), "+d" (port), + "+S" (in4), "+D" (in5) : "a" (VMWARE_HYPERVISOR_MAGIC), "b" (cmd), - "c" (in2), - "d" (in3 | VMWARE_HYPERVISOR_PORT_HB), - "S" (in4), - "D" (in5), [in6] VMW_BP_CONSTRAINT (in6) : "cc", "memory"); + return out0; } =20 @@ -300,7 +297,9 @@ unsigned long vmware_hypercall_hb_in(unsigned long cmd,= unsigned long in2, unsigned long in5, unsigned long in6, u32 *out1) { - unsigned long out0; + unsigned long out0, port; + + port =3D in3 | VMWARE_HYPERVISOR_PORT_HB; =20 asm_inline volatile ( UNWIND_HINT_SAVE @@ -310,13 +309,10 @@ unsigned long vmware_hypercall_hb_in(unsigned long cm= d, unsigned long in2, "rep insb\n\t" "pop %%" _ASM_BP "\n\t" UNWIND_HINT_RESTORE - : "=3Da" (out0), "=3Db" (*out1) + : "=3Da" (out0), "=3Db" (*out1), "+c" (in2), "+d" (port), + "+S" (in4), "+D" (in5) : "a" (VMWARE_HYPERVISOR_MAGIC), "b" (cmd), - "c" (in2), - "d" (in3 | VMWARE_HYPERVISOR_PORT_HB), - "S" (in4), - "D" (in5), [in6] VMW_BP_CONSTRAINT (in6) : "cc", "memory"); return out0; --=20 2.52.0