From f45755b8346f1a089ca7957dce5f4c3c6cb26e6f Mon Sep 17 00:00:00 2001 From: Xiaotian Feng Date: Fri, 13 Aug 2010 15:19:11 +0800 Subject: [PATCH 1/3] KVM: fix poison overwritten caused by using wrong xstate size fpu.state is allocated from task_xstate_cachep, the size of task_xstate_cachep is xstate_size. xstate_size is set from cpuid instruction, which is often smaller than sizeof(struct xsave_struct). kvm is using sizeof(struct xsave_struct) to fill in/out fpu.state.xsave, as what we allocated for fpu.state is xstate_size, kernel will write out of memory and caused poison/redzone/padding overwritten warnings. Signed-off-by: Xiaotian Feng Reviewed-by: Sheng Yang Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: Suresh Siddha Cc: Brian Gerst Cc: Avi Kivity Cc: Robert Richter Cc: Sheng Yang Cc: Marcelo Tosatti Cc: Gleb Natapov Cc: Jan Kiszka Signed-off-by: Avi Kivity --- arch/x86/kernel/i387.c | 1 + arch/x86/kvm/x86.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c index c4444bce8469..f855658d2784 100644 --- a/arch/x86/kernel/i387.c +++ b/arch/x86/kernel/i387.c @@ -40,6 +40,7 @@ static unsigned int mxcsr_feature_mask __read_mostly = 0xffffffffu; unsigned int xstate_size; +EXPORT_SYMBOL_GPL(xstate_size); unsigned int sig_xstate_ia32_size = sizeof(struct _fpstate_ia32); static struct i387_fxsave_struct fx_scratch __cpuinitdata; diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 97aab036dabf..bb2347a69c07 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -2387,7 +2387,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu, if (cpu_has_xsave) memcpy(guest_xsave->region, &vcpu->arch.guest_fpu.state->xsave, - sizeof(struct xsave_struct)); + xstate_size); else { memcpy(guest_xsave->region, &vcpu->arch.guest_fpu.state->fxsave, @@ -2405,7 +2405,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu, if (cpu_has_xsave) memcpy(&vcpu->arch.guest_fpu.state->xsave, - guest_xsave->region, sizeof(struct xsave_struct)); + guest_xsave->region, xstate_size); else { if (xstate_bv & ~XSTATE_FPSSE) return -EINVAL; From 3185bf8c23149f32d7e7363b84539ea50b26ecb1 Mon Sep 17 00:00:00 2001 From: Xiaotian Feng Date: Fri, 13 Aug 2010 16:23:06 +0800 Subject: [PATCH 2/3] KVM: destroy workqueue on kvm_create_pit() failures kernel needs to destroy workqueue if kvm_create_pit() fails, otherwise after pit is freed, the workqueue is leaked. Signed-off-by: Xiaotian Feng Cc: Avi Kivity Cc: Marcelo Tosatti Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: Gleb Natapov Cc: "Michael S. Tsirkin" Cc: Gregory Haskins Signed-off-by: Avi Kivity --- arch/x86/kvm/i8254.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c index 0fd6378981f4..f539c3c2a687 100644 --- a/arch/x86/kvm/i8254.c +++ b/arch/x86/kvm/i8254.c @@ -742,7 +742,7 @@ fail: kvm_unregister_irq_mask_notifier(kvm, 0, &pit->mask_notifier); kvm_unregister_irq_ack_notifier(kvm, &pit_state->irq_ack_notifier); kvm_free_irq_source_id(kvm, pit->irq_source_id); - + destroy_workqueue(pit->wq); kfree(pit); return NULL; } From 6b5d7a9f6f7ff0e096829c1d82f70d5a6066b889 Mon Sep 17 00:00:00 2001 From: Xiao Guangrong Date: Tue, 17 Aug 2010 15:02:12 +0800 Subject: [PATCH 3/3] KVM: PIT: free irq source id in handling error path Free irq source id if create pit workqueue fail Signed-off-by: Xiao Guangrong Signed-off-by: Avi Kivity --- arch/x86/kvm/i8254.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c index f539c3c2a687..ddeb2314b522 100644 --- a/arch/x86/kvm/i8254.c +++ b/arch/x86/kvm/i8254.c @@ -697,6 +697,7 @@ struct kvm_pit *kvm_create_pit(struct kvm *kvm, u32 flags) pit->wq = create_singlethread_workqueue("kvm-pit-wq"); if (!pit->wq) { mutex_unlock(&pit->pit_state.lock); + kvm_free_irq_source_id(kvm, pit->irq_source_id); kfree(pit); return NULL; }