From a0289c3119ad892f02ef8f5bfc1ab86ed7ea5864 Mon Sep 17 00:00:00 2001
From: Keir Fraser
Date: Wed, 2 Dec 2009 13:39:07 +0000
Subject: [PATCH] vmx: During task-switch, read instr-len VMCS field only when valid.
Otherwise we can crash on the BUG_ON() in __get_instruction_length().
Signed-off-by: Keir Fraser
---
xen/arch/x86/hvm/vmx/vmx.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 2f87760836..20c30c5612 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -2521,16 +2521,18 @@ asmlinkage void vmx_vmexit_handler(struct cpu_user_regs *regs)
 int32_t ecode = -1, source;
 exit_qualification = __vmread(EXIT_QUALIFICATION);
 source = (exit_qualification >> 30) & 3;
- inst_len = __get_instruction_length(); /* Safe: See SDM 3B 23.2.4 */
- if ( (source == 3) && (idtv_info & INTR_INFO_VALID_MASK) )
- {
- /* ExtInt, NMI, HWException: no instruction to skip over. */
- if ( !(idtv_info & (1u<<10)) ) /* 0 <= IntrType <= 3? */
- inst_len = 0;
- /* If there's an error code then we pass it along. */
- if ( idtv_info & INTR_INFO_DELIVER_CODE_MASK )
- ecode = __vmread(IDT_VECTORING_ERROR_CODE);
- }
+ /* Vectored event should fill in interrupt information. */
+ WARN_ON((source == 3) && !(idtv_info & INTR_INFO_VALID_MASK));
+ /*
+ * In the following cases there is an instruction to skip over:
+ * - TSW is due to a CALL, IRET or JMP instruction.
+ * - TSW is a vectored event due to a SW exception or SW interrupt.
+ */
+ inst_len = ((source != 3) || /* CALL, IRET, or JMP? */
+ (idtv_info & (1u<<10))) /* IntrType > 3? */
+ ? __get_instruction_length() /* Safe: SDM 3B 23.2.4 */ : 0;
+ if ( (source == 3) && (idtv_info & INTR_INFO_DELIVER_CODE_MASK) )
+ ecode = __vmread(IDT_VECTORING_ERROR_CODE);
 regs->eip += inst_len;
 hvm_task_switch((uint16_t)exit_qualification, reasons[source], ecode);
 break;
-- 
2.30.2
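Review bot: The rewritten inst_len expression and the new ecode condition both drop the INTR_INFO_VALID_MASK test that the removed block had; only the WARN_ON still checks it. When source == 3 and the valid bit is clear (exactly the case the WARN_ON reports), the type bit `1u<<10` and INTR_INFO_DELIVER_CODE_MASK are read from a field whose remaining bits are presumably not meaningful, so the code may still call __get_instruction_length() — the BUG_ON path the commit message is avoiding — or read IDT_VECTORING_ERROR_CODE from a stale field. Gating both on the valid bit preserves the intent: use `(idtv_info & INTR_INFO_VALID_MASK) && (idtv_info & (1u<<10))` as the second operand of the inst_len test and `if ( (source == 3) && (idtv_info & INTR_INFO_VALID_MASK) && (idtv_info & INTR_INFO_DELIVER_CODE_MASK) )` for the error-code read. A named mask for bit 10 of the interruption-info type field would also make the `IntrType > 3?` comment self-evident. vmx_vmexit_handler starts and ends outside the hunk.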