Commit 2bf3e74d authored Feb 26, 2018 by Justin Terry (VM) Committed by Paolo Bonzini Mar 06, 2018

Fix WHPX issue leaking tpr values

Fixes an issue where if the tpr is assigned to the array but not a different
value from what is already expected on the vp the code will skip incrementing
the reg_count. In this case its possible that we set an invalid memory section
of the next call for DeliverabilityNotifications that was not expected.

The fix is to use a local variable to store the temporary tpr and only update
the array if the local tpr value is different than the vp context.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
Message-Id: <1519665216-1078-7-git-send-email-juterry@microsoft.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Justin Terry (VM) via Qemu-devel <qemu-devel@nongnu.org>

parent f875f04c

target/i386/whpx-all.c

+5 −3

Original line number	Diff line number	Diff line
		@@ -687,6 +687,7 @@ static void whpx_vcpu_pre_run(CPUState *cpu)
		struct CPUX86State env = (CPUArchState )(cpu->env_ptr);
		X86CPU *x86_cpu = X86_CPU(cpu);
		int irq;
		uint8_t tpr;
		WHV_X64_PENDING_INTERRUPTION_REGISTER new_int = {0};
		UINT32 reg_count = 0;
		WHV_REGISTER_VALUE reg_values[3] = {0};
		@@ -746,9 +747,10 @@ static void whpx_vcpu_pre_run(CPUState *cpu)
		}

		/* Sync the TPR to the CR8 if was modified during the intercept */
		reg_values[reg_count].Reg64 = cpu_get_apic_tpr(x86_cpu->apic_state);
		if (reg_values[reg_count].Reg64 != vcpu->tpr) {
		vcpu->tpr = reg_values[reg_count].Reg64;
		tpr = cpu_get_apic_tpr(x86_cpu->apic_state);
		if (tpr != vcpu->tpr) {
		vcpu->tpr = tpr;
		reg_values[reg_count].Reg64 = tpr;
		cpu->exit_request = 1;
		reg_names[reg_count] = WHvX64RegisterCr8;
		reg_count += 1;