From patchwork Wed Apr 14 14:57:11 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 92418
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter.kernel.org (8.14.3/8.14.3) with ESMTP id o3EEvmQq000624
	for <patchwork-kvm@patchwork.kernel.org>;
	Wed, 14 Apr 2010 14:57:49 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755920Ab0DNO52 (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Wed, 14 Apr 2010 10:57:28 -0400
Received: from thoth.sbs.de ([192.35.17.2]:18370 "EHLO thoth.sbs.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1755915Ab0DNO5Z (ORCPT <rfc822;kvm@vger.kernel.org>);
	Wed, 14 Apr 2010 10:57:25 -0400
Received: from mail1.siemens.de (localhost [127.0.0.1])
	by thoth.sbs.de (8.12.11.20060308/8.12.11) with ESMTP id
	o3EEvCuI016858; Wed, 14 Apr 2010 16:57:12 +0200
Received: from [139.25.109.167] (mchn012c.mchp.siemens.de [139.25.109.167]
	(may be forged))
	by mail1.siemens.de (8.12.11.20060308/8.12.11) with ESMTP id
	o3EEvBb5032378; Wed, 14 Apr 2010 16:57:12 +0200
Message-ID: <4BC5D7C7.7090406@siemens.com>
Date: Wed, 14 Apr 2010 16:57:11 +0200
From: Jan Kiszka <jan.kiszka@siemens.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de;
	rv:1.8.1.12) Gecko/20080226 SUSE/2.0.0.12-1.1
	Thunderbird/2.0.0.12 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: Avi Kivity <avi@redhat.com>, Marcelo Tosatti <mtosatti@redhat.com>
CC: kvm <kvm@vger.kernel.org>
Subject: [PATCH][STABLE] KVM: x86: Fix TSS size check for 16-bit tasks
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.3 (demeter.kernel.org [140.211.167.41]);
	Wed, 14 Apr 2010 14:57:50 +0000 (UTC)


diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index e46282a..35eabd8 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5145,6 +5145,7 @@ int kvm_task_switch(struct kvm_vcpu *vcpu, u16 tss_selector, int reason)
 	int ret = 0;
 	u32 old_tss_base = get_segment_base(vcpu, VCPU_SREG_TR);
 	u16 old_tss_sel = get_segment_selector(vcpu, VCPU_SREG_TR);
+	u32 desc_limit;
 
 	old_tss_base = kvm_mmu_gva_to_gpa_write(vcpu, old_tss_base, NULL);
 
@@ -5167,7 +5168,10 @@ int kvm_task_switch(struct kvm_vcpu *vcpu, u16 tss_selector, int reason)
 		}
 	}
 
-	if (!nseg_desc.p || get_desc_limit(&nseg_desc) < 0x67) {
+	desc_limit = get_desc_limit(&nseg_desc);
+	if (!nseg_desc.p ||
+	    ((desc_limit < 0x67 && (nseg_desc.type & 8)) ||
+	     desc_limit < 0x2b)) {
 		kvm_queue_exception_e(vcpu, TS_VECTOR, tss_selector & 0xfffc);
 		return 1;
 	}