cpu: x86: Check for invalid CPU data from hypervisor

Recently a kernel bug caused QEMU to report a CPU feature as enabled while listing it in the "unavailable-features" list of features that were requested, but could not be enabled. The feature was actually enabled, but we marked it as disabled when starting a domain. Later when the domain is migrated, the destination requests the feature to be disabled, which breaks the guest ABI or if we are lucky QEMU just fails to load the migration stream. Let's make similar bugs more visible in the future by refusing to even start the domain. Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2024-09-20 06:31:28 +00:00 · 2024-02-29 18:28:02 +01:00 · 2024-02-29 18:28:02 +01:00 · ac120f1855
commit ac120f1855
parent bdee774285
1 changed files with 8 additions and 0 deletions
--- a/src/cpu/cpu_x86.c
+++ b/src/cpu/cpu_x86.c
@ -3019,6 +3019,14 @@ virCPUx86UpdateLive(virCPUDef *cpu,
                 x86DataIsSubset(&modelDisabled->data, &feature->data))
            expected = VIR_CPU_FEATURE_DISABLE;

+        if (x86DataIsSubset(&enabled, &feature->data) &&
+            x86DataIsSubset(&disabled, &feature->data)) {
+            virReportError(VIR_ERR_OPERATION_FAILED,
+                           _("hypervisor provided conflicting CPU data: feature '%1$s' is both enabled and disabled at the same time"),
+                           feature->name);
+            return -1;
+        }
+
        if (expected == VIR_CPU_FEATURE_DISABLE &&
            x86DataIsSubset(&enabled, &feature->data)) {
            VIR_DEBUG("Feature '%s' enabled by the hypervisor", feature->name);