cpu: x86: Check for invalid CPU data from hypervisor

Recently a kernel bug caused QEMU to report a CPU feature as enabled
while listing it in the "unavailable-features" list of features that
were requested, but could not be enabled. The feature was actually
enabled, but we marked it as disabled when starting a domain. Later when
the domain is migrated, the destination requests the feature to be
disabled, which breaks the guest ABI or if we are lucky QEMU just fails
to load the migration stream.

Let's make similar bugs more visible in the future by refusing to even
start the domain.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>

diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c
index 6b2531b360028e36bd525f7ee5ba9d53a6e6db93..e8409ce616f5a6d3ce50f4c55063af610f16ba68 100644 (file)
--- a/src/cpu/cpu_x86.c
+++ b/src/cpu/cpu_x86.c
@@ -3019,6 +3019,14 @@ virCPUx86UpdateLive(virCPUDef *cpu,
                  x86DataIsSubset(&modelDisabled->data, &feature->data))
             expected = VIR_CPU_FEATURE_DISABLE;
 
+        if (x86DataIsSubset(&enabled, &feature->data) &&
+            x86DataIsSubset(&disabled, &feature->data)) {
+            virReportError(VIR_ERR_OPERATION_FAILED,
+                           _("hypervisor provided conflicting CPU data: feature '%1$s' is both enabled and disabled at the same time"),
+                           feature->name);
+            return -1;
+        }
+
         if (expected == VIR_CPU_FEATURE_DISABLE &&
             x86DataIsSubset(&enabled, &feature->data)) {
             VIR_DEBUG("Feature '%s' enabled by the hypervisor", feature->name);