[PATCH v2] x86: don't allow clearing of TF_kernel_mode for other than 64-bit PV

[PATCH v2] x86: don't allow clearing of TF_kernel_mode for other than 64-bit PV

[Jan Beulich]

The flag is really only meant for those, both HVM and 32-bit PV tell
kernel from user mode based on CPL/RPL. Remove the all-question-marks
comment and let's be on the safe side here and also suppress clearing
for 32-bit PV (this isn't a fast path after all).

Remove no longer necessary is_pv_32bit_*() from sh_update_cr3() and
sh_walk_guest_tables(). Note that shadow_one_bit_disable() already
assumes the new behavior.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
v2: Also adjust shadow code.

--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -843,9 +843,15 @@ int arch_set_info_guest(
             return -EINVAL;
     }
 
-    v->arch.flags &= ~TF_kernel_mode;
-    if ( (flags & VGCF_in_kernel) || is_hvm_domain(d)/*???*/ )
-        v->arch.flags |= TF_kernel_mode;
+    v->arch.flags |= TF_kernel_mode;
+    if ( unlikely(!(flags & VGCF_in_kernel)) &&
+         /*
+          * TF_kernel_mode is only allowed to be clear for 64-bit PV. See
+          * update_cr3(), sh_update_cr3(), sh_walk_guest_tables(), and
+          * shadow_one_bit_disable() for why that is.
+          */
+         !is_hvm_domain(d) && !is_pv_32bit_domain(d) )
+        v->arch.flags &= ~TF_kernel_mode;
 
     v->arch.vgc_flags = flags;
 
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -180,7 +180,7 @@ sh_walk_guest_tables(struct vcpu *v, uns
                              INVALID_MFN, v->arch.paging.shadow.gl3e);
 #else /* 32 or 64 */
     const struct domain *d = v->domain;
-    mfn_t root_mfn = ((v->arch.flags & TF_kernel_mode) || is_pv_32bit_domain(d)
+    mfn_t root_mfn = (v->arch.flags & TF_kernel_mode
                       ? pagetable_get_mfn(v->arch.guest_table)
                       : pagetable_get_mfn(v->arch.guest_table_user));
     void *root_map = map_domain_page(root_mfn);
@@ -4025,7 +4025,7 @@ sh_update_cr3(struct vcpu *v, int do_loc
                   v, (unsigned long)pagetable_get_pfn(v->arch.guest_table));
 
 #if GUEST_PAGING_LEVELS == 4
-    if ( !(v->arch.flags & TF_kernel_mode) && !is_pv_32bit_domain(d) )
+    if ( !(v->arch.flags & TF_kernel_mode) )
         gmfn = pagetable_get_mfn(v->arch.guest_table_user);
     else
 #endif





_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2] x86: don't allow clearing of TF_kernel_mode for other than 64-bit PV

[Wei Liu]

On Mon, Mar 11, 2019 at 10:37:44AM -0600, Jan Beulich wrote:
> The flag is really only meant for those, both HVM and 32-bit PV tell
> kernel from user mode based on CPL/RPL. Remove the all-question-marks
> comment and let's be on the safe side here and also suppress clearing
> for 32-bit PV (this isn't a fast path after all).
> 
> Remove no longer necessary is_pv_32bit_*() from sh_update_cr3() and
> sh_walk_guest_tables(). Note that shadow_one_bit_disable() already
> assumes the new behavior.
> 
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Wei Liu <wei.liu2@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2] x86: don't allow clearing of TF_kernel_mode for other than 64-bit PV

[George Dunlap]

On 3/11/19 4:37 PM, Jan Beulich wrote:
> The flag is really only meant for those, both HVM and 32-bit PV tell
> kernel from user mode based on CPL/RPL. Remove the all-question-marks
> comment and let's be on the safe side here and also suppress clearing
> for 32-bit PV (this isn't a fast path after all).
> 
> Remove no longer necessary is_pv_32bit_*() from sh_update_cr3() and
> sh_walk_guest_tables(). Note that shadow_one_bit_disable() already
> assumes the new behavior.
> 
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Acked-by: George Dunlap <george.dunlap@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Ping: [PATCH v2] x86: don't allow clearing of TF_kernel_mode for other than 64-bit PV

[Jan Beulich]

>>> On 19.03.19 at 18:01, <george.dunlap@citrix.com> wrote:
> On 3/11/19 4:37 PM, Jan Beulich wrote:
>> The flag is really only meant for those, both HVM and 32-bit PV tell
>> kernel from user mode based on CPL/RPL. Remove the all-question-marks
>> comment and let's be on the safe side here and also suppress clearing
>> for 32-bit PV (this isn't a fast path after all).
>> 
>> Remove no longer necessary is_pv_32bit_*() from sh_update_cr3() and
>> sh_walk_guest_tables(). Note that shadow_one_bit_disable() already
>> assumes the new behavior.
>> 
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> 
> Acked-by: George Dunlap <george.dunlap@citrix.com>

While I intend to take George's ack as being sufficient to cover
the shadow side, may I please ask for an ack or otherwise for
the non-mm part of the change? I know you've not been in full
agreement with the change, but iirc I've never heard back on a
subsequent reply of mine. And I further think that with the now
(v2) even more obvious dependency of the shadow code on
this behavior, the change should really be taken as is.

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] Ping: [PATCH v2] x86: don't allow clearing of TF_kernel_mode for other than 64-bit PV

[Jan Beulich]

>>> On 19.03.19 at 18:01, <george.dunlap@citrix.com> wrote:
> On 3/11/19 4:37 PM, Jan Beulich wrote:
>> The flag is really only meant for those, both HVM and 32-bit PV tell
>> kernel from user mode based on CPL/RPL. Remove the all-question-marks
>> comment and let's be on the safe side here and also suppress clearing
>> for 32-bit PV (this isn't a fast path after all).
>> 
>> Remove no longer necessary is_pv_32bit_*() from sh_update_cr3() and
>> sh_walk_guest_tables(). Note that shadow_one_bit_disable() already
>> assumes the new behavior.
>> 
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> 
> Acked-by: George Dunlap <george.dunlap@citrix.com>

While I intend to take George's ack as being sufficient to cover
the shadow side, may I please ask for an ack or otherwise for
the non-mm part of the change? I know you've not been in full
agreement with the change, but iirc I've never heard back on a
subsequent reply of mine. And I further think that with the now
(v2) even more obvious dependency of the shadow code on
this behavior, the change should really be taken as is.

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: Ping: [PATCH v2] x86: don't allow clearing of TF_kernel_mode for other than 64-bit PV

[Andrew Cooper]

On 05/04/2019 09:12, Jan Beulich wrote:
>>>> On 19.03.19 at 18:01, <george.dunlap@citrix.com> wrote:
>> On 3/11/19 4:37 PM, Jan Beulich wrote:
>>> The flag is really only meant for those, both HVM and 32-bit PV tell
>>> kernel from user mode based on CPL/RPL. Remove the all-question-marks
>>> comment and let's be on the safe side here and also suppress clearing
>>> for 32-bit PV (this isn't a fast path after all).
>>>
>>> Remove no longer necessary is_pv_32bit_*() from sh_update_cr3() and
>>> sh_walk_guest_tables(). Note that shadow_one_bit_disable() already
>>> assumes the new behavior.
>>>
>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>> Acked-by: George Dunlap <george.dunlap@citrix.com>
> While I intend to take George's ack as being sufficient to cover
> the shadow side, may I please ask for an ack or otherwise for
> the non-mm part of the change? I know you've not been in full
> agreement with the change, but iirc I've never heard back on a
> subsequent reply of mine. And I further think that with the now
> (v2) even more obvious dependency of the shadow code on
> this behavior, the change should really be taken as is.

Also, I've just managed to invalidate my own objection to this change on
the basis that it will break migration.

Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] Ping: [PATCH v2] x86: don't allow clearing of TF_kernel_mode for other than 64-bit PV

[Andrew Cooper]

On 05/04/2019 09:12, Jan Beulich wrote:
>>>> On 19.03.19 at 18:01, <george.dunlap@citrix.com> wrote:
>> On 3/11/19 4:37 PM, Jan Beulich wrote:
>>> The flag is really only meant for those, both HVM and 32-bit PV tell
>>> kernel from user mode based on CPL/RPL. Remove the all-question-marks
>>> comment and let's be on the safe side here and also suppress clearing
>>> for 32-bit PV (this isn't a fast path after all).
>>>
>>> Remove no longer necessary is_pv_32bit_*() from sh_update_cr3() and
>>> sh_walk_guest_tables(). Note that shadow_one_bit_disable() already
>>> assumes the new behavior.
>>>
>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>> Acked-by: George Dunlap <george.dunlap@citrix.com>
> While I intend to take George's ack as being sufficient to cover
> the shadow side, may I please ask for an ack or otherwise for
> the non-mm part of the change? I know you've not been in full
> agreement with the change, but iirc I've never heard back on a
> subsequent reply of mine. And I further think that with the now
> (v2) even more obvious dependency of the shadow code on
> this behavior, the change should really be taken as is.

Also, I've just managed to invalidate my own objection to this change on
the basis that it will break migration.

Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel