[PATCH v2 0/4] vvmx: fix L1 vmxon

[PATCH v2 0/4] vvmx: fix L1 vmxon

[Haozhong Zhang]

This patchset fixes bugs and adds missing checks in nvmx_handle_vmxon(),
in order to make it more consistent to Intel SDM (section "VMXON - Enter
VMX Operation" in Vol 3).

Changes in v2:
 * Add necessary 'const' in patch 1. (Andrew Cooper)
 * Use the existing INVALID_PADDR rather than introducing a new
   one in patch 1. (Jan Beulich)
 * Add patch 4 to replace VMCX_EADDR by INVALID_PADDR. (Jan Beulich)

Haozhong Zhang (4):
  vvmx: set vmxon_region_pa of vcpu out of VMX operation to an invalid address
  vvmx: return VMfail to L1 if L1 vmxon is executed in VMX operation
  vvmx: check the operand of L1 vmxon
  nestedhvm: replace VMCX_EADDR by INVALID_PADDR

 xen/arch/x86/hvm/nestedhvm.c       |  2 +-
 xen/arch/x86/hvm/svm/nestedsvm.c   | 18 ++++++-------
 xen/arch/x86/hvm/svm/vmcb.c        |  2 +-
 xen/arch/x86/hvm/vmx/vvmx.c        | 52 ++++++++++++++++++++++++++++----------
 xen/include/asm-x86/hvm/vcpu.h     |  2 --
 xen/include/asm-x86/hvm/vmx/vvmx.h |  7 +++++
 6 files changed, 56 insertions(+), 27 deletions(-)

-- 
2.10.1


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH v2 1/4] vvmx: set vmxon_region_pa of vcpu out of VMX operation to an invalid address

[Haozhong Zhang]

nvmx_handle_vmxon() previously checks whether a vcpu is in VMX
operation by comparing its vmxon_region_pa with GPA 0. However, 0 is
also a valid VMXON region address. If L1 hypervisor had set the VMXON
region address to 0, the check in nvmx_handle_vmxon() will be skipped.
Fix this problem by using an invalid VMXON region address for vcpu
out of VMX operation.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
---
 xen/arch/x86/hvm/vmx/vvmx.c        | 13 +++++++++----
 xen/include/asm-x86/hvm/vmx/vvmx.h |  7 +++++++
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
index e6e9ebd..eae8150 100644
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -32,6 +32,11 @@ static DEFINE_PER_CPU(u64 *, vvmcs_buf);
 
 static void nvmx_purge_vvmcs(struct vcpu *v);
 
+static bool nvmx_vcpu_in_vmx(const struct vcpu *v)
+{
+    return vcpu_2_nvmx(v).vmxon_region_pa != INVALID_PADDR;
+}
+
 #define VMCS_BUF_SIZE 100
 
 int nvmx_cpu_up_prepare(unsigned int cpu)
@@ -107,7 +112,7 @@ int nvmx_vcpu_initialise(struct vcpu *v)
 
     nvmx->ept.enabled = 0;
     nvmx->guest_vpid = 0;
-    nvmx->vmxon_region_pa = 0;
+    nvmx->vmxon_region_pa = INVALID_PADDR;
     nvcpu->nv_vvmcx = NULL;
     nvcpu->nv_vvmcxaddr = VMCX_EADDR;
     nvmx->intr.intr_info = 0;
@@ -357,7 +362,7 @@ static int vmx_inst_check_privilege(struct cpu_user_regs *regs, int vmxop_check)
              !(v->arch.hvm_vcpu.guest_cr[4] & X86_CR4_VMXE) )
             goto invalid_op;
     }
-    else if ( !vcpu_2_nvmx(v).vmxon_region_pa )
+    else if ( !nvmx_vcpu_in_vmx(v) )
         goto invalid_op;
 
     hvm_get_segment_register(v, x86_seg_cs, &cs);
@@ -1384,7 +1389,7 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
     if ( rc != X86EMUL_OKAY )
         return rc;
 
-    if ( nvmx->vmxon_region_pa )
+    if ( nvmx_vcpu_in_vmx(v) )
         gdprintk(XENLOG_WARNING, 
                  "vmxon again: orig %"PRIpaddr" new %lx\n",
                  nvmx->vmxon_region_pa, gpa);
@@ -1417,7 +1422,7 @@ int nvmx_handle_vmxoff(struct cpu_user_regs *regs)
         return rc;
 
     nvmx_purge_vvmcs(v);
-    nvmx->vmxon_region_pa = 0;
+    nvmx->vmxon_region_pa = INVALID_PADDR;
 
     vmreturn(regs, VMSUCCEED);
     return X86EMUL_OKAY;
diff --git a/xen/include/asm-x86/hvm/vmx/vvmx.h b/xen/include/asm-x86/hvm/vmx/vvmx.h
index ead586e..af7702b 100644
--- a/xen/include/asm-x86/hvm/vmx/vvmx.h
+++ b/xen/include/asm-x86/hvm/vmx/vvmx.h
@@ -28,6 +28,13 @@ struct vvmcs_list {
 };
 
 struct nestedvmx {
+    /*
+     * vmxon_region_pa is also used to indicate whether a vcpu is in
+     * the VMX operation. When a vcpu is out of the VMX operation, its
+     * vmxon_region_pa is set to an invalid address INVALID_PADDR. We
+     * cannot use 0 for this purpose, because it's a valid VMXON region
+     * address.
+     */
     paddr_t    vmxon_region_pa;
     void       *iobitmap[2];		/* map (va) of L1 guest I/O bitmap */
     void       *msrbitmap;		/* map (va) of L1 guest MSR bitmap */
-- 
2.10.1


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH v2 2/4] vvmx: return VMfail to L1 if L1 vmxon is executed in VMX operation

[Haozhong Zhang]

According to Intel SDM, section "VMXON - Enter VMX Operation", a
VMfail should be returned to L1 hypervisor if L1 vmxon is executed in
VMX operation, rather than just print a warning message.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
---
 xen/arch/x86/hvm/vmx/vvmx.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
index eae8150..e765b60 100644
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1390,9 +1390,12 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
         return rc;
 
     if ( nvmx_vcpu_in_vmx(v) )
-        gdprintk(XENLOG_WARNING, 
-                 "vmxon again: orig %"PRIpaddr" new %lx\n",
-                 nvmx->vmxon_region_pa, gpa);
+    {
+        vmreturn(regs,
+                 nvcpu->nv_vvmcxaddr != VMCX_EADDR ?
+                 VMFAIL_VALID : VMFAIL_INVALID);
+        return X86EMUL_OKAY;
+    }
 
     nvmx->vmxon_region_pa = gpa;
 
-- 
2.10.1


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH v2 3/4] vvmx: check the operand of L1 vmxon

[Haozhong Zhang]

Check whether the operand of L1 vmxon is a valid VMXON region address
and whether the VMXON region at that address contains a valid revision
ID.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
---
 xen/arch/x86/hvm/vmx/vvmx.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
index e765b60..5523146 100644
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1383,6 +1383,7 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
     struct vmx_inst_decoded decode;
     unsigned long gpa = 0;
+    uint32_t nvmcs_revid;
     int rc;
 
     rc = decode_vmx_inst(regs, &decode, &gpa, 1);
@@ -1397,6 +1398,21 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
         return X86EMUL_OKAY;
     }
 
+    if ( (gpa & ~PAGE_MASK) || (gpa >> v->domain->arch.paging.gfn_bits) )
+    {
+        vmreturn(regs, VMFAIL_INVALID);
+        return X86EMUL_OKAY;
+    }
+
+    rc = hvm_copy_from_guest_phys(&nvmcs_revid, gpa, sizeof(nvmcs_revid));
+    if ( rc != HVMCOPY_okay ||
+         (nvmcs_revid & ~VMX_BASIC_REVISION_MASK) ||
+         ((nvmcs_revid ^ vmx_basic_msr) & VMX_BASIC_REVISION_MASK) )
+    {
+        vmreturn(regs, VMFAIL_INVALID);
+        return X86EMUL_OKAY;
+    }
+
     nvmx->vmxon_region_pa = gpa;
 
     /*
-- 
2.10.1


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH v2 4/4] nestedhvm: replace VMCX_EADDR by INVALID_PADDR

[Haozhong Zhang]

... because INVALID_PADDR is a more general one.

Suggested-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
---
 xen/arch/x86/hvm/nestedhvm.c     |  2 +-
 xen/arch/x86/hvm/svm/nestedsvm.c | 18 +++++++++---------
 xen/arch/x86/hvm/svm/vmcb.c      |  2 +-
 xen/arch/x86/hvm/vmx/vvmx.c      | 16 ++++++++--------
 xen/include/asm-x86/hvm/vcpu.h   |  2 --
 5 files changed, 19 insertions(+), 21 deletions(-)

diff --git a/xen/arch/x86/hvm/nestedhvm.c b/xen/arch/x86/hvm/nestedhvm.c
index c4671d8..c09c5b2 100644
--- a/xen/arch/x86/hvm/nestedhvm.c
+++ b/xen/arch/x86/hvm/nestedhvm.c
@@ -54,7 +54,7 @@ nestedhvm_vcpu_reset(struct vcpu *v)
 
     hvm_unmap_guest_frame(nv->nv_vvmcx, 1);
     nv->nv_vvmcx = NULL;
-    nv->nv_vvmcxaddr = VMCX_EADDR;
+    nv->nv_vvmcxaddr = INVALID_PADDR;
     nv->nv_flushp2m = 0;
     nv->nv_p2m = NULL;
 
diff --git a/xen/arch/x86/hvm/svm/nestedsvm.c b/xen/arch/x86/hvm/svm/nestedsvm.c
index 8c9b073..4d9de86 100644
--- a/xen/arch/x86/hvm/svm/nestedsvm.c
+++ b/xen/arch/x86/hvm/svm/nestedsvm.c
@@ -68,10 +68,10 @@ int nestedsvm_vmcb_map(struct vcpu *v, uint64_t vmcbaddr)
     struct nestedvcpu *nv = &vcpu_nestedhvm(v);
 
     if (nv->nv_vvmcx != NULL && nv->nv_vvmcxaddr != vmcbaddr) {
-        ASSERT(nv->nv_vvmcxaddr != VMCX_EADDR);
+        ASSERT(nv->nv_vvmcxaddr != INVALID_PADDR);
         hvm_unmap_guest_frame(nv->nv_vvmcx, 1);
         nv->nv_vvmcx = NULL;
-        nv->nv_vvmcxaddr = VMCX_EADDR;
+        nv->nv_vvmcxaddr = INVALID_PADDR;
     }
 
     if ( !nv->nv_vvmcx )
@@ -154,7 +154,7 @@ void nsvm_vcpu_destroy(struct vcpu *v)
     if (nv->nv_n2vmcx) {
         free_vmcb(nv->nv_n2vmcx);
         nv->nv_n2vmcx = NULL;
-        nv->nv_n2vmcx_pa = VMCX_EADDR;
+        nv->nv_n2vmcx_pa = INVALID_PADDR;
     }
     if (svm->ns_iomap)
         svm->ns_iomap = NULL;
@@ -164,8 +164,8 @@ int nsvm_vcpu_reset(struct vcpu *v)
 {
     struct nestedsvm *svm = &vcpu_nestedsvm(v);
 
-    svm->ns_msr_hsavepa = VMCX_EADDR;
-    svm->ns_ovvmcb_pa = VMCX_EADDR;
+    svm->ns_msr_hsavepa = INVALID_PADDR;
+    svm->ns_ovvmcb_pa = INVALID_PADDR;
 
     svm->ns_tscratio = DEFAULT_TSC_RATIO;
 
@@ -425,7 +425,7 @@ static int nsvm_vmcb_prepare4vmrun(struct vcpu *v, struct cpu_user_regs *regs)
 
     /* Check if virtual VMCB cleanbits are valid */
     vcleanbits_valid = 1;
-    if (svm->ns_ovvmcb_pa == VMCX_EADDR)
+    if ( svm->ns_ovvmcb_pa == INVALID_PADDR )
         vcleanbits_valid = 0;
     if (svm->ns_ovvmcb_pa != nv->nv_vvmcxaddr)
         vcleanbits_valid = 0;
@@ -674,7 +674,7 @@ nsvm_vcpu_vmentry(struct vcpu *v, struct cpu_user_regs *regs,
     ns_vmcb = nv->nv_vvmcx;
     ASSERT(ns_vmcb != NULL);
     ASSERT(nv->nv_n2vmcx != NULL);
-    ASSERT(nv->nv_n2vmcx_pa != VMCX_EADDR);
+    ASSERT(nv->nv_n2vmcx_pa != INVALID_PADDR);
 
     /* Save values for later use. Needed for Nested-on-Nested and
      * Shadow-on-Shadow paging.
@@ -1490,8 +1490,8 @@ void nsvm_vcpu_switch(struct cpu_user_regs *regs)
     ASSERT(v->arch.hvm_svm.vmcb != NULL);
     ASSERT(nv->nv_n1vmcx != NULL);
     ASSERT(nv->nv_n2vmcx != NULL);
-    ASSERT(nv->nv_n1vmcx_pa != VMCX_EADDR);
-    ASSERT(nv->nv_n2vmcx_pa != VMCX_EADDR);
+    ASSERT(nv->nv_n1vmcx_pa != INVALID_PADDR);
+    ASSERT(nv->nv_n2vmcx_pa != INVALID_PADDR);
 
     if (nv->nv_vmexit_pending) {
  vmexit:
diff --git a/xen/arch/x86/hvm/svm/vmcb.c b/xen/arch/x86/hvm/svm/vmcb.c
index 9ea014f..70d75e7 100644
--- a/xen/arch/x86/hvm/svm/vmcb.c
+++ b/xen/arch/x86/hvm/svm/vmcb.c
@@ -273,7 +273,7 @@ void svm_destroy_vmcb(struct vcpu *v)
     }
 
     nv->nv_n1vmcx = NULL;
-    nv->nv_n1vmcx_pa = VMCX_EADDR;
+    nv->nv_n1vmcx_pa = INVALID_PADDR;
     arch_svm->vmcb = NULL;
 }
 
diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
index 5523146..c4f19a0 100644
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -114,7 +114,7 @@ int nvmx_vcpu_initialise(struct vcpu *v)
     nvmx->guest_vpid = 0;
     nvmx->vmxon_region_pa = INVALID_PADDR;
     nvcpu->nv_vvmcx = NULL;
-    nvcpu->nv_vvmcxaddr = VMCX_EADDR;
+    nvcpu->nv_vvmcxaddr = INVALID_PADDR;
     nvmx->intr.intr_info = 0;
     nvmx->intr.error_code = 0;
     nvmx->iobitmap[0] = NULL;
@@ -766,10 +766,10 @@ static void nvmx_purge_vvmcs(struct vcpu *v)
     int i;
 
     __clear_current_vvmcs(v);
-    if ( nvcpu->nv_vvmcxaddr != VMCX_EADDR )
+    if ( nvcpu->nv_vvmcxaddr != INVALID_PADDR )
         hvm_unmap_guest_frame(nvcpu->nv_vvmcx, 1);
     nvcpu->nv_vvmcx = NULL;
-    nvcpu->nv_vvmcxaddr = VMCX_EADDR;
+    nvcpu->nv_vvmcxaddr = INVALID_PADDR;
     v->arch.hvm_vmx.vmcs_shadow_maddr = 0;
     for (i=0; i<2; i++) {
         if ( nvmx->iobitmap[i] ) {
@@ -1393,7 +1393,7 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
     if ( nvmx_vcpu_in_vmx(v) )
     {
         vmreturn(regs,
-                 nvcpu->nv_vvmcxaddr != VMCX_EADDR ?
+                 nvcpu->nv_vvmcxaddr != INVALID_PADDR ?
                  VMFAIL_VALID : VMFAIL_INVALID);
         return X86EMUL_OKAY;
     }
@@ -1509,7 +1509,7 @@ static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
 
     /* check VMCS is valid and IO BITMAP is set */
-    if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
+    if ( (nvcpu->nv_vvmcxaddr != INVALID_PADDR) &&
             ((nvmx->iobitmap[0] && nvmx->iobitmap[1]) ||
             !(__n2_exec_control(v) & CPU_BASED_ACTIVATE_IO_BITMAP) ) )
         nvcpu->nv_vmentry_pending = 1;
@@ -1529,7 +1529,7 @@ int nvmx_handle_vmresume(struct cpu_user_regs *regs)
     if ( rc != X86EMUL_OKAY )
         return rc;
 
-    if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
+    if ( vcpu_nestedhvm(v).nv_vvmcxaddr == INVALID_PADDR )
     {
         vmreturn (regs, VMFAIL_INVALID);
         return X86EMUL_OKAY;        
@@ -1554,7 +1554,7 @@ int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
     if ( rc != X86EMUL_OKAY )
         return rc;
 
-    if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
+    if ( vcpu_nestedhvm(v).nv_vvmcxaddr == INVALID_PADDR )
     {
         vmreturn (regs, VMFAIL_INVALID);
         return X86EMUL_OKAY;
@@ -1599,7 +1599,7 @@ int nvmx_handle_vmptrld(struct cpu_user_regs *regs)
     if ( nvcpu->nv_vvmcxaddr != gpa )
         nvmx_purge_vvmcs(v);
 
-    if ( nvcpu->nv_vvmcxaddr == VMCX_EADDR )
+    if ( nvcpu->nv_vvmcxaddr == INVALID_PADDR )
     {
         bool_t writable;
         void *vvmcx = hvm_map_guest_frame_rw(paddr_to_pfn(gpa), 1, &writable);
diff --git a/xen/include/asm-x86/hvm/vcpu.h b/xen/include/asm-x86/hvm/vcpu.h
index d485536..7b411a8 100644
--- a/xen/include/asm-x86/hvm/vcpu.h
+++ b/xen/include/asm-x86/hvm/vcpu.h
@@ -97,8 +97,6 @@ static inline bool_t hvm_vcpu_io_need_completion(const struct hvm_vcpu_io *vio)
            !vio->io_req.data_is_ptr;
 }
 
-#define VMCX_EADDR    (~0ULL)
-
 struct nestedvcpu {
     bool_t nv_guestmode; /* vcpu in guestmode? */
     void *nv_vvmcx; /* l1 guest virtual VMCB/VMCS */
-- 
2.10.1


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v2 4/4] nestedhvm: replace VMCX_EADDR by INVALID_PADDR

[Jan Beulich]

>>> On 14.12.16 at 11:11, <haozhong.zhang@intel.com> wrote:
> ... because INVALID_PADDR is a more general one.
> 
> Suggested-by: Jan Beulich <JBeulich@suse.com>
> Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>

Thanks for doing this!

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v2 4/4] nestedhvm: replace VMCX_EADDR by INVALID_PADDR

[Haozhong Zhang]

On 12/14/16 18:11 +0800, Haozhong Zhang wrote:
>... because INVALID_PADDR is a more general one.
>
>Suggested-by: Jan Beulich <JBeulich@suse.com>
>Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
>---
> xen/arch/x86/hvm/nestedhvm.c     |  2 +-
> xen/arch/x86/hvm/svm/nestedsvm.c | 18 +++++++++---------
> xen/arch/x86/hvm/svm/vmcb.c      |  2 +-
> xen/arch/x86/hvm/vmx/vvmx.c      | 16 ++++++++--------
> xen/include/asm-x86/hvm/vcpu.h   |  2 --
> 5 files changed, 19 insertions(+), 21 deletions(-)
>

Forgot to cc AMD maintainers.

>diff --git a/xen/arch/x86/hvm/nestedhvm.c b/xen/arch/x86/hvm/nestedhvm.c
>index c4671d8..c09c5b2 100644
>--- a/xen/arch/x86/hvm/nestedhvm.c
>+++ b/xen/arch/x86/hvm/nestedhvm.c
>@@ -54,7 +54,7 @@ nestedhvm_vcpu_reset(struct vcpu *v)
>
>     hvm_unmap_guest_frame(nv->nv_vvmcx, 1);
>     nv->nv_vvmcx = NULL;
>-    nv->nv_vvmcxaddr = VMCX_EADDR;
>+    nv->nv_vvmcxaddr = INVALID_PADDR;
>     nv->nv_flushp2m = 0;
>     nv->nv_p2m = NULL;
>
>diff --git a/xen/arch/x86/hvm/svm/nestedsvm.c b/xen/arch/x86/hvm/svm/nestedsvm.c
>index 8c9b073..4d9de86 100644
>--- a/xen/arch/x86/hvm/svm/nestedsvm.c
>+++ b/xen/arch/x86/hvm/svm/nestedsvm.c
>@@ -68,10 +68,10 @@ int nestedsvm_vmcb_map(struct vcpu *v, uint64_t vmcbaddr)
>     struct nestedvcpu *nv = &vcpu_nestedhvm(v);
>
>     if (nv->nv_vvmcx != NULL && nv->nv_vvmcxaddr != vmcbaddr) {
>-        ASSERT(nv->nv_vvmcxaddr != VMCX_EADDR);
>+        ASSERT(nv->nv_vvmcxaddr != INVALID_PADDR);
>         hvm_unmap_guest_frame(nv->nv_vvmcx, 1);
>         nv->nv_vvmcx = NULL;
>-        nv->nv_vvmcxaddr = VMCX_EADDR;
>+        nv->nv_vvmcxaddr = INVALID_PADDR;
>     }
>
>     if ( !nv->nv_vvmcx )
>@@ -154,7 +154,7 @@ void nsvm_vcpu_destroy(struct vcpu *v)
>     if (nv->nv_n2vmcx) {
>         free_vmcb(nv->nv_n2vmcx);
>         nv->nv_n2vmcx = NULL;
>-        nv->nv_n2vmcx_pa = VMCX_EADDR;
>+        nv->nv_n2vmcx_pa = INVALID_PADDR;
>     }
>     if (svm->ns_iomap)
>         svm->ns_iomap = NULL;
>@@ -164,8 +164,8 @@ int nsvm_vcpu_reset(struct vcpu *v)
> {
>     struct nestedsvm *svm = &vcpu_nestedsvm(v);
>
>-    svm->ns_msr_hsavepa = VMCX_EADDR;
>-    svm->ns_ovvmcb_pa = VMCX_EADDR;
>+    svm->ns_msr_hsavepa = INVALID_PADDR;
>+    svm->ns_ovvmcb_pa = INVALID_PADDR;
>
>     svm->ns_tscratio = DEFAULT_TSC_RATIO;
>
>@@ -425,7 +425,7 @@ static int nsvm_vmcb_prepare4vmrun(struct vcpu *v, struct cpu_user_regs *regs)
>
>     /* Check if virtual VMCB cleanbits are valid */
>     vcleanbits_valid = 1;
>-    if (svm->ns_ovvmcb_pa == VMCX_EADDR)
>+    if ( svm->ns_ovvmcb_pa == INVALID_PADDR )
>         vcleanbits_valid = 0;
>     if (svm->ns_ovvmcb_pa != nv->nv_vvmcxaddr)
>         vcleanbits_valid = 0;
>@@ -674,7 +674,7 @@ nsvm_vcpu_vmentry(struct vcpu *v, struct cpu_user_regs *regs,
>     ns_vmcb = nv->nv_vvmcx;
>     ASSERT(ns_vmcb != NULL);
>     ASSERT(nv->nv_n2vmcx != NULL);
>-    ASSERT(nv->nv_n2vmcx_pa != VMCX_EADDR);
>+    ASSERT(nv->nv_n2vmcx_pa != INVALID_PADDR);
>
>     /* Save values for later use. Needed for Nested-on-Nested and
>      * Shadow-on-Shadow paging.
>@@ -1490,8 +1490,8 @@ void nsvm_vcpu_switch(struct cpu_user_regs *regs)
>     ASSERT(v->arch.hvm_svm.vmcb != NULL);
>     ASSERT(nv->nv_n1vmcx != NULL);
>     ASSERT(nv->nv_n2vmcx != NULL);
>-    ASSERT(nv->nv_n1vmcx_pa != VMCX_EADDR);
>-    ASSERT(nv->nv_n2vmcx_pa != VMCX_EADDR);
>+    ASSERT(nv->nv_n1vmcx_pa != INVALID_PADDR);
>+    ASSERT(nv->nv_n2vmcx_pa != INVALID_PADDR);
>
>     if (nv->nv_vmexit_pending) {
>  vmexit:
>diff --git a/xen/arch/x86/hvm/svm/vmcb.c b/xen/arch/x86/hvm/svm/vmcb.c
>index 9ea014f..70d75e7 100644
>--- a/xen/arch/x86/hvm/svm/vmcb.c
>+++ b/xen/arch/x86/hvm/svm/vmcb.c
>@@ -273,7 +273,7 @@ void svm_destroy_vmcb(struct vcpu *v)
>     }
>
>     nv->nv_n1vmcx = NULL;
>-    nv->nv_n1vmcx_pa = VMCX_EADDR;
>+    nv->nv_n1vmcx_pa = INVALID_PADDR;
>     arch_svm->vmcb = NULL;
> }
>
>diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
>index 5523146..c4f19a0 100644
>--- a/xen/arch/x86/hvm/vmx/vvmx.c
>+++ b/xen/arch/x86/hvm/vmx/vvmx.c
>@@ -114,7 +114,7 @@ int nvmx_vcpu_initialise(struct vcpu *v)
>     nvmx->guest_vpid = 0;
>     nvmx->vmxon_region_pa = INVALID_PADDR;
>     nvcpu->nv_vvmcx = NULL;
>-    nvcpu->nv_vvmcxaddr = VMCX_EADDR;
>+    nvcpu->nv_vvmcxaddr = INVALID_PADDR;
>     nvmx->intr.intr_info = 0;
>     nvmx->intr.error_code = 0;
>     nvmx->iobitmap[0] = NULL;
>@@ -766,10 +766,10 @@ static void nvmx_purge_vvmcs(struct vcpu *v)
>     int i;
>
>     __clear_current_vvmcs(v);
>-    if ( nvcpu->nv_vvmcxaddr != VMCX_EADDR )
>+    if ( nvcpu->nv_vvmcxaddr != INVALID_PADDR )
>         hvm_unmap_guest_frame(nvcpu->nv_vvmcx, 1);
>     nvcpu->nv_vvmcx = NULL;
>-    nvcpu->nv_vvmcxaddr = VMCX_EADDR;
>+    nvcpu->nv_vvmcxaddr = INVALID_PADDR;
>     v->arch.hvm_vmx.vmcs_shadow_maddr = 0;
>     for (i=0; i<2; i++) {
>         if ( nvmx->iobitmap[i] ) {
>@@ -1393,7 +1393,7 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
>     if ( nvmx_vcpu_in_vmx(v) )
>     {
>         vmreturn(regs,
>-                 nvcpu->nv_vvmcxaddr != VMCX_EADDR ?
>+                 nvcpu->nv_vvmcxaddr != INVALID_PADDR ?
>                  VMFAIL_VALID : VMFAIL_INVALID);
>         return X86EMUL_OKAY;
>     }
>@@ -1509,7 +1509,7 @@ static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
>     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
>
>     /* check VMCS is valid and IO BITMAP is set */
>-    if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
>+    if ( (nvcpu->nv_vvmcxaddr != INVALID_PADDR) &&
>             ((nvmx->iobitmap[0] && nvmx->iobitmap[1]) ||
>             !(__n2_exec_control(v) & CPU_BASED_ACTIVATE_IO_BITMAP) ) )
>         nvcpu->nv_vmentry_pending = 1;
>@@ -1529,7 +1529,7 @@ int nvmx_handle_vmresume(struct cpu_user_regs *regs)
>     if ( rc != X86EMUL_OKAY )
>         return rc;
>
>-    if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
>+    if ( vcpu_nestedhvm(v).nv_vvmcxaddr == INVALID_PADDR )
>     {
>         vmreturn (regs, VMFAIL_INVALID);
>         return X86EMUL_OKAY;
>@@ -1554,7 +1554,7 @@ int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
>     if ( rc != X86EMUL_OKAY )
>         return rc;
>
>-    if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
>+    if ( vcpu_nestedhvm(v).nv_vvmcxaddr == INVALID_PADDR )
>     {
>         vmreturn (regs, VMFAIL_INVALID);
>         return X86EMUL_OKAY;
>@@ -1599,7 +1599,7 @@ int nvmx_handle_vmptrld(struct cpu_user_regs *regs)
>     if ( nvcpu->nv_vvmcxaddr != gpa )
>         nvmx_purge_vvmcs(v);
>
>-    if ( nvcpu->nv_vvmcxaddr == VMCX_EADDR )
>+    if ( nvcpu->nv_vvmcxaddr == INVALID_PADDR )
>     {
>         bool_t writable;
>         void *vvmcx = hvm_map_guest_frame_rw(paddr_to_pfn(gpa), 1, &writable);
>diff --git a/xen/include/asm-x86/hvm/vcpu.h b/xen/include/asm-x86/hvm/vcpu.h
>index d485536..7b411a8 100644
>--- a/xen/include/asm-x86/hvm/vcpu.h
>+++ b/xen/include/asm-x86/hvm/vcpu.h
>@@ -97,8 +97,6 @@ static inline bool_t hvm_vcpu_io_need_completion(const struct hvm_vcpu_io *vio)
>            !vio->io_req.data_is_ptr;
> }
>
>-#define VMCX_EADDR    (~0ULL)
>-
> struct nestedvcpu {
>     bool_t nv_guestmode; /* vcpu in guestmode? */
>     void *nv_vvmcx; /* l1 guest virtual VMCB/VMCS */
>-- 
>2.10.1
>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v2 4/4] nestedhvm: replace VMCX_EADDR by INVALID_PADDR

[Tian, Kevin]

> From: Zhang, Haozhong
> Sent: Wednesday, December 14, 2016 6:12 PM
> 
> ... because INVALID_PADDR is a more general one.
> 
> Suggested-by: Jan Beulich <JBeulich@suse.com>
> Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>

Reviewed-by: Kevin Tian <kevin.tian@intel.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v2 4/4] nestedhvm: replace VMCX_EADDR by INVALID_PADDR

[Konrad Rzeszutek Wilk]

On Wed, Dec 14, 2016 at 03:16:33AM -0700, Jan Beulich wrote:
> >>> On 14.12.16 at 11:11, <haozhong.zhang@intel.com> wrote:
> > ... because INVALID_PADDR is a more general one.
> > 
> > Suggested-by: Jan Beulich <JBeulich@suse.com>
> > Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
> 
> Reviewed-by: Jan Beulich <jbeulich@suse.com>
> 
> Thanks for doing this!

Indeed! Thank you.


And Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

as well.
> 
> Jan
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v2 4/4] nestedhvm: replace VMCX_EADDR by INVALID_PADDR

[Boris Ostrovsky]

On 12/14/2016 05:18 AM, Haozhong Zhang wrote:
> On 12/14/16 18:11 +0800, Haozhong Zhang wrote:
>> ... because INVALID_PADDR is a more general one.
>>
>> Suggested-by: Jan Beulich <JBeulich@suse.com>
>> Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
>> ---
>> xen/arch/x86/hvm/nestedhvm.c     |  2 +-
>> xen/arch/x86/hvm/svm/nestedsvm.c | 18 +++++++++---------
>> xen/arch/x86/hvm/svm/vmcb.c      |  2 +-
>> xen/arch/x86/hvm/vmx/vvmx.c      | 16 ++++++++--------
>> xen/include/asm-x86/hvm/vcpu.h   |  2 --
>> 5 files changed, 19 insertions(+), 21 deletions(-)
>>
>
> Forgot to cc AMD maintainers.


Reviewed-by:  Boris Ostrovsky <boris.ostrovsky@oracle.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v2 3/4] vvmx: check the operand of L1 vmxon

[Haozhong Zhang]

[-- Attachment #1: Type: text/plain, Size: 1540 bytes --]

On 12/14/16 18:11 +0800, Haozhong Zhang wrote:
>Check whether the operand of L1 vmxon is a valid VMXON region address
>and whether the VMXON region at that address contains a valid revision
>ID.
>
>Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
>Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
>Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>Acked-by: Kevin Tian <kevin.tian@intel.com>
>---
> xen/arch/x86/hvm/vmx/vvmx.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
>diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
>index e765b60..5523146 100644
>--- a/xen/arch/x86/hvm/vmx/vvmx.c
>+++ b/xen/arch/x86/hvm/vmx/vvmx.c
>@@ -1383,6 +1383,7 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
>     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
>     struct vmx_inst_decoded decode;
>     unsigned long gpa = 0;
>+    uint32_t nvmcs_revid;
>     int rc;
>
>     rc = decode_vmx_inst(regs, &decode, &gpa, 1);
>@@ -1397,6 +1398,21 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
>         return X86EMUL_OKAY;
>     }
>
>+    if ( (gpa & ~PAGE_MASK) || (gpa >> v->domain->arch.paging.gfn_bits) )
                                                                 ^^^^^^^^

I mistaken it as the number of valid bits of physical address and
therefore missed adding PAGE_SHIFT here. The correct patch should be
the one attached. I notice the wrong patch has been in the staging
branch, so should I send a patch(set) to fix my mistake on the staging
branch?

Thanks,
Haozhong



[-- Attachment #2: v2-0003-vvmx-check-the-operand-of-L1-vmxon.patch --]
[-- Type: text/x-diff, Size: 1645 bytes --]

>From 809cf1ee317527d2eb8c2d8bac3be46b4d446b63 Mon Sep 17 00:00:00 2001
From: Haozhong Zhang <haozhong.zhang@intel.com>
Date: Tue, 13 Dec 2016 19:49:48 +0800
Subject: [RESEND PATCH v2 3/5] vvmx: check the operand of L1 vmxon

Check whether the operand of L1 vmxon is a valid VMXON region address
and whether the VMXON region at that address contains a valid revision
ID.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
---
 xen/arch/x86/hvm/vmx/vvmx.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
index e765b60..a1f8e16 100644
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1383,6 +1383,7 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
     struct vmx_inst_decoded decode;
     unsigned long gpa = 0;
+    uint32_t nvmcs_revid;
     int rc;
 
     rc = decode_vmx_inst(regs, &decode, &gpa, 1);
@@ -1397,6 +1398,22 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
         return X86EMUL_OKAY;
     }
 
+    if ( (gpa & ~PAGE_MASK) ||
+         (gpa >> (v->domain->arch.paging.gfn_bits + PAGE_SHIFT)) )
+    {
+        vmreturn(regs, VMFAIL_INVALID);
+        return X86EMUL_OKAY;
+    }
+
+    rc = hvm_copy_from_guest_phys(&nvmcs_revid, gpa, sizeof(nvmcs_revid));
+    if ( rc != HVMCOPY_okay ||
+         (nvmcs_revid & ~VMX_BASIC_REVISION_MASK) ||
+         ((nvmcs_revid ^ vmx_basic_msr) & VMX_BASIC_REVISION_MASK) )
+    {
+        vmreturn(regs, VMFAIL_INVALID);
+        return X86EMUL_OKAY;
+    }
+
     nvmx->vmxon_region_pa = gpa;
 
     /*
-- 
2.10.1


[-- Attachment #3: Type: text/plain, Size: 127 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v2 3/4] vvmx: check the operand of L1 vmxon

[Andrew Cooper]

On 18/12/16 14:02, Haozhong Zhang wrote:
> On 12/14/16 18:11 +0800, Haozhong Zhang wrote:
>> Check whether the operand of L1 vmxon is a valid VMXON region address
>> and whether the VMXON region at that address contains a valid revision
>> ID.
>>
>> Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
>> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>> Acked-by: Kevin Tian <kevin.tian@intel.com>
>> ---
>> xen/arch/x86/hvm/vmx/vvmx.c | 16 ++++++++++++++++
>> 1 file changed, 16 insertions(+)
>>
>> diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
>> index e765b60..5523146 100644
>> --- a/xen/arch/x86/hvm/vmx/vvmx.c
>> +++ b/xen/arch/x86/hvm/vmx/vvmx.c
>> @@ -1383,6 +1383,7 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
>>     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
>>     struct vmx_inst_decoded decode;
>>     unsigned long gpa = 0;
>> +    uint32_t nvmcs_revid;
>>     int rc;
>>
>>     rc = decode_vmx_inst(regs, &decode, &gpa, 1);
>> @@ -1397,6 +1398,21 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
>>         return X86EMUL_OKAY;
>>     }
>>
>> +    if ( (gpa & ~PAGE_MASK) || (gpa >>
>> v->domain->arch.paging.gfn_bits) )
>                                                                 ^^^^^^^^
>
> I mistaken it as the number of valid bits of physical address and
> therefore missed adding PAGE_SHIFT here. The correct patch should be
> the one attached. I notice the wrong patch has been in the staging
> branch, so should I send a patch(set) to fix my mistake on the staging
> branch?

Yes please.  All new code gets committed into staging.

master is fast-forwarded into staging when OSSTest is happy that no
regressions have occurred.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel