From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Sander Eikelenboom <linux@eikelenboom.it>,
Xen-devel <xen-devel@lists.xen.org>
Subject: Re: [PATCH] x86/pv: Fix guest crashes following f75b1a5247b "x86/pv: Drop int80_bounce from struct pv_vcpu"
Date: Wed, 14 Mar 2018 14:03:59 +0000 [thread overview]
Message-ID: <a2289466-3221-0018-5941-d9de893fc68a@citrix.com> (raw)
In-Reply-To: <5AA938A602000078001B18C3@prv-mh.provo.novell.com>
On 14/03/18 13:58, Jan Beulich wrote:
>>>> On 14.03.18 at 12:51, <andrew.cooper3@citrix.com> wrote:
>> The original init_int80_direct_trap() was in fact buggy; `int $0x80` is not
>> an
>> exception. This went unnoticed for years because int80_bounce and
>> trap_bounce
>> were separate structures, but were combined by this change.
>>
>> Exception handling is different to interrupt handling for PV guests. By
>> reusing trap_bounce, the following corner case can occur:
>>
>> * Handle a guest `int $0x80` instruction. Latches TBF_EXCEPTION into
>> trap_bounce.
>> * Handle an exception, which emulates to success (such as ptwr support),
>> which leaves trap_bounce unmodified.
>> * The exception exit path sees TBF_EXCEPTION set and re-injects the `int
>> $0x80` a second time.
> Oh, and then it was the clearing of trap_bounce after consuming it
> in your conversion to C which masked the problem?
Yes.
>
>> --- a/xen/arch/x86/x86_64/entry.S
>> +++ b/xen/arch/x86/x86_64/entry.S
>> @@ -373,10 +373,10 @@ UNLIKELY_END(msi_check)
>> mov %cx, TRAPBOUNCE_cs(%rdx)
>> mov %rdi, TRAPBOUNCE_eip(%rdx)
>>
>> - /* TB_flags = TBF_EXCEPTION | (TI_GET_IF(ti) ? TBF_INTERRUPT : 0); */
>> + /* TB_flags = (TI_GET_IF(ti) ? TBF_INTERRUPT : 0); */
>> testb $4, 0x80 * TRAPINFO_sizeof + TRAPINFO_flags(%rsi)
>> setnz %cl
>> - lea TBF_EXCEPTION(, %rcx, TBF_INTERRUPT), %ecx
>> + lea (, %rcx, TBF_INTERRUPT), %ecx
> With the immediate gone I think
>
> shl $3, %ecx
>
> would be more readable and perhaps no worse code wise (the
> use of LEA was introduced in cases like this only to combine the
> shift with the ORing in of other flags). I won't insist on that
> change though (the more that there's no symbolic constant
> available for that literal 3 right now), so with or without it
>
> Reviewed-by: Jan Beulich <jbeulich@suse.com>
I'll do a followup patch. This particular pattern exists elsewhere, so
might as well fix them all.
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
prev parent reply other threads:[~2018-03-14 14:03 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-14 11:51 [PATCH] x86/pv: Fix guest crashes following f75b1a5247b "x86/pv: Drop int80_bounce from struct pv_vcpu" Andrew Cooper
2018-03-14 13:58 ` Jan Beulich
2018-03-14 14:03 ` Andrew Cooper [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a2289466-3221-0018-5941-d9de893fc68a@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=linux@eikelenboom.it \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.