From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, James Morse <james.morse@arm.com>,
Marc Zyngier <maz@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Andre Przywara <andre.przywara@arm.com>
Subject: [PATCH 5.8 09/17] KVM: arm64: Survive synchronous exceptions caused by AT instructions
Date: Fri, 4 Sep 2020 15:30:08 +0200 [thread overview]
Message-ID: <20200904120258.449102679@linuxfoundation.org> (raw)
In-Reply-To: <20200904120257.983551609@linuxfoundation.org>
From: James Morse <james.morse@arm.com>
commit 88a84ccccb3966bcc3f309cdb76092a9892c0260 upstream.
KVM doesn't expect any synchronous exceptions when executing, any such
exception leads to a panic(). AT instructions access the guest page
tables, and can cause a synchronous external abort to be taken.
The arm-arm is unclear on what should happen if the guest has configured
the hardware update of the access-flag, and a memory type in TCR_EL1 that
does not support atomic operations. B2.2.6 "Possible implementation
restrictions on using atomic instructions" from DDI0487F.a lists
synchronous external abort as a possible behaviour of atomic instructions
that target memory that isn't writeback cacheable, but the page table
walker may behave differently.
Make KVM robust to synchronous exceptions caused by AT instructions.
Add a get_user() style helper for AT instructions that returns -EFAULT
if an exception was generated.
While KVM's version of the exception table mixes synchronous and
asynchronous exceptions, only one of these can occur at each location.
Re-enter the guest when the AT instructions take an exception on the
assumption the guest will take the same exception. This isn't guaranteed
to make forward progress, as the AT instructions may always walk the page
tables, but guest execution may use the translation cached in the TLB.
This isn't a problem, as since commit 5dcd0fdbb492 ("KVM: arm64: Defer guest
entry when an asynchronous exception is pending"), KVM will return to the
host to process IRQs allowing the rest of the system to keep running.
Cc: stable@vger.kernel.org # <v5.3: 5dcd0fdbb492 ("KVM: arm64: Defer guest entry when an asynchronous exception is pending")
Signed-off-by: James Morse <james.morse@arm.com>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/kvm_asm.h | 28 ++++++++++++++++++++++++++++
arch/arm64/kvm/hyp/hyp-entry.S | 14 ++++++++++----
arch/arm64/kvm/hyp/switch.c | 8 ++++----
3 files changed, 42 insertions(+), 8 deletions(-)
--- a/arch/arm64/include/asm/kvm_asm.h
+++ b/arch/arm64/include/asm/kvm_asm.h
@@ -121,6 +121,34 @@ extern char __smccc_workaround_1_smc[__S
*__hyp_this_cpu_ptr(sym); \
})
+#define __KVM_EXTABLE(from, to) \
+ " .pushsection __kvm_ex_table, \"a\"\n" \
+ " .align 3\n" \
+ " .long (" #from " - .), (" #to " - .)\n" \
+ " .popsection\n"
+
+
+#define __kvm_at(at_op, addr) \
+( { \
+ int __kvm_at_err = 0; \
+ u64 spsr, elr; \
+ asm volatile( \
+ " mrs %1, spsr_el2\n" \
+ " mrs %2, elr_el2\n" \
+ "1: at "at_op", %3\n" \
+ " isb\n" \
+ " b 9f\n" \
+ "2: msr spsr_el2, %1\n" \
+ " msr elr_el2, %2\n" \
+ " mov %w0, %4\n" \
+ "9:\n" \
+ __KVM_EXTABLE(1b, 2b) \
+ : "+r" (__kvm_at_err), "=&r" (spsr), "=&r" (elr) \
+ : "r" (addr), "i" (-EFAULT)); \
+ __kvm_at_err; \
+} )
+
+
#else /* __ASSEMBLY__ */
.macro hyp_adr_this_cpu reg, sym, tmp
--- a/arch/arm64/kvm/hyp/hyp-entry.S
+++ b/arch/arm64/kvm/hyp/hyp-entry.S
@@ -166,13 +166,19 @@ el1_error:
b __guest_exit
el2_sync:
- /* Check for illegal exception return, otherwise panic */
+ /* Check for illegal exception return */
mrs x0, spsr_el2
+ tbnz x0, #20, 1f
- /* if this was something else, then panic! */
- tst x0, #PSR_IL_BIT
- b.eq __hyp_panic
+ save_caller_saved_regs_vect
+ stp x29, x30, [sp, #-16]!
+ bl kvm_unexpected_el2_exception
+ ldp x29, x30, [sp], #16
+ restore_caller_saved_regs_vect
+ eret
+
+1:
/* Let's attempt a recovery from the illegal exception return */
get_vcpu_ptr x1, x0
mov x0, #ARM_EXCEPTION_IL
--- a/arch/arm64/kvm/hyp/switch.c
+++ b/arch/arm64/kvm/hyp/switch.c
@@ -303,10 +303,10 @@ static bool __hyp_text __translate_far_t
* saved the guest context yet, and we may return early...
*/
par = read_sysreg(par_el1);
- asm volatile("at s1e1r, %0" : : "r" (far));
- isb();
-
- tmp = read_sysreg(par_el1);
+ if (!__kvm_at("s1e1r", far))
+ tmp = read_sysreg(par_el1);
+ else
+ tmp = SYS_PAR_EL1_F; /* back to the guest */
write_sysreg(par, par_el1);
if (unlikely(tmp & SYS_PAR_EL1_F))
next prev parent reply other threads:[~2020-09-04 14:22 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-04 13:29 [PATCH 5.8 00/17] 5.8.7-rc1 review Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 01/17] HID: core: Correctly handle ReportSize being zero Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 02/17] HID: core: Sanitize event code and type when mapping input Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 03/17] netfilter: nft_set_rbtree: Handle outcomes of tree rotations in overlap detection Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 04/17] mm: fix pin vs. gup mismatch with gate pages Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 05/17] selftests/x86/test_vsyscall: Improve the process_vm_readv() test Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 06/17] perf record/stat: Explicitly call out event modifiers in the documentation Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 07/17] media: media/v4l2-core: Fix kernel-infoleak in video_put_user() Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 08/17] KVM: arm64: Add kvm_extable for vaxorcism code Greg Kroah-Hartman
2020-09-04 13:30 ` Greg Kroah-Hartman [this message]
2020-09-04 13:30 ` [PATCH 5.8 10/17] dt-bindings: mmc: tegra: Add tmclk for Tegra210 and later Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 11/17] arm64: tegra: Add missing timeout clock to Tegra194 SDMMC nodes Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 12/17] arm64: tegra: Add missing timeout clock to Tegra186 " Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 13/17] arm64: tegra: Add missing timeout clock to Tegra210 SDMMC Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 14/17] sdhci: tegra: Remove SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK for Tegra210 Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 15/17] sdhci: tegra: Remove SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK for Tegra186 Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 16/17] nl80211: fix NL80211_ATTR_HE_6GHZ_CAPABILITY usage Greg Kroah-Hartman
2020-09-04 13:30 ` [PATCH 5.8 17/17] scsi: target: tcmu: Optimize use of flush_dcache_page Greg Kroah-Hartman
2020-09-04 19:23 ` [PATCH 5.8 00/17] 5.8.7-rc1 review Guenter Roeck
2020-09-05 9:28 ` Greg Kroah-Hartman
2020-09-04 20:11 ` Shuah Khan
2020-09-05 9:28 ` Greg Kroah-Hartman
2020-09-05 15:42 ` Dan Rue
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200904120258.449102679@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andre.przywara@arm.com \
--cc=catalin.marinas@arm.com \
--cc=james.morse@arm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).