[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 6/6] x86/xstate: Fix latent bugs in compress_xsave_states()

To: "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Mon, 12 Sep 2016 07:47:30 -0600
Cc: Xen-devel <xen-devel@xxxxxxxxxxxxx>
Delivery-date: Mon, 12 Sep 2016 13:47:39 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 12.09.16 at 14:59, <andrew.cooper3@xxxxxxxxxx> wrote:
> On 12/09/16 13:27, Jan Beulich wrote:
>>>>> On 12.09.16 at 11:51, <andrew.cooper3@xxxxxxxxxx> wrote:
>>>  void compress_xsave_states(struct vcpu *v, const void *src, unsigned int 
>>> size)
>>>  {
>>>      struct xsave_struct *xsave = v->arch.xsave_area;
>>>      uint16_t comp_offsets[sizeof(xfeature_mask)*8];
>>> -    u64 xstate_bv = ((const struct xsave_struct 
>>> *)src)->xsave_hdr.xstate_bv;
>>> -    u64 valid;
>>> +    u64 xstate_bv, valid;
>>> +
>>> +    BUG_ON(!v->arch.xcr0_accum);
>>> +    BUG_ON(size != xstate_ctxt_size(v->arch.xcr0_accum));
>>> +    BUG_ON(xsave_area_compressed(src));
>>>  
>>> -    ASSERT(!xsave_area_compressed(src));
>> Same remark here as on the earlier patch wrt BUG_ON() vs ASSERT().
> 
> Same answer.

Well, it's certainly a matter of taste how much of the above to consider
bounds checking. I for one would take only the middle one as such.

>>> +    xstate_bv = ((const struct xsave_struct *)src)->xsave_hdr.xstate_bv;
>>>  
>>>      if ( !(v->arch.xcr0_accum & XSTATE_XSAVES_ONLY) )
>>>      {
>>> +        /*
>>> +         * TODO: This logic doesn't currently handle restoration of xsave
>>> +         * state which would force the vcpu from uncompressed to 
>>> compressed.
>>> +         */
>>> +        BUG_ON(xstate_bv & XSTATE_XSAVES_ONLY);
>> I don't think this is a valid concern of yours: The function can't be
>> used to restore features not xcr0_accum anyway (or else that
>> field would need updating). Afaict validate_xstate() already prevents
>> this as intended.
> 
> This is all currently dead code.  I guess the question really depends on
> what we plan to do with compressed states.
> 
> Strictly speaking, no XSAVES state can every be present in xcr0, by
> design.  If we retroactively consider xcr0_accum to be "all states in
> use",

I think that's the only viable model, considering how the domctl works:
xcr0_accum needs to represent the combination of features ever
enabled in XCR0 and XSS.

> then the if condition in context does become relevant when Xen
> starts supporting XSAVES-only components.
> 
> In such a case, it is definitely wrong to memcpy() the uncompressed
> buffer, as Xen will try and use xrstors and corrupt all guest state.

How? If the guest never enabled any bit in XSS, how can any such
bit be set in xstate_bv (which is always a subset of XCR0|XSS).

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 6/6] x86/xstate: Fix latent bugs in compress_xsave_states()
  - From: Andrew Cooper

References:
- [Xen-devel] [PATCH 0/6] Fix multiple issues with xsave state handling on migrate
  - From: Andrew Cooper
- [Xen-devel] [PATCH 6/6] x86/xstate: Fix latent bugs in compress_xsave_states()
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH 6/6] x86/xstate: Fix latent bugs in compress_xsave_states()
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH 6/6] x86/xstate: Fix latent bugs in compress_xsave_states()
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
Next by Date: Re: [Xen-devel] [PATCH v3 32/38] arm/p2m: Code movement in instr/data abort handlers
Previous by thread: Re: [Xen-devel] [PATCH 6/6] x86/xstate: Fix latent bugs in compress_xsave_states()
Next by thread: Re: [Xen-devel] [PATCH 6/6] x86/xstate: Fix latent bugs in compress_xsave_states()
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.