[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2] x86: fix a crash in SPEC_CTRL_ENTRY_FROM_INTR_IST

在 2018/2/14 16:09, Jan Beulich 写道:
In an IBRS available env, bootup panic when bti=0 like below:

(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: SMEP IBRS/IBPB STIBP
(XEN) BTI mitigations: Thunk N/A, Others: IBRS- SMEP
(XEN) ----[ Xen-4.4.4OVM  x86_64  debug=n  Tainted:    C ]----
(XEN) CPU:    0
(XEN) RIP:    e008:[<ffff82d0802041bb>]
(XEN) RFLAGS: 0000000000010046   CONTEXT: hypervisor
(XEN) rax: 0000000000000000   rbx: 0000000000000000   rcx: 0000000000000048
(XEN) rdx: 0000000000000001   rsi: 0000000000000000   rdi: 0000000000000000
(XEN) rbp: 0000000000000000   rsp: ffff82d080529f58   r8:  0000000000000000
(XEN) r9:  0000000000000000   r10: 0000000000000000   r11: 0000000000000000
(XEN) r12: 0000000000000000   r13: 0000000000000000   r14: ffff82d08052ffff
(XEN) r15: 0000000000000000   cr0: 000000008005003b   cr4: 00000000001506f0
(XEN) cr3: 0000000076fbe000   cr2: 0000000000000000
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: 0000   cs: e008
(XEN) Xen stack trace from rsp=ffff82d080529f58:
(XEN)    0000000000000018 00000000ffffffff 0000000000000002 ffff82d080528000
(XEN)    0000000000000000 ffff82d0802a50e0 ffff82d08052fd98 ffff82d08072fc00
(XEN)    0000000000000000 0000000000010000 0000000000000400 0000000000000830
(XEN)    0000000000000000 000000000000000a ffff82d0803f0fc0 0000000200000000
(XEN)    ffff82d080298876 000000000000e008 0000000000000046 ffff82d08052fdf8
(XEN)    0000000000000000
(XEN) Xen call trace:
(XEN)    [<ffff82d0802041bb>] entry.o#handle_ist_exception+0xd1/0x176
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) [error_code=0000]
(XEN) ****************************************

It's due to %edx isn't cleared to zero before wrmsr.

DO_OVERWRITE_RSB clobbers %eax and happend to cover the bug in certain case so
we didn't reproduce without bti=0.

Signed-off-by: Zhenzhong Duan <zhenzhong.duan@xxxxxxxxxx>

Re-do actual code change. Also drop an unused label.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

--- a/xen/include/asm-x86/spec_ctrl_asm.h
+++ b/xen/include/asm-x86/spec_ctrl_asm.h
@@ -274,7 +274,9 @@
      testb $BTI_IST_RSB, %al
      jz .L\@_skip_rsb
+ mov %eax, %edx
+    mov %edx, %eax
.L\@_skip_rsb: @@ -286,13 +288,13 @@
      setz %dl
      and %dl, STACK_CPUINFO_FIELD(use_shadow_spec_ctrl)(%r14)
       * Load Xen's intended value.  SPEC_CTRL_IBRS vs 0 is encoded in the
       * bottom bit of bti_ist_info, via a deliberate alias with BTI_IST_IBRS.
      mov $MSR_SPEC_CTRL, %ecx
      and $BTI_IST_IBRS, %eax
+    xor %edx, %edx
/* Opencoded UNLIKELY_START() with no condition. */

I just found this patch could be optimized a bit actually by only adding two instructions. Let me prepare a v3 patch, a few minutes.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.