[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2] xen: fix XEN_DOMCTL_gdbsx_guestmemio crash
- To: Juergen Gross <jgross@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Tue, 19 Apr 2022 12:59:24 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5ICpOObHlHH/dvab1Vd/nThqagLI2LtlAVVgs+J/SSA=; b=P7L6uFhQ4z1Y5uCyk0QDiiYJ4yp7h/yT9YiCIPHrPRtqu1NhTCqek1Fq+Vpy6FfmGUzxMA6E1t6FjrYbkVpbs2CFPCMqwGCFtUc/nDA8H5jWjJtdWOxqEchRpgYFUbGikQfMBq3JK/fqSXrZU+qQ48vb1YoJiiWacPNaG3tScRMtcuug177o4exRRYIHUnH9nfnCvJBdo2tMV9ZK4W1K1fkUsYdb8377oQNLgASSocIatDmmvXX6a+iHDFV7mlrahibYXPzXFLuNfhdMMVkkKzH5FShbjXPpG5t2X+dztPpiULAuAXB8D+s90Gg06JjTdRkHbKwvT8FBOosCgyet9Q==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SDzom3zTSTyzANHBVUz6yoTfpDQP1IDOVn3M/7Ji8aduIwBUPK0vkI3eW1TkFittxur1hwBpTcqqLhIS5bVWzZWjznJ8wEidLhSdBQ2WQP5UAATpa5rUBkjCxYdB+TbxYmZj1/QgKHIdPlIpP9Xo4EP9jdjJvByV0qPkiraewupT18pfI/dSTTXq3k8GSBU/4y7SqQEzXJJgeSKYS7TxoySW4I8X30iLjdLBpNpospstwbzIdv24Y9Ckhemiz2jNAaWTbC0pSQnJk+A8KoMVLXvOqZD3+pghBYVch2YspxUDtrZay2z/iPp4A89sVbaCN3HL7dGxrOTJ1rW/PioIow==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: Elena Ufimtseva <elena.ufimtseva@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Cheyenne Wills <cheyenne.wills@xxxxxxxxx>
- Delivery-date: Tue, 19 Apr 2022 12:59:36 +0000
- Ironport-data: A9a23:mD6VD60/+g9MmlSMQfbD5TNwkn2cJEfYwER7XKvMYLTBsI5bp2dWn GIbXGmPaPyKZmL9eNhxYNyzoxsE6pTSydNmGgRspC1hF35El5HIVI+TRqvS04J+DSFhoGZPt Zh2hgzodZhsJpPkjk7xdOCn9xGQ7InQLlbGILes1htZGEk1EE/NtTo5w7Rj2tIx0IDga++wk YiaT/P3aQfNNwFcagr424rbwP+4lK2v0N+wlgVWicFj5DcypVFMZH4sDfjZw0/DaptVBoaHq 9Prl9lVyI97EyAFUbtJmp6jGqEDryW70QKm0hK6UID66vROS7BbPg/W+5PwZG8O4whlkeydx /1JvL6zchsEP5frs70XYjtdGHpSI41JreqvzXiX6aR/zmXgWl61m7BLMxtzOocVvOFqHWtJ6 PoUbigXaQyOjP63x7T9TfRwgsMkL4/gO4Z3VnNIlGmFS6p5B82eBfySu7e03x9p7ixKNd/Ya 9AUdnxEaxPYbgcUElwWFIg/jKGjgXyXnzhw9gLF/fZusje7IApZ17LBMYLoRdGxSupTnmWgg D/f8E/oHURPXDCY4X/fmp62vcfNkjn8Q5k6D6Cj+7hhh1j77nweDlgaWEW2pdG9i1WiQJRPJ koM4C0soKMuskuxQbHVUhm1pnfCoxAdXsZLHvMzwAaXw6HQ7kCSAW1sZjxLZcEitcQ2bSc3z VLPlNTsbRRwtJWFRHTb8a2bxRuwJCwUIGkqdSICCwwf7LHLu5ovhxjCStJiFq+djdDvHzz0h TeQo0AWjLUenMMN0aj94lHDhymEqZ3ATwpz7QLSNl9J9St8bY+hIom3s17S6K8YKJ7DFwHf+ n8Zh8KZ8eYCS4mXkzCAS/kMG7fv4OuZNDrbghhkGJxJGymRxkNPtLt4uFlWTHqF+O5dEdM1S Cc/YT9s2aI=
- Ironport-hdrordr: A9a23:Jk+8vKueoIbQbaWCCSEYfom97skCL4Aji2hC6mlwRA09TyXGra 2TdaUgvyMc1gx7ZJh5o6H6BEGBKUmslqKceeEqTPuftXrdyRGVxeZZnMTfKlzbamDDH4tmuZ uIHJIOb+EYYWIasS++2njBLz9C+qjIzEnLv5a5854Fd2gDBM9dBkVCe3+m+yZNNWt77O8CZf 6hD7181l+dkBosDviTNz0gZazuttfLnJXpbVotHBg88jSDijuu9frTDwWY9g12aUIO/Z4StU z+1yDp7KSqtP+2jjXG0XXI0phQkNz9jvNeGc23jNQPIDmEsHfqWG0hYczBgNkGmpDq1L8Yqq iKn/7mBbU015rlRBDxnfIq4Xi47N9h0Q679bbSuwqfnSWwfkNHNyMGv/MZTvKR0TtfgDk3up g7oF6xpt5ZCwjNkz/64MWNXxZ2llCsqX5niuILiWdDOLFuIIO5gLZvin+9Kq1wVR4SKbpXYt VGHYXZ/rJbYFmaZ3fWsi1mx8GtRG06GlODTlIZssKY3jBKlDQhpnFojvA3jzMF7tYwWpNE7+ PLPuBhk6xPVNYfaeZ4CP0aScW6B2TRSVbHMX6UI17gCKYbUki94KLf8fEw/qWnaZYIxJw9lN DIV05Zr3c7fwb0BciHzPRwg2fwqaWGLEDQI+1lluhEU+fHNcvW2AW4OSMTutrlpekDCcvGXP v2MI5KApbYXB7TJbo=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHYU9bjmHO326ELbkuQmQOwkh6+0Kz3DCaAgAADBYCAACONAA==
- Thread-topic: [PATCH v2] xen: fix XEN_DOMCTL_gdbsx_guestmemio crash
On 19/04/2022 11:51, Juergen Gross wrote:
> On 19.04.22 12:40, Andrew Cooper wrote:
>> On 19/04/2022 11:18, Juergen Gross wrote:
>>> A hypervisor built without CONFIG_GDBSX will crash in case the
>>> XEN_DOMCTL_gdbsx_guestmemio domctl is being called, as the call will
>>> end up in iommu_do_domctl() with d == NULL:
>>>
>>> (XEN) CPU: 6
>>> (XEN) RIP: e008:[<ffff82d040269984>] iommu_do_domctl+0x4/0x30
>>> (XEN) RFLAGS: 0000000000010202 CONTEXT: hypervisor (d0v0)
>>> (XEN) rax: 00000000000003e8 rbx: ffff830856277ef8 rcx:
>>> ffff830856277fff
>>> ...
>>> (XEN) Xen call trace:
>>> (XEN) [<ffff82d040269984>] R iommu_do_domctl+0x4/0x30
>>> (XEN) [<ffff82d04035cd5f>] S arch_do_domctl+0x7f/0x2330
>>> (XEN) [<ffff82d040239e46>] S do_domctl+0xe56/0x1930
>>> (XEN) [<ffff82d040238ff0>] S do_domctl+0/0x1930
>>> (XEN) [<ffff82d0402f8c59>] S pv_hypercall+0x99/0x110
>>> (XEN) [<ffff82d0402f5161>] S
>>> arch/x86/pv/domain.c#_toggle_guest_pt+0x11/0x90
>>> (XEN) [<ffff82d040366288>] S lstar_enter+0x128/0x130
>>> (XEN)
>>> (XEN) Pagetable walk from 0000000000000144:
>>> (XEN) L4[0x000] = 0000000000000000 ffffffffffffffff
>>> (XEN)
>>> (XEN) ****************************************
>>> (XEN) Panic on CPU 6:
>>> (XEN) FATAL PAGE FAULT
>>> (XEN) [error_code=0000]
>>> (XEN) Faulting linear address: 0000000000000144
>>>
>>> Fix this issue by modifying the interface of gdbsx_guest_mem_io() to
>>> take the already known domain pointer instead of the domid.
>>
>> There is some explanation missing here. The adjustments you make are
>> within CONFIG_GDBSX, with the exception of the final hunk.
>
> Yeah, and this is the one really fixing the issue, while the
> other hunks are needed to cope with the way the problem is
> fixed.
In which case the salient point needed in the commit message is "reject
the use of XEN_DOMCTL_gdbsx_guestmemio without a valid domain".
I'd go so far as to say that that ought to be a oneliner fix, which also
discusses why it's safe now (it didn't used to be IIRC), and the cleanup
in a separate patch.
This also reminds me that there's a pile of almost complete series of
debugger/gdbsx/traps cleanup in need of pushing over the line.
>
>> The actual bug is that non-IOMMU subops end up in iommu_do_domctl(), so
>> while this is good cleanup to gdbsx_guest_mem_io() it, along with Jan's
>> adjustment to iommu_do_domctl(), are not suitable fixes to the crash as
>> reported.
>
> The same way non-arch subops might end up in arch_do_domctl().
>
> What would be the right way to fix that in your opinion?
>
> IMO any subop handler called under the default label of a switch() should
> be able to handle unknown subops. This is done for iommu_do_domctl() in
> Jan's patch by not dereferencing d unconditionally.
The problem isn't (specifically) how they're chained; it's the name.
arch_do_domctl() is clearly a dumping ground for arbitrary subops.
iommu_do_domctl() is clearly not.
The bug was ultimately chaining iommu_do_domctl() in a default, which is
why it *was* reasonable for "use is_iommu_enabled() where
appropriate..." to assume that only iommu subops would reach the function.
iommu_do_domctl() either needs re-chaining under several case xxx:, or
it needs renaming to something generic like arch_do_domctl2().
Nothing else is going to leave the code in a position where it's harder
to make mistakes like this.
~Andrew
|
