Xen project Mailing List

Re: [PATCH v2 1/4] x86/domctl: Stop using XLAT_cpu_user_regs()

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 8 Aug 2025 11:42:58 +0100

Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; keydata= xsFNBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABzSlBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPsLBegQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86M7BTQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAcLB XwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Fri, 08 Aug 2025 10:43:05 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 08/08/2025 11:09 am, Jan Beulich wrote: > On 07.08.2025 13:16, Andrew Cooper wrote: >> In order to support FRED, we're going to have to remove the {ds..gs} fields >> from struct cpu_user_regs, meaning that it is going to have to become a >> different type to the structure embedded in vcpu_guest_context_u. >> >> In both arch_{get,set}_info_guest(), expand the memcpy()/XLAT_cpu_user_regs() >> to copy the fields individually. This will allow us to eventually make them >> different types. >> >> This does cause some minor changes in behaviour for the hypercalls. >> >> It is specifically not the case that a toolstack could set_info(); >> get_info(); >> and get an identical bit pattern back. Amongst other things, the >> architectural sticky bits in registers are applied during setting. >> >> Previously, XLAT_cpu_user_regs() omitted the _pad fields in the compat case >> whereas the non-compat case included them owing to the single memcpy(). >> >> Omit the _pad fields in the non-compat case too; for all but the oldest of >> CPUs, the segment selectors are zero-extended by hardware when pushed onto >> the >> stack, so non-zero values here get lost naturally. Furthermore, FRED reuses >> the space above cs and ss for extra state, and a PV guest for now at least >> must not be able to write the control state. >> >> Omit the error_code and entry_vector fields too. They're already identified >> as private fields in the public API, and are stale outside of Xen's >> interrupt/exception/syscall handler. They're also a very minor information >> leak of which event caused the last deschedule of a vCPU. > I think my prior remark towards tools like xenctx wasn't really addressed. > Then again that particular tool doesn't use the fields now, so apparently > no-one ever saw a need. Oh, sorry. I did specifically look (everywhere in tools, not just xenctx), and they're not used at all. Xenalyze uses an error_code, but that's a field name from the EPT/NPT fault trace record, not from cpu_user_regs. Finally, the observation about the information leak. The information present is often the timer interrupt (end of time-slice), or the event check IPI (from vcpu_pause()). gdbsx is the only utility that stands a chance of reliably using ->entry_vector, and even it doesn't because that's not how GDB works. Overall, I'd say people have been pretty good at following the /* Private */ note in the public ABI. > >> --- a/xen/arch/x86/domain.c >> +++ b/xen/arch/x86/domain.c >> @@ -1233,7 +1233,24 @@ int arch_set_info_guest( >> >> if ( !compat ) >> { >> - memcpy(&v->arch.user_regs, &c.nat->user_regs, >> sizeof(c.nat->user_regs)); >> + memset(&v->arch.user_regs, 0, sizeof(v->arch.user_regs)); > Any reason to have this and ... > >> + v->arch.user_regs.rbx = c.nat->user_regs.rbx; >> + v->arch.user_regs.rcx = c.nat->user_regs.rcx; >> + v->arch.user_regs.rdx = c.nat->user_regs.rdx; >> + v->arch.user_regs.rsi = c.nat->user_regs.rsi; >> + v->arch.user_regs.rdi = c.nat->user_regs.rdi; >> + v->arch.user_regs.rbp = c.nat->user_regs.rbp; >> + v->arch.user_regs.rax = c.nat->user_regs.rax; >> + v->arch.user_regs.rip = c.nat->user_regs.rip; >> + v->arch.user_regs.cs = c.nat->user_regs.cs; >> + v->arch.user_regs.rflags = c.nat->user_regs.rflags; >> + v->arch.user_regs.rsp = c.nat->user_regs.rsp; >> + v->arch.user_regs.ss = c.nat->user_regs.ss; >> + v->arch.user_regs.es = c.nat->user_regs.es; >> + v->arch.user_regs.ds = c.nat->user_regs.ds; >> + v->arch.user_regs.fs = c.nat->user_regs.fs; >> + v->arch.user_regs.gs = c.nat->user_regs.gs; >> + >> if ( is_pv_domain(d) ) >> memcpy(v->arch.pv.trap_ctxt, c.nat->trap_ctxt, >> sizeof(c.nat->trap_ctxt)); >> @@ -1241,7 +1258,24 @@ int arch_set_info_guest( >> #ifdef CONFIG_COMPAT >> else >> { >> - XLAT_cpu_user_regs(&v->arch.user_regs, &c.cmp->user_regs); >> + memset(&v->arch.user_regs, 0, sizeof(v->arch.user_regs)); > ... this separate, rather than putting just one ahead of the if()? Code generation. If you hoist the memset(), it can't be merged with the assignments. Although I see now it's not even attempting the mere (it was in the past), and I don't care enough to argue, so I'll change it. > Preferably with that adjustment: > Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> Thanks. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.