2021-09-21 01:41:01

by Jan Beulich

[permalink] [raw]
Subject: [PATCH v2] xen/x86: fix PV trap handling on secondary processors

The initial observation was that in PV mode under Xen 32-bit user space
didn't work anymore. Attempts of system calls ended in #GP(0x402). All
of the sudden the vector 0x80 handler was not in place anymore. As it
turns out up to 5.13 redundant initialization did occur: Once from
cpu_initialize_context() (through its VCPUOP_initialise hypercall) and a
2nd time while each CPU was brought fully up. This 2nd initialization is
now gone, uncovering that the 1st one was flawed: Unlike for the
set_trap_table hypercall, a full virtual IDT needs to be specified here;
the "vector" fields of the individual entries are of no interest. With
many (kernel) IDT entries still(?) (i.e. at that point at least) empty,
the syscall vector 0x80 ended up in slot 0x20 of the virtual IDT, thus
becoming the domain's handler for vector 0x20.

Make xen_convert_trap_info() fit for either purpose, leveraging the fact
that on the xen_copy_trap_info() path the table starts out zero-filled.
This includes moving out the writing of the sentinel, which would also
have lead to a buffer overrun in the xen_copy_trap_info() case if all
(kernel) IDT entries were populated. Convert the writing of the sentinel
to clearing of the entire table entry rather than just the address
field.

(I didn't bother trying to identify the commit which uncovered the issue
in 5.14; the commit named below is the one which actually introduced the
bad code.)

Fixes: f87e4cac4f4e ("xen: SMP guest support")
Cc: [email protected]
Signed-off-by: Jan Beulich <[email protected]>
---
In how far it is correct to use the current CPU's IDT is unclear to me.
Looks at least like another latent trap.
---
v2: Switch back to using xen_convert_trap_info().

--- a/arch/x86/xen/enlighten_pv.c
+++ b/arch/x86/xen/enlighten_pv.c
@@ -755,8 +755,8 @@ static void xen_write_idt_entry(gate_des
preempt_enable();
}

-static void xen_convert_trap_info(const struct desc_ptr *desc,
- struct trap_info *traps)
+static unsigned xen_convert_trap_info(const struct desc_ptr *desc,
+ struct trap_info *traps, bool full)
{
unsigned in, out, count;

@@ -766,17 +766,18 @@ static void xen_convert_trap_info(const
for (in = out = 0; in < count; in++) {
gate_desc *entry = (gate_desc *)(desc->address) + in;

- if (cvt_gate_to_trap(in, entry, &traps[out]))
+ if (cvt_gate_to_trap(in, entry, &traps[out]) || full)
out++;
}
- traps[out].address = 0;
+
+ return out;
}

void xen_copy_trap_info(struct trap_info *traps)
{
const struct desc_ptr *desc = this_cpu_ptr(&idt_desc);

- xen_convert_trap_info(desc, traps);
+ xen_convert_trap_info(desc, traps, true);
}

/* Load a new IDT into Xen. In principle this can be per-CPU, so we
@@ -786,6 +787,7 @@ static void xen_load_idt(const struct de
{
static DEFINE_SPINLOCK(lock);
static struct trap_info traps[257];
+ unsigned out;

trace_xen_cpu_load_idt(desc);

@@ -793,7 +795,8 @@ static void xen_load_idt(const struct de

memcpy(this_cpu_ptr(&idt_desc), desc, sizeof(idt_desc));

- xen_convert_trap_info(desc, traps);
+ out = xen_convert_trap_info(desc, traps, false);
+ memset(&traps[out], 0, sizeof(traps[0]));

xen_mc_flush();
if (HYPERVISOR_set_trap_table(traps))


2021-09-21 02:46:15

by Boris Ostrovsky

[permalink] [raw]
Subject: Re: [PATCH v2] xen/x86: fix PV trap handling on secondary processors


On 9/20/21 12:15 PM, Jan Beulich wrote:
> The initial observation was that in PV mode under Xen 32-bit user space
> didn't work anymore. Attempts of system calls ended in #GP(0x402). All
> of the sudden the vector 0x80 handler was not in place anymore. As it
> turns out up to 5.13 redundant initialization did occur: Once from
> cpu_initialize_context() (through its VCPUOP_initialise hypercall) and a
> 2nd time while each CPU was brought fully up. This 2nd initialization is
> now gone, uncovering that the 1st one was flawed: Unlike for the
> set_trap_table hypercall, a full virtual IDT needs to be specified here;
> the "vector" fields of the individual entries are of no interest. With
> many (kernel) IDT entries still(?) (i.e. at that point at least) empty,
> the syscall vector 0x80 ended up in slot 0x20 of the virtual IDT, thus
> becoming the domain's handler for vector 0x20.
>
> Make xen_convert_trap_info() fit for either purpose, leveraging the fact
> that on the xen_copy_trap_info() path the table starts out zero-filled.
> This includes moving out the writing of the sentinel, which would also
> have lead to a buffer overrun in the xen_copy_trap_info() case if all
> (kernel) IDT entries were populated. Convert the writing of the sentinel
> to clearing of the entire table entry rather than just the address
> field.
>
> (I didn't bother trying to identify the commit which uncovered the issue
> in 5.14; the commit named below is the one which actually introduced the
> bad code.)
>
> Fixes: f87e4cac4f4e ("xen: SMP guest support")
> Cc: [email protected]
> Signed-off-by: Jan Beulich <[email protected]>


Reviewed-by: Boris Ostrovsky <[email protected]>

2021-09-21 07:44:32

by Jürgen Groß

[permalink] [raw]
Subject: Re: [PATCH v2] xen/x86: fix PV trap handling on secondary processors

On 20.09.21 18:15, Jan Beulich wrote:
> The initial observation was that in PV mode under Xen 32-bit user space
> didn't work anymore. Attempts of system calls ended in #GP(0x402). All
> of the sudden the vector 0x80 handler was not in place anymore. As it
> turns out up to 5.13 redundant initialization did occur: Once from
> cpu_initialize_context() (through its VCPUOP_initialise hypercall) and a
> 2nd time while each CPU was brought fully up. This 2nd initialization is
> now gone, uncovering that the 1st one was flawed: Unlike for the
> set_trap_table hypercall, a full virtual IDT needs to be specified here;
> the "vector" fields of the individual entries are of no interest. With
> many (kernel) IDT entries still(?) (i.e. at that point at least) empty,
> the syscall vector 0x80 ended up in slot 0x20 of the virtual IDT, thus
> becoming the domain's handler for vector 0x20.
>
> Make xen_convert_trap_info() fit for either purpose, leveraging the fact
> that on the xen_copy_trap_info() path the table starts out zero-filled.
> This includes moving out the writing of the sentinel, which would also
> have lead to a buffer overrun in the xen_copy_trap_info() case if all
> (kernel) IDT entries were populated. Convert the writing of the sentinel
> to clearing of the entire table entry rather than just the address
> field.
>
> (I didn't bother trying to identify the commit which uncovered the issue
> in 5.14; the commit named below is the one which actually introduced the
> bad code.)
>
> Fixes: f87e4cac4f4e ("xen: SMP guest support")
> Cc: [email protected]
> Signed-off-by: Jan Beulich <[email protected]>

Pushed to xen/tip.git for-linus-5.15b


Juergen


Attachments:
OpenPGP_0xB0DE9DD628BF132F.asc (3.06 kB)
OpenPGP public key
OpenPGP_signature (505.00 B)
OpenPGP digital signature
Download all attachments