From patchwork Wed Mar 15 16:04:42 2017
X-Patchwork-Submitter: Razvan Cojocaru
X-Patchwork-Id: 9626091
From: Razvan Cojocaru
To: xen-devel@lists.xen.org
Date: Wed, 15 Mar 2017 18:04:42 +0200
Message-Id: <1489593882-18025-1-git-send-email-rcojocaru@bitdefender.com>
Cc: wei.liu2@citrix.com, Razvan Cojocaru, george.dunlap@eu.citrix.com, andrew.cooper3@citrix.com, ian.jackson@eu.citrix.com, tim@xen.org, paul.durrant@citrix.com, jbeulich@suse.com
Subject: [Xen-devel] [PATCH V2] x86/emulate: synchronize LOCKed instruction emulation

LOCK-prefixed instructions are currently allowed to run in parallel in x86_emulate(), which can lead the guest into an undefined state. This patch fixes the issue.

Signed-off-by: Razvan Cojocaru
Signed-off-by: Andrew Cooper
---
Changes since V1:
- Added Andrew Cooper's credit, as he's kept the patch current throughout non-trivial code changes since the initial patch.
- Significantly more patch testing (with XenServer).
- Restricted lock scope.
- Logic fixes.
---
 tools/tests/x86_emulator/test_x86_emulator.c | 10 ++++++++++
 xen/arch/x86/domain.c                        |  2 ++
 xen/arch/x86/hvm/emulate.c                   | 26 ++++++++++++++++++++++++++
 xen/arch/x86/mm.c                            |  6 ++++++
 xen/arch/x86/mm/shadow/common.c              |  2 ++
 xen/arch/x86/traps.c                         |  2 ++
 xen/arch/x86/x86_emulate/x86_emulate.c       | 14 ++++++++++++--
 xen/arch/x86/x86_emulate/x86_emulate.h       |  8 ++++++++
 xen/include/asm-x86/domain.h                 |  4 ++++
 xen/include/asm-x86/hvm/emulate.h            |  3 +++
 10 files changed, 75 insertions(+), 2 deletions(-)

diff --git a/tools/tests/x86_emulator/test_x86_emulator.c b/tools/tests/x86_emulator/test_x86_emulator.c index 04332bb..86b79a1 100644 --- a/tools/tests/x86_emulator/test_x86_emulator.c +++ b/tools/tests/x86_emulator/test_x86_emulator.c @@ -283,6 +283,14 @@ static int read_msr( return X86EMUL_UNHANDLEABLE; } +static void smp_lock(bool locked) +{ +} + +static void smp_unlock(bool locked) +{ +} + static struct x86_emulate_ops emulops = { .read = read, .insn_fetch = fetch, @@ -293,6 +301,8 @@ static struct x86_emulate_ops emulops = { .read_cr = emul_test_read_cr, .read_msr = read_msr, .get_fpu = emul_test_get_fpu, + .smp_lock = smp_lock, + .smp_unlock = smp_unlock, }; int main(int argc, char **argv) diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c index 479aee6..55010f4 100644 --- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c @@ -529,6 +529,8 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags, if ( config == NULL && !is_idle_domain(d) ) return -EINVAL; + percpu_rwlock_resource_init(&d->arch.emulate_lock, emulate_locked_rwlock); + d->arch.s3_integrity = !!(domcr_flags & DOMCRF_s3_integrity); INIT_LIST_HEAD(&d->arch.pdev_list); 
diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index f36d7c9..d5bfbf1 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -24,6 +24,8 @@ #include #include +DEFINE_PERCPU_RWLOCK_GLOBAL(emulate_locked_rwlock); + static void hvmtrace_io_assist(const ioreq_t *p) { unsigned int size, event; @@ -1682,6 +1684,26 @@ static int hvmemul_vmfunc( return rc; } +void emulate_smp_lock(bool locked) +{ + struct domain *d = current->domain; + + if ( locked ) + percpu_write_lock(emulate_locked_rwlock, &d->arch.emulate_lock); + else + percpu_read_lock(emulate_locked_rwlock, &d->arch.emulate_lock); +} + +void emulate_smp_unlock(bool locked) +{ + struct domain *d = current->domain; + + if ( locked ) + percpu_write_unlock(emulate_locked_rwlock, &d->arch.emulate_lock); + else + percpu_read_unlock(emulate_locked_rwlock, &d->arch.emulate_lock); +} + static const struct x86_emulate_ops hvm_emulate_ops = { .read = hvmemul_read, .insn_fetch = hvmemul_insn_fetch, @@ -1706,6 +1728,8 @@ static const struct x86_emulate_ops hvm_emulate_ops = { .put_fpu = hvmemul_put_fpu, .invlpg = hvmemul_invlpg, .vmfunc = hvmemul_vmfunc, + .smp_lock = emulate_smp_lock, + .smp_unlock = emulate_smp_unlock, }; static const struct x86_emulate_ops hvm_emulate_ops_no_write = { @@ -1731,6 +1755,8 @@ static const struct x86_emulate_ops hvm_emulate_ops_no_write = { .put_fpu = hvmemul_put_fpu, .invlpg = hvmemul_invlpg, .vmfunc = hvmemul_vmfunc, + .smp_lock = emulate_smp_lock, + .smp_unlock = emulate_smp_unlock, }; static int _hvm_emulate_one(struct hvm_emulate_ctxt *hvmemul_ctxt, diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 7bc951d..2fb3325 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c 
@@ -5369,6 +5369,8 @@ static const struct x86_emulate_ops ptwr_emulate_ops = { .cmpxchg = ptwr_emulated_cmpxchg, .validate = pv_emul_is_mem_write, .cpuid = pv_emul_cpuid, + .smp_lock = emulate_smp_lock, + .smp_unlock = emulate_smp_unlock, }; /* Write page fault handler: check if guest is trying to modify a PTE. */ @@ -5485,6 +5487,8 @@ static const struct x86_emulate_ops mmio_ro_emulate_ops = { .write = mmio_ro_emulated_write, .validate = pv_emul_is_mem_write, .cpuid = pv_emul_cpuid, + .smp_lock = emulate_smp_lock, + .smp_unlock = emulate_smp_unlock, }; int mmcfg_intercept_write( @@ -5524,6 +5528,8 @@ static const struct x86_emulate_ops mmcfg_intercept_ops = { .write = mmcfg_intercept_write, .validate = pv_emul_is_mem_write, .cpuid = pv_emul_cpuid, + .smp_lock = emulate_smp_lock, + .smp_unlock = emulate_smp_unlock, }; /* Check if guest is trying to modify a r/o MMIO page. */ diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index d078d78..3a2f02e 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -310,6 +310,8 @@ static const struct x86_emulate_ops hvm_shadow_emulator_ops = { .write = hvm_emulate_write, .cmpxchg = hvm_emulate_cmpxchg, .cpuid = hvmemul_cpuid, + .smp_lock = emulate_smp_lock, + .smp_unlock = emulate_smp_unlock, }; const struct x86_emulate_ops *shadow_init_emulation( diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index 08b0070..8bdc8c8 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -2957,6 +2957,8 @@ static const struct x86_emulate_ops priv_op_ops = { .write_msr = priv_op_write_msr, .cpuid = pv_emul_cpuid, .wbinvd = priv_op_wbinvd, + .smp_lock = emulate_smp_lock, + .smp_unlock = emulate_smp_unlock, }; static int emulate_privileged_op(struct cpu_user_regs *regs) diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c index 4872f19..bec4af7 100644 --- a/xen/arch/x86/x86_emulate/x86_emulate.c 
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c @@ -3037,7 +3037,7 @@ x86_emulate( struct x86_emulate_stub stub = {}; DECLARE_ALIGNED(mmval_t, mmval); - ASSERT(ops->read); + ASSERT(ops->read && ops->smp_lock && ops->smp_unlock); rc = x86_decode(&state, ctxt, ops); if ( rc != X86EMUL_OKAY ) @@ -3065,6 +3065,8 @@ x86_emulate( d = state.desc; #define state (&state) + ops->smp_lock(lock_prefix); + generate_exception_if(state->not_64bit && mode_64bit(), EXC_UD); if ( ea.type == OP_REG ) @@ -3593,6 +3595,12 @@ x86_emulate( break; case 0x86 ... 0x87: xchg: /* xchg */ + if ( !lock_prefix ) + { + ops->smp_unlock(lock_prefix); + lock_prefix = 1; + ops->smp_lock(lock_prefix); + } /* Write back the register source. */ switch ( dst.bytes ) { @@ -3603,7 +3611,6 @@ x86_emulate( } /* Write back the memory destination with implicit LOCK prefix. */ dst.val = src.val; - lock_prefix = 1; break; case 0xc6: /* Grp11: mov / xabort */ @@ -7925,8 +7932,11 @@ x86_emulate( ctxt->regs->eflags &= ~X86_EFLAGS_RF; done: + ops->smp_unlock(lock_prefix); + _put_fpu(); put_stub(stub); + return rc; #undef state } diff --git a/xen/arch/x86/x86_emulate/x86_emulate.h b/xen/arch/x86/x86_emulate/x86_emulate.h index 6e98453..3f8bb38 100644 --- a/xen/arch/x86/x86_emulate/x86_emulate.h +++ b/xen/arch/x86/x86_emulate/x86_emulate.h @@ -448,6 +448,14 @@ struct x86_emulate_ops /* vmfunc: Emulate VMFUNC via given set of EAX ECX inputs */ int (*vmfunc)( struct x86_emulate_ctxt *ctxt); + + /* smp_lock: Take a write lock if locked, read lock otherwise. */ + void (*smp_lock)( + bool locked); + + /* smp_unlock: Write unlock if locked, read unlock otherwise. */ + void (*smp_unlock)( + bool locked); }; struct cpu_user_regs; diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h index ff5267f..2afccab 100644 --- a/xen/include/asm-x86/domain.h +++ b/xen/include/asm-x86/domain.h 
@@ -271,6 +271,8 @@ struct monitor_write_data { uint64_t cr4; }; +DECLARE_PERCPU_RWLOCK_GLOBAL(emulate_locked_rwlock); + struct arch_domain { struct page_info *perdomain_l3_pg; @@ -413,6 +415,8 @@ struct arch_domain /* Emulated devices enabled bitmap. */ uint32_t emulation_flags; + + percpu_rwlock_t emulate_lock; } __cacheline_aligned; #define has_vlapic(d) (!!((d)->arch.emulation_flags & XEN_X86_EMU_LAPIC)) diff --git a/xen/include/asm-x86/hvm/emulate.h b/xen/include/asm-x86/hvm/emulate.h index 88d6b70..b29a47e 100644 --- a/xen/include/asm-x86/hvm/emulate.h +++ b/xen/include/asm-x86/hvm/emulate.h @@ -93,6 +93,9 @@ int hvmemul_do_pio_buffer(uint16_t port, void hvm_dump_emulation_state(const char *prefix, struct hvm_emulate_ctxt *hvmemul_ctxt); +void emulate_smp_lock(bool locked); +void emulate_smp_unlock(bool locked); + #endif /* __ASM_X86_HVM_EMULATE_H__ */ /*
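Review bot: in the x86_emulate.c hunks, the `+ ops->smp_lock(lock_prefix);` added after `#define state (&state)` and the `+ ops->smp_unlock(lock_prefix);` added at `done:` must be paired on every path, and nothing in the patch shows that they are. Any `goto done` reachable between the `rc = x86_decode(&state, ctxt, ops);` error check and the new smp_lock() call would release a lock that was never taken, and every callback invoked between those two points (all of the ops->read/ops->write/ops->cmpxchg traffic of the instruction) now runs with the lock held, so a callback that can itself re-enter x86_emulate() would self-deadlock on the write lock of a LOCK-prefixed instruction. Please either state in the commit message why neither case exists, or track the acquisition in a local flag that `done:` tests before unlocking, so a future early exit cannot unbalance the lock silently.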
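Review bot: the read-to-write upgrade added in the `case 0x86 ... 0x87: xchg:` hunk is not atomic: between `ops->smp_unlock(lock_prefix);` and the following `ops->smp_lock(lock_prefix);` a LOCK-prefixed instruction on another vCPU can run, yet the memory operand of this xchg was already fetched under the read lock by the operand handling that precedes the opcode switch (the code immediately below is only the write-back of the register source and of the memory destination). That reopens exactly the race the comment `/* Write back the memory destination with implicit LOCK prefix. */` says must not exist. Since the opcode is known once x86_decode() returns, force `lock_prefix = 1` for 0x86/0x87 before the `ops->smp_lock(lock_prefix);` call in the earlier hunk; the write lock is then held from the first operand access, and both the unlock/relock block and the `- lock_prefix = 1;` removal in the next hunk become unnecessary.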
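Review bot: in the x86_emulate.h hunk, `smp_lock` and `smp_unlock` are the only struct x86_emulate_ops members that do not receive `struct x86_emulate_ctxt *ctxt` (compare the `vmfunc` prototype directly above them), which is what forces emulate_smp_lock() in hvm/emulate.c to go through `current->domain` instead of the context being emulated. Pass `ctxt` like every other hook, and say in the header comment that both hooks are mandatory: the new `ASSERT(ops->read && ops->smp_lock && ops->smp_unlock);` makes x86_emulate() reject an op table that omits them, unlike the optional hooks around them, and that is not obvious from the comments as written.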
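Review bot: the `smp_lock()`/`smp_unlock()` stubs added to test_x86_emulator.c are empty and carry no comment saying why (the harness is single-threaded, so there is nothing to exclude). A small change makes them useful: keep a lock-depth counter and the last `locked` value in the stubs, increment/decrement them in smp_lock()/smp_unlock(), and check after each x86_emulate() call in main() that the depth is back to zero and that unlock saw the same mode as lock. That turns the stubs into a check for the lock/unlock pairing on early-exit paths, which the no-op bodies cannot catch.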
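Review bot: the hvm/emulate.c hunk adding emulate_smp_lock()/emulate_smp_unlock() encodes the whole locking policy (one percpu rwlock per domain, looked up via `current->domain`; write mode for LOCK-prefixed instructions, read mode for everything else) but neither the functions nor the commit message document it, and "Restricted lock scope" in the changelog does not say what the scope now is. Add a comment above emulate_smp_lock() stating that non-LOCKed instructions still emulate concurrently with one another and are serialized only against LOCKed ones, and that the lock is per domain rather than global. Also note that the same two functions are wired into the PV-only op tables in mm.c (`ptwr_emulate_ops`, `mmio_ro_emulate_ops`, `mmcfg_intercept_ops`) and traps.c (`priv_op_ops`), so hvm/emulate.c and asm-x86/hvm/emulate.h are a surprising home for them; a neutral location under x86_emulate or x86/mm would make the dependency clearer.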