From patchwork Thu Sep 26 18:38:02 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Julien Grall
X-Patchwork-Id: 11163241
From: Julien Grall
To: xen-devel@lists.xenproject.org
Date: Thu, 26 Sep 2019 19:38:02 +0100
Message-Id: <20190926183808.11630-5-julien.grall@arm.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20190926183808.11630-1-julien.grall@arm.com>
References: <20190926183808.11630-1-julien.grall@arm.com>
Subject: [Xen-devel] [PATCH RFC for-4.13 04/10] xen/arm: Ensure the SSBD workaround is re-enabled right after exiting a guest
Cc: Andrii Anisov, Julien Grall, Stefano Stabellini, Volodymyr Babchuk, andrii.anisov@gmail.com

At the moment, the SSBD workaround is re-enabled for Xen after interrupts
are unmasked. This means we may end up executing some part of the
hypervisor if an interrupt is received before the workaround is
re-enabled.

As the rest of enter_hypervisor_from_guest() does not require interrupts
to be masked, the function is now split in two parts:
    1) enter_hypervisor_from_guest_noirq() called with interrupts
       masked.
    2) enter_hypervisor_from_guest() called with interrupts unmasked.

Note that while enter_hypervisor_from_guest_noirq() does not use the
on-stack context registers, it is still passed as a parameter to match
the rest of the C functions called from the entry path.

Fixes: a7898e4c59 ("xen/arm: Add ARCH_WORKAROUND_2 support for guests")
Reported-by: Andrii Anisov
Signed-off-by: Julien Grall
Reviewed-by: Volodymyr Babchuk

---
Note the Arm32 code has not been changed yet. I am also open to turning
both enter_hypervisor_from_guest_noirq() and enter_hypervisor_from()
into functions not taking any parameters.
---
 xen/arch/arm/arm64/entry.S |  2 ++
 xen/arch/arm/traps.c       | 16 +++++++++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/xen/arch/arm/arm64/entry.S b/xen/arch/arm/arm64/entry.S index 9eafae516b..458d12f188 100644 --- a/xen/arch/arm/arm64/entry.S +++ b/xen/arch/arm/arm64/entry.S @@ -173,6 +173,8 @@ ALTERNATIVE("bl check_pending_vserror; cbnz x0, 1f", "nop; nop", SKIP_SYNCHRONIZE_SERROR_ENTRY_EXIT) + mov x0, sp + bl enter_hypervisor_from_guest_noirq msr daifclr, \iflags mov x0, sp bl enter_hypervisor_from_guest diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index 20ba34ec91..5848dd8399 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -2007,16 +2007,26 @@ static inline bool needs_ssbd_flip(struct vcpu *v) } /* - * Actions that needs to be done after exiting the guest and before any - * request from it is handled. + * Actions that needs to be done after exiting the guest and before the + * interrupts are unmasked. */ -void enter_hypervisor_from_guest(struct cpu_user_regs *regs) +void enter_hypervisor_from_guest_noirq(struct cpu_user_regs *regs) { struct vcpu *v = current; /* If the guest has disabled the workaround, bring it back on. */ if ( needs_ssbd_flip(v) ) arm_smccc_1_1_smc(ARM_SMCCC_ARCH_WORKAROUND_2_FID, 1, NULL); +} + +/* + * Actions that needs to be done after exiting the guest and before any + * request from it is handled. Depending on the exception trap, this may + * be called with interrupts unmasked. + */ +void enter_hypervisor_from_guest(struct cpu_user_regs *regs) +{ + struct vcpu *v = current; /* * If we pended a virtual abort, preserve it until it gets cleared.
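
Review bot: in the xen/arch/arm/arm64/entry.S hunk, the new `bl enter_hypervisor_from_guest_noirq` is placed after the ALTERNATIVE whose `cbnz x0, 1f` branches forward, so when check_pending_vserror returns non-zero the call is skipped and the SSBD workaround is not re-enabled on that path. If the code at label 1 can do anything other than return straight to the guest, the call should move above the ALTERNATIVE; if it cannot, a short comment saying why skipping it is safe would help. A one-line comment above the call stating that it must stay ahead of `msr daifclr, \iflags` would also keep a later reorder from reopening the window the commit message describes.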
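
Review bot: in the xen/arch/arm/traps.c hunk, the needs_ssbd_flip() check and the ARM_SMCCC_ARCH_WORKAROUND_2_FID call now live only in enter_hypervisor_from_guest_noirq(), and the only caller this patch adds is in arm64/entry.S. The note under the commit message says the Arm32 code has not been changed, so any entry path that still calls just enter_hypervisor_from_guest() would stop re-enabling the workaround after a guest exit. The Arm32 call should land in this same patch, or the flip should stay reachable from enter_hypervisor_from_guest() until it does. Minor: both comments read "Actions that needs to be done"; since one of them is new text, "need" could be fixed here.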