From patchwork Thu Oct 26 07:57:04 2017
X-Patchwork-Submitter: Jan Beulich
X-Patchwork-Id: 10027699
Message-Id: <59F1B170020000780018A1B8@prv-mh.provo.novell.com>
Date: Thu, 26 Oct 2017 01:57:04 -0600
From: "Jan Beulich"
To: "xen-devel"
Cc: Andrew Cooper , Julien Grall
References: <59F1AB3E020000780018A19C@prv-mh.provo.novell.com>
In-Reply-To: <59F1AB3E020000780018A19C@prv-mh.provo.novell.com>
Subject: [Xen-devel] [PATCH 1/2] x86: don't latch wrong (stale) GS base addresses

load_segments() writes selector registers before doing any of the base address updates. Any of these selector loads can cause a page fault in case it references the LDT, and the LDT page accessed was only recently installed. Therefore the call tree map_ldt_shadow_page() -> guest_get_eff_kern_l1e() -> toggle_guest_mode() would in such a case wrongly latch the outgoing vCPU's GS.base into the incoming vCPU's recorded state.

Split page table toggling from GS handling - neither guest_get_eff_kern_l1e() nor guest_io_okay() needs more than the page tables being the kernel ones for the memory access they want to do.

Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper

--- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -233,8 +233,17 @@ void toggle_guest_mode(struct vcpu *v) else v->arch.pv_vcpu.gs_base_user = __rdgsbase(); } - v->arch.flags ^= TF_kernel_mode; asm volatile ( "swapgs" ); + + toggle_guest_pt(v); +} + +void toggle_guest_pt(struct vcpu *v) +{ + if ( is_pv_32bit_vcpu(v) ) + return; + + v->arch.flags ^= TF_kernel_mode; update_cr3(v); /* Don't flush user global mappings from the TLB. Don't tick TLB clock. */ asm volatile ( "mov %0, %%cr3" : : "r" (v->arch.cr3) : "memory" ); --- a/xen/arch/x86/pv/emul-priv-op.c +++ b/xen/arch/x86/pv/emul-priv-op.c
@@ -137,7 +137,7 @@ static bool guest_io_okay(unsigned int p * read as 0xff (no access allowed). */ if ( user_mode ) - toggle_guest_mode(v); + toggle_guest_pt(v); switch ( __copy_from_guest_offset(x.bytes, v->arch.pv_vcpu.iobmp, port>>3, 2) ) @@ -150,7 +150,7 @@ static bool guest_io_okay(unsigned int p } if ( user_mode ) - toggle_guest_mode(v); + toggle_guest_pt(v); if ( (x.mask & (((1 << bytes) - 1) << (port & 7))) == 0 ) return true; --- a/xen/arch/x86/pv/mm.c +++ b/xen/arch/x86/pv/mm.c @@ -72,12 +72,12 @@ static l1_pgentry_t guest_get_eff_kern_l l1_pgentry_t l1e; if ( user_mode ) - toggle_guest_mode(curr); + toggle_guest_pt(curr); l1e = guest_get_eff_l1e(linear); if ( user_mode ) - toggle_guest_mode(curr); + toggle_guest_pt(curr); return l1e; } --- a/xen/include/asm-x86/domain.h +++ b/xen/include/asm-x86/domain.h @@ -76,6 +76,8 @@ void mapcache_override_current(struct vc /* x86/64: toggle guest between kernel and user modes. */ void toggle_guest_mode(struct vcpu *); +/* x86/64: toggle guest page tables between kernel and user modes. */ +void toggle_guest_pt(struct vcpu *); /* * Initialise a hypercall-transfer page. The given pointer must be mapped
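Review bot: the new toggle_guest_pt() in the xen/arch/x86/pv/domain.c hunk carries no comment at its definition saying that it flips TF_kernel_mode and reloads CR3 but deliberately leaves the GS bases alone, nor that it must be called in balanced pairs; the only description is the one-liner added to domain.h. The `if ( is_pv_32bit_vcpu(v) ) return;` early-out also turns the two new callers into silent no-ops for 32-bit PV vCPUs, which deserves a line of explanation so a later reader does not assume the CR3 switch took place. Suggest something like `/* Switch only the page tables; GS bases are untouched (see toggle_guest_mode()). Calls must be paired. */` above the function.

Review bot: in the second guest_io_okay() hunk of xen/arch/x86/pv/emul-priv-op.c the restoring `toggle_guest_pt(v)` sits after the `switch ( __copy_from_guest_offset(...) )` whose case bodies are outside the shown context; while touching these lines it is worth confirming that no `return` inside that switch skips the second toggle, since the two calls now have to stay balanced on their own and a missed re-toggle would leave the vCPU on kernel page tables with TF_kernel_mode flipped.

Review bot: the comment added in xen/include/asm-x86/domain.h mirrors the wording of toggle_guest_mode()'s comment and so hides the one difference that matters for this patch; it should say that toggle_guest_pt() switches only the page tables (TF_kernel_mode and CR3), leaves the GS bases untouched, and is a no-op for 32-bit PV vCPUs. Suggest `/* x86/64: toggle only the guest page tables between kernel and user modes; GS bases are not touched. */` in place of the added line.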