From patchwork Mon Apr 17 12:23:08 2023
X-Patchwork-Submitter: Jan Beulich
X-Patchwork-Id: 13213763
Date: Mon, 17 Apr 2023 14:23:08 +0200
From: Jan Beulich
Subject: [PATCH v2] x86emul: avoid triggering event related assertions
To: "xen-devel@lists.xenproject.org"
Cc: Andrew Cooper, Wei Liu, Roger Pau Monné
List-Id: Xen developer discussion

The assertion at the end of x86_emulate_wrapper() as
well as the ones in x86_emul_{hw_exception,pagefault}() can trigger if we ignore X86EMUL_EXCEPTION coming back from certain hook functions. Squash exceptions when merely probing MSRs, plus on SWAPGS'es "best effort" error handling path. In adjust_bnd() add another assertion after the read_xcr(0, ...) invocation, paralleling the one in x86emul_get_fpu() - XCR0 reads should never fault when XSAVE is (implicitly) known to be available. Also update the respective comment in x86_emulate_wrapper(). Fixes: 14a6be89ec04 ("x86emul: correct EFLAGS.TF handling") Fixes: cb2626c75813 ("x86emul: conditionally clear BNDn for branches") Fixes: 6eb43fcf8a0b ("x86emul: support SWAPGS") Reported-by: AFL Signed-off-by: Jan Beulich Acked-by: Andrew Cooper --- EFER reads won't fault in any of the handlers we have, so in principle the respective check could be omitted (and hence has no Fixes: tag). Thoughts? The Fixes: tags are for the commits introducing the affected code; I'm not entirely sure whether the raising of exceptions from hook functions actually pre-dates them, but even if not the issues were at least latent ones already before. --- v2: Also update the respective comment in x86_emulate_wrapper(). --- a/xen/arch/x86/x86_emulate/0f01.c +++ b/xen/arch/x86/x86_emulate/0f01.c @@ -200,8 +200,10 @@ int x86emul_0f01(struct x86_emulate_stat if ( (rc = ops->write_segment(x86_seg_gs, &sreg, ctxt)) != X86EMUL_OKAY ) { - /* Best effort unwind (i.e. no error checking). */ - ops->write_msr(MSR_SHADOW_GS_BASE, msr_val, ctxt); + /* Best effort unwind (i.e. no real error checking). */ + if ( ops->write_msr(MSR_SHADOW_GS_BASE, msr_val, + ctxt) == X86EMUL_EXCEPTION ) + x86_emul_reset_event(ctxt); goto done; } break; --- a/xen/arch/x86/x86_emulate/0fae.c +++ b/xen/arch/x86/x86_emulate/0fae.c 
@@ -55,7 +55,10 @@ int x86emul_0fae(struct x86_emulate_stat cr4 = X86_CR4_OSFXSR; if ( !ops->read_msr || ops->read_msr(MSR_EFER, &msr_val, ctxt) != X86EMUL_OKAY ) + { + x86_emul_reset_event(ctxt); msr_val = 0; + } if ( !(cr4 & X86_CR4_OSFXSR) || (mode_64bit() && mode_ring0() && (msr_val & EFER_FFXSE)) ) s->op_bytes = offsetof(struct x86_fxsr, xmm[0]); --- a/xen/arch/x86/x86_emulate/x86_emulate.c +++ b/xen/arch/x86/x86_emulate/x86_emulate.c @@ -1143,10 +1143,18 @@ static bool is_branch_step(struct x86_em const struct x86_emulate_ops *ops) { uint64_t debugctl; + int rc = X86EMUL_UNHANDLEABLE; - return ops->read_msr && - ops->read_msr(MSR_IA32_DEBUGCTLMSR, &debugctl, ctxt) == X86EMUL_OKAY && - (debugctl & IA32_DEBUGCTLMSR_BTF); + if ( !ops->read_msr || + (rc = ops->read_msr(MSR_IA32_DEBUGCTLMSR, &debugctl, + ctxt)) != X86EMUL_OKAY ) + { + if ( rc == X86EMUL_EXCEPTION ) + x86_emul_reset_event(ctxt); + debugctl = 0; + } + + return debugctl & IA32_DEBUGCTLMSR_BTF; } static void adjust_bnd(struct x86_emulate_ctxt *ctxt, @@ -1160,13 +1168,21 @@ static void adjust_bnd(struct x86_emulat if ( !ops->read_xcr || ops->read_xcr(0, &xcr0, ctxt) != X86EMUL_OKAY || !(xcr0 & X86_XCR0_BNDREGS) || !(xcr0 & X86_XCR0_BNDCSR) ) + { + ASSERT(!ctxt->event_pending); return; + } if ( !mode_ring0() ) bndcfg = read_bndcfgu(); else if ( !ops->read_msr || - ops->read_msr(MSR_IA32_BNDCFGS, &bndcfg, ctxt) != X86EMUL_OKAY ) + (rc = ops->read_msr(MSR_IA32_BNDCFGS, &bndcfg, + ctxt)) != X86EMUL_OKAY ) + { + if ( rc == X86EMUL_EXCEPTION ) + x86_emul_reset_event(ctxt); return; + } if ( (bndcfg & IA32_BNDCFGS_ENABLE) && !(bndcfg & IA32_BNDCFGS_PRESERVE) ) { /* 
@@ -8395,7 +8411,9 @@ int x86_emulate_wrapper( * An event being pending should exactly match returning * X86EMUL_EXCEPTION. (If this trips, the chances are a codepath has * called hvm_inject_hw_exception() rather than using - * x86_emul_hw_exception().) + * x86_emul_hw_exception(), or the invocation of a hook has caused an + * exception to be raised, while the caller was only checking for + * success/failure.) */ ASSERT(ctxt->event_pending == (rc == X86EMUL_EXCEPTION));
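Review bot: In the 0f01.c hunk the unwind write of MSR_SHADOW_GS_BASE is still issued for every failing write_segment() rc, including X86EMUL_EXCEPTION with an event already pending; should the write_msr hook then raise its own exception, the x86_emul_hw_exception() assertion the commit message describes would trip before the new x86_emul_reset_event() call is reached, and where it did not trip, that reset would also discard the event that belongs to the write_segment() failure, leaving rc == X86EMUL_EXCEPTION with nothing pending for the wrapper assertion to flag. Suggest guarding the unwind with `if ( rc != X86EMUL_EXCEPTION )` (or otherwise making sure only the hook's own event is reset) and saying in the comment that a failure of the unwind is deliberately dropped in favour of the original rc.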
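Review bot: In the 0fae.c hunk x86_emul_reset_event() runs for every failure mode of the MSR_EFER read, including a missing read_msr hook and a non-exception rc, which differs from is_branch_step() and adjust_bnd() in this same patch, where the reset is gated on rc == X86EMUL_EXCEPTION. If reset_event is known to be a harmless no-op when nothing is pending, a one-line comment saying so would stop the next reader from "fixing" the inconsistency; otherwise use the same `(rc = ops->read_msr(...)) != X86EMUL_OKAY` plus `if ( rc == X86EMUL_EXCEPTION )` shape as the other two hunks. Given the cover note that EFER reads won't fault in any existing handler, the gated form also documents that this is purely defensive.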
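Review bot: In is_branch_step() the initialiser `int rc = X86EMUL_UNHANDLEABLE;` exists only so the `!ops->read_msr` arm of the condition leaves rc at a non-exception value, since nothing else reads it; a short comment on the declaration would make that intent visible. The logic itself is sound: every failure zeroes debugctl so the BTF test returns false, and only a genuine X86EMUL_EXCEPTION clears the pending event.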
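Review bot: In adjust_bnd() the new ASSERT(!ctxt->event_pending) sits in the branch taken for all four failure conditions, so it also runs when read_xcr is absent or returned a non-exception failure (harmless), but it is the only thing standing between a faulting read_xcr and an unnoticed pending event in non-debug builds, because adjust_bnd() is void and cannot propagate rc. A comment mirroring the one in x86emul_get_fpu() (XCR0 reads cannot fault once XSAVE is known to be available) would tie the ASSERT to that invariant. The MSR_IA32_BNDCFGS read now assigns `rc`, whose declaration is outside the visible context; worth a glance that the function-scope variable is the one being used.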
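Review bot: The expanded comment in x86_emulate_wrapper() names the second cause of the mismatch (a hook raising an exception while the caller only checked for success) but not the remedy; adding that a caller which deliberately ignores a hook failure must call x86_emul_reset_event() when rc == X86EMUL_EXCEPTION, as the other hunks of this patch do, would give future readers the pattern to follow when this assertion trips again.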