
[Xen-changelog] [xen-4.0-testing] x86_64: Fix off-by-one error setting up the Interrupt Stack Tables


  • To: xen-changelog@xxxxxxxxxxxxxxxxxxx
  • From: Xen patchbot-4.0-testing <patchbot@xxxxxxx>
  • Date: Tue, 03 Jul 2012 22:00:16 +0000
  • Delivery-date: Tue, 03 Jul 2012 22:00:34 +0000
  • List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch
# User Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
# Date 1341319851 -3600
# Node ID 99bb81618bb5123cceccdbd4ee845ac5fe6ca61d
# Parent  ffd1f786a7b502455abe03c47d76985143e38b8f
x86_64: Fix off-by-one error setting up the Interrupt Stack Tables

The Interrupt Stack Table entries in a 64-bit TSS are a 1-based data
structure as far as hardware is concerned.  As a result, the code
setting up stacks in subarch_percpu_traps_init() fills in the wrong
IST entries.

The result is that the MCE handler executes on the stack set up for
NMIs; the NMI handler executes on a stack set up for Double Faults,
and Double Faults are executed with a stack pointer set to 0.

Once the #DF handler starts to execute, it will usually take a page
fault looking up the address at 0xfffffffffffffff8, which will cause a
triple fault.  If a guest has mapped a page in that location, then it
will have some state overwritten, but as the #DF handler always calls
panic(), this is not a problem the guest will have time to care about.

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Committed-by: Keir Fraser <keir@xxxxxxx>
xen-unstable changeset:   25271:54da0329e259
xen-unstable date:        Thu May 10 11:04:32 2012 +0100
---


diff -r ffd1f786a7b5 -r 99bb81618bb5 xen/arch/x86/x86_64/traps.c
--- a/xen/arch/x86/x86_64/traps.c       Wed Jun 20 09:40:40 2012 +0100
+++ b/xen/arch/x86/x86_64/traps.c       Tue Jul 03 13:50:51 2012 +0100
@@ -385,13 +385,13 @@ void __devinit subarch_percpu_traps_init
     BUILD_BUG_ON((IST_MAX + 2) * PAGE_SIZE + PRIMARY_STACK_SIZE > STACK_SIZE);
 
     /* Machine Check handler has its own per-CPU 4kB stack. */
-    this_cpu(init_tss).ist[IST_MCE] = (unsigned long)&stack[IST_MCE * 
PAGE_SIZE];
+    this_cpu(init_tss).ist[IST_MCE-1] = (unsigned long)&stack[IST_MCE * 
PAGE_SIZE];
 
     /* Double-fault handler has its own per-CPU 4kB stack. */
-    this_cpu(init_tss).ist[IST_DF] = (unsigned long)&stack[IST_DF * PAGE_SIZE];
+    this_cpu(init_tss).ist[IST_DF-1] = (unsigned long)&stack[IST_DF * 
PAGE_SIZE];
 
     /* NMI handler has its own per-CPU 4kB stack. */
-    this_cpu(init_tss).ist[IST_NMI] = (unsigned long)&stack[IST_NMI * 
PAGE_SIZE];
+    this_cpu(init_tss).ist[IST_NMI-1] = (unsigned long)&stack[IST_NMI * 
PAGE_SIZE];
 
     /* Trampoline for SYSCALL entry from long mode. */
     stack = &stack[IST_MAX * PAGE_SIZE]; /* Skip the IST stacks. */
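Review bot: the 1-based convention is now spelled out as a bare `-1` in three separate assignments (`ist[IST_MCE-1]`, `ist[IST_DF-1]`, `ist[IST_NMI-1]`), which is the same scattered index arithmetic that let the original off-by-one go unnoticed; a small helper along the lines of `set_ist(&this_cpu(init_tss), IST_DF, sp)` doing `tss->ist[n - 1] = sp` in one place would encode the convention once and let the call sites read as the descriptor value they belong to. The BUILD_BUG_ON at the top of the hunk only bounds the stack carve-out and does not check that IST_MAX fits in the 7-entry table or that the lowest IST_* value is 1, so a companion `BUILD_BUG_ON(IST_MAX > 7)` (or one against `ARRAY_SIZE(this_cpu(init_tss).ist)`) would turn a future indexing mistake into a build failure rather than a silent write past the end of `ist[]`. The `&stack[IST_x * PAGE_SIZE]` expressions are correctly left alone: the TSS holds the top of each 4kB stack, so stack n ends at page boundary n and occupies page n-1, which matches the `&stack[IST_MAX * PAGE_SIZE]` skip below; only the table index needed the adjustment.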
diff -r ffd1f786a7b5 -r 99bb81618bb5 xen/include/asm-x86/processor.h
--- a/xen/include/asm-x86/processor.h   Wed Jun 20 09:40:40 2012 +0100
+++ b/xen/include/asm-x86/processor.h   Tue Jul 03 13:50:51 2012 +0100
@@ -417,7 +417,9 @@ struct tss_struct {
     union { u64 rsp1, esp1; };
     union { u64 rsp2, esp2; };
     u64 reserved1;
-    u64 ist[7];
+    u64 ist[7]; /* Interrupt Stack Table is 1-based so tss->ist[0]
+                 * corresponds to an IST value of 1 in an Interrupt
+                 * Descriptor */
     u64 reserved2;
     u16 reserved3;
 #else
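Review bot: the new comment says the table is 1-based but not why, and the why is what stops the next person from repeating the mistake: the IST field of a 64-bit gate descriptor is 3 bits wide and the value 0 means "no stack switch via the IST", so only values 1..7 select an entry, which is exactly why the array has seven slots and `ist[0]` belongs to IST value 1. Suggest stating that, referring to the "interrupt gate descriptor" rather than the looser "Interrupt Descriptor", and laying the comment out in Xen's multi-line form (`/*` on its own line, the text on ` * ` lines, `*/` on its own line) above the `u64 ist[7];` declaration instead of trailing it, so it stays readable if the field type or name changes.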

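The following is an added illustration, not code from Xen or from this patch: a small model of the 64-bit TSS Interrupt Stack Table and of the lookup the CPU performs when an interrupt gate with a non-zero IST field fires. It reproduces both the pre-patch and post-patch setups from the hunk above and checks which stack each handler would actually land on. The numeric values of the `IST_*` constants are an assumption for this example (the commit message only describes the resulting mix-up, and the ordering used here is the one that produces it); the hardware behaviour modelled, a 3-bit IST field where 0 means no switch and n in 1..7 selects `ist[n-1]`, is the documented semantics the patch corrects for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the 64-bit TSS Interrupt Stack Table and of the lookup the
 * CPU performs when a gate with a non-zero IST field fires.
 *
 * Hardware facts relied on: the IST field of a 64-bit gate descriptor is
 * 3 bits wide; 0 means "do not switch stacks via the IST"; a value n in
 * 1..7 loads RSP from TSS entry ist[n-1].  That is the 1-based convention
 * the patch corrects for.
 *
 * The IST_* values below are an assumption made for this example; the
 * commit message only describes the resulting mix-up (MCE on the NMI
 * stack, NMI on the #DF stack, #DF on RSP 0), and this ordering
 * reproduces it.
 */
#define PAGE_SIZE 4096UL
#define IST_NONE  0UL
#define IST_DF    1UL   /* assumed */
#define IST_NMI   2UL   /* assumed */
#define IST_MCE   3UL   /* assumed */
#define IST_MAX   3UL

struct tss64 {
    uint64_t rsp0, rsp1, rsp2;
    uint64_t reserved1;
    uint64_t ist[7];     /* ist[0] is what a descriptor IST of 1 selects */
    uint64_t reserved2;
};

/* RSP the CPU loads for a gate with this IST field (0: no IST switch). */
static uint64_t ist_stack_for_gate(const struct tss64 *tss, unsigned long ist_field)
{
    if (ist_field == IST_NONE || ist_field > 7)
        return 0;
    return tss->ist[ist_field - 1];
}

/*
 * Each IST stack is one page of the per-CPU stack area, and the TSS holds
 * the top of that page because pushes grow downward.  Stack n therefore
 * occupies page n-1 and ends at &stack[n * PAGE_SIZE], which is why the
 * patch leaves the address expressions alone and fixes only the index.
 */
static uint64_t stack_top(const unsigned char *stack, unsigned long n)
{
    return (uint64_t)(uintptr_t)&stack[n * PAGE_SIZE];
}

/* Pre-patch: table indexed as if it were 0-based. */
static void setup_ist_buggy(struct tss64 *tss, const unsigned char *stack)
{
    memset(tss, 0, sizeof(*tss));
    tss->ist[IST_MCE] = stack_top(stack, IST_MCE);
    tss->ist[IST_DF]  = stack_top(stack, IST_DF);
    tss->ist[IST_NMI] = stack_top(stack, IST_NMI);
}

/* Post-patch: descriptor value n lives in ist[n-1]. */
static void setup_ist_fixed(struct tss64 *tss, const unsigned char *stack)
{
    memset(tss, 0, sizeof(*tss));
    tss->ist[IST_MCE - 1] = stack_top(stack, IST_MCE);
    tss->ist[IST_DF - 1]  = stack_top(stack, IST_DF);
    tss->ist[IST_NMI - 1] = stack_top(stack, IST_NMI);
}

/* Address of the first push (SS) once RSP has been loaded from the IST.
 * With RSP == 0 this wraps to 0xfffffffffffffff8. */
static uint64_t first_push_address(uint64_t rsp)
{
    return rsp - 8;
}

/* 1 if every gate value 1..IST_MAX resolves to the stack reserved for it. */
static int ist_layout_is_consistent(const struct tss64 *tss, const unsigned char *stack)
{
    unsigned long n;
    for (n = 1; n <= IST_MAX; n++)
        if (ist_stack_for_gate(tss, n) != stack_top(stack, n))
            return 0;
    return 1;
}

static unsigned char percpu_stack[(IST_MAX + 2) * PAGE_SIZE];

/* 1 if the buggy setup reproduces exactly the mix-up the commit describes. */
static int buggy_setup_matches_commit_message(void)
{
    struct tss64 tss;
    setup_ist_buggy(&tss, percpu_stack);
    return ist_stack_for_gate(&tss, IST_DF)  == 0
        && ist_stack_for_gate(&tss, IST_NMI) == stack_top(percpu_stack, IST_DF)
        && ist_stack_for_gate(&tss, IST_MCE) == stack_top(percpu_stack, IST_NMI)
        && !ist_layout_is_consistent(&tss, percpu_stack);
}

static int fixed_setup_is_consistent(void)
{
    struct tss64 tss;
    setup_ist_fixed(&tss, percpu_stack);
    return ist_layout_is_consistent(&tss, percpu_stack);
}

int main(void)
{
    struct tss64 tss;
    setup_ist_buggy(&tss, percpu_stack);
    printf("buggy: #DF RSP = %#llx, first push at %#llx\n",
           (unsigned long long)ist_stack_for_gate(&tss, IST_DF),
           (unsigned long long)first_push_address(ist_stack_for_gate(&tss, IST_DF)));
    printf("buggy layout consistent: %d\n", ist_layout_is_consistent(&tss, percpu_stack));
    setup_ist_fixed(&tss, percpu_stack);
    printf("fixed layout consistent: %d\n", ist_layout_is_consistent(&tss, percpu_stack));
    return 0;
}
```

The model makes the failure mode in the commit message mechanical: with the 0-based indexing, the gate for IST 1 reads `ist[0]`, which nothing ever wrote, so the first push after the stack switch lands at `0 - 8` and takes a page fault inside the double-fault handler.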