|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] VMX: flush cache when vmentry back to UC guest
commit 86d60e855fe118df0dbdf67b67b1a0ec8fdb9f0d
Author: Liu Jinsong <jinsong.liu@xxxxxxxxx>
AuthorDate: Wed Nov 6 10:13:20 2013 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Wed Nov 6 10:13:20 2013 +0100
VMX: flush cache when vmentry back to UC guest
This patch flush cache when vmentry back to UC guest, to prevent
cache polluted by hypervisor access guest memory during UC mode.
The elegant way to do this is, simply add wbinvd just before vmentry.
However, currently wbinvd before vmentry will mysteriously trigger
lapic timer interrupt storm, hung booting stage for 10s ~ 60s. We still
didn't dig out the root cause of interrupt storm, so currently this
patch add flag indicating hypervisor access UC guest memory to prevent
interrupt storm -- though it still leaves aspects un-addressed, i.e.
speculative reads, and multi-vCPU issues, etc.
Whenever the interrupt storm got root caused and fixed, the protection
flag can be removed -- that would be final clean and elegant approach
dealing with cache flushing before vmentry.
This is CVE-2013-2212 / XSA-60.
Suggested-by: Jan Beulich <jbeulich@xxxxxxxx>
Suggested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Signed-off-by: Liu Jinsong <jinsong.liu@xxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Jun Nakajima <jun.nakajima@xxxxxxxxx>
---
xen/arch/x86/hvm/hvm.c | 6 ++++++
xen/arch/x86/hvm/vmx/vmx.c | 7 +++++++
xen/include/asm-x86/hvm/vcpu.h | 1 +
3 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 73d1cf0..36699b8 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -2477,6 +2477,9 @@ static enum hvm_copy_result __hvm_copy(
return HVMCOPY_unhandleable;
#endif
+ if ( unlikely(curr->arch.hvm_vcpu.cache_mode == NO_FILL_CACHE_MODE) )
+ curr->arch.hvm_vcpu.hypervisor_access_uc_hvm_memory = 1;
+
while ( todo > 0 )
{
count = min_t(int, PAGE_SIZE - (addr & ~PAGE_MASK), todo);
@@ -2588,6 +2591,9 @@ static enum hvm_copy_result __hvm_clear(paddr_t addr, int
size)
return HVMCOPY_unhandleable;
#endif
+ if ( unlikely(curr->arch.hvm_vcpu.cache_mode == NO_FILL_CACHE_MODE) )
+ curr->arch.hvm_vcpu.hypervisor_access_uc_hvm_memory = 1;
+
while ( todo > 0 )
{
count = min_t(int, PAGE_SIZE - (addr & ~PAGE_MASK), todo);
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 75be62e..a0ad37a 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -2974,6 +2974,13 @@ void vmx_vmenter_helper(const struct cpu_user_regs *regs)
struct hvm_vcpu_asid *p_asid;
bool_t need_flush;
+ /* In case hypervisor access hvm memory when guest uc mode */
+ if ( unlikely(curr->arch.hvm_vcpu.hypervisor_access_uc_hvm_memory) )
+ {
+ curr->arch.hvm_vcpu.hypervisor_access_uc_hvm_memory = 0;
+ wbinvd();
+ }
+
if ( !cpu_has_vmx_vpid )
goto out;
if ( nestedhvm_vcpu_in_guestmode(curr) )
diff --git a/xen/include/asm-x86/hvm/vcpu.h b/xen/include/asm-x86/hvm/vcpu.h
index 8fa5452..a309389 100644
--- a/xen/include/asm-x86/hvm/vcpu.h
+++ b/xen/include/asm-x86/hvm/vcpu.h
@@ -167,6 +167,7 @@ struct hvm_vcpu {
/* Which cache mode is this VCPU in (CR0:CD/NW)? */
u8 cache_mode;
+ bool_t hypervisor_access_uc_hvm_memory;
struct hvm_vcpu_io hvm_io;
--
generated by git-patchbot for /home/xen/git/xen.git#master
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |