[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] x86/xen: suppress hugetlbfs in PV guests

To: <mingo@xxxxxxx>,<tglx@xxxxxxxxxxxxx>, <hpa@xxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Thu, 21 Apr 2016 00:27:04 -0600
Cc: Juergen Gross <JGross@xxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, David Vrabel <david.vrabel@xxxxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx
Delivery-date: Thu, 21 Apr 2016 06:27:18 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Huge pages are not normally available to PV guests. Not suppressing
hugetlbfs use results in an endless loop of page faults when user mode
code tries to access a hugetlbfs mapped area (since the hypervisor
denies such PTEs to be created, but error indications can't be
propagated out of xen_set_pte_at(), just like for various of its
siblings), and - once killed in an oops like this:

kernel BUG at .../fs/hugetlbfs/inode.c:428!
invalid opcode: 0000 [#1] SMP 
Modules linked in: ...
Supported: Yes
CPU: 2 PID: 6088 Comm: hugetlbfs Tainted: G        W         
4.4.0-2016-01-20-pv #2
Hardware name: ...
task: ffff8808059205c0 ti: ffff880803c84000 task.ti: ffff880803c84000
RIP: e030:[<ffffffff811c333b>]  [<ffffffff811c333b>] 
remove_inode_hugepages+0x25b/0x320
RSP: e02b:ffff880803c879a8  EFLAGS: 00010202
RAX: 000000000077a4db RBX: ffffea001acff000 RCX: 0000000078417d38
RDX: 0000000000000000 RSI: 000000007e154fa7 RDI: ffff880805d70960
RBP: 0000000000000960 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff880807486018 R14: 0000000000000000 R15: ffff880803c87af0
FS:  00007f85fa8b8700(0000) GS:ffff88080b640000(0000) knlGS:0000000000000000
CS:  e033 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f85fa000000 CR3: 0000000001a0a000 CR4: 0000000000040660
Stack:
 ffff880000000fb0 ffff880803c87a18 ffff880803c87ae8 ffff8808059205c0
 ffff880803c87af0 ffff880803c87ae8 ffff880807486018 0000000000000000
 ffffffff81bf6e60 ffff880807486168 000003ffffffffff 0000000003c87758
Call Trace:
 [<ffffffff811c3415>] hugetlbfs_evict_inode+0x15/0x40
 [<ffffffff81167b3d>] evict+0xbd/0x1b0
 [<ffffffff8116514a>] __dentry_kill+0x19a/0x1f0
 [<ffffffff81165b0e>] dput+0x1fe/0x220
 [<ffffffff81150535>] __fput+0x155/0x200
 [<ffffffff81079fc0>] task_work_run+0x60/0xa0
 [<ffffffff81063510>] do_exit+0x160/0x400
 [<ffffffff810637eb>] do_group_exit+0x3b/0xa0
 [<ffffffff8106e8bd>] get_signal+0x1ed/0x470
 [<ffffffff8100f854>] do_signal+0x14/0x110
 [<ffffffff810030e9>] prepare_exit_to_usermode+0xe9/0xf0
 [<ffffffff814178a5>] retint_user+0x8/0x13

This is CVE-2016-3961 / XSA-174.

Reported-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx 
---
 arch/x86/include/asm/hugetlb.h |    1 +
 1 file changed, 1 insertion(+)

--- 4.6-rc4/arch/x86/include/asm/hugetlb.h
+++ 4.6-rc4-xsa174/arch/x86/include/asm/hugetlb.h
@@ -4,6 +4,7 @@
 #include <asm/page.h>
 #include <asm-generic/hugetlb.h>
 
+#define hugepages_supported() cpu_has_pse
 
 static inline int is_hugepage_only_range(struct mm_struct *mm,
                                         unsigned long addr,




_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- [Xen-devel] [tip:x86/asm] x86/mm/xen: Suppress hugetlbfs in PV guests
  - From: tip-bot for Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCH v2] x86/HVM: fix forwarding of internally cached requests
Next by Date: Re: [Xen-devel] [PATCH v8.1 11/27] xsplice: Implement payload loading
Previous by thread: Re: [Xen-devel] [PATCH v2] x86/HVM: fix forwarding of internally cached requests
Next by thread: [Xen-devel] [tip:x86/asm] x86/mm/xen: Suppress hugetlbfs in PV guests
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.