[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [XTF PATCH] XSA-186: Work around suspected Broadwell TLB erratum

To: Jan Beulich <JBeulich@xxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Fri, 28 Oct 2016 13:39:38 +0100
Cc: Xen-devel <xen-devel@xxxxxxxxxxxxx>
Delivery-date: Fri, 28 Oct 2016 12:40:40 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 28/10/16 13:03, Jan Beulich wrote:
>>>> On 28.10.16 at 12:36, <andrew.cooper3@xxxxxxxxxx> wrote:
>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
> (Maybe you want to drop the ...
>
>> --- a/tests/xsa-186/main.c
>> +++ b/tests/xsa-186/main.c
>> @@ -144,6 +144,29 @@ void test_main(void)
>>      memcpy(stub, insn_buf_start, insn_buf_end - insn_buf_start);
>>  
>>      /*
>> +     * Work around suspected Broadwell TLB Erratum
>> +     *
>> +     * Occasionally, this test failes with:
>> +     *
>> +     *   --- Xen Test Framework ---
>> +     *   Environment: HVM 64bit (Long mode 4 levels)
>> +     *   XSA-186 PoC
>> +     *   ******************************
>> +     *   PANIC: Unhandled exception at 0008:fffffffffffffffa
>> +     *   Vec 14 #PF[-I-sr-] %cr2 fffffffffffffffa
>> +     *   ******************************
>> +     *
>> +     * on Broadwell hardware.  The mapping is definitely present as the
>> +     * memcpy() has already succeeded.  Inserting an invlpg resolves the
>> +     * issue, sugguesting that there is a race conditon between dTLB/iTLB
> ... stray u which slipped into "suggesting".)
>
> Btw - would you mind trying something else: Instead of the INVLPG,
> put a CPUID or some other serializing instruction in here. ISTR that
> for self modifying code this is required, i.e. the CPU could have been
> fetching instructions ahead of the memcpy(), and nothing would be
> there to force it to drop what it has already executed speculatively,
> including the exception token.

That is an interesting point, but still doesn't explain the symptoms. 
If the icache wasn't flushed, we might get junk instructions and a #UD/#GP.

However, in this case the fault is for an instruction fetch from a
non-present page, not a failure to execute what it found there.

I expect a cpuid instruction would resolve the issue, but it also forces
a vmexit which complicates the microarchitectural interactions here. 
Something else, like executing an int3 will also serialise the pipeline,
but not vmexit.  I will try and find some time to experiment.

~Andrew


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [XTF PATCH] XSA-186: Work around suspected Broadwell TLB erratum
  - From: Jan Beulich

References:
- Re: [Xen-devel] Broadwell TLB Erratum
  - From: Jan Beulich
- [Xen-devel] [XTF PATCH] XSA-186: Work around suspected Broadwell TLB erratum
  - From: Andrew Cooper
- Re: [Xen-devel] [XTF PATCH] XSA-186: Work around suspected Broadwell TLB erratum
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCH v2 3/5] tasklet: Remove the old-softirq implementation.
Next by Date: Re: [Xen-devel] [XTF PATCH] XSA-186: Work around suspected Broadwell TLB erratum
Previous by thread: Re: [Xen-devel] [XTF PATCH] XSA-186: Work around suspected Broadwell TLB erratum
Next by thread: Re: [Xen-devel] [XTF PATCH] XSA-186: Work around suspected Broadwell TLB erratum
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.