[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] xen: fix XEN_DOMCTL_gdbsx_guestmemio crash

  • To: Juergen Gross <jgross@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Tue, 19 Apr 2022 10:40:42 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XHl5zMVUI9JQj3qnO004w1N0WeBh1P6ZMNp8VXwha3o=; b=DtCyR1fWRqkc71Z9zvg8iFEhZzJUHucdjAuCcRjfvUc7aiCQ/QSIfgx5PA3A4Cj23GRR1JmhrvPNZF44+AFCTU/FBfbugd1dFCDd5b9pfKpbi0qGsRvnbgPVgTlIKkd1dofRy8s7k7MQS7iHvJ6KDSI+TBrkA/LFtujfs6FfXlTUR94XWFHXb8E4wcOYOLMRFaJA9XaST4PGaClcYXWbxm2VIe081YaV0Z/vZlYSk7+WS1ZQw6tRW0DxlInx/KYUd2BE35OmmCFpGqBxdg9T/iyKYiNy4W6+5KlpsU8/294T7s+gYs2RWsATU4Q2zJfHQRJegKpO/j3SBglVMLKVQQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mLWBfiVab6VPaxtxu6hUL4dS5r+6RJGAeDC1AzL9Ov0F10gfOFw3av6w5uov8vHbXerXV9Vlq+r/n5Y6dCcIceUGvc2I5f55M0I3a2kZvIT44wRqgETNMZ2Iw+V3Po9HapdguOERHgpSIZHA6spDANdOL5DVSh4fdS5WGW8lLdEZj/SWl/NLxRztHu7mJf19x0RrmxM9o5g3BXzUiNXv8TE0Y1OBNI98S3unvAQ8aK7dZOEaiwkCbRhYSqBxe2ltIjiVZvyAH3p87vVueiRVqRnk1PlDw/KLXJzopRLTgXQhsqFufXwp0Drf84Ut3K1VlkkBr2Uwb7qF9O6AAbl3iA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Elena Ufimtseva <elena.ufimtseva@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Cheyenne Wills <cheyenne.wills@xxxxxxxxx>
  • Delivery-date: Tue, 19 Apr 2022 10:40:57 +0000
  • Ironport-data: A9a23:L2AcvKkg08zrlvvxEXtvE63o5gxhJ0RdPkR7XQ2eYbSJt1+Wr1Gzt xJOCjzTPPnYY2enfI1/PtmzoEIF656DytRrTAVprHw8HyMWpZLJC+rCIxarNUt+DCFioGGLT Sk6QoOdRCzhZiaE/n9BCpC48T8kk/vgqoPUUIYoAAgoLeNfYHpn2EoLd9IR2NYy24DlWlLV4 LsenuWEULOb828sWo4rw/rrRCNH5JwebxtB4zTSzdgS1LPvvyF94KA3fMldHFOhKmVgJcaoR v6r8V2M1jixEyHBqD+Suu2TnkUiGtY+NOUV45Zcc/DKbhNq/kTe3kunXRa1hIg+ZzihxrhMJ NtxWZOYdCgQEoPFp/UhVgRSKzt7eq9ix+7tGC3q2SCT5xWun3rE5dxLVRhzFqpBv+F9DCdJ6 OASLy0LYlabneWqzbmnS+5qwMM+MM3sO4BZsXZlpd3bJa9+HdafHOOXu5kBgmdYasNmRJ4yY +IwbzZ1YQuGSBpIIloNU7o1nfuyh2m5eDpdwL6QjfRmvDmMk10puFTrGMX8e9C1TMJ7pUi7i 2vc023dLxYiDeXKnFJp9Vrp3IcjhxjTWo0IE6aj3uV3m1DVzWsWYDUGWF3+rfSnh0qWX9NEN 1dS6icotbI19kGgUp/6RRLQiHOAsxgVHcdeEugm8wyTw4LT+Q+SAmVCRTlEAPQkvsIrQT0h1 neSgsjkQzdotdW9Vna15rqS6zSoNkA9L3IGZCICZRsI5Z/kuo5bpgnUUt9pHaqxj9v0MTL92 TaHqG45nbp7pcUL2rS2+1bKxS2topzSZgEw7wTTGGmi62tEiJWNYoWp7R3Q6q9GJYPAF12Z5 iFay46Z8fwECoyLmGqVWuIREbq15vGDdjrBnVpoGJpn/DOok5K+Qb1tDPhFDB8BGq45lfXBO Sc/ZSs5CEdvAUaX
  • Ironport-hdrordr: A9a23:ThXG9KwLecosll8NRQskKrPxdegkLtp133Aq2lEZdPULSKGlfp GV9sjziyWetN9IYgBapTiBUJPwIk81bfZOkMUs1MSZLXPbUQyTXc5fBOrZsnDd8kjFmtK1up 0QFJSWZOeQMbE+t7eD3ODaKadv/DDkytHPuQ629R4EIm9XguNbnn5E422gYy9LrXx9dP4E/e 2nl696TlSbGUg/X4CePD0oTuLDr9rEmNbNehgdHSMq7wGIkHeB9KP6OwLw5GZfbxp/hZMZtU TVmQ3w4auu99uhzAXH6mPV55NK3PP819p4AtCWgMR9EESutu/oXvUiZ1SxhkFwnAid0idsrD AKmWZnAy1H0QKVQohym2q15+Cv6kd315ao8y7kvZKqm72EeNt9MbsBuWsRSGqm16Jr1usMr5 5jziaXsYFaAgjHmzm479/UVwtynk7xunY6l/UP5kYvGbf2RYUh27D3xnklWavo3RiKmrwPAa 1rFoXR9fxWeVSVYzTQuXRu2sWlWjA2Eg2dSkYPt8SJ23wO9UoJhXcw1YgahDMN5Zg9Q55L66 DNNblpjqhHSosTYbhmDOkMTMOrAijGQA7KMmiVPVP7fZt3cE7lutry+vE49euqcJsHwN87n4 nASkpRsSood0fnGaS1rep2G9D2MRGAtBjWu7FjDsJCy8zBrZLQQF6+YUFrlde8qPMCBcCeU+ qvOfttcoreEVc=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHYU9bjmHO326ELbkuQmQOwkh6+0Kz3DCaA
  • Thread-topic: [PATCH v2] xen: fix XEN_DOMCTL_gdbsx_guestmemio crash
On 19/04/2022 11:18, Juergen Gross wrote:
> A hypervisor built without CONFIG_GDBSX will crash in case the
> XEN_DOMCTL_gdbsx_guestmemio domctl is being called, as the call will
> end up in iommu_do_domctl() with d == NULL:
>
> (XEN) CPU:    6
> (XEN) RIP:    e008:[<ffff82d040269984>] iommu_do_domctl+0x4/0x30
> (XEN) RFLAGS: 0000000000010202   CONTEXT: hypervisor (d0v0)
> (XEN) rax: 00000000000003e8   rbx: ffff830856277ef8   rcx: ffff830856277fff
> ...
> (XEN) Xen call trace:
> (XEN)    [<ffff82d040269984>] R iommu_do_domctl+0x4/0x30
> (XEN)    [<ffff82d04035cd5f>] S arch_do_domctl+0x7f/0x2330
> (XEN)    [<ffff82d040239e46>] S do_domctl+0xe56/0x1930
> (XEN)    [<ffff82d040238ff0>] S do_domctl+0/0x1930
> (XEN)    [<ffff82d0402f8c59>] S pv_hypercall+0x99/0x110
> (XEN)    [<ffff82d0402f5161>] S 
> arch/x86/pv/domain.c#_toggle_guest_pt+0x11/0x90
> (XEN)    [<ffff82d040366288>] S lstar_enter+0x128/0x130
> (XEN)
> (XEN) Pagetable walk from 0000000000000144:
> (XEN)  L4[0x000] = 0000000000000000 ffffffffffffffff
> (XEN)
> (XEN) ****************************************
> (XEN) Panic on CPU 6:
> (XEN) FATAL PAGE FAULT
> (XEN) [error_code=0000]
> (XEN) Faulting linear address: 0000000000000144
>
> Fix this issue by modifying the interface of gdbsx_guest_mem_io() to
> take the already known domain pointer instead of the domid.

There is some explanation missing here.  The adjustments you make are
within CONFIG_GDBSX, with the exception of the final hunk.


The actual bug is that non-IOMMU subops end up in iommu_do_domctl(), so
while this is good cleanup to gdbsx_guest_mem_io() it, along with Jan's
adjustment to iommu_do_domctl(), are not suitable fixes to the crash as
reported.

So someone's going to have to write a 3rd patch which actually fixes the
root of the crash, and this will become cleanup.

~Andrew

> diff --git a/xen/arch/x86/debug.c b/xen/arch/x86/debug.c
> index d90dc93056..c0dd6eaf15 100644
> --- a/xen/arch/x86/debug.c
> +++ b/xen/arch/x86/debug.c
> @@ -159,17 +159,11 @@ static unsigned int dbg_rw_guest_mem(struct domain *dp, 
> unsigned long addr,
>   * Returns: number of bytes remaining to be copied.
>   */
>  unsigned int dbg_rw_mem(unsigned long gva, XEN_GUEST_HANDLE_PARAM(void) buf,
> -                        unsigned int len, domid_t domid, bool toaddr,
> +                        unsigned int len, struct domain *d, bool toaddr,
>                          uint64_t pgd3)
>  {
> -    struct domain *d = rcu_lock_domain_by_id(domid);
> -
> -    if ( d )
> -    {
> -        if ( !d->is_dying )
> +    if ( d && !d->is_dying )
>              len = dbg_rw_guest_mem(d, gva, buf, len, toaddr, pgd3);

This needs re-indenting.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.