Xen project Mailing List

Re: [PATCH 07/16] x86/shadow: call sh_update_cr3() directly from sh_page_fault()

From: Tim Deegan <tim@xxxxxxx>

Date: Wed, 29 Mar 2023 07:49:00 +0100

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>

Delivery-date: Wed, 29 Mar 2023 06:49:16 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

At 12:37 +0200 on 28 Mar (1680007032), Jan Beulich wrote: > On 27.03.2023 17:39, Tim Deegan wrote: > > At 10:33 +0100 on 22 Mar (1679481226), Jan Beulich wrote: > >> There's no need for an indirect call here, as the mode is invariant > >> throughout the entire paging-locked region. All it takes to avoid it is > >> to have a forward declaration of sh_update_cr3() in place. > >> > >> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > >> --- > >> I find this and the respective Win7 related comment suspicious: If we > >> really need to "fix up" L3 entries "on demand", wouldn't we better retry > >> the shadow_get_and_create_l1e() rather than exit? The spurious page > >> fault that the guest observes can, after all, not be known to be non- > >> fatal inside the guest. That's purely an OS policy. > > > > I think it has to be non-fatal because it can happen on real hardware, > > even if the hardware *does* fill the TLB here (which it is not > > required to). > > But if hardware filled the TLB, it won't raise #PF. If it didn't fill > the TLB (e.g. because of not even doing a walk when a PDPTE is non- > present), a #PF would be legitimate, and the handler would then need > to reload CR3. But such a #PF is what, according to the comment, Win7 > chokes on. IIRC the Win7 behaviour is to accept and discard the #PF as spurious (because it sees the PDPTE is present) *without* reloading CR3, so it gets stuck in a loop taking pagefaults. Here, we reload CR3 for it, to unstick it. I can't think of a mental model of the MMU that would have a problem here -- either the L3Es are special in which case the pagefault is correct (and we shouldn't even read the new contents) or they're just like other PTEs in which case the spurious fault is fine. > > The assert's not true here because the guest can push us down this > > path by doing exactly what Win 7 does here - loading CR3 with a > > missing L3E, then filling the L3E and causing a page fault that uses > > the now-filled L3E. (Or maybe that's not true any more; my mental > > model of the pagetable walker code might be out of date) > > Well, I specifically started the paragraph with 'Beyond the "on demand" > L3 entry creation'. IOW the assertion would look applicable to me if > we, as suggested higher up, retried shadow_get_and_create_l1e() and it > failed again. As the comment there says, "we know the guest entries are > OK", so the missing L3 entry must have appeared. Ah, I didn't quite understand you. Yes, if we changed the handler to rebuild the SL3E then I think the assertion would be valid again. Cheers, Tim.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.