Xen project Mailing List

Re: [PATCH] xen/x86: Change stub page freeing to fix smt=0

To: Jason Andryuk <jason.andryuk@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Wed, 3 Jun 2026 15:33:37 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=koL+iUKKKz6cAzajbrY1sFHO4/L2u/l4dLA1R9g1DgI=; b=IokgsUY6aSUxKy/K4TueYWmZWvQZu2UQ8fXWuZkryk0nhH5vmRGkKfh+S9xtyo9nDC8hodPQK6dl8T6qThpYjiBzCka0lmH3NeiIZgEEcL8ZKJL3ifkKjy0RHfE9T7oRiUTb3UOEkQhpCGH60yo35sHrD14P/hs71Q0QiVisBKEwMa3z1Ey7YgCF06n3F1yYza7BlsouFd0yTPVIYySo0m0E9QY3HWZfUy4ND8OrR9epk+XMqX47gBSMges3D9bNkUW/WbzdwTd+S/SBpuQVir7u/EmZjadDL0C2OeUhQvOKzW5C3Yureq09FS8iw0t0UDHIc8zvBb36335zfaJjKQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=J+8xdWTkYjhqR1psIUbMfss7OF5TdnpU9+dwo9rmi9dleZEWCGlXMKypZY+xrDvsyqQsslDRxuXKz5wZI6vj2CgtXTFzhn9FNl84We9IDeHt3cVEMNkK54TNOcGqIsQldc00naX7GmBqxOocoe3kBgmsZyhhV84bR93Hazqi94GT/cQzVdw3nbIPznKAqTE1I2U6rJRjc7xYAcaq+IzuXrH6iTIUcz0krkcI5zyhItN2gH+5l02zXW0De9if1KYMUOXZIKXbGUcjChfZVdqnU8zsNx5fNV/PVGAKz9jj8BxlV70TowpD+uYYkLn4vr7sHaIptF4rl8QCIuzh99AAhQ==

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=citrix.com header.i="@citrix.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; keydata= xsFNBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABzSlBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPsLBegQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86M7BTQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAcLB XwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Jan Beulich <jbeulich@xxxxxxxx>, Teddy Astie <teddy.astie@xxxxxxxxxx>

Delivery-date: Wed, 03 Jun 2026 14:33:50 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 03/06/2026 3:03 pm, Jason Andryuk wrote: > On 2026-06-02 03:01, Roger Pau Monné wrote: >> On Mon, Jun 01, 2026 at 05:07:52PM -0400, Jason Andryuk wrote: >>> On 2026-06-01 13:00, Roger Pau Monné wrote: >>>> On Tue, May 26, 2026 at 04:31:14PM -0400, Jason Andryuk wrote: >>>>> A single stubs page is initialized with 0xcc and re-used, with >>>>> multiple >>>>> CPUs each using a portion of the shared page. In cpu_smpboot_free(), >>>>> each stubs area is checked against 0xcc. When all are set to >>>>> 0xcc, the >>>>> page is freed. >>>>> >>>>> Booting a system with smt=0, CPU0 is initially setup, allocating the >>>>> stubs page and initializing to 0xcc. When more CPUs are brought up, >>>>> CPU1 is initialized and then immediately brough offline as it is the >>>>> sibling of CPU0. Since the page was initially memset with 0xcc, >>>>> cpu_smpboot_free() finds all stubs as 0xcc and frees the page. >>>>> However, the page is still assigned to CPU0 and continues to be >>>>> assigned >>>>> to other CPUs. >>>>> >>>>> Meanwhile the page can be reallocated, which can lead to misbehavior. >>>>> The particular instance was the stubs page re-used as a page table >>>>> which >>>>> later faulted when the entry was all 0xcc. >>>>> >>>>> Change to initializing the page as 0xd6/STUB_BUF_FREE, and >>>>> initializing >>>>> individual stubs as 0xcc/STUB_BUF_USED. 0xd6 now indicates >>>>> unused, and >>>>> 0xcc indicates used/assigned. When freeing a CPU, the stub is set to >>>>> 0xd6, and the page is freed if all stubs are 0xd6. Initializing with >>>>> STUB_BUF_FREE lets cpu_smpboot_free() a page that was only ever >>>>> partially used. >>>>> >>>>> 0xd6/UDB is a 1 byte invalid opcode, which is similar to the existing >>>>> use of 0xcc. 0xd6 is used to identify bug frames, but the stub addr >>>>> (e.g. 0xffff82d07fffe000) fails the is_active_kernel_text() >>>>> check. It >>>>> should be okay to use here. >>>>> >>>>> Fixes: 7a66ac8d1633 ("x86: move syscall trampolines off the stack") >>>>> Signed-off-by: Jason Andryuk <jason.andryuk@xxxxxxx> >>>>> --- >>>>> It would be nice to use get_page()/put_page() to let count_info >>>>> handle >>>>> reference counting, but they require an owning domain. >>>>> >>>>> The listed Fixes introduced the use of 0xcc, but the smt commit >>>>> may have >>>>> made it more problematic. >>>>> Fixes: d8f974f1a646 ("x86: command line option to avoid use of >>>>> secondary hyper-threads") >>>> >>>> Speaking with Andrew, we believe it might be easier to simply forego >>>> the freeing of the page, possibly something like: >>>> >>>> diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c >>>> index ff05955bae40..62c6cbf4b561 100644 >>>> --- a/xen/arch/x86/smpboot.c >>>> +++ b/xen/arch/x86/smpboot.c >>>> @@ -990,19 +990,12 @@ static void cpu_smpboot_free(unsigned int >>>> cpu, bool remove) >>>> { >>>> mfn_t mfn = _mfn(per_cpu(stubs.mfn, cpu)); >>>> unsigned char *stub_page = map_domain_page(mfn); >>>> - unsigned int i; >>>> memset(stub_page + STUB_BUF_CPU_OFFS(cpu), 0xcc, >>>> STUB_BUF_SIZE); >>>> - for ( i = 0; i < STUBS_PER_PAGE; ++i ) >>>> - if ( stub_page[i * STUB_BUF_SIZE] != 0xcc ) >>>> - break; >>>> unmap_domain_page(stub_page); >>>> destroy_xen_mappings(per_cpu(stubs.addr, cpu) & PAGE_MASK, >>>> (per_cpu(stubs.addr, cpu) | >>>> ~PAGE_MASK) + 1); >>>> per_cpu(stubs.addr, cpu) = 0; >>>> - per_cpu(stubs.mfn, cpu) = 0; >>>> - if ( i == STUBS_PER_PAGE ) >>>> - free_domheap_page(mfn_to_page(mfn)); >>>> } >>>> if ( IS_ENABLED(CONFIG_PV32) ) >> >> I think I've made an oversight in the code above: if all 32 CPUs >> sharing the same stubs page are offlined, the reference to the stubs >> page is possibly lost (if CPUs are not parked) and a new stubs page >> would be allocated if any of those CPUs is brought back online, thus >> leaking the previous allocation. The simplest way to solve this would >> be to introduce an array that indexes the stub pages, and replace the >> logic in cpu_smpboot_alloc() that figures out whether stubs.mfn is set >> for adjacent CPUs. > > Right, but I thought Andrew's point was that offlining 32 CPUs is > unrealistic, so don't even bother tracking. If CPUs are offlined (and > you somehow keep running), you can leak the page. Perhaps I should rephrase that slightly. I don't think we want to fully leak the page (after all, there *is* a reference to it staying in l2_xenmap[]), but I also think we should bother having logic attempting to free it. Software-offlining 32 adjacent threads is unrealistic, and not worth the effort (particularly when the result is this). Rework the code to use l2_xenmap[] as the source of truth, and allocate a new ownerless page if the pagetables say one doesn't exist. When a CPU comes up, it can derive addr from its CPU number, and pull MFN out of the pagetable. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.