
[xen staging-4.18] x86/svm: Separate STI and VMRUN instructions in svm_asm_do_resume()



commit 61923364d3417642554043c87b644a0d34537d70
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Mar 20 13:29:57 2025 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Mar 20 13:29:57 2025 +0100

    x86/svm: Separate STI and VMRUN instructions in svm_asm_do_resume()
    
    There is a corner case in the VMRUN instruction where its INTR_SHADOW state
    leaks into guest state if a VMExit occurs before the VMRUN is complete.  An
    example of this could be taking #NPF due to event injection.
    
    Xen can safely execute STI anywhere between CLGI and VMRUN, as CLGI blocks
    external interrupts too.  However, an exception (while fatal) will appear to
    be in an irqs-on region (as GIF isn't considered), so position the STI after
    the speculation actions but prior to the GPR pops.
    
    Link: https://lore.kernel.org/all/CADH9ctBs1YPmE4aCfGPNBwA10cA8RuAk2gO7542DjMZgs4uzJQ@xxxxxxxxxxxxxx/
    Fixes: 66b245d9eaeb ("SVM: limit GIF=0 region")
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: c989ff614f6bad48b3bd4b32694f711b31c7b2d6
    master date: 2025-02-19 12:45:48 +0000
---
 xen/arch/x86/hvm/svm/entry.S | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/svm/entry.S b/xen/arch/x86/hvm/svm/entry.S
index 5f318629b4..9fb457ad95 100644
--- a/xen/arch/x86/hvm/svm/entry.S
+++ b/xen/arch/x86/hvm/svm/entry.S
@@ -74,6 +74,14 @@ __UNLIKELY_END(nsvm_hap)
         ALTERNATIVE "", svm_vmentry_spec_ctrl, X86_FEATURE_SC_MSR_HVM
         ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV
 
+        /*
+         * Set EFLAGS.IF after CLGI covers us from real interrupts, but not
+         * immediately prior to VMRUN.  The VMRUN instruction leaks it's
+         * INTR_SHADOW into guest state if a VMExit occurs before VMRUN
+         * completes (e.g. taking #NPF during event injecting.)
+         */
+        sti
+
         pop  %r15
         pop  %r14
         pop  %r13
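Review bot: the new comment in this hunk has two typos that should be fixed before merge: "leaks it's INTR_SHADOW" should be "leaks its INTR_SHADOW" (possessive), and "during event injecting" should read "during event injection", matching the wording of the commit message. The placement of the STI itself looks right: it lands after the svm_vmentry_spec_ctrl and DO_SPEC_CTRL_DIV alternatives, so the speculation mitigations still run with EFLAGS.IF=0, and the GPR pops that follow separate the STI from VMRUN, which is what the commit message asks for. It would help a reader to have the comment say explicitly that external interrupts remain blocked by GIF=0 from the earlier CLGI; otherwise an STI this far ahead of VMRUN looks like it opens an interrupt window.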
@@ -91,7 +99,6 @@ __UNLIKELY_END(nsvm_hap)
         pop  %rsi
         pop  %rdi
 
-        sti
         vmrun
 
         SAVE_ALL
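Review bot: removing the STI here means the GPR pops above (down to the pop of %rdi) now execute with EFLAGS.IF=1 rather than IF=0. That is only safe because GIF is still clear from the earlier CLGI, which the commit message relies on, so it is worth confirming that nothing between the relocated STI and this VMRUN can set GIF or otherwise depend on IF being clear. The commit message already notes the one observable change: an exception in that window, while still fatal, will now appear to have been taken from an irqs-on region. The removal itself is the right fix: an STI immediately before VMRUN is exactly the INTR_SHADOW state the commit message says leaks into guest state when a VMExit (e.g. #NPF during event injection) occurs before VMRUN completes.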
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.18