Xen project Mailing List

Re: [Xen-devel] Reentrant NMIs, MCEs and interrupt stack tables.

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

From: Tim Deegan <tim@xxxxxxx>

Date: Wed, 21 Nov 2012 21:17:00 +0000

Cc: Keir Fraser <keir@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>

Delivery-date: Wed, 21 Nov 2012 21:17:29 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

At 21:06 +0000 on 21 Nov (1353532004), Andrew Cooper wrote: > Hello, > > While working on a fix for the rare-but-possible problem of reentrant > NMIs and MCEs, I have discovered that it is sadly possible to generate > fake NMIs and MCEs which will run the relevant handlers on the relevant > stacks, without invoking any of the other CPU logic for these special > interrupts. > > A fake NMI can be generated by a processor in PIC mode as opposed to > Virtual wire mode, with a delivery of vector 2. This setup is certainly > possible on a 64bit CPU, but I doubt there are many 64bit CPUs running > with only PIC. > > A fake MCE is easy to generate. A mal-programmed IO-APIC, IOMMU or > MSI/MSI-X entry which deliveres vector 0x18 is sufficient. The LAPIC > will reject vectors 0 thru 0xf, but will deliver vectors 0x10 thru 0x1f, > despite them being architecturally reserved for exceptions. You're not suggesting these could be caused by guest activity? > The possibility of these fake interrupts (however unlikely) means that > there is necessarily a race condition between receiving a fake interrupt > and a genuine interrupt during which the handler cannot fixup the stack > sufficiently to be able to safely get back out. If this race condition > were to occur, the real interrupt will corrupt the exception frame of > the fake interrupt, meaning that we cannot possibly resume the original > context. This situation can be detected, but cannot be corrected, and > the only course of action is to crash gracefully. If once of these could only be casued by a bug in Xen, then I don't think we need to handle it at all. If it's trivial to detect it and crash cleanly, that would be nice. > The above problem made me wonder why we use separate stacks for NMIs and > MCEs. I completely accept that the double fault handler should be on a > separate stack, but as we guarentee never to return from it, these > problems disappear. > > Is there any particular reason to have separate stacks for NMIs and > MCEs, other than perhaps that it is good/common practice? It's to avoid a race where we take an NMI or MCE after swicthhing to the user/guest stack but before SYSRET. Tim. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.