[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option

To: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
From: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
Date: Tue, 28 Jul 2015 21:26:35 -0700
Cc: "security@xxxxxxxxxx" <security@xxxxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, X86 ML <x86@xxxxxxxxxx>, "linux-kernel@xxxxxxxxxxxxxxx" <linux-kernel@xxxxxxxxxxxxxxx>, Steven Rostedt <rostedt@xxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Sasha Levin <sasha.levin@xxxxxxxxxx>
Delivery-date: Wed, 29 Jul 2015 04:26:58 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Tue, Jul 28, 2015 at 8:01 PM, Boris Ostrovsky
<boris.ostrovsky@xxxxxxxxxx> wrote:
> On 07/28/2015 08:47 PM, Andrew Cooper wrote:
>>
>> On 29/07/2015 01:21, Andy Lutomirski wrote:
>>>
>>> On Tue, Jul 28, 2015 at 10:10 AM, Boris Ostrovsky
>>> <boris.ostrovsky@xxxxxxxxxx> wrote:
>>>>
>>>> On 07/28/2015 01:07 PM, Andy Lutomirski wrote:
>>>>>
>>>>> On Tue, Jul 28, 2015 at 9:30 AM, Andrew Cooper
>>>>> <andrew.cooper3@xxxxxxxxxx> wrote:
>>>>>>
>>>>>> I suspect that the set_ldt(NULL, 0) call hasn't reached Xen before
>>>>>> xen_free_ldt() is attempting to nab back the pages which Xen still has
>>>>>> mapped as an LDT.
>>>>>>
>>>>> I just instrumented it with yet more LSL instructions.  I'm pretty
>>>>> sure that set_ldt really is clearing at least LDT entry zero.
>>>>> Nonetheless the free_ldt call still oopses.
>>>>>
>>>> Yes, I added some instrumentation to the hypervisor and we definitely
>>>> set
>>>> LDT to NULL before failing.
>>>>
>>>> -boris
>>>
>>> Looking at map_ldt_shadow_page: what keeps shadow_ldt_mapcnt from
>>> getting incremented once on each CPU at the same time if both CPUs
>>> fault in the same shadow LDT page at the same time?
>>
>> Nothing, but that is fine.  If a page is in use in two vcpus LDTs, it is
>> expected to have a type refcount of 2.
>>
>>> Similarly, what
>>> keeps both CPUs from calling get_page_type at the same time and
>>> therefore losing track of the page type reference count?
>>
>> a cmpxchg() loop in the depths of __get_page_type().
>>
>>> I don't see why vmalloc or vm_unmap_aliases would have anything to do
>>> with this, though.
>
>
> So just for kicks I made lazy_max_pages() return 0 to free vmaps immediately
> and the problem went away.
>
> I also saw this warning, BTW:
>
> [  178.686542] ------------[ cut here ]------------
> [  178.686554] WARNING: CPU: 0 PID: 16440 at
> ./arch/x86/include/asm/mmu_context.h:96 load_mm_ldt+0x70/0x76()
> [  178.686558] DEBUG_LOCKS_WARN_ON(!irqs_disabled())

Whoops!  That should be checking preemptible(), not irqs_disabled().

--Andy

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andy Lutomirski
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Boris Ostrovsky
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andy Lutomirski
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Boris Ostrovsky
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andy Lutomirski
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andy Lutomirski
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andy Lutomirski
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andy Lutomirski
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Boris Ostrovsky
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andy Lutomirski
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Boris Ostrovsky

Prev by Date: [Xen-devel] [linux-3.16 bisection] complete test-amd64-i386-xl-qemut-stubdom-debianhvm-amd64-xsm
Next by Date: Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
Previous by thread: Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
Next by thread: Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.