
Re: [Xen-devel] what's inside hypercall page?



After step-by-step monitoring, I got the following statistics about hypercall entries:

numbers | hypercalls | executed bytes (offset to hypercall entry)
   7755 24: 0 1 3 8 a c d
   6374 23: 0 1 3 4 9
   3281 25: 0 1 3 8 a c d
   2979 13: 0 1 3 8 a c d
   2475 17: 0 1 3 8
   2253 17: a c d
    749 3: 0 1 3 8 a c d
    655 23: 0 1 3 4 9 0 1 3 4 9
    640 29: 0 1 3 8
    636 29: a c d
    445 23: 0 1 3 4 9 0 1 3 4 9 0 1 3 4 9
    433 23: 0 1 3 4 9 0 1 3 4 9 0 1 3 4 9 0 1 3 4 9
    414 24: 0 1 3 8 a c d 0 1 3 8 a c d
    274 13: 0 1 3 8 8 a c d
    129 17: d
    125 17: a c
    112 29: a c d 0 1 3 8
    112 17: c d
    105 17: a
     73 24: 0 1 3 8 a c d 0 1 3 8 a c d 0 1 3 8 a c d
     67 17: 0
     59 17: 8 a c d
     54 17: 0 1 3
     53 17: 0 1
     50 17: 1 3 8 a c d
     46 17: 3 8 a c d
     21 3: 0 1 3 8 a c d 0 1 3 8 a c d
      8 33: 0 1 3 8 a c d
      7 17: 1 3
      6 13: 0 1 3 8 8 8 a c d
      5 29: d
      5 23: 0 1 3 4 9 0 1 3 4 9 0 1 3 4 9 0 1 3 4 9 0 1 3 4 9
      4 29: a c
      4 17: 3
      3 17: 8 a
      3 17: 8
      3 17: 3 8
      3 17: 1 3 8 a c
      3 17: 1
      2 29: 0 1 3 8 a c d
      2 17: 3 8 a
      2 17: 1 3 8 a
      2 17: 1 3 8
      1 29: c
      1 29: a
      1 29: 3 8 a c d
      1 29: 1 3 8 a c d
      1 29: 0 1
      1 29: 0
      1 17: 3 8 a c

From the above we can see that hypercalls #17 and #29 are very irregular, with various combinations occurring. Other hypercalls basically obey the sequence "0 1 3 8 a c d", which conforms to the content of the hypercall_page_initialise function. HYPERCALL_iret is a special one, as explained in the function, but it also conforms to its sequence of "0 1 3 4 9". So why would #17 (do_xen_version) and #29 (do_sched_op) perform irregularly? They seem to be easily interrupted at any place in the hypercall entry. Besides, there are also some abnormalities for #13 (do_multicall), shown in bold.


From: quizy_jones@xxxxxxxxxxx
To: xen-devel@xxxxxxxxxxxxxxxxxxxx
Date: Wed, 2 Mar 2016 12:44:16 +0000
Subject: Re: [Xen-devel] what's inside hypercall page?

For the following hypercall page initialise code, where would the execution jump at syscall? How can I predict the execution order of "pop %r11"? Is it the fifth instruction/step? I need the order to precisely set up hooks to monitor hypercalls.

static void hypercall_page_initialise_ring3_kernel(void *hypercall_page)
{
    char *p;
    int i;

    /* Fill in all the transfer points with template machine code. */
    for ( i = 0; i < (PAGE_SIZE / 32); i++ )
    {
        if ( i == __HYPERVISOR_iret )
            continue;

        p = (char *)(hypercall_page + (i * 32));
        *(u8  *)(p+ 0) = 0x51;    /* push %rcx */
        *(u16 *)(p+ 1) = 0x5341;  /* push %r11 */
        *(u8  *)(p+ 3) = 0xb8;    /* mov  $<i>,%eax */
        *(u32 *)(p+ 4) = i;
        *(u16 *)(p+ 8) = 0x050f;  /* syscall */
        *(u16 *)(p+10) = 0x5b41;  /* pop  %r11 */
        *(u8  *)(p+12) = 0x59;    /* pop  %rcx */
        *(u8  *)(p+13) = 0xc3;    /* ret */
    }

    /*
     * HYPERVISOR_iret is special because it doesn't return and expects a
     * special stack frame. Guests jump at this transfer point instead of
     * calling it.
     */
    p = (char *)(hypercall_page + (__HYPERVISOR_iret * 32));
    *(u8  *)(p+ 0) = 0x51;    /* push %rcx */
    *(u16 *)(p+ 1) = 0x5341;  /* push %r11 */
    *(u8  *)(p+ 3) = 0x50;    /* push %rax */
    *(u8  *)(p+ 4) = 0xb8;    /* mov  $__HYPERVISOR_iret,%eax */
    *(u32 *)(p+ 5) = __HYPERVISOR_iret;
    *(u16 *)(p+ 9) = 0x050f;  /* syscall */
}

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
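As an added illustration (not Xen's code, and not from either mail above): the template bytes are written into a plain buffer and then walked by opcode length, which reproduces the offset sequences seen in the trace table, "0 1 3 8 a c d" for a normal entry and "0 1 3 4 9" for iret. __HYPERVISOR_iret = 23 is assumed here because entry 23 in the table shows the iret sequence.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STUB_SIZE         32
#define __HYPERVISOR_iret 23   /* assumed: entry 23 in the trace shows the iret sequence */

/* Write the 32-byte stub for hypercall i with the same bytes as Xen's template; plain data, never executed. */
void fill_stub(uint8_t *p, int i)
{
    uint8_t nr = (uint8_t)i;   /* low byte of the little-endian imm32; i < 128 here */
    const uint8_t normal[] = { 0x51, 0x41,0x53, 0xb8,nr,0,0,0, 0x0f,0x05, 0x41,0x5b, 0x59, 0xc3 };
    const uint8_t iret[]   = { 0x51, 0x41,0x53, 0x50, 0xb8,nr,0,0,0, 0x0f,0x05 };
    memset(p, 0, STUB_SIZE);
    if (i == __HYPERVISOR_iret) memcpy(p, iret, sizeof iret);   /* push rcx; push r11; push rax; mov; syscall */
    else                        memcpy(p, normal, sizeof normal); /* push rcx; push r11; mov; syscall; pops; ret */
}

/* Instruction-start offsets inside one stub, walking by the length of each opcode the template can emit.
 * Returns the count, or -1 on an unexpected byte. */
int stub_offsets(const uint8_t *stub, int out[8])
{
    int n = 0, off = 0, len;
    while (n < 8 && off < STUB_SIZE) {
        switch (stub[off]) {
        case 0x50: case 0x51: case 0x59: len = 1; break;   /* push %rax, push %rcx, pop %rcx */
        case 0x41: len = 2; break;                          /* REX.B prefix: push/pop %r11 */
        case 0xb8: len = 5; break;                          /* mov $imm32,%eax */
        case 0x0f: len = 2; break;                          /* 0f 05 = syscall */
        case 0xc3: out[n++] = off; return n;                /* ret ends a normal stub */
        case 0x00: return n;                                /* zero padding ends the iret stub */
        default:   return -1;
        }
        out[n++] = off;
        off += len;
    }
    return n;
}

/* Render entry nr in the "0 1 3 8 a c d" form used in the trace table. */
const char *hypercall_trace_string(int nr, char *buf, size_t size)
{
    uint8_t stub[STUB_SIZE];
    int offs[8], n, used = 0;
    fill_stub(stub, nr);
    n = stub_offsets(stub, offs);
    buf[0] = '\0';
    for (int k = 0; k < n && used < (int)size; k++)
        used += snprintf(buf + used, size - used, k ? " %x" : "%x", offs[k]);
    return buf;
}
```

The irregular rows in the table (entries ending after 8, or starting at a, c or d) are sequences this walker never produces from the template alone; they can only come from an entry being interrupted between two of these offsets.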
