[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS if forced to zero

To: Borislav Petkov <bp@xxxxxxxxx>
From: Juergen Gross <jgross@xxxxxxxx>
Date: Tue, 25 Apr 2017 20:34:34 +0200
Cc: x86@xxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, mingo@xxxxxxxxxx, hpa@xxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, boris.ostrovsky@xxxxxxxxxx, tglx@xxxxxxxxxxxxx
Delivery-date: Tue, 25 Apr 2017 18:34:44 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 25/04/17 20:24, Borislav Petkov wrote:
> On Tue, Apr 25, 2017 at 08:00:14PM +0200, Juergen Gross wrote:
>> When running as Xen pv guest X86_BUG_SYSRET_SS_ATTRS must not be set
>> on AMD cpus. Xen will disable this via setup_clear_cpu_cap(), so test
>> cpu_caps_cleared to not have disabled this bit.
>>
>> This bug/feature bit is kind of special as it will be used very early
>> when switching threads. Setting the bit and clearing it a little bit
>> later leaves a critical window where things can go wrong. This time
>> window has enlarged a little bit by using setup_clear_cpu_cap() instead
>> of the hypervisor's set_cpu_features callback. It seems this larger
>> window now makes it rather easy to hit the problem.
>>
>> The proper solution is to never set the bit in case of Xen.
>>
>> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
>> ---
>>  arch/x86/kernel/cpu/amd.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
>> index c36140d788fe..f659b6f534b7 100644
>> --- a/arch/x86/kernel/cpu/amd.c
>> +++ b/arch/x86/kernel/cpu/amd.c
>> @@ -800,7 +800,9 @@ static void init_amd(struct cpuinfo_x86 *c)
>>                      set_cpu_cap(c, X86_FEATURE_3DNOWPREFETCH);
>>  
>>      /* AMD CPUs don't reset SS attributes on SYSRET */
>> -    set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
>> +    if (!test_bit(X86_BUG_SYSRET_SS_ATTRS,
>> +                  (unsigned long *)cpu_caps_cleared))
>> +            set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
>>  }
> 
> Hold on, AFAICT we have this order:
> 
> c_init() -> init_amd() sets X86_BUG_SYSRET_SS_ATTRS

And what happens when there is a scheduling event right here?
__switch_to() will see X86_BUG_SYSRET_SS_ATTRS set and take a wrong
path.

> init_hypervisor->x86_hyper->set_cpu_features-> clear_cpu_bug(c, 
> X86_BUG_SYSRET_SS_ATTRS);

And now (with setup_clear_cpu_cap()) the bit is cleared a little bit
later. And all should be good. But it isn't.

> 
> and all is good.
> 
> And I remember seeing a patchset doing some xen cpuid cleanup so I'm
> assuming you're doing setup_clear_cpu_cap() now? And now we have to wag
> the dog?

No, now the time window with X86_BUG_SYSRET_SS_ATTRS set is so long we
actually see the problem happening.


Juergen

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS if forced to zero
  - From: Borislav Petkov

References:
- [Xen-devel] [PATCH] x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS if forced to zero
  - From: Juergen Gross
- Re: [Xen-devel] [PATCH] x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS if forced to zero
  - From: Borislav Petkov

Prev by Date: Re: [Xen-devel] [OSSTEST PATCH] ts-openstack-deploy: Set http proxy
Next by Date: [Xen-devel] [PULL 0/21] Please pull xen-20170421-v2-tag for 2.10
Previous by thread: Re: [Xen-devel] [PATCH] x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS if forced to zero
Next by thread: Re: [Xen-devel] [PATCH] x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS if forced to zero
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.