[PATCH v6 4/5] x86/mm: Reject invalid cacheability in PV guests by default

Setting cacheability flags that are not ones specified by Xen is a bug
in the guest. By default, return -EINVAL if a guest attempts to do
this. The invalid-cacheability= Xen command-line flag allows the
administrator to allow such attempts or to produce
Suggested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Signed-off-by: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
---
Changes since v5:
- Make parameters static and __ro_after_init.
- Replace boolean parameter allow_invalid_cacheability with string
parameter invalid-cacheability.
- Move parameter definitions to near where they are used.
- Add documentation.
Changes since v4:
- Remove pointless BUILD_BUG_ON().
- Add comment explaining why an exception is being injected.
Changes since v3:
- Add Andrew Cooper’s Suggested-by
---
docs/misc/xen-command-line.pandoc | 11 ++++++
xen/arch/x86/mm.c | 60 ++++++++++++++++++++++++++++++-
2 files changed, 70 insertions(+), 1 deletion(-)
diff --git a/docs/misc/xen-command-line.pandoc
b/docs/misc/xen-command-line.pandoc
index
424b12cfb27d6ade2ec63eacb8afe5df82465451..0230a7bc17cbd4362a42ea64cea695f31f5e0f86
100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -1417,6 +1417,17 @@ detection of systems known to misbehave upon accesses to
that port.
### idle_latency_factor (x86)
> `= <integer>`
+### invalid-cacheability (x86)
+> `= allow | deny | trap`
+
+> Default: `deny` in release builds, otherwise `trap`
+
+Specify what happens when a PV guest tries to use one of the reserved entries
in
+the PAT. `deny` causes the attempt to be rejected with -EINVAL, `allow` allows
+the attempt, and `trap` causes a general protection fault to be raised.
+Currently, the reserved entries are marked as uncacheable in Xen's PAT, but
this
+will change if new memory types are added, so guests must not rely on it.
+
### ioapic_ack (x86)
> `= old | new`
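Review bot: the `trap` description in the new invalid-cacheability entry says only that a general protection fault is raised, but the mm.c change in this patch also sets ret = -EINVAL and takes the fail path after injecting it, so `trap` behaves as `deny` plus a #GP. Suggest saying so explicitly, and naming the point where the check is made (promote_l1_table in the code change), so an administrator reading this entry knows which guest operation fails and that it fails in both non-allow modes.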
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index
65ba0f58ed8c26ac0343528303851739981c03bd..bacfb776d688f68dcbf79d83723fff329b75fd18
100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -1324,6 +1324,37 @@ static int put_page_from_l4e(l4_pgentry_t l4e, mfn_t
l4mfn, unsigned int flags)
return put_pt_page(l4e_get_page(l4e), mfn_to_page(l4mfn), flags);
}
+enum {
+ INVALID_CACHEABILITY_ALLOW,
+ INVALID_CACHEABILITY_DENY,
+ INVALID_CACHEABILITY_TRAP,
+};
+
+#ifdef NDEBUG
+#define INVALID_CACHEABILITY_DEFAULT INVALID_CACHEABILITY_DENY
+#else
+#define INVALID_CACHEABILITY_DEFAULT INVALID_CACHEABILITY_TRAP
+#endif
+
+static __ro_after_init uint8_t invalid_cacheability =
+ INVALID_CACHEABILITY_DEFAULT;
+
+static int __init cf_check set_invalid_cacheability(const char *str)
+{
+ if (strcmp("allow", str) == 0)
+ invalid_cacheability = INVALID_CACHEABILITY_ALLOW;
+ else if (strcmp("deny", str) == 0)
+ invalid_cacheability = INVALID_CACHEABILITY_DENY;
+ else if (strcmp("trap", str) == 0)
+ invalid_cacheability = INVALID_CACHEABILITY_TRAP;
+ else
+ return -EINVAL;
+
+ return 0;
+}
+
+custom_param("invalid-cacheability", set_invalid_cacheability);
+
static int promote_l1_table(struct page_info *page)
{
struct domain *d = page_get_owner(page);
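Review bot: set_invalid_cacheability() writes its conditions as `if (strcmp("allow", str) == 0)`, without the spaces inside the parentheses that the promote_l1_table hunk of this same patch uses (`if ( invalid_cacheability != ... )`); please use one style throughout. A short comment above the enum describing what each mode does to the guest would also help, since INVALID_CACHEABILITY_DEFAULT differs between NDEBUG and debug builds and the only description of the modes is in the command-line document.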
@@ -1343,7 +1374,34 @@ static int promote_l1_table(struct page_info *page)
}
else
{
- switch ( ret = get_page_from_l1e(pl1e[i], d, d) )
+ l1_pgentry_t l1e = pl1e[i];
+
+ if ( invalid_cacheability != INVALID_CACHEABILITY_ALLOW )
+ {
+ switch ( l1e.l1 & PAGE_CACHE_ATTRS )
+ {
+ case _PAGE_WB:
+ case _PAGE_UC:
+ case _PAGE_UCM:
+ case _PAGE_WC:
+ case _PAGE_WT:
+ case _PAGE_WP:
+ break;
+ default:
+ /*
+ * If we get here, a PV guest tried to use one of the
+ * reserved values in Xen's PAT. This indicates a bug
+ * in the guest. If requested by the user, inject #GP
+ * to cause the guest to log a stack trace.
+ */
+ if ( invalid_cacheability == INVALID_CACHEABILITY_TRAP )
+ pv_inject_hw_exception(TRAP_gp_fault, 0);
+ ret = -EINVAL;
+ goto fail;
+ }
+ }
+
+ switch ( ret = get_page_from_l1e(l1e, d, d) )
{
default:
goto fail;
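Review bot: in the default case, pv_inject_hw_exception(TRAP_gp_fault, 0) is called with no vCPU or domain argument, while the table being promoted belongs to d = page_get_owner(page); if the vCPU that triggered the promotion is not one of d's, the #GP and the stack trace the comment promises end up in the wrong guest. Suggest injecting only when d is the current domain and otherwise just returning -EINVAL. Separately, the patch adds the PAGE_CACHE_ATTRS check at this one call site only, so please confirm in the commit message whether any other caller of get_page_from_l1e needs the same filter for `deny` to hold.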
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab