[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] x86/svm: Separate STI and VMRUN instructions in svm_asm_do_resume()

To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Mon, 17 Feb 2025 16:12:41 +0000
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
Delivery-date: Mon, 17 Feb 2025 16:15:02 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

There is a corner case in the VMRUN instruction where its INTR_SHADOW state
leaks into guest state if a VMExit occurs before the VMRUN is complete.  An
example of this could be taking #NPF due to event injection.

Xen can safely execute STI anywhere between CLGI and VMRUN, as CLGI blocks
external interrupts too.  Move the STI to the other end of the block, which
moves the VMRUN instruction outside of STI's shadow.

Link: 
https://lore.kernel.org/all/CADH9ctBs1YPmE4aCfGPNBwA10cA8RuAk2gO7542DjMZgs4uzJQ@xxxxxxxxxxxxxx/
Fixes: 66b245d9eaeb ("SVM: limit GIF=0 region")
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Jan Beulich <JBeulich@xxxxxxxx>
CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>

I'm reasonbly sure this will trigger reliably during LogDirty because of how
we do misconfig propagation.

It's also mostly benign; from the guest's point of view, a pending interrupt
will be delayed by one instruction.  Hence, not tagged for 4.20 at this
juncture.
---
 xen/arch/x86/hvm/svm/entry.S | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/svm/entry.S b/xen/arch/x86/hvm/svm/entry.S
index 6fd9652c04a1..c710464673f0 100644
--- a/xen/arch/x86/hvm/svm/entry.S
+++ b/xen/arch/x86/hvm/svm/entry.S
@@ -57,6 +57,14 @@ __UNLIKELY_END(nsvm_hap)
 
         clgi
 
+        /*
+         * Set EFLAGS.IF, after CLGI covers us from real interrupts, but not
+         * immediately prior to VMRUN.  AMD CPUs leak Xen's INTR_SHADOW from
+         * the STI into guest state if a VMExit occurs during VMEntry
+         * (e.g. taking #NPF during event injecting.)
+         */
+        sti
+
         /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */
         /* SPEC_CTRL_EXIT_TO_SVM       Req: b=curr %rsp=regs/cpuinfo, Clob: 
acd */
         .macro svm_vmentry_spec_ctrl
@@ -91,7 +99,6 @@ __UNLIKELY_END(nsvm_hap)
         pop  %rsi
         pop  %rdi
 
-        sti
         vmrun
 
         SAVE_ALL

base-commit: 414dde38b0cf8a38230c8c3f9e8564da9762e743
-- 
2.39.5

Follow-Ups:
- [PATCH v2] x86/svm: Separate STI and VMRUN instructions in svm_asm_do_resume()
  - From: Andrew Cooper
- Re: [PATCH] x86/svm: Separate STI and VMRUN instructions in svm_asm_do_resume()
  - From: Jan Beulich

Prev by Date: [PATCH] x86/ucode: Add option to scan microcode by default
Next by Date: Re: [PATCH v2 1/2] xen/passthrough: Provide stub functions when !HAS_PASSTHROUGH
Previous by thread: [PATCH] x86/ucode: Add option to scan microcode by default
Next by thread: Re: [PATCH] x86/svm: Separate STI and VMRUN instructions in svm_asm_do_resume()
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.