Xen project Mailing List

Re: [PATCH] pv32: Fix bogus cr2 on fault in emulation gate

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Thu, 21 May 2026 09:00:36 +0200

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=google header.d=suse.com header.i="@suse.com" header.h="Content-Transfer-Encoding:In-Reply-To:Autocrypt:Content-Language:References:Cc:To:From:Subject:User-Agent:MIME-Version:Date:Message-ID"

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Teddy Astie <teddy.astie@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Thu, 21 May 2026 07:02:47 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 21.05.2026 08:33, Jan Beulich wrote: > On 20.05.2026 19:21, Andrew Cooper wrote: >> On 20/05/2026 5:48 pm, Teddy Astie wrote: >>> Le 20/05/2026 à 18:34, Andrew Cooper a écrit : >>>> On 20/05/2026 4:51 pm, Teddy Astie wrote: >>>>> __{put,get}_guest returns -EFAULT on access faults which causes >>>>> the injected cr2 to be off by 14 bytes (as EFAULT is 14) which is >>>>> incorrect. >>>>> >>>>> Fix the computation by relying on copy_{from,to}_guest_pv which >>>>> reports the number of remaining bytes instead of a negative errno, >>>>> such that we can compute the offset properly. >>>>> >>>>> Fixes: 70ad570b2799 ("x86/64: paravirt 32-on-64 call gate support") >>>>> Signed-off-by: Teddy Astie <teddy.astie@xxxxxxxxxx> >>>>> --- >>>>> xen/arch/x86/pv/emul-gate-op.c | 5 +++-- >>>>> 1 file changed, 3 insertions(+), 2 deletions(-) >>>>> >>>>> diff --git a/xen/arch/x86/pv/emul-gate-op.c >>>>> b/xen/arch/x86/pv/emul-gate-op.c >>>>> index c2c699fbff..cacc171115 100644 >>>>> --- a/xen/arch/x86/pv/emul-gate-op.c >>>>> +++ b/xen/arch/x86/pv/emul-gate-op.c >>>>> @@ -289,9 +289,10 @@ void pv_emulate_gate_op(struct cpu_user_regs >>>>> *regs) >>>>> int rc; >>>>> #define push(item) do \ >>>>> { \ >>>>> + unsigned int __value = item; \ >>>>> --stkp; \ >>>>> esp -= 4; \ >>>>> - rc = __put_guest(item, stkp); \ >>>>> + rc = copy_to_guest_pv(stkp, &__value, sizeof(__value)); \ >>>> >>>> Oh, this probably violates MISRA, but you don't need to use a separate >>>> variable because sizeof() has no side effects. >>>> >>>> Given that the expression is now &item, I think it needs to be &(item). >>>> >>> >>> I tried something like that, but it looked a bit weird and clang >>> wasn't happy (at least in language server) because of the &(x + y). >>> >>> We also need to ensure that we're actually copying 32-bits scalars >>> (and not 16-bits or 64-bits ones) like the previous behavior. >>> >>> That diff seems to work though >>> >>> diff --git a/xen/arch/x86/pv/emul-gate-op.c >>> b/xen/arch/x86/pv/emul-gate-op.c >>> index cacc171115..b72a3058dd 100644 >>> --- a/xen/arch/x86/pv/emul-gate-op.c >>> +++ b/xen/arch/x86/pv/emul-gate-op.c >>> @@ -289,10 +289,9 @@ void pv_emulate_gate_op(struct cpu_user_regs *regs) >>> int rc; >>> #define push(item) do \ >>> { \ >>> - unsigned int __value = item; \ >>> --stkp; \ >>> esp -= 4; \ >>> - rc = copy_to_guest_pv(stkp, &__value, sizeof(__value)); \ >>> + rc = copy_to_guest_pv(stkp, &(uint32_t)(item), >>> sizeof(uint32_t)); \ >>> if ( rc ) \ >>> { \ >>> pv_inject_page_fault(PFEC_write_access, \ >> >> Oh, that's a second bug you're fixing then. >> >> Pushes of ss/cs need to be done with 4-byte writes and zero extended. > > And they are: Access size is derived from the pointer passed, not from the > item. Oh, while access size has always been correct, .... >> I've added: >> >> The use of a local variable in push() also fixes a second bug. On all >> but the earliest 32bit CPUs, segment selectors pushes are >> zero-extended 32bit stores. Xen was not doing this for %ss and %cs. ... zero-extension was lost with the FRED work, so a 2nd Fixes: tag is going to be necessary: cb29eed2dae7 ("x86/traps: Extend struct cpu_user_regs/cpu_info with FRED fields"). Jan >> to the commit message. >> >> ~Andrew >

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.