[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen/x86: Change stub page freeing to fix smt=0

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Jason Andryuk <jason.andryuk@xxxxxxx>
  • Date: Wed, 27 May 2026 10:42:10 -0400
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=citrix.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=FKgLlTzuuWT+TepsQUUEsWjMz5etRLjqvFQF7cJ/nek=; b=Pj0RMzz2rGLVxzGw53Ut52Ok5HOTgfedbkuuQsT1/fvFkIiOKcbOev08avQ43DpwffVUED+J1Pf7AfKNQg8KHncM2452DSkqxWiMC7Wttf5CoE/kyr0XTVMPwuefx7yQvsdaPyUJWtCGb9yeUKE04w9OTK1JByDPg2KkrJDDp7bsZcW84MlhZJjMKvh+eHszlyrihtKKLcFEJeHNofiQPG5mTccWkwJ476kuxKYlmsk0T6ysS5KPkCGJBPJUrHVpdWKUGSHW5l9KO5pCt1wHx4IHFNEIY71p5nKKVaJz3p5+GKlZUg5aGdADdy3M4jzkQOGk/5/t8V+VLoPc3x8Rxg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=ZlGR7bYXJar2OZAIsTmCDInZ4LaeontTokQ18yrrukYFpJ8B+CKXq+25oJNwOZM+b6fGxjjMT3sBN5TC3Vnsp5/o1QcjNbr4Jlohw5ZoTNMyj7z4DTejKEi9sLoCn2kQHib6pmVQBDhqy8aFDaYKwkzYW/3sb4X3zg4i0LH6qQldafqgKOsKzhXj2fwZJ2/+al2KO6YV3MIqdKU5yZdIv+V+7Czmh/aGJZekpg0b5yOCUMuu+jHy6iL46X4VJmrSlO9F7oSPJEBgjr7gKmzttkb14JQ66ovP/a4+eJjkTm21bZA7KO25qWF2ZpHGmLz2UCjJPH9Pgsyok7bblIM7iA==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=amd.com header.i="@amd.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"
  • Cc: Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Teddy Astie <teddy.astie@xxxxxxxxxx>
  • Delivery-date: Wed, 27 May 2026 14:42:39 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 2026-05-27 10:14, Jason Andryuk wrote:

On 2026-05-26 18:03, Andrew Cooper wrote:

On 26/05/2026 9:31 pm, Jason Andryuk wrote:

A single stubs page is initialized with 0xcc and re-used, with multiple
CPUs each using a portion of the shared page.  In cpu_smpboot_free(),
each stubs area is checked against 0xcc.  When all are set to 0xcc, the
page is freed.

Booting a system with smt=0, CPU0 is initially setup, allocating the
stubs page and initializing to 0xcc.  When more CPUs are brought up,
CPU1 is initialized and then immediately brough offline as it is the
sibling of CPU0.  Since the page was initially memset with 0xcc,
cpu_smpboot_free() finds all stubs as 0xcc and frees the page.
However, the page is still assigned to CPU0 and continues to be assigned
to other CPUs.


It's more complicated than this.

With CONFIG_PV (and !opt_fred in 4.22 which is perhaps newer than you're
testing), the LSTAR and CSTAR stubs guarantee that the 0xcc's are
overwritten with real instructions.

In !CONFIG_PV, the 0xcc's only get overwritten by the exception recovery
selftests (CPU0 only, and gated on CONFIG_SELF_TESTS), and "complicated"
instructions in the emulator (which in your safety environment, you
likely have compiled out).

So, in your environment, I think you probably can exclude the stubs
entirely and trim even more LoC.
Thanks.  Ok, my build was !CONFIG_PV, so 0xcc's were not overwritten. The fault happened before the self tests ran. 

Correction: It was after the self tests ran and during dom0 construction.

(XEN) Pagetable walk from ffff830842652008:
(XEN)  L4[0x106] = 8000000079c72063 ffffffffffffffff
(XEN)  L3[0x021] = 0000000079ff3063 ffffffffffffffff
(XEN)  L2[0x013] = 000000085680f063 ffffffffffffffff
(XEN)  L1[0x052] = cccccccccccccccc ffffffffffffffff
It looks like the page is reallocated after free-ing, so after CPU1 is down. The re-use would write the page with PTEs. However, when later CPUs are brought down, their portion of the stubs page is overwritten with 0xcc. I think that is how the page, as a page table, is corrupted. 

Regards,
Jason

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.