[PATCH] Test case of multibyte NOP in emulation mode

[PATCH] Test case of multibyte NOP in emulation mode

[李春奇 <Arthur Chunqi Li>]

Add multibyte NOP test case to kvm-unit-tests. This case can test one
of bugs when booting RHEL5.9 64-bit.

Signed-off-by: Arthur Chunqi Li <yzt356@gmail.com>
---
 x86/emulator.c |   33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/x86/emulator.c b/x86/emulator.c
index 96576e5..f26c70f 100644
--- a/x86/emulator.c
+++ b/x86/emulator.c
@@ -901,6 +901,37 @@ static void test_simplealu(u32 *mem)
     report("test", *mem == 0x8400);
 }

+static void test_nopl(uint64_t *mem, uint8_t *insn_page,
+       uint8_t *alt_insn_page, void *insn_ram)
+{
+    ulong *cr3 = (ulong *)read_cr3();
+
+    // Pad with RET instructions
+    memset(insn_page, 0xc3, 4096);
+    memset(alt_insn_page, 0xc3, 4096);
+    // Place a trapping instruction in the page to trigger a VMEXIT
+    insn_page[0] = 0x89; // mov %eax, (%rax)
+    insn_page[1] = 0x00;
+    insn_page[2] = 0x90; // nop
+    // Place nopl 0x0(%eax) in alt_insn_page for emulator to execuate
+    alt_insn_page[0] = 0x0f; // nop DWORD ptr[EAX]
+    alt_insn_page[1] = 0x1f;
+    alt_insn_page[2] = 0x00;
+
+    // Load the code TLB with insn_page, but point the page tables at
+    // alt_insn_page (and keep the data TLB clear, for AMD decode assist).
+    // This will make the CPU trap on the insn_page instruction but the
+    // hypervisor will see alt_insn_page.
+    install_page(cr3, virt_to_phys(insn_page), insn_ram);
+    // Load code TLB
+    invlpg(insn_ram);
+    asm volatile("call *%0" : : "r"(insn_ram + 3));
+    // Trap, let hypervisor emulate at alt_insn_page
+    install_page(cr3, virt_to_phys(alt_insn_page), insn_ram);
+    asm volatile("call *%0" : : "r"(insn_ram), "a"(mem));
+    report("nopl", 1);
+}
+
 int main()
 {
  void *mem;
@@ -964,6 +995,8 @@ int main()

  test_string_io_mmio(mem);

+ test_nopl(mem, insn_page, alt_insn_page, insn_ram);
+
  printf("\nSUMMARY: %d tests, %d failures\n", tests, fails);
  return fails ? 1 : 0;
 }
--
1.7.9.5

Re: [PATCH] Test case of multibyte NOP in emulation mode

[Gleb Natapov]

On Wed, Jun 05, 2013 at 10:16:46AM +0800, 李春奇 <Arthur Chunqi Li> wrote:
> Add multibyte NOP test case to kvm-unit-tests. This case can test one
> of bugs when booting RHEL5.9 64-bit.
> 
Adding the test to x86/realmode.c will be much easier.

> Signed-off-by: Arthur Chunqi Li <yzt356@gmail.com>
> ---
>  x86/emulator.c |   33 +++++++++++++++++++++++++++++++++
>  1 file changed, 33 insertions(+)
> 
> diff --git a/x86/emulator.c b/x86/emulator.c
> index 96576e5..f26c70f 100644
> --- a/x86/emulator.c
> +++ b/x86/emulator.c
> @@ -901,6 +901,37 @@ static void test_simplealu(u32 *mem)
>      report("test", *mem == 0x8400);
>  }
> 
> +static void test_nopl(uint64_t *mem, uint8_t *insn_page,
> +       uint8_t *alt_insn_page, void *insn_ram)
> +{
> +    ulong *cr3 = (ulong *)read_cr3();
> +
> +    // Pad with RET instructions
> +    memset(insn_page, 0xc3, 4096);
> +    memset(alt_insn_page, 0xc3, 4096);
> +    // Place a trapping instruction in the page to trigger a VMEXIT
> +    insn_page[0] = 0x89; // mov %eax, (%rax)
> +    insn_page[1] = 0x00;
> +    insn_page[2] = 0x90; // nop
> +    // Place nopl 0x0(%eax) in alt_insn_page for emulator to execuate
> +    alt_insn_page[0] = 0x0f; // nop DWORD ptr[EAX]
> +    alt_insn_page[1] = 0x1f;
> +    alt_insn_page[2] = 0x00;
> +
> +    // Load the code TLB with insn_page, but point the page tables at
> +    // alt_insn_page (and keep the data TLB clear, for AMD decode assist).
> +    // This will make the CPU trap on the insn_page instruction but the
> +    // hypervisor will see alt_insn_page.
> +    install_page(cr3, virt_to_phys(insn_page), insn_ram);
> +    // Load code TLB
> +    invlpg(insn_ram);
> +    asm volatile("call *%0" : : "r"(insn_ram + 3));
> +    // Trap, let hypervisor emulate at alt_insn_page
> +    install_page(cr3, virt_to_phys(alt_insn_page), insn_ram);
> +    asm volatile("call *%0" : : "r"(insn_ram), "a"(mem));
> +    report("nopl", 1);
> +}
> +
>  int main()
>  {
>   void *mem;
> @@ -964,6 +995,8 @@ int main()
> 
>   test_string_io_mmio(mem);
> 
> + test_nopl(mem, insn_page, alt_insn_page, insn_ram);
> +
>   printf("\nSUMMARY: %d tests, %d failures\n", tests, fails);
>   return fails ? 1 : 0;
>  }
> --
> 1.7.9.5

--
			Gleb.

Re: [PATCH] Test case of multibyte NOP in emulation mode

[李春奇 <Arthur Chunqi Li>]

Yes, that should be the point. x86/realmode.c is always running in
emulation mode. I added the testing here there but no error occurred.
I cannot find the reason.

The code is as follows added to x86/realmode.c
static void test_nopl(void)
{
        MK_INSN(nopl, ".byte 0x0f, 0x1f, 0x00\n\r");
        exec_in_big_real_mode(&insn_nopl);
        report("nopl", 0, 1);
}

and I objdump from realmode.flat is as follows:
00006458 <insn_code_nopl>:
    6458:       0f 1f 00                nopl   (%eax)

But there cause no error when executing this insn. Why?


On Wed, Jun 5, 2013 at 2:42 PM, Gleb Natapov <gleb@redhat.com> wrote:
>
> On Wed, Jun 05, 2013 at 10:16:46AM +0800, 李春奇 <Arthur Chunqi Li> wrote:
> > Add multibyte NOP test case to kvm-unit-tests. This case can test one
> > of bugs when booting RHEL5.9 64-bit.
> >
> Adding the test to x86/realmode.c will be much easier.
>
> > Signed-off-by: Arthur Chunqi Li <yzt356@gmail.com>
> > ---
> >  x86/emulator.c |   33 +++++++++++++++++++++++++++++++++
> >  1 file changed, 33 insertions(+)
> >
> > diff --git a/x86/emulator.c b/x86/emulator.c
> > index 96576e5..f26c70f 100644
> > --- a/x86/emulator.c
> > +++ b/x86/emulator.c
> > @@ -901,6 +901,37 @@ static void test_simplealu(u32 *mem)
> >      report("test", *mem == 0x8400);
> >  }
> >
> > +static void test_nopl(uint64_t *mem, uint8_t *insn_page,
> > +       uint8_t *alt_insn_page, void *insn_ram)
> > +{
> > +    ulong *cr3 = (ulong *)read_cr3();
> > +
> > +    // Pad with RET instructions
> > +    memset(insn_page, 0xc3, 4096);
> > +    memset(alt_insn_page, 0xc3, 4096);
> > +    // Place a trapping instruction in the page to trigger a VMEXIT
> > +    insn_page[0] = 0x89; // mov %eax, (%rax)
> > +    insn_page[1] = 0x00;
> > +    insn_page[2] = 0x90; // nop
> > +    // Place nopl 0x0(%eax) in alt_insn_page for emulator to execuate
> > +    alt_insn_page[0] = 0x0f; // nop DWORD ptr[EAX]
> > +    alt_insn_page[1] = 0x1f;
> > +    alt_insn_page[2] = 0x00;
> > +
> > +    // Load the code TLB with insn_page, but point the page tables at
> > +    // alt_insn_page (and keep the data TLB clear, for AMD decode assist).
> > +    // This will make the CPU trap on the insn_page instruction but the
> > +    // hypervisor will see alt_insn_page.
> > +    install_page(cr3, virt_to_phys(insn_page), insn_ram);
> > +    // Load code TLB
> > +    invlpg(insn_ram);
> > +    asm volatile("call *%0" : : "r"(insn_ram + 3));
> > +    // Trap, let hypervisor emulate at alt_insn_page
> > +    install_page(cr3, virt_to_phys(alt_insn_page), insn_ram);
> > +    asm volatile("call *%0" : : "r"(insn_ram), "a"(mem));
> > +    report("nopl", 1);
> > +}
> > +
> >  int main()
> >  {
> >   void *mem;
> > @@ -964,6 +995,8 @@ int main()
> >
> >   test_string_io_mmio(mem);
> >
> > + test_nopl(mem, insn_page, alt_insn_page, insn_ram);
> > +
> >   printf("\nSUMMARY: %d tests, %d failures\n", tests, fails);
> >   return fails ? 1 : 0;
> >  }
> > --
> > 1.7.9.5
>
> --
>                         Gleb.




--
Arthur Chunqi Li
Department of Computer Science
School of EECS
Peking University
Beijing, China

Re: [PATCH] Test case of multibyte NOP in emulation mode

[Gleb Natapov]

On Wed, Jun 05, 2013 at 03:00:33PM +0800, 李春奇 <Arthur Chunqi Li> wrote:
> Yes, that should be the point. x86/realmode.c is always running in
> emulation mode. I added the testing here there but no error occurred. I
> cannot find the reason.
> 
> The code is as follows added to x86/realmode.c
> static void test_nopl(void)
> {
>         MK_INSN(nopl, ".byte 0x0f, 0x1f, 0x00\n\r");
>         exec_in_big_real_mode(&insn_nopl);
>         report("nopl", 0, 1);
> }
> 
> and I objdump from realmode.flat is as follows:
> 00006458 <insn_code_nopl>:
>     6458:       0f 1f 00                nopl   (%eax)
> 
> But there cause no error when executing this insn. Why?
> 
Because you probably use cpu that supports unrestricted mode or use AMD
processor. Can you try loading kvm-intel with unrestricted_guest=0
option?

> 
> On Wed, Jun 5, 2013 at 2:42 PM, Gleb Natapov <gleb@redhat.com> wrote:
> 
> > On Wed, Jun 05, 2013 at 10:16:46AM +0800, 李春奇 <Arthur Chunqi Li> wrote:
> > > Add multibyte NOP test case to kvm-unit-tests. This case can test one
> > > of bugs when booting RHEL5.9 64-bit.
> > >
> > Adding the test to x86/realmode.c will be much easier.
> >
> > > Signed-off-by: Arthur Chunqi Li <yzt356@gmail.com>
> > > ---
> > >  x86/emulator.c |   33 +++++++++++++++++++++++++++++++++
> > >  1 file changed, 33 insertions(+)
> > >
> > > diff --git a/x86/emulator.c b/x86/emulator.c
> > > index 96576e5..f26c70f 100644
> > > --- a/x86/emulator.c
> > > +++ b/x86/emulator.c
> > > @@ -901,6 +901,37 @@ static void test_simplealu(u32 *mem)
> > >      report("test", *mem == 0x8400);
> > >  }
> > >
> > > +static void test_nopl(uint64_t *mem, uint8_t *insn_page,
> > > +       uint8_t *alt_insn_page, void *insn_ram)
> > > +{
> > > +    ulong *cr3 = (ulong *)read_cr3();
> > > +
> > > +    // Pad with RET instructions
> > > +    memset(insn_page, 0xc3, 4096);
> > > +    memset(alt_insn_page, 0xc3, 4096);
> > > +    // Place a trapping instruction in the page to trigger a VMEXIT
> > > +    insn_page[0] = 0x89; // mov %eax, (%rax)
> > > +    insn_page[1] = 0x00;
> > > +    insn_page[2] = 0x90; // nop
> > > +    // Place nopl 0x0(%eax) in alt_insn_page for emulator to execuate
> > > +    alt_insn_page[0] = 0x0f; // nop DWORD ptr[EAX]
> > > +    alt_insn_page[1] = 0x1f;
> > > +    alt_insn_page[2] = 0x00;
> > > +
> > > +    // Load the code TLB with insn_page, but point the page tables at
> > > +    // alt_insn_page (and keep the data TLB clear, for AMD decode
> > assist).
> > > +    // This will make the CPU trap on the insn_page instruction but the
> > > +    // hypervisor will see alt_insn_page.
> > > +    install_page(cr3, virt_to_phys(insn_page), insn_ram);
> > > +    // Load code TLB
> > > +    invlpg(insn_ram);
> > > +    asm volatile("call *%0" : : "r"(insn_ram + 3));
> > > +    // Trap, let hypervisor emulate at alt_insn_page
> > > +    install_page(cr3, virt_to_phys(alt_insn_page), insn_ram);
> > > +    asm volatile("call *%0" : : "r"(insn_ram), "a"(mem));
> > > +    report("nopl", 1);
> > > +}
> > > +
> > >  int main()
> > >  {
> > >   void *mem;
> > > @@ -964,6 +995,8 @@ int main()
> > >
> > >   test_string_io_mmio(mem);
> > >
> > > + test_nopl(mem, insn_page, alt_insn_page, insn_ram);
> > > +
> > >   printf("\nSUMMARY: %d tests, %d failures\n", tests, fails);
> > >   return fails ? 1 : 0;
> > >  }
> > > --
> > > 1.7.9.5
> >
> > --
> >                         Gleb.
> >
> 
> 
> 
> -- 
> Arthur Chunqi Li
> Department of Computer Science
> School of EECS
> Peking University
> Beijing, China

--
			Gleb.

Re: [PATCH] Test case of multibyte NOP in emulation mode

[李春奇 <Arthur Chunqi Li>]

Yes, I load kvm-intel with unrestricted_guest=0 and the emulator runs
well. I will give another test case in x86/realmode.c later.

BTW, what is the action when a 64-bit instruction executes in
x86/realmode.c? Should I add 64-bit insn tests only in x86/emulator.c?

On Wed, Jun 5, 2013 at 4:27 PM, Gleb Natapov <gleb@redhat.com> wrote:
> On Wed, Jun 05, 2013 at 03:00:33PM +0800, 李春奇 <Arthur Chunqi Li> wrote:
>> Yes, that should be the point. x86/realmode.c is always running in
>> emulation mode. I added the testing here there but no error occurred. I
>> cannot find the reason.
>>
>> The code is as follows added to x86/realmode.c
>> static void test_nopl(void)
>> {
>>         MK_INSN(nopl, ".byte 0x0f, 0x1f, 0x00\n\r");
>>         exec_in_big_real_mode(&insn_nopl);
>>         report("nopl", 0, 1);
>> }
>>
>> and I objdump from realmode.flat is as follows:
>> 00006458 <insn_code_nopl>:
>>     6458:       0f 1f 00                nopl   (%eax)
>>
>> But there cause no error when executing this insn. Why?
>>
> Because you probably use cpu that supports unrestricted mode or use AMD
> processor. Can you try loading kvm-intel with unrestricted_guest=0
> option?
>
>>
>> On Wed, Jun 5, 2013 at 2:42 PM, Gleb Natapov <gleb@redhat.com> wrote:
>>
>> > On Wed, Jun 05, 2013 at 10:16:46AM +0800, 李春奇 <Arthur Chunqi Li> wrote:
>> > > Add multibyte NOP test case to kvm-unit-tests. This case can test one
>> > > of bugs when booting RHEL5.9 64-bit.
>> > >
>> > Adding the test to x86/realmode.c will be much easier.
>> >
>> > > Signed-off-by: Arthur Chunqi Li <yzt356@gmail.com>
>> > > ---
>> > >  x86/emulator.c |   33 +++++++++++++++++++++++++++++++++
>> > >  1 file changed, 33 insertions(+)
>> > >
>> > > diff --git a/x86/emulator.c b/x86/emulator.c
>> > > index 96576e5..f26c70f 100644
>> > > --- a/x86/emulator.c
>> > > +++ b/x86/emulator.c
>> > > @@ -901,6 +901,37 @@ static void test_simplealu(u32 *mem)
>> > >      report("test", *mem == 0x8400);
>> > >  }
>> > >
>> > > +static void test_nopl(uint64_t *mem, uint8_t *insn_page,
>> > > +       uint8_t *alt_insn_page, void *insn_ram)
>> > > +{
>> > > +    ulong *cr3 = (ulong *)read_cr3();
>> > > +
>> > > +    // Pad with RET instructions
>> > > +    memset(insn_page, 0xc3, 4096);
>> > > +    memset(alt_insn_page, 0xc3, 4096);
>> > > +    // Place a trapping instruction in the page to trigger a VMEXIT
>> > > +    insn_page[0] = 0x89; // mov %eax, (%rax)
>> > > +    insn_page[1] = 0x00;
>> > > +    insn_page[2] = 0x90; // nop
>> > > +    // Place nopl 0x0(%eax) in alt_insn_page for emulator to execuate
>> > > +    alt_insn_page[0] = 0x0f; // nop DWORD ptr[EAX]
>> > > +    alt_insn_page[1] = 0x1f;
>> > > +    alt_insn_page[2] = 0x00;
>> > > +
>> > > +    // Load the code TLB with insn_page, but point the page tables at
>> > > +    // alt_insn_page (and keep the data TLB clear, for AMD decode
>> > assist).
>> > > +    // This will make the CPU trap on the insn_page instruction but the
>> > > +    // hypervisor will see alt_insn_page.
>> > > +    install_page(cr3, virt_to_phys(insn_page), insn_ram);
>> > > +    // Load code TLB
>> > > +    invlpg(insn_ram);
>> > > +    asm volatile("call *%0" : : "r"(insn_ram + 3));
>> > > +    // Trap, let hypervisor emulate at alt_insn_page
>> > > +    install_page(cr3, virt_to_phys(alt_insn_page), insn_ram);
>> > > +    asm volatile("call *%0" : : "r"(insn_ram), "a"(mem));
>> > > +    report("nopl", 1);
>> > > +}
>> > > +
>> > >  int main()
>> > >  {
>> > >   void *mem;
>> > > @@ -964,6 +995,8 @@ int main()
>> > >
>> > >   test_string_io_mmio(mem);
>> > >
>> > > + test_nopl(mem, insn_page, alt_insn_page, insn_ram);
>> > > +
>> > >   printf("\nSUMMARY: %d tests, %d failures\n", tests, fails);
>> > >   return fails ? 1 : 0;
>> > >  }
>> > > --
>> > > 1.7.9.5
>> >
>> > --
>> >                         Gleb.
>> >
>>
>>
>>
>> --
>> Arthur Chunqi Li
>> Department of Computer Science
>> School of EECS
>> Peking University
>> Beijing, China
>
> --
>                         Gleb.



-- 
Arthur Chunqi Li
Department of Computer Science
School of EECS
Peking University
Beijing, China

Re: [PATCH] Test case of multibyte NOP in emulation mode

[Gleb Natapov]

On Wed, Jun 05, 2013 at 05:23:18PM +0800, 李春奇 <Arthur Chunqi Li> wrote:
> Yes, I load kvm-intel with unrestricted_guest=0 and the emulator runs
> well. I will give another test case in x86/realmode.c later.
> 
The test fails for me on CPU without unrestricted guest support. This
means you either test on fixed kernel or unrestricted_guest=0 is broken.

> BTW, what is the action when a 64-bit instruction executes in
> x86/realmode.c? Should I add 64-bit insn tests only in x86/emulator.c?
> 
Yes, 64-bit or 32-bit instructions should be added to x86/emulator.c.

> On Wed, Jun 5, 2013 at 4:27 PM, Gleb Natapov <gleb@redhat.com> wrote:
> > On Wed, Jun 05, 2013 at 03:00:33PM +0800, 李春奇 <Arthur Chunqi Li> wrote:
> >> Yes, that should be the point. x86/realmode.c is always running in
> >> emulation mode. I added the testing here there but no error occurred. I
> >> cannot find the reason.
> >>
> >> The code is as follows added to x86/realmode.c
> >> static void test_nopl(void)
> >> {
> >>         MK_INSN(nopl, ".byte 0x0f, 0x1f, 0x00\n\r");
> >>         exec_in_big_real_mode(&insn_nopl);
> >>         report("nopl", 0, 1);
> >> }
> >>
> >> and I objdump from realmode.flat is as follows:
> >> 00006458 <insn_code_nopl>:
> >>     6458:       0f 1f 00                nopl   (%eax)
> >>
> >> But there cause no error when executing this insn. Why?
> >>
> > Because you probably use cpu that supports unrestricted mode or use AMD
> > processor. Can you try loading kvm-intel with unrestricted_guest=0
> > option?
> >
> >>
> >> On Wed, Jun 5, 2013 at 2:42 PM, Gleb Natapov <gleb@redhat.com> wrote:
> >>
> >> > On Wed, Jun 05, 2013 at 10:16:46AM +0800, 李春奇 <Arthur Chunqi Li> wrote:
> >> > > Add multibyte NOP test case to kvm-unit-tests. This case can test one
> >> > > of bugs when booting RHEL5.9 64-bit.
> >> > >
> >> > Adding the test to x86/realmode.c will be much easier.
> >> >
> >> > > Signed-off-by: Arthur Chunqi Li <yzt356@gmail.com>
> >> > > ---
> >> > >  x86/emulator.c |   33 +++++++++++++++++++++++++++++++++
> >> > >  1 file changed, 33 insertions(+)
> >> > >
> >> > > diff --git a/x86/emulator.c b/x86/emulator.c
> >> > > index 96576e5..f26c70f 100644
> >> > > --- a/x86/emulator.c
> >> > > +++ b/x86/emulator.c
> >> > > @@ -901,6 +901,37 @@ static void test_simplealu(u32 *mem)
> >> > >      report("test", *mem == 0x8400);
> >> > >  }
> >> > >
> >> > > +static void test_nopl(uint64_t *mem, uint8_t *insn_page,
> >> > > +       uint8_t *alt_insn_page, void *insn_ram)
> >> > > +{
> >> > > +    ulong *cr3 = (ulong *)read_cr3();
> >> > > +
> >> > > +    // Pad with RET instructions
> >> > > +    memset(insn_page, 0xc3, 4096);
> >> > > +    memset(alt_insn_page, 0xc3, 4096);
> >> > > +    // Place a trapping instruction in the page to trigger a VMEXIT
> >> > > +    insn_page[0] = 0x89; // mov %eax, (%rax)
> >> > > +    insn_page[1] = 0x00;
> >> > > +    insn_page[2] = 0x90; // nop
> >> > > +    // Place nopl 0x0(%eax) in alt_insn_page for emulator to execuate
> >> > > +    alt_insn_page[0] = 0x0f; // nop DWORD ptr[EAX]
> >> > > +    alt_insn_page[1] = 0x1f;
> >> > > +    alt_insn_page[2] = 0x00;
> >> > > +
> >> > > +    // Load the code TLB with insn_page, but point the page tables at
> >> > > +    // alt_insn_page (and keep the data TLB clear, for AMD decode
> >> > assist).
> >> > > +    // This will make the CPU trap on the insn_page instruction but the
> >> > > +    // hypervisor will see alt_insn_page.
> >> > > +    install_page(cr3, virt_to_phys(insn_page), insn_ram);
> >> > > +    // Load code TLB
> >> > > +    invlpg(insn_ram);
> >> > > +    asm volatile("call *%0" : : "r"(insn_ram + 3));
> >> > > +    // Trap, let hypervisor emulate at alt_insn_page
> >> > > +    install_page(cr3, virt_to_phys(alt_insn_page), insn_ram);
> >> > > +    asm volatile("call *%0" : : "r"(insn_ram), "a"(mem));
> >> > > +    report("nopl", 1);
> >> > > +}
> >> > > +
> >> > >  int main()
> >> > >  {
> >> > >   void *mem;
> >> > > @@ -964,6 +995,8 @@ int main()
> >> > >
> >> > >   test_string_io_mmio(mem);
> >> > >
> >> > > + test_nopl(mem, insn_page, alt_insn_page, insn_ram);
> >> > > +
> >> > >   printf("\nSUMMARY: %d tests, %d failures\n", tests, fails);
> >> > >   return fails ? 1 : 0;
> >> > >  }
> >> > > --
> >> > > 1.7.9.5
> >> >
> >> > --
> >> >                         Gleb.
> >> >
> >>
> >>
> >>
> >> --
> >> Arthur Chunqi Li
> >> Department of Computer Science
> >> School of EECS
> >> Peking University
> >> Beijing, China
> >
> > --
> >                         Gleb.
> 
> 
> 
> -- 
> Arthur Chunqi Li
> Department of Computer Science
> School of EECS
> Peking University
> Beijing, China

--
			Gleb.

Re: [PATCH] Test case of multibyte NOP in emulation mode

[李春奇 <Arthur Chunqi Li>]

I mean after adding unrestricted_guest=0, the error is reproduced.
Sorry for confused expression. I have committed another patch in
x86/realmode.c.

On Wed, Jun 5, 2013 at 5:28 PM, Gleb Natapov <gleb@redhat.com> wrote:
> On Wed, Jun 05, 2013 at 05:23:18PM +0800, 李春奇 <Arthur Chunqi Li> wrote:
>> Yes, I load kvm-intel with unrestricted_guest=0 and the emulator runs
>> well. I will give another test case in x86/realmode.c later.
>>
> The test fails for me on CPU without unrestricted guest support. This
> means you either test on fixed kernel or unrestricted_guest=0 is broken.
>
>> BTW, what is the action when a 64-bit instruction executes in
>> x86/realmode.c? Should I add 64-bit insn tests only in x86/emulator.c?
>>
> Yes, 64-bit or 32-bit instructions should be added to x86/emulator.c.
>
>> On Wed, Jun 5, 2013 at 4:27 PM, Gleb Natapov <gleb@redhat.com> wrote:
>> > On Wed, Jun 05, 2013 at 03:00:33PM +0800, 李春奇 <Arthur Chunqi Li> wrote:
>> >> Yes, that should be the point. x86/realmode.c is always running in
>> >> emulation mode. I added the testing here there but no error occurred. I
>> >> cannot find the reason.
>> >>
>> >> The code is as follows added to x86/realmode.c
>> >> static void test_nopl(void)
>> >> {
>> >>         MK_INSN(nopl, ".byte 0x0f, 0x1f, 0x00\n\r");
>> >>         exec_in_big_real_mode(&insn_nopl);
>> >>         report("nopl", 0, 1);
>> >> }
>> >>
>> >> and I objdump from realmode.flat is as follows:
>> >> 00006458 <insn_code_nopl>:
>> >>     6458:       0f 1f 00                nopl   (%eax)
>> >>
>> >> But there cause no error when executing this insn. Why?
>> >>
>> > Because you probably use cpu that supports unrestricted mode or use AMD
>> > processor. Can you try loading kvm-intel with unrestricted_guest=0
>> > option?
>> >
>> >>
>> >> On Wed, Jun 5, 2013 at 2:42 PM, Gleb Natapov <gleb@redhat.com> wrote:
>> >>
>> >> > On Wed, Jun 05, 2013 at 10:16:46AM +0800, 李春奇 <Arthur Chunqi Li> wrote:
>> >> > > Add multibyte NOP test case to kvm-unit-tests. This case can test one
>> >> > > of bugs when booting RHEL5.9 64-bit.
>> >> > >
>> >> > Adding the test to x86/realmode.c will be much easier.
>> >> >
>> >> > > Signed-off-by: Arthur Chunqi Li <yzt356@gmail.com>
>> >> > > ---
>> >> > >  x86/emulator.c |   33 +++++++++++++++++++++++++++++++++
>> >> > >  1 file changed, 33 insertions(+)
>> >> > >
>> >> > > diff --git a/x86/emulator.c b/x86/emulator.c
>> >> > > index 96576e5..f26c70f 100644
>> >> > > --- a/x86/emulator.c
>> >> > > +++ b/x86/emulator.c
>> >> > > @@ -901,6 +901,37 @@ static void test_simplealu(u32 *mem)
>> >> > >      report("test", *mem == 0x8400);
>> >> > >  }
>> >> > >
>> >> > > +static void test_nopl(uint64_t *mem, uint8_t *insn_page,
>> >> > > +       uint8_t *alt_insn_page, void *insn_ram)
>> >> > > +{
>> >> > > +    ulong *cr3 = (ulong *)read_cr3();
>> >> > > +
>> >> > > +    // Pad with RET instructions
>> >> > > +    memset(insn_page, 0xc3, 4096);
>> >> > > +    memset(alt_insn_page, 0xc3, 4096);
>> >> > > +    // Place a trapping instruction in the page to trigger a VMEXIT
>> >> > > +    insn_page[0] = 0x89; // mov %eax, (%rax)
>> >> > > +    insn_page[1] = 0x00;
>> >> > > +    insn_page[2] = 0x90; // nop
>> >> > > +    // Place nopl 0x0(%eax) in alt_insn_page for emulator to execuate
>> >> > > +    alt_insn_page[0] = 0x0f; // nop DWORD ptr[EAX]
>> >> > > +    alt_insn_page[1] = 0x1f;
>> >> > > +    alt_insn_page[2] = 0x00;
>> >> > > +
>> >> > > +    // Load the code TLB with insn_page, but point the page tables at
>> >> > > +    // alt_insn_page (and keep the data TLB clear, for AMD decode
>> >> > assist).
>> >> > > +    // This will make the CPU trap on the insn_page instruction but the
>> >> > > +    // hypervisor will see alt_insn_page.
>> >> > > +    install_page(cr3, virt_to_phys(insn_page), insn_ram);
>> >> > > +    // Load code TLB
>> >> > > +    invlpg(insn_ram);
>> >> > > +    asm volatile("call *%0" : : "r"(insn_ram + 3));
>> >> > > +    // Trap, let hypervisor emulate at alt_insn_page
>> >> > > +    install_page(cr3, virt_to_phys(alt_insn_page), insn_ram);
>> >> > > +    asm volatile("call *%0" : : "r"(insn_ram), "a"(mem));
>> >> > > +    report("nopl", 1);
>> >> > > +}
>> >> > > +
>> >> > >  int main()
>> >> > >  {
>> >> > >   void *mem;
>> >> > > @@ -964,6 +995,8 @@ int main()
>> >> > >
>> >> > >   test_string_io_mmio(mem);
>> >> > >
>> >> > > + test_nopl(mem, insn_page, alt_insn_page, insn_ram);
>> >> > > +
>> >> > >   printf("\nSUMMARY: %d tests, %d failures\n", tests, fails);
>> >> > >   return fails ? 1 : 0;
>> >> > >  }
>> >> > > --
>> >> > > 1.7.9.5
>> >> >
>> >> > --
>> >> >                         Gleb.
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Arthur Chunqi Li
>> >> Department of Computer Science
>> >> School of EECS
>> >> Peking University
>> >> Beijing, China
>> >
>> > --
>> >                         Gleb.
>>
>>
>>
>> --
>> Arthur Chunqi Li
>> Department of Computer Science
>> School of EECS
>> Peking University
>> Beijing, China
>
> --
>                         Gleb.



-- 
Arthur Chunqi Li
Department of Computer Science
School of EECS
Peking University
Beijing, China

Re: [PATCH] Test case of multibyte NOP in emulation mode

[Gleb Natapov]

On Wed, Jun 05, 2013 at 05:46:31PM +0800, 李春奇 <Arthur Chunqi Li> wrote:
> I mean after adding unrestricted_guest=0, the error is reproduced.
Ah, OK. unrestricted_guest=0 works then :)

> Sorry for confused expression. I have committed another patch in
> x86/realmode.c.
> 
> On Wed, Jun 5, 2013 at 5:28 PM, Gleb Natapov <gleb@redhat.com> wrote:
> > On Wed, Jun 05, 2013 at 05:23:18PM +0800, 李春奇 <Arthur Chunqi Li> wrote:
> >> Yes, I load kvm-intel with unrestricted_guest=0 and the emulator runs
> >> well. I will give another test case in x86/realmode.c later.
> >>
> > The test fails for me on CPU without unrestricted guest support. This
> > means you either test on fixed kernel or unrestricted_guest=0 is broken.
> >
> >> BTW, what is the action when a 64-bit instruction executes in
> >> x86/realmode.c? Should I add 64-bit insn tests only in x86/emulator.c?
> >>
> > Yes, 64-bit or 32-bit instructions should be added to x86/emulator.c.
> >
> >> On Wed, Jun 5, 2013 at 4:27 PM, Gleb Natapov <gleb@redhat.com> wrote:
> >> > On Wed, Jun 05, 2013 at 03:00:33PM +0800, 李春奇 <Arthur Chunqi Li> wrote:
> >> >> Yes, that should be the point. x86/realmode.c is always running in
> >> >> emulation mode. I added the testing here there but no error occurred. I
> >> >> cannot find the reason.
> >> >>
> >> >> The code is as follows added to x86/realmode.c
> >> >> static void test_nopl(void)
> >> >> {
> >> >>         MK_INSN(nopl, ".byte 0x0f, 0x1f, 0x00\n\r");
> >> >>         exec_in_big_real_mode(&insn_nopl);
> >> >>         report("nopl", 0, 1);
> >> >> }
> >> >>
> >> >> and I objdump from realmode.flat is as follows:
> >> >> 00006458 <insn_code_nopl>:
> >> >>     6458:       0f 1f 00                nopl   (%eax)
> >> >>
> >> >> But there cause no error when executing this insn. Why?
> >> >>
> >> > Because you probably use cpu that supports unrestricted mode or use AMD
> >> > processor. Can you try loading kvm-intel with unrestricted_guest=0
> >> > option?
> >> >
> >> >>
> >> >> On Wed, Jun 5, 2013 at 2:42 PM, Gleb Natapov <gleb@redhat.com> wrote:
> >> >>
> >> >> > On Wed, Jun 05, 2013 at 10:16:46AM +0800, 李春奇 <Arthur Chunqi Li> wrote:
> >> >> > > Add multibyte NOP test case to kvm-unit-tests. This case can test one
> >> >> > > of bugs when booting RHEL5.9 64-bit.
> >> >> > >
> >> >> > Adding the test to x86/realmode.c will be much easier.
> >> >> >
> >> >> > > Signed-off-by: Arthur Chunqi Li <yzt356@gmail.com>
> >> >> > > ---
> >> >> > >  x86/emulator.c |   33 +++++++++++++++++++++++++++++++++
> >> >> > >  1 file changed, 33 insertions(+)
> >> >> > >
> >> >> > > diff --git a/x86/emulator.c b/x86/emulator.c
> >> >> > > index 96576e5..f26c70f 100644
> >> >> > > --- a/x86/emulator.c
> >> >> > > +++ b/x86/emulator.c
> >> >> > > @@ -901,6 +901,37 @@ static void test_simplealu(u32 *mem)
> >> >> > >      report("test", *mem == 0x8400);
> >> >> > >  }
> >> >> > >
> >> >> > > +static void test_nopl(uint64_t *mem, uint8_t *insn_page,
> >> >> > > +       uint8_t *alt_insn_page, void *insn_ram)
> >> >> > > +{
> >> >> > > +    ulong *cr3 = (ulong *)read_cr3();
> >> >> > > +
> >> >> > > +    // Pad with RET instructions
> >> >> > > +    memset(insn_page, 0xc3, 4096);
> >> >> > > +    memset(alt_insn_page, 0xc3, 4096);
> >> >> > > +    // Place a trapping instruction in the page to trigger a VMEXIT
> >> >> > > +    insn_page[0] = 0x89; // mov %eax, (%rax)
> >> >> > > +    insn_page[1] = 0x00;
> >> >> > > +    insn_page[2] = 0x90; // nop
> >> >> > > +    // Place nopl 0x0(%eax) in alt_insn_page for emulator to execuate
> >> >> > > +    alt_insn_page[0] = 0x0f; // nop DWORD ptr[EAX]
> >> >> > > +    alt_insn_page[1] = 0x1f;
> >> >> > > +    alt_insn_page[2] = 0x00;
> >> >> > > +
> >> >> > > +    // Load the code TLB with insn_page, but point the page tables at
> >> >> > > +    // alt_insn_page (and keep the data TLB clear, for AMD decode
> >> >> > assist).
> >> >> > > +    // This will make the CPU trap on the insn_page instruction but the
> >> >> > > +    // hypervisor will see alt_insn_page.
> >> >> > > +    install_page(cr3, virt_to_phys(insn_page), insn_ram);
> >> >> > > +    // Load code TLB
> >> >> > > +    invlpg(insn_ram);
> >> >> > > +    asm volatile("call *%0" : : "r"(insn_ram + 3));
> >> >> > > +    // Trap, let hypervisor emulate at alt_insn_page
> >> >> > > +    install_page(cr3, virt_to_phys(alt_insn_page), insn_ram);
> >> >> > > +    asm volatile("call *%0" : : "r"(insn_ram), "a"(mem));
> >> >> > > +    report("nopl", 1);
> >> >> > > +}
> >> >> > > +
> >> >> > >  int main()
> >> >> > >  {
> >> >> > >   void *mem;
> >> >> > > @@ -964,6 +995,8 @@ int main()
> >> >> > >
> >> >> > >   test_string_io_mmio(mem);
> >> >> > >
> >> >> > > + test_nopl(mem, insn_page, alt_insn_page, insn_ram);
> >> >> > > +
> >> >> > >   printf("\nSUMMARY: %d tests, %d failures\n", tests, fails);
> >> >> > >   return fails ? 1 : 0;
> >> >> > >  }
> >> >> > > --
> >> >> > > 1.7.9.5
> >> >> >
> >> >> > --
> >> >> >                         Gleb.
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Arthur Chunqi Li
> >> >> Department of Computer Science
> >> >> School of EECS
> >> >> Peking University
> >> >> Beijing, China
> >> >
> >> > --
> >> >                         Gleb.
> >>
> >>
> >>
> >> --
> >> Arthur Chunqi Li
> >> Department of Computer Science
> >> School of EECS
> >> Peking University
> >> Beijing, China
> >
> > --
> >                         Gleb.
> 
> 
> 
> -- 
> Arthur Chunqi Li
> Department of Computer Science
> School of EECS
> Peking University
> Beijing, China

--
			Gleb.