From: Andrew Cooper <andrew.cooper3@citrix.com>
To: "xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
Keir Fraser <keir@xen.org>, Jan Beulich <jbeulich@suse.com>,
Tim Deegan <tim@xen.org>
Subject: Reentrant NMIs, MCEs and interrupt stack tables.
Date: Wed, 21 Nov 2012 21:06:44 +0000 [thread overview]
Message-ID: <50AD4264.6030005@citrix.com> (raw)
Hello,
While working on a fix for the rare-but-possible problem of reentrant
NMIs and MCEs, I have discovered that it is sadly possible to generate
fake NMIs and MCEs which will run the relevant handlers on the relevant
stacks, without invoking any of the other CPU logic for these special
interrupts.
A fake NMI can be generated by a processor in PIC mode as opposed to
Virtual wire mode, with a delivery of vector 2. This setup is certainly
possible on a 64bit CPU, but I doubt there are many 64bit CPUs running
with only PIC.
A fake MCE is easy to generate. A mal-programmed IO-APIC, IOMMU or
MSI/MSI-X entry which deliveres vector 0x18 is sufficient. The LAPIC
will reject vectors 0 thru 0xf, but will deliver vectors 0x10 thru 0x1f,
despite them being architecturally reserved for exceptions.
The possibility of these fake interrupts (however unlikely) means that
there is necessarily a race condition between receiving a fake interrupt
and a genuine interrupt during which the handler cannot fixup the stack
sufficiently to be able to safely get back out. If this race condition
were to occur, the real interrupt will corrupt the exception frame of
the fake interrupt, meaning that we cannot possibly resume the original
context. This situation can be detected, but cannot be corrected, and
the only course of action is to crash gracefully.
The above problem made me wonder why we use separate stacks for NMIs and
MCEs. I completely accept that the double fault handler should be on a
separate stack, but as we guarentee never to return from it, these
problems disappear.
Is there any particular reason to have separate stacks for NMIs and
MCEs, other than perhaps that it is good/common practice? I can't think
of any other reasons offhand. (I am not necessarily advocating that we
combine NMIs and MCEs back into the regular Xen stack because, while it
would remove the above race condition, it would make other aspects of
the problem harder to solve.)
--
Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer
T: +44 (0)1223 225 900, http://www.citrix.com
next reply other threads:[~2012-11-21 21:06 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-21 21:06 Andrew Cooper [this message]
2012-11-21 21:17 ` Reentrant NMIs, MCEs and interrupt stack tables Tim Deegan
2012-11-21 21:40 ` Andrew Cooper
2012-11-22 8:55 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50AD4264.6030005@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=jbeulich@suse.com \
--cc=keir@xen.org \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.