From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Don Koch <dkoch@verizon.com>, xen-devel@lists.xen.org
Cc: Keir Fraser <keir@xen.org>, Jan Beulich <jbeulich@suse.com>
Subject: Re: [PATCH v4] Sanity check xsave area when migrating or restoring from older Xen verions
Date: Tue, 21 Oct 2014 20:00:53 +0100 [thread overview]
Message-ID: <5446AD65.5070501@citrix.com> (raw)
In-Reply-To: <1413916854-18831-1-git-send-email-dkoch@verizon.com>
On 21/10/14 19:40, Don Koch wrote:
> Xen 4.3 and older transferred a maximum sized xsave area (as if all
> the available XCR0 bits were set); the new version only transfers
> based on the actual XCR0 bits. This may result in a smaller area if
> the last sections were missing (e.g., the LWP area from an AMD
> machine). If the size doesn't match the XCR0 derived size, the part of
> the xsave area between the XCR0 specified and transferred size is
> checked for zero data. If any part of the overflow area is non-zero,
> we return with an error.
>
> Signed-off-by: Don Koch <dkoch@verizon.com>
> ---
> Changes in V4:
> - Removed check of size base on xfeature_mask.
> - Unsign some ints.
> - Change %d to %u for unsigned ints.
> - Move printk to only print if non-zero data found.
>
> Changes in V3:
> - use h->data for zero check
> - remove max size check (use size that was sent)
> - fix error message (drop first byte value)
> - fix "for" issues
>
> Changes in V2:
> - Add check for size.
> - Add check for non-zero data in unused part of block.
>
> xen/arch/x86/hvm/hvm.c | 28 ++++++++++++++++------------
> 1 file changed, 16 insertions(+), 12 deletions(-)
>
> diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
> index f0e1edc..c2780d2 100644
> --- a/xen/arch/x86/hvm/hvm.c
> +++ b/xen/arch/x86/hvm/hvm.c
> @@ -1971,6 +1971,7 @@ static int hvm_load_cpu_xsave_states(struct domain *d, hvm_domain_context_t *h)
> struct vcpu *v;
> struct hvm_hw_cpu_xsave *ctxt;
> struct hvm_save_descriptor *desc;
> + unsigned int i, overflow_start;
>
> /* Which vcpu is this? */
> vcpuid = hvm_load_instance(h);
> @@ -2011,15 +2012,8 @@ static int hvm_load_cpu_xsave_states(struct domain *d, hvm_domain_context_t *h)
> save_area) + XSTATE_AREA_MIN_SIZE);
> return -EINVAL;
> }
> - size = HVM_CPU_XSAVE_SIZE(xfeature_mask);
> - if ( desc->length > size )
> - {
> - printk(XENLOG_G_WARNING
> - "HVM%d.%d restore mismatch: xsave length %u > %u\n",
> - d->domain_id, vcpuid, desc->length, size);
> - return -EOPNOTSUPP;
> - }
> h->cur += sizeof (*desc);
> + overflow_start = h->cur;
>
> ctxt = (struct hvm_hw_cpu_xsave *)&h->data[h->cur];
> h->cur += desc->length;
> @@ -2038,10 +2032,20 @@ static int hvm_load_cpu_xsave_states(struct domain *d, hvm_domain_context_t *h)
> size = HVM_CPU_XSAVE_SIZE(ctxt->xcr0_accum);
> if ( desc->length > size )
> {
> - printk(XENLOG_G_WARNING
> - "HVM%d.%d restore mismatch: xsave length %u > %u\n",
> - d->domain_id, vcpuid, desc->length, size);
> - return -EOPNOTSUPP;
> + /* Make sure missing bytes are all zero. */
Please make a reference to the bug in this comment, so the reasons for
the strange check is a little more obvious given a glance at the code.
Perhaps
/*
* Xen-4.3 and older used to send longer-than-needed xsave regions.
Permit loading the record if the extra data is all zero
*/
(suitably wrapped, given its natural indentation)
> + for ( i = size; i < desc->length; i++ )
> + {
> + if ( h->data[overflow_start + i] )
> + {
> + printk(XENLOG_G_WARNING
> + "HVM%u.%u restore mismatch: xsave length %u > %u\n",
> + d->domain_id, vcpuid, desc->length, size);
> + printk(XENLOG_G_WARNING
> + "HVM%u.%u restore mismatch: xsave has non-zero data starting at %#x\n",
> + d->domain_id, vcpuid, i);
This should be one message. Also note that, while a lot of code gets it
wrong, domain_id is signed while vcpuid is unsigned.
Perhaps
"HVM%d.%u restore: xsave length %#x > %#x with non-zero data at %#x\n"
It is quite unhelpful to report 3 related numbers, two in one base with
one in a different base. I feel hex is more useful here, when comparing
the offsets against the manuals.
~Andrew
> + return -EOPNOTSUPP;
> + }
> + }
> }
> /* Checking finished */
>
next prev parent reply other threads:[~2014-10-21 19:00 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-21 18:40 [PATCH v4] Sanity check xsave area when migrating or restoring from older Xen verions Don Koch
2014-10-21 19:00 ` Andrew Cooper [this message]
2014-10-21 19:25 ` Don Koch
2014-10-22 10:00 ` Jan Beulich
2014-10-22 13:19 ` Don Koch
2014-10-22 13:21 ` Andrew Cooper
2014-10-22 13:37 ` Don Koch
2014-10-22 14:03 ` Jan Beulich
2014-10-22 14:11 ` Don Koch
2014-10-22 14:21 ` Jan Beulich
2014-10-22 14:28 ` Don Koch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5446AD65.5070501@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=dkoch@verizon.com \
--cc=jbeulich@suse.com \
--cc=keir@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.