From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>, Tim Deegan <tim@xen.org>,
Xen-devel <xen-devel@lists.xen.org>
Subject: Re: [PATCH for-4.5 RFC v2] x86/HVM: Unconditionally crash guests on repeated vmentry failures
Date: Tue, 25 Nov 2014 18:11:36 +0000 [thread overview]
Message-ID: <5474C658.4030901@citrix.com> (raw)
In-Reply-To: <5474C998020000780004AD1D@mail.emea.novell.com>
On 25/11/14 17:25, Jan Beulich wrote:
>>>> On 25.11.14 at 17:54, <andrew.cooper3@citrix.com> wrote:
>> This is RFC as there is still a niggle. I tested this via a partial revert of
>> the XSA-110 fix but the result is quite chatty given a double VMCB dump and
>> domain crash. However, I am not sure we want to make any vmentry failure
>> quite, as any vmentry failure constitues a Xen bug.
> I think that double printing would be tolerable, but I've had yet
> another idea: Couldn't we make the second exception a #DF,
> thus having the guest killed via triple fault in the worst case at
> the third recurring failure (via hvm_combine_hw_exceptions())?
That still won't catch a large class of vmentry failures from bad host
state. There needs to be some cutoff where we simply give up and crash
the domain. In the end, this is just an exercise in how much we attempt
to recover in the case that we have already hit a hypervisor bug, and
can't be completely certain about any state.
Furthermore, guest userspace being able to exploit a Xen bug to result
in a triple fault is no better than an instant domain_crash(), from a
VMs point of view. However, from a toolstacks point of view, it is even
worse, as malicious userspace could tie up toolstack resource in
domain_kill() and domain_create() (as a triple fault is modelled as a
clean reboot).
>
> Also your test results point out that we're delivering such an
> exception with wrong context to the guest: Machine state should
> match that before the results from the emulation got committed.
> But doing so would be a pretty significant change for almost no
> benefit.
Agreed, on both counts.
~Andrew
next prev parent reply other threads:[~2014-11-25 18:11 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-25 16:54 [PATCH for-4.5 RFC v2] x86/HVM: Unconditionally crash guests on repeated vmentry failures Andrew Cooper
2014-11-25 16:58 ` Andrew Cooper
2014-11-25 17:25 ` Jan Beulich
2014-11-25 18:11 ` Andrew Cooper [this message]
2014-11-26 16:53 ` Jan Beulich
2014-11-26 17:43 ` Andrew Cooper
2014-11-27 8:42 ` Jan Beulich
2014-11-27 10:26 ` Tim Deegan
2014-11-27 11:16 ` Jan Beulich
2014-11-27 11:20 ` Andrew Cooper
2014-11-27 11:29 ` Tim Deegan
2014-11-27 11:38 ` Jan Beulich
2014-11-27 11:44 ` Tim Deegan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5474C658.4030901@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=keir@xen.org \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.