From: James Dingwall <james-xen@dingwall.me.uk>
To: xen-devel@lists.xenproject.org
Subject: XSA-446 relevance on Intel
Date: Tue, 12 Dec 2023 09:43:29 +0000 [thread overview]
Message-ID: <ZXgrQdVvDuQCbCRP@dingwall.me.uk> (raw)
Hi,
We were experiencing a crash during PV domU boot on several different models
of hardware but all with Intel CPUs. The Xen version was based on stable-4.15
at 4a4daf6bddbe8a741329df5cc8768f7dec664aed (XSA-444) with some local
patches. Since updating the branch to b918c4cdc7ab2c1c9e9a9b54fa9d9c595913e028
(XSA-446) we have not observed the same crash.
The occurrence was on 1-2% of boots and we couldn't determine a particular
sequence of events that would trigger it. The kernel is based on Ubuntu's
5.15.0-91 tag but we also observed the same with -85. Due to the low
frequency it is possible that we simply haven't observed it again since
updating our Xen build.
If I have followed the early startup this is happening shortly after detection
of possible CPU vulnerabilities and patching in alternative instructions. As
the RIP was native_irq_return_iret and XSA-446 related to interupt management
I wondered if it was possible that despite "Xen is not believed to be vulnerable
in default configurations on CPUs from other hardware vendors." there could
be some conditions in which an Intel CPU is affected?
Thanks,
James
[ 0.374957] GDS: Unknown: Dependent on hypervisor status
[ 0.375007] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
[ 0.375016] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
[ 0.375022] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
[ 0.375027] x86/fpu: Supporting XSAVE feature 0x020: 'AVX-512 opmask'
[ 0.375033] x86/fpu: Supporting XSAVE feature 0x040: 'AVX-512 Hi256'
[ 0.375038] x86/fpu: Supporting XSAVE feature 0x080: 'AVX-512 ZMM_Hi256'
[ 0.375047] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
[ 0.375053] x86/fpu: xstate_offset[5]: 1088, xstate_sizes[5]: 64
[ 0.375059] x86/fpu: xstate_offset[6]: 1152, xstate_sizes[6]: 512
[ 0.375053] x86/fpu: xstate_offset[5]: 1088, xstate_sizes[5]: 64
[ 0.375059] x86/fpu: xstate_offset[6]: 1152, xstate_sizes[6]: 512
[ 0.375064] x86/fpu: xstate_offset[7]: 1664, xstate_sizes[7]: 1024
[ 0.375047] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
[ 0.375053] x86/fpu: xstate_offset[5]: 1088, xstate_sizes[5]: 64
[ 0.375059] x86/fpu: xstate_offset[6]: 1152, xstate_sizes[6]: 512
[ 0.375064] x86/fpu: xstate_offset[7]: 1664, xstate_sizes[7]: 1024
[ 0.375070] x86/fpu: Enabled xstate features 0xe7, context size is 2688 bytes, using 'standard' format.
[ 0.398765] segment-related general protection fault: e030 [#1] SMP NOPTI
[ 0.398784] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.0-91-generic #101~20.04.1
[ 0.398792] RIP: e030:native_irq_return_iret+0x0/0x2
[ 0.398806] Code: 5b 41 5b 41 5a 41 59 41 58 58 59 5a 5e 5f 48 83 c4 08 eb 0f 0f 1f 00 90 66 66 2e 0f 1f 84 00 00 00 00 00 f6 44 24 20 04 75 02 <48> cf 57 0f 01 f8 eb 12 0f 20 df 90 90 90 90 90 48 81 e7 ff e7 ff
[ 0.398818] RSP: e02b:ffffffff82e03bd8 EFLAGS: 00010046
[ 0.398825] RAX: 0000000000000000 RBX: ffffffff82e03c30 RCX: 0000000000000000
[ 0.398831] RDX: 000000000000000f RSI: ffffffff81e011f4 RDI: ffffffff82e03ca0
[ 0.398836] RBP: ffffffff82e03c10 R08: ffffffff81e011ef R09: 0000000000000005
[ 0.398842] R10: 0000000000000006 R11: e8ae0feb75ccff49 R12: ffffffff81e011ef
[ 0.398848] R13: 0000000000000006 R14: ffffffff81e011f4 R15: 0000000000000005
[ 0.398860] FS: 0000000000000000(0000) GS:ffff88802dc00000(0000) knlGS:0000000000000000
[ 0.398866] CS: 10000e030 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.398872] CR2: 0000000000000000 CR3: 0000000002e10000 CR4: 0000000000050660
[ 0.398880] Call Trace:
[ 0.398883] <TASK>
[ 0.398887] ? show_trace_log_lvl+0x1d6/0x2ea
[ 0.398896] ? show_trace_log_lvl+0x1d6/0x2ea
[ 0.398902] ? optimize_nops+0x68/0x150
[ 0.398909] ? show_regs.part.0+0x23/0x29
[ 0.398914] ? __die_body.cold+0x8/0xd
[ 0.398919] ? die_addr+0x3e/0x60
[ 0.398925] ? exc_general_protection+0x1c1/0x350
[ 0.398933] ? asm_exc_general_protection+0x27/0x30
[ 0.398939] ? restore_regs_and_return_to_kernel+0x20/0x2c
[ 0.398945] ? restore_regs_and_return_to_kernel+0x1b/0x2c
[ 0.398950] ? restore_regs_and_return_to_kernel+0x1b/0x2c
[ 0.398956] ? restore_regs_and_return_to_kernel+0x20/0x2c
[ 0.398962] ? native_iret+0x7/0x7
[ 0.398967] ? insn_decode+0x79/0x100
[ 0.398975] ? insn_decode+0xcf/0x100
[ 0.398980] optimize_nops+0x68/0x150
[ 0.398986] apply_alternatives+0x181/0x3a0
[ 0.398991] ? restore_regs_and_return_to_kernel+0x1b/0x2c
[ 0.398996] ? fb_is_primary_device+0x25/0x73
[ 0.399003] ? restore_regs_and_return_to_kernel+0x1b/0x2c
[ 0.399009] ? apply_alternatives+0x8/0x3a0
[ 0.399014] ? fb_is_primary_device+0x6e/0x73
[ 0.399019] ? apply_returns+0xfc/0x180
[ 0.399024] ? fb_is_primary_device+0x6e/0x73
[ 0.399029] ? sanitize_boot_params.constprop.0+0xa/0xef
[ 0.399035] ? fb_is_primary_device+0x73/0x73
[ 0.399040] alternative_instructions+0xa9/0x173
[ 0.399049] arch_cpu_finalize_init+0x2c/0x51
[ 0.399055] start_kernel+0x425/0x4ce
[ 0.399060] x86_64_start_reservations+0x24/0x2a
[ 0.399066] xen_start_kernel+0x41e/0x429
[ 0.399072] startup_xen+0x3e/0x3e
[ 0.399078] </TASK>
[ 0.399081] Modules linked in:
[ 0.399087] ---[ end trace 94f81cdaf420d02b ]---
[ 0.399092] RIP: e030:native_irq_return_iret+0x0/0x2
[ 0.399098] Code: 5b 41 5b 41 5a 41 59 41 58 58 59 5a 5e 5f 48 83 c4 08 eb 0f 0f 1f 00 90 66 66 2e 0f 1f 84 00 00 00 00 00 f6 44 24 20 04 75 02 <48> cf 57 0f 01 f8 eb 12 0f 20 df 90 90 90 90 90 48 81 e7 ff e7 ff
[ 0.399110] RSP: e02b:ffffffff82e03bd8 EFLAGS: 00010046
[ 0.399116] RAX: 0000000000000000 RBX: ffffffff82e03c30 RCX: 0000000000000000
[ 0.399121] RDX: 000000000000000f RSI: ffffffff81e011f4 RDI: ffffffff82e03ca0
[ 0.399127] RBP: ffffffff82e03c10 R08: ffffffff81e011ef R09: 0000000000000005
[ 0.399132] R10: 0000000000000006 R11: e8ae0feb75ccff49 R12: ffffffff81e011ef
[ 0.399138] R13: 0000000000000006 R14: ffffffff81e011f4 R15: 0000000000000005
[ 0.399147] FS: 0000000000000000(0000) GS:ffff88802dc00000(0000) knlGS:0000000000000000
[ 0.399154] CS: 10000e030 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.399159] CR2: 0000000000000000 CR3: 0000000002e10000 CR4: 0000000000050660
[ 0.399168] Kernel panic - not syncing: Attempted to kill the idle task!
next reply other threads:[~2023-12-12 9:43 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-12 9:43 James Dingwall [this message]
2023-12-12 10:56 ` XSA-446 relevance on Intel Andrew Cooper
2024-01-05 9:52 ` James Dingwall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZXgrQdVvDuQCbCRP@dingwall.me.uk \
--to=james-xen@dingwall.me.uk \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.