From mboxrd@z Thu Jan 1 00:00:00 1970 From: Avi Kivity Subject: Re: [PATCH 6/6] test: verify that the emulator honours svm intercepts Date: Wed, 28 Jul 2010 21:04:35 +0300 Message-ID: <4C507133.8010403@redhat.com> References: <1280334351-6395-1-git-send-email-avi@redhat.com> <1280334351-6395-7-git-send-email-avi@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit To: Joerg Roedel , Marcelo Tosatti , kvm@vger.kernel.org Return-path: Received: from mx1.redhat.com ([209.132.183.28]:35790 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750795Ab0G1SEm (ORCPT ); Wed, 28 Jul 2010 14:04:42 -0400 In-Reply-To: <1280334351-6395-7-git-send-email-avi@redhat.com> Sender: kvm-owner@vger.kernel.org List-ID: On 07/28/2010 07:25 PM, Avi Kivity wrote: > > +static void corrupt_cr3_intercept_bypass(void *_test) > +{ > + struct test *test = _test; > + extern volatile u32 mmio_insn; > + > + while (!__sync_bool_compare_and_swap(&test->scratch, 1, 2)) > + pause(); > + pause(); > + pause(); > + pause(); > + mmio_insn = 0x90d8200f; // mov %cr3, %rax; nop > +} > + > +static void prepare_cr3_intercept_bypass(struct test *test) > +{ > + default_prepare(test); > + test->vmcb->control.intercept_cr_read |= 1<< 3; > + on_cpu_async(1, corrupt_cr3_intercept_bypass, test); > +} > + > +static void test_cr3_intercept_bypass(struct test *test) > +{ > + ulong a = 0xa0000; > + > + test->scratch = 1; > + while (test->scratch != 2) > + barrier(); > + > + asm volatile ("mmio_insn: mov %0, (%0); nop" > + : "+a"(a) : : "memory"); > + test->scratch = a; > +} ftrace makes it quite easy to see how things go wrong: > qemu-system-x86-10545 [004] 98291.582062: kvm_exit: reason vmrun rip > 0x4003d4 step into the guest > qemu-system-x86-10546 [006] 98291.582064: kvm_inj_virq: irq 32 here's out evil IPI > qemu-system-x86-10545 [004] 98291.582064: kvm_nested_vmrun: rip: > 0x00000000004003d1 vmcb: 0x0000000007ff8000 nrip: 0x0000000000400330 > int_ctl: 0x00000000 event_inj: 0x00000000 npt: off > qemu-system-x86-10546 [006] 98291.582065: kvm_inj_virq: irq 32 > qemu-system-x86-10545 [004] 98291.582065: kvm_nested_intercepts: > cr_read: 0008 cr_write: 0000 excp: 00000000 intercept: 0000000300000000 Note cr3 reads are intercepted > qemu-system-x86-10546 [006] 98291.582065: kvm_entry: vcpu 1 > qemu-system-x86-10545 [004] 98291.582070: kvm_entry: vcpu 0 > qemu-system-x86-10545 [004] 98291.582072: kvm_exit: reason npf rip > 0x400368 > qemu-system-x86-10545 [004] 98291.582073: kvm_nested_vmexit: rip: > 0x0000000000400368 reason: npf ext_inf1: 0x0000000000000006 ext_inf2: > 0x00000000000a0000 ext_int: 0x00000000 ext_int_err: 0x00000000 access assigned mmio -> trap to host > qemu-system-x86-10546 [006] 98291.582074: kvm_exit: reason npf rip > 0x4013c9 > qemu-system-x86-10545 [004] 98291.582074: kvm_page_fault: address > a0000 error_code 6 > qemu-system-x86-10546 [006] 98291.582074: kvm_page_fault: address > fee000b0 error_code 6 IPI on its way out > qemu-system-x86-10545 [004] 98291.582075: kvm_emulate_insn: 0:400368: > 0f 20 d8 (prot64) Emulating mov %cr3, %rax -- I have a truly marvellous patch that fixes the bug which this signature is too narrow to contain.