From: Quentin Casasnovas
To: Paolo Bonzini
Cc: Quentin Casasnovas, x86, kvm, lkml, Eugene Korenevsky, Radim Krčmář, Thomas Gleixner, Ingo Molnar, "H . Peter Anvin", linux-stable
Subject: Re: [PATCH] KVM: nVMX: VMX instructions: fix segment checks when L1 is in long mode.
Date: Fri, 24 Jun 2016 15:04:53 +0200
Message-ID: <20160624130453.GA32026@chrystal.uk.oracle.com>
References: <1466240465-19318-1-git-send-email-quentin.casasnovas@oracle.com> <24080992-801c-4606-c801-65ee68cf8779@redhat.com>
In-Reply-To: <24080992-801c-4606-c801-65ee68cf8779@redhat.com>

On Thu, Jun 23, 2016 at 06:03:01PM +0200, Paolo Bonzini wrote:
>
>
> On 18/06/2016 11:01, Quentin Casasnovas wrote:
> > Cross-checking the KVM/VMX VMREAD emulation code with the Intel Software
> > Developer Manual Volume 3C - "VMREAD - Read Field from Virtual-Machine
> > Control Structure", I found that we're enforcing that the destination
> > operand is NOT located in a read-only data segment or any code segment when
> > the L1 is in long mode - BUT that check should only happen when it is in
> > protected mode.
> >
> > Shuffling the code a bit to make our emulation follow the specification
> > allows me to boot a Xen dom0 in a nested KVM and start HVM L2 guests
> > without problems.
>
> That's great, and I'm applying the patch, but it's also pretty weird. :)
> Do you have a pointer to Xen source code that does a VMREAD into a
> read-only data segment or a code segment?

It is indeed pretty weird. Looking at the Xen stack trace, it looks like
the vmread is writing to an on-stack buffer, and surely it must be writable,
so I wonder if Xen might not be using an executable stack for some reason?
That would be a bit scary, so I'm surely missing something.

Is there an easy way to know from my KVM host the different segment
permissions set up by the guest?

Quentin
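A constructed C model of the mode dependency described in the quoted patch description, added here as an example and not taken from KVM or from the patch itself: the canonical-address check and the descriptor type bits follow the SDM's VMREAD exception list, while the struct, enum and function names are this example's own assumptions. The buggy shape applies the segment-permission test in every mode; the fixed shape confines it to protected mode.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the VMREAD/VMWRITE memory-operand checks listed in the
 * SDM; struct and function names are this example's own, not KVM's. */
struct seg {
    bool unusable;  /* segment register holds no usable descriptor */
    uint8_t type;   /* descriptor type: bit 3 = code, bit 1 = W (data) / R (code) */
};

enum mode { REAL_MODE, PROTECTED_MODE, LONG_MODE };

/* 64-bit mode: the only address check is canonical form (48-bit here). */
static bool noncanonical(uint64_t va)
{
    uint64_t top = va >> 47;
    return top != 0 && top != 0x1ffff;
}

/* Segment-permission part of the protected-mode check: writes fault on a
 * read-only data segment or any code segment, reads on a non-readable code
 * segment. */
static bool seg_denies(const struct seg *s, bool write)
{
    if (write)
        return (s->type & 0xa) == 0 || (s->type & 8);
    return (s->type & 0xa) == 8;
}

/* Buggy shape: the permission test runs regardless of mode, so a long-mode
 * L1 whose operand segment fails it takes a spurious #GP. */
static bool dest_faults_buggy(enum mode m, const struct seg *s, uint64_t va, bool write)
{
    bool exn = false;
    if (m == LONG_MODE)
        exn = noncanonical(va);
    else if (m == PROTECTED_MODE)
        exn = s->unusable;
    return exn || seg_denies(s, write);
}

/* Fixed shape: the permission test is confined to protected mode. */
static bool dest_faults_fixed(enum mode m, const struct seg *s, uint64_t va, bool write)
{
    if (m == LONG_MODE)
        return noncanonical(va);
    if (m != PROTECTED_MODE)
        return false;
    return s->unusable || seg_denies(s, write);
}
```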