From: Sergey Dyasli <sergey.dyasli@citrix.com>
To: "JBeulich@suse.com" <JBeulich@suse.com>
Cc: Sergey Dyasli <sergey.dyasli@citrix.com>,
Kevin Tian <kevin.tian@intel.com>,
Andrew Cooper <Andrew.Cooper3@citrix.com>,
"jun.nakajima@intel.com" <jun.nakajima@intel.com>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: [PATCH v1 1/2] x86/vvmx: check vmcs address in vmread/vmwrite
Date: Wed, 1 Mar 2017 14:22:53 +0000 [thread overview]
Message-ID: <1488378172.2934.3.camel@citrix.com> (raw)
In-Reply-To: <58B6E2FB020000780013EC16@prv-mh.provo.novell.com>
On Wed, 2017-03-01 at 07:04 -0700, Jan Beulich wrote:
> > > > On 01.03.17 at 14:44, <sergey.dyasli@citrix.com> wrote:
> >
> > On Wed, 2017-03-01 at 05:55 -0700, Jan Beulich wrote:
> > > > > > On 01.03.17 at 10:13, <sergey.dyasli@citrix.com> wrote:
> > > >
> > > > If nested vmcs's address is invalid, virtual_vmcs_enter() will fail
> > > > during vmread/vmwrite:
> > > >
> > > > (XEN) Xen BUG at .../git/upstream/xen/xen/include/asm/hvm/vmx/vmx.h:333
> > > > (XEN) ----[ Xen-4.9-unstable x86_64 debug=y Tainted: H ]----
> > > > (XEN) Xen call trace:
> > > > (XEN) [<ffff82d0801f925e>] vmcs.c#arch/x86/hvm/vmx/vmcs.o.unlikely+0x28/0x19a
> > > > (XEN) [<ffff82d0801f60e3>] virtual_vmcs_vmwrite_safe+0x16/0x52
> > > > (XEN) [<ffff82d080202cb2>] nvmx_handle_vmwrite+0x70/0xfe
> > > > (XEN) [<ffff82d0801fe98a>] vmx_vmexit_handler+0x1379/0x1c49
> > > > (XEN) [<ffff82d08020427c>] vmx_asm_vmexit_handler+0x3c/0x120
> > > >
> > > > Fix this by emulating VMfailInvalid if the address is invalid.
> > >
> > > So just like in patch 2 this is __vmptrld() not properly dealing with
> > > errors. Instead of doing checks in software which hardware does
> > > anyway, wouldn't it be better to introduce (and use here and
> > > there) vmptrld_safe()?
> >
> > Currently it's assumed that virtual_vmcs_enter/exit() never fail.
> > It's easy to maintain that assumption with one simple check:
> >
> > nv_vvmcxaddr != INVALID_PADDR
> >
> > as long as nvmx_handle_vmptrld() correctly checks the validity of
> > provided pointer.
>
> Yet even more safe would be to avoid the check here and simply
> properly check and convey the instruction results.
In the future it should be possible to limit (level) the set of VMX
features provided to the guest. One example would be VMCS shadowing.
In such cases checks mustn't be done by H/W since it can be different.
> > Additionally, it would be painful to return the correct error value
> > all the way back to nvmx_handle_vmptrld().
>
> Surely that's at best relevant in the other patch. Here you're in
> virtual_vmcs_vmwrite_safe(), which already knows how to
> communicate back an error indicator.
How checking the return value of virtual_vmcs_enter() is different
from checking nv_vvmcxaddr?
--
Thanks,
Sergey
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-03-01 14:22 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-01 9:13 [PATCH v1 0/2] x86/vvmx: a couple of fixes (vmptrld + vmread/vmwrite) Sergey Dyasli
2017-03-01 9:13 ` [PATCH v1 1/2] x86/vvmx: check vmcs address in vmread/vmwrite Sergey Dyasli
2017-03-01 10:58 ` Andrew Cooper
2017-03-01 12:55 ` Jan Beulich
2017-03-01 13:22 ` Andrew Cooper
2017-03-01 13:40 ` Jan Beulich
2017-03-01 13:44 ` Sergey Dyasli
2017-03-01 14:04 ` Jan Beulich
2017-03-01 14:22 ` Sergey Dyasli [this message]
2017-03-01 14:28 ` Jan Beulich
2017-03-01 15:23 ` Sergey Dyasli
2017-03-01 15:39 ` Jan Beulich
2017-03-03 8:21 ` Tian, Kevin
2017-03-01 9:13 ` [PATCH v1 2/2] x86/vvmx: add vmcs id check into vmptrld emulation Sergey Dyasli
2017-03-01 11:01 ` Andrew Cooper
2017-03-03 10:54 ` Jan Beulich
2017-03-03 8:21 ` Tian, Kevin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1488378172.2934.3.camel@citrix.com \
--to=sergey.dyasli@citrix.com \
--cc=Andrew.Cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=jun.nakajima@intel.com \
--cc=kevin.tian@intel.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).