From: Mukesh Rathor <mukesh.rathor@oracle.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: George.Dunlap@eu.citrix.com, tim@xen.org, eddie.dong@intel.com,
keir.xen@gmail.com, jun.nakajima@intel.com,
xen-devel@lists.xenproject.org
Subject: Re: [V9 PATCH 7/8] pvh dom0: check for vioapic null ptr in vioapic_range
Date: Tue, 6 May 2014 18:07:01 -0700 [thread overview]
Message-ID: <20140506180701.0ef99936@mantra.us.oracle.com> (raw)
In-Reply-To: <5368AEF9020000780000F2D7@mail.emea.novell.com>
On Tue, 06 May 2014 08:44:25 +0100
"Jan Beulich" <JBeulich@suse.com> wrote:
> >>> On 06.05.14 at 02:19, <mukesh.rathor@oracle.com> wrote:
> > 1. We can go with the patch that adds pvh_mmio_handlers in
> > anticipation of future msix, hpet support:
> >
> > +static const struct hvm_mmio_handler *const
> > +pvh_mmio_handlers[HVM_MMIO_HANDLER_NR] =
> > ...
> >
> > That would naturally return X86EMUL_UNHANDLEABLE in this case.
> >
> > OUTCOME: guest would be injected with GPF, but xen won't crash
> > it.
>
> That's pretty odd a result from a nested paging fault, but perhaps
> acceptable/reasonable for PVH. Of course such should never happen
> for HVM. And I wonder whether a virtualization exception (vector 20)
> wouldn't be more natural here (delivered directly via hardware if
> support for this is available and there isn't anything preventing the
> delivery).
>
> > 2. We could go with vioapic null ptr check in vioapic_range()
> > itself, thus causing handle_mmio to return X86EMUL_UNHANDLEABLE
> > also.
> >
> > OUTCOME: guest would be injected with GPF, but xen won't crash
> > it.
> >
> >
> > 3. Add pvh check above in hvm_hap_nested_page_fault:
> >
> > put_gfn(p2m->domain, gfn);
> > if ( is_pvh_vcpu(v) )
> > {
> > rc = 0;
> > goto out;
> > }
> > if ( !handle_mmio() ) <==========
> > hvm_inject_hw_exception(TRAP_gp_fault, 0);
> > ...
> >
> > OUTCOME: xen would crash guest with the nice ept violation
> > message.
> >
> >
> > 4. Add check for pvh in handle_mmio:
> >
> > int handle_mmio(void)
> > {
> > int rc;
> >
> > if ( is_pvh_vcpu(current) )
> > return X86EMUL_UNHANDLEABLE;
> > ...
> >
> > OUTCOME: guest would be injected with GPF, but xen won't crash
> > it.
> >
> >
> > 5. Do 1/2/4 above, but in addition, in hvm_hap_nested_page_fault()
> > do:
> >
> > if ( (p2mt == p2m_mmio_dm) ||
> > (access_w && (p2mt == p2m_ram_ro)) )
> > {
> > put_gfn(p2m->domain, gfn);
> > rc = 1;
> > if ( !handle_mmio() ) <==========
> > {
> > if ( is_pvh_vcpu )
> > rc = 0;
> > else
> > hvm_inject_hw_exception(TRAP_gp_fault, 0);
> > }
> > goto out;
> > }
> >
> > OUTCOME: xen would crash guest with the nice ept violation
> > message that prints all the details.
> >
> > Please lmk your thoughts and preference, and I'll submit patch. The
> > patch would not be part of dom0 pvh series, as a pvh domU ept
> > violation could cause this xen panic too in vioapic_range. We may
> > wanna backport it too (not sure because of experimental nature of
> > the feature).
>
> So my first preference would be #VE to be delivered to the guest. If
> such can't be delivered, I guess killing the guest is more natural
> than injecting #GP - we may want/need to make support for #VE a
> requirement for PVH guests.
#VE support doesn't appear to be there in guest right now. So, let
me not get too distracted, we've other higher prirority fixmes, not to
mention other supports like amd, migration, 32bit etc I'd like
to address right after this series goes in.
> Alternatively, whether handle_mmio() itself filters out PVH, or
> whether its callers take care to not call it in that case largely
> depends on what would produce cleaner code - i.e. if all but one of
> the code paths already avoid calling the function, I would think the
> remaining one should do so too unless moving the filter into the
> function would allow cleaning up the other call sites.
>
> That not withstanding I think we will want/need pvh_mmio_handlers[]
> at some point anyway - if that's going to be multiplexed inside
> handle_mmio(), then preventing the function to be called would be the
> wrong thing now (as that would then later need to be undone, and
> hence would better get done right from the beginning).
>
> What I'm definitely against - as said before - is option 2.
Ok, so looks like you are ok with #3. We can add pvh_mmio_handlers when
adding the msix support so it gets done properly as it needs some work
on guest side too from what I recall. #3 would be easy to backport also.
thanks
Mukesh
next prev parent reply other threads:[~2014-05-07 1:07 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-16 0:12 [V9 PATCH 0/8] pvh dom0 patches Mukesh Rathor
2014-04-16 0:12 ` [V9 PATCH 1/8] pvh dom0: move some pv specific code to static functions Mukesh Rathor
2014-04-16 0:12 ` [V9 PATCH 2/8] pvh dom0: construct_dom0 changes Mukesh Rathor
2014-04-16 0:12 ` [V9 PATCH 3/8] pvh dom0: Introduce p2m_map_foreign Mukesh Rathor
2014-04-16 0:12 ` [V9 PATCH 4/8] pvh dom0: Add checks and restrictions for p2m_is_foreign Mukesh Rathor
2014-04-16 15:28 ` Jan Beulich
2014-04-16 0:12 ` [V9 PATCH 5/8] pvh dom0: make xsm_map_gmfn_foreign available for x86 Mukesh Rathor
2014-04-16 14:29 ` Daniel De Graaf
2014-04-16 0:12 ` [V9 PATCH 6/8] pvh dom0: Add and remove foreign pages Mukesh Rathor
2014-04-16 16:00 ` Jan Beulich
2014-04-17 1:37 ` Mukesh Rathor
2014-04-17 6:50 ` Jan Beulich
2014-04-17 12:36 ` Tim Deegan
2014-04-17 13:58 ` Jan Beulich
2014-04-19 0:59 ` Mukesh Rathor
2014-04-21 16:10 ` Jan Beulich
2014-04-24 2:21 ` Mukesh Rathor
2014-04-24 6:44 ` Jan Beulich
2014-04-24 9:46 ` Tim Deegan
2014-04-25 2:09 ` Mukesh Rathor
2014-04-25 6:49 ` Jan Beulich
2014-04-25 23:23 ` Mukesh Rathor
2014-04-26 0:06 ` Mukesh Rathor
2014-04-28 7:23 ` Jan Beulich
2014-04-25 8:55 ` Tim Deegan
2014-04-25 23:29 ` Mukesh Rathor
2014-04-26 1:34 ` Mukesh Rathor
2014-04-28 8:54 ` Jan Beulich
2014-04-28 9:09 ` Tim Deegan
2014-04-22 0:19 ` Mukesh Rathor
2014-04-22 7:28 ` Jan Beulich
2014-04-23 0:28 ` Mukesh Rathor
2014-04-23 9:03 ` Jan Beulich
2014-04-23 16:13 ` Andres Lagar-Cavilla
2014-04-24 16:37 ` Tim Deegan
2014-04-16 0:12 ` [V9 PATCH 7/8] pvh dom0: check for vioapic null ptr in vioapic_range Mukesh Rathor
2014-04-16 16:05 ` Jan Beulich
2014-04-17 1:44 ` Mukesh Rathor
2014-04-17 6:54 ` Jan Beulich
2014-04-22 0:59 ` Mukesh Rathor
2014-04-22 7:33 ` Jan Beulich
2014-04-23 0:11 ` Mukesh Rathor
2014-04-23 9:07 ` Jan Beulich
2014-04-23 21:18 ` Mukesh Rathor
2014-04-24 6:49 ` Jan Beulich
2014-04-24 23:28 ` Mukesh Rathor
2014-05-06 0:19 ` Mukesh Rathor
2014-05-06 7:44 ` Jan Beulich
2014-05-07 1:07 ` Mukesh Rathor [this message]
2014-05-07 6:47 ` Jan Beulich
2014-05-07 23:52 ` Mukesh Rathor
2014-05-08 6:33 ` Jan Beulich
2014-04-16 0:12 ` [V9 PATCH 8/8] pvh dom0: add opt_dom0pvh to setup.c Mukesh Rathor
2014-04-16 12:57 ` Konrad Rzeszutek Wilk
2014-04-16 13:01 ` Andrew Cooper
2014-04-16 16:09 ` Jan Beulich
2014-04-16 14:57 ` [V9 PATCH 0/8] pvh dom0 patches Roger Pau Monné
2014-04-16 21:15 ` Mukesh Rathor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140506180701.0ef99936@mantra.us.oracle.com \
--to=mukesh.rathor@oracle.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=eddie.dong@intel.com \
--cc=jun.nakajima@intel.com \
--cc=keir.xen@gmail.com \
--cc=tim@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).