[PATCH v2 0/3] xen/arm: Survive unknown traps from guests

[PATCH v2 0/3] xen/arm: Survive unknown traps from guests

[Julien Grall]

Hi all,

This small patch series ensure that Xen will not die when receiving unknown
trap from the guests. I am not aware of any issue with platform we currently
support, so I am not sure whether it would be Xen 4.9 material.

Cheers,

Julien Grall (3):
  xen/arm: arm32: Rename the trap to the correct name
  xen/arm: do_trap_hypervisor: Separate hypervisor and guest traps
  xen/arm: Survive unknown traps from guests

 xen/arch/arm/arm32/entry.S |  8 ++++----
 xen/arch/arm/arm32/traps.c |  4 ++--
 xen/arch/arm/arm64/entry.S |  6 +++---
 xen/arch/arm/traps.c       | 18 +++++++++++++++++-
 4 files changed, 26 insertions(+), 10 deletions(-)

-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH v2 1/3] xen/arm: arm32: Rename the trap to the correct name

[Julien Grall]

Per Table B1-3 in ARM DDI 0406C.c, the vector 0x8 for hyp is called
"Hypervisor Call".

Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>

---
    Changes in v2:
        - Add Stefano's reviewed-by
---
 xen/arch/arm/arm32/entry.S | 4 ++--
 xen/arch/arm/arm32/traps.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S
index 2b04a99664..05733089f7 100644
--- a/xen/arch/arm/arm32/entry.S
+++ b/xen/arch/arm/arm32/entry.S
@@ -149,7 +149,7 @@ trap_##trap:                                                            \
 GLOBAL(hyp_traps_vector)
         .word 0                         /* 0x00 - Reset */
         b trap_undefined_instruction    /* 0x04 - Undefined Instruction */
-        b trap_supervisor_call          /* 0x08 - Supervisor Call */
+        b trap_hypervisor_call          /* 0x08 - Hypervisor Call */
         b trap_prefetch_abort           /* 0x0c - Prefetch Abort */
         b trap_data_abort               /* 0x10 - Data Abort */
         b trap_hypervisor               /* 0x14 - Hypervisor */
@@ -157,7 +157,7 @@ GLOBAL(hyp_traps_vector)
         b trap_fiq                      /* 0x1c - FIQ */
 
 DEFINE_TRAP_ENTRY(undefined_instruction)
-DEFINE_TRAP_ENTRY(supervisor_call)
+DEFINE_TRAP_ENTRY(hypervisor_call)
 DEFINE_TRAP_ENTRY(prefetch_abort)
 DEFINE_TRAP_ENTRY(hypervisor)
 DEFINE_TRAP_ENTRY_NOIRQ(irq)
diff --git a/xen/arch/arm/arm32/traps.c b/xen/arch/arm/arm32/traps.c
index 5bc5f64d86..e75836792a 100644
--- a/xen/arch/arm/arm32/traps.c
+++ b/xen/arch/arm/arm32/traps.c
@@ -50,9 +50,9 @@ die:
     do_unexpected_trap("Undefined Instruction", regs);
 }
 
-asmlinkage void do_trap_supervisor_call(struct cpu_user_regs *regs)
+asmlinkage void do_trap_hypervisor_call(struct cpu_user_regs *regs)
 {
-    do_unexpected_trap("Supervisor Call", regs);
+    do_unexpected_trap("Hypervisor Call", regs);
 }
 
 asmlinkage void do_trap_prefetch_abort(struct cpu_user_regs *regs)
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH v2 2/3] xen/arm: do_trap_hypervisor: Separate hypervisor and guest traps

[Julien Grall]

The function do_trap_hypervisor is currently handling both trap coming
from the hypervisor and the guest. This makes difficult to get specific
behavior when a trap is coming from either the guest or the hypervisor.

Split the function into two parts:
    - do_trap_guest_sync to handle guest traps
    - do_trap_hyp_sync to handle hypervisor traps

On AArch32, the Hyp Trap Exception provides the standard mechanism for
trapping Guest OS functions to the hypervisor (see B1.14.1 in ARM DDI
0406C.c). It cannot be generated when generated when the processor is in
Hyp Mode, instead other exception will be used. So it is fine to replace
the call to do_trap_hypervisor by do_trap_guest_sync.

For AArch64, there are two distincts exception depending whether the
exception was taken from the current level (hypervisor) or lower level
(guest).

Note that the unknown traps from guests will lead to panic Xen. This is
already behavior and is left unchanged for simplicy. A follow-up patch
will address that.

Signed-off-by: Julien Grall <julien.grall@arm.com>

---
    Changes in v2:
        - Improve warning message
        - Clarify in the commit message that the behavior is not yet
        changed.
---
 xen/arch/arm/arm32/entry.S |  4 ++--
 xen/arch/arm/arm64/entry.S |  6 +++---
 xen/arch/arm/traps.c       | 17 ++++++++++++++++-
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S
index 05733089f7..120922e64e 100644
--- a/xen/arch/arm/arm32/entry.S
+++ b/xen/arch/arm/arm32/entry.S
@@ -152,14 +152,14 @@ GLOBAL(hyp_traps_vector)
         b trap_hypervisor_call          /* 0x08 - Hypervisor Call */
         b trap_prefetch_abort           /* 0x0c - Prefetch Abort */
         b trap_data_abort               /* 0x10 - Data Abort */
-        b trap_hypervisor               /* 0x14 - Hypervisor */
+        b trap_guest_sync               /* 0x14 - Hypervisor */
         b trap_irq                      /* 0x18 - IRQ */
         b trap_fiq                      /* 0x1c - FIQ */
 
 DEFINE_TRAP_ENTRY(undefined_instruction)
 DEFINE_TRAP_ENTRY(hypervisor_call)
 DEFINE_TRAP_ENTRY(prefetch_abort)
-DEFINE_TRAP_ENTRY(hypervisor)
+DEFINE_TRAP_ENTRY(guest_sync)
 DEFINE_TRAP_ENTRY_NOIRQ(irq)
 DEFINE_TRAP_ENTRY_NOIRQ(fiq)
 DEFINE_TRAP_ENTRY_NOABORT(data_abort)
diff --git a/xen/arch/arm/arm64/entry.S b/xen/arch/arm/arm64/entry.S
index 137e67c674..06afc8a4e4 100644
--- a/xen/arch/arm/arm64/entry.S
+++ b/xen/arch/arm/arm64/entry.S
@@ -189,7 +189,7 @@ hyp_sync:
         entry   hyp=1
         msr     daifclr, #6
         mov     x0, sp
-        bl      do_trap_hypervisor
+        bl      do_trap_hyp_sync
         exit    hyp=1
 
 hyp_irq:
@@ -211,7 +211,7 @@ guest_sync:
                     SKIP_SYNCHRONIZE_SERROR_ENTRY_EXIT)
         msr     daifclr, #6
         mov     x0, sp
-        bl      do_trap_hypervisor
+        bl      do_trap_guest_sync
 1:
         exit    hyp=0, compat=0
 
@@ -254,7 +254,7 @@ guest_sync_compat:
                     SKIP_SYNCHRONIZE_SERROR_ENTRY_EXIT)
         msr     daifclr, #6
         mov     x0, sp
-        bl      do_trap_hypervisor
+        bl      do_trap_guest_sync
 1:
         exit    hyp=0, compat=1
 
diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
index 6010c96c54..645812210d 100644
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -2805,7 +2805,7 @@ static void enter_hypervisor_head(struct cpu_user_regs *regs)
     }
 }
 
-asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs)
+asmlinkage void do_trap_guest_sync(struct cpu_user_regs *regs)
 {
     const union hsr hsr = { .bits = regs->hsr };
 
@@ -2925,6 +2925,21 @@ asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs)
         do_trap_data_abort_guest(regs, hsr);
         break;
 
+    default:
+        printk("Unknown Guest Trap. HSR=0x%x EC=0x%x IL=%x Syndrome=0x%"PRIx32"\n",
+               hsr.bits, hsr.ec, hsr.len, hsr.iss);
+        do_unexpected_trap("Guest", regs);
+    }
+}
+
+asmlinkage void do_trap_hyp_sync(struct cpu_user_regs *regs)
+{
+    const union hsr hsr = { .bits = regs->hsr };
+
+    enter_hypervisor_head(regs);
+
+    switch ( hsr.ec )
+    {
 #ifdef CONFIG_ARM_64
     case HSR_EC_BRK:
         do_trap_brk(regs, hsr);
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v2 2/3] xen/arm: do_trap_hypervisor: Separate hypervisor and guest traps

[Stefano Stabellini]

On Fri, 5 May 2017, Julien Grall wrote:
> The function do_trap_hypervisor is currently handling both trap coming
> from the hypervisor and the guest. This makes difficult to get specific
> behavior when a trap is coming from either the guest or the hypervisor.
> 
> Split the function into two parts:
>     - do_trap_guest_sync to handle guest traps
>     - do_trap_hyp_sync to handle hypervisor traps
> 
> On AArch32, the Hyp Trap Exception provides the standard mechanism for
> trapping Guest OS functions to the hypervisor (see B1.14.1 in ARM DDI
> 0406C.c). It cannot be generated when generated when the processor is in
> Hyp Mode, instead other exception will be used. So it is fine to replace
> the call to do_trap_hypervisor by do_trap_guest_sync.
> 
> For AArch64, there are two distincts exception depending whether the
> exception was taken from the current level (hypervisor) or lower level
> (guest).
> 
> Note that the unknown traps from guests will lead to panic Xen. This is
> already behavior and is left unchanged for simplicy. A follow-up patch
> will address that.
> 
> Signed-off-by: Julien Grall <julien.grall@arm.com>

Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>


> ---
>     Changes in v2:
>         - Improve warning message
>         - Clarify in the commit message that the behavior is not yet
>         changed.
> ---
>  xen/arch/arm/arm32/entry.S |  4 ++--
>  xen/arch/arm/arm64/entry.S |  6 +++---
>  xen/arch/arm/traps.c       | 17 ++++++++++++++++-
>  3 files changed, 21 insertions(+), 6 deletions(-)
> 
> diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S
> index 05733089f7..120922e64e 100644
> --- a/xen/arch/arm/arm32/entry.S
> +++ b/xen/arch/arm/arm32/entry.S
> @@ -152,14 +152,14 @@ GLOBAL(hyp_traps_vector)
>          b trap_hypervisor_call          /* 0x08 - Hypervisor Call */
>          b trap_prefetch_abort           /* 0x0c - Prefetch Abort */
>          b trap_data_abort               /* 0x10 - Data Abort */
> -        b trap_hypervisor               /* 0x14 - Hypervisor */
> +        b trap_guest_sync               /* 0x14 - Hypervisor */
>          b trap_irq                      /* 0x18 - IRQ */
>          b trap_fiq                      /* 0x1c - FIQ */
>  
>  DEFINE_TRAP_ENTRY(undefined_instruction)
>  DEFINE_TRAP_ENTRY(hypervisor_call)
>  DEFINE_TRAP_ENTRY(prefetch_abort)
> -DEFINE_TRAP_ENTRY(hypervisor)
> +DEFINE_TRAP_ENTRY(guest_sync)
>  DEFINE_TRAP_ENTRY_NOIRQ(irq)
>  DEFINE_TRAP_ENTRY_NOIRQ(fiq)
>  DEFINE_TRAP_ENTRY_NOABORT(data_abort)
> diff --git a/xen/arch/arm/arm64/entry.S b/xen/arch/arm/arm64/entry.S
> index 137e67c674..06afc8a4e4 100644
> --- a/xen/arch/arm/arm64/entry.S
> +++ b/xen/arch/arm/arm64/entry.S
> @@ -189,7 +189,7 @@ hyp_sync:
>          entry   hyp=1
>          msr     daifclr, #6
>          mov     x0, sp
> -        bl      do_trap_hypervisor
> +        bl      do_trap_hyp_sync
>          exit    hyp=1
>  
>  hyp_irq:
> @@ -211,7 +211,7 @@ guest_sync:
>                      SKIP_SYNCHRONIZE_SERROR_ENTRY_EXIT)
>          msr     daifclr, #6
>          mov     x0, sp
> -        bl      do_trap_hypervisor
> +        bl      do_trap_guest_sync
>  1:
>          exit    hyp=0, compat=0
>  
> @@ -254,7 +254,7 @@ guest_sync_compat:
>                      SKIP_SYNCHRONIZE_SERROR_ENTRY_EXIT)
>          msr     daifclr, #6
>          mov     x0, sp
> -        bl      do_trap_hypervisor
> +        bl      do_trap_guest_sync
>  1:
>          exit    hyp=0, compat=1
>  
> diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
> index 6010c96c54..645812210d 100644
> --- a/xen/arch/arm/traps.c
> +++ b/xen/arch/arm/traps.c
> @@ -2805,7 +2805,7 @@ static void enter_hypervisor_head(struct cpu_user_regs *regs)
>      }
>  }
>  
> -asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs)
> +asmlinkage void do_trap_guest_sync(struct cpu_user_regs *regs)
>  {
>      const union hsr hsr = { .bits = regs->hsr };
>  
> @@ -2925,6 +2925,21 @@ asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs)
>          do_trap_data_abort_guest(regs, hsr);
>          break;
>  
> +    default:
> +        printk("Unknown Guest Trap. HSR=0x%x EC=0x%x IL=%x Syndrome=0x%"PRIx32"\n",
> +               hsr.bits, hsr.ec, hsr.len, hsr.iss);
> +        do_unexpected_trap("Guest", regs);
> +    }
> +}
> +
> +asmlinkage void do_trap_hyp_sync(struct cpu_user_regs *regs)
> +{
> +    const union hsr hsr = { .bits = regs->hsr };
> +
> +    enter_hypervisor_head(regs);
> +
> +    switch ( hsr.ec )
> +    {
>  #ifdef CONFIG_ARM_64
>      case HSR_EC_BRK:
>          do_trap_brk(regs, hsr);
> -- 
> 2.11.0
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH v2 3/3] xen/arm: Survive unknown traps from guests

[Julien Grall]

Currently we crash Xen if we see an ESR_EL2.EC value we don't recognise.
As configurable disables/enables are added to the architecture
(controlled by RES1/RESO bits respectively), with associated synchronous
exceptions, it may be possible for a guest to trigger exceptions with
classes that we don't recognise.

While we can't service these exceptions in a manner useful to the guest,
we can avoid bringing down the host. Per ARM DDI 0487A.k_iss10775, page
D7-1937, EC values within the range 0x00 - 0x2c are reserved for future
use with synchronous exceptions, and EC within the range 0x2d - 0x3f may
be used for either synchronous or asynchronous exceptions.

The patch makes Xen handle any unknown EC by injecting an UNDEFINED
exception into the guest, with a corresponding (ratelimited) warning in
the log.

This patch is based on Linux commit f050fe7a9164 "arm: KVM: Survive unknown
traps from the guest".

Signed-off-by: Julien Grall <julien.grall@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>

---
    Changes in v2:
        - Add Stefano's reviewed-by
---
 xen/arch/arm/traps.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
index 645812210d..6cf9ee7244 100644
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -2926,9 +2926,10 @@ asmlinkage void do_trap_guest_sync(struct cpu_user_regs *regs)
         break;
 
     default:
-        printk("Unknown Guest Trap. HSR=0x%x EC=0x%x IL=%x Syndrome=0x%"PRIx32"\n",
-               hsr.bits, hsr.ec, hsr.len, hsr.iss);
-        do_unexpected_trap("Guest", regs);
+        gprintk(XENLOG_WARNING,
+                "Unknown Guest Trap. HSR=0x%x EC=0x%x IL=%x Syndrome=0x%"PRIx32"\n",
+                hsr.bits, hsr.ec, hsr.len, hsr.iss);
+        inject_undef_exception(regs, hsr);
     }
 }
 
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v2 0/3] xen/arm: Survive unknown traps from guests

[Stefano Stabellini]

On Fri, 5 May 2017, Julien Grall wrote:
> Hi all,
> 
> This small patch series ensure that Xen will not die when receiving unknown
> trap from the guests. I am not aware of any issue with platform we currently
> support, so I am not sure whether it would be Xen 4.9 material.

Given that it is a bug fix and of small risk, I think it should be in
4.9.


> Cheers,
> 
> Julien Grall (3):
>   xen/arm: arm32: Rename the trap to the correct name
>   xen/arm: do_trap_hypervisor: Separate hypervisor and guest traps
>   xen/arm: Survive unknown traps from guests
> 
>  xen/arch/arm/arm32/entry.S |  8 ++++----
>  xen/arch/arm/arm32/traps.c |  4 ++--
>  xen/arch/arm/arm64/entry.S |  6 +++---
>  xen/arch/arm/traps.c       | 18 +++++++++++++++++-
>  4 files changed, 26 insertions(+), 10 deletions(-)
> 
> -- 
> 2.11.0
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v2 0/3] xen/arm: Survive unknown traps from guests

[Julien Grall]

Hi Stefano,

On 05/05/17 20:09, Stefano Stabellini wrote:
> On Fri, 5 May 2017, Julien Grall wrote:
>> Hi all,
>>
>> This small patch series ensure that Xen will not die when receiving unknown
>> trap from the guests. I am not aware of any issue with platform we currently
>> support, so I am not sure whether it would be Xen 4.9 material.
>
> Given that it is a bug fix and of small risk, I think it should be in
> 4.9.

I agree here, this would allow Xen to be used safely on new hardware if 
no other patch is required.

Cheers,

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel