On 2018/2/14 16:09, Jan Beulich wrote:
In an IBRS available env, bootup panic when bti=0 like below:
(XEN) Speculative mitigation facilities:
(XEN) Hardware features: SMEP IBRS/IBPB STIBP
(XEN) BTI mitigations: Thunk N/A, Others: IBRS- SMEP
(XEN) [ Xen-4.4.4OVM x86_64 debug=n Tainted:C ]
(XEN) CPU:0
(XEN) RIP:e008:[]
entry.o#handle_ist_exception+0xd1/0x176
(XEN) RFLAGS: 00010046 CONTEXT: hypervisor
(XEN) rax: rbx: rcx: 0048
(XEN) rdx: 0001 rsi: rdi:
(XEN) rbp: rsp: 82d080529f58 r8:
(XEN) r9: r10: r11:
(XEN) r12: r13: r14: 82d08052
(XEN) r15: cr0: 8005003b cr4: 001506f0
(XEN) cr3: 76fbe000 cr2:
(XEN) ds: es: fs: gs: ss: cs: e008
(XEN) Xen stack trace from rsp=82d080529f58:
(XEN)0018 0002 82d080528000
(XEN) 82d0802a50e0 82d08052fd98 82d08072fc00
(XEN) 0001 0400 0830
(XEN) 000a 82d0803f0fc0 0002
(XEN)82d080298876 e008 0046 82d08052fdf8
(XEN)
(XEN) Xen call trace:
(XEN)[] entry.o#handle_ist_exception+0xd1/0x176
(XEN)
(XEN)
(XEN)
(XEN) Panic on CPU 0:
(XEN) GENERAL PROTECTION FAULT
(XEN) [error_code=]
(XEN)
It's because %edx isn't cleared to zero before wrmsr.
DO_OVERWRITE_RSB clobbers %eax and happened to cover the bug in certain cases so
we didn't reproduce without bti=0.
Signed-off-by: Zhenzhong Duan
Re-do actual code change. Also drop an unused label.
Signed-off-by: Jan Beulich
--- a/xen/include/asm-x86/spec_ctrl_asm.h
+++ b/xen/include/asm-x86/spec_ctrl_asm.h
@@ -274,7 +274,9 @@
testb $BTI_IST_RSB, %al
jz .L\@_skip_rsb
+mov %eax, %edx
DO_OVERWRITE_RSB
+mov %edx, %eax
.L\@_skip_rsb:
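Review bot: the save and restore of %eax through %edx around DO_OVERWRITE_RSB has no comment, and it is only correct if the macro leaves %edx untouched, which these lines do not show. Please add a short comment on the first mov saying that DO_OVERWRITE_RSB clobbers %eax and that %edx is used as scratch here, and note the requirement on %edx next to the macro definition so a later change to it does not silently corrupt the value tested against BTI_IST_IBRS further down. The pair also discards whatever %edx held on entry to this block, so it is worth stating that %edx is dead at this point.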
@@ -286,13 +288,13 @@
setz %dl
and %dl, STACK_CPUINFO_FIELD(use_shadow_spec_ctrl)(%r14)
-.L\@_entry_from_xen:
/*
* Load Xen's intended value. SPEC_CTRL_IBRS vs 0 is encoded in the
* bottom bit of bti_ist_info, via a deliberate alias with BTI_IST_IBRS.
*/
mov $MSR_SPEC_CTRL, %ecx
and $BTI_IST_IBRS, %eax
+xor %edx, %edx
wrmsr
/* Opencoded UNLIKELY_START() with no condition. */
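Review bot: the new "xor %edx, %edx" in front of wrmsr should carry a comment, because the existing block comment only describes the low half of the value ("SPEC_CTRL_IBRS vs 0 is encoded in the bottom bit"). wrmsr writes %edx:%eax, and the "setz %dl" a few lines earlier can leave %edx non-zero, so a reader needs to be told that the upper 32 bits written to MSR_SPEC_CTRL must be zero. Extending the block comment with one sentence to that effect would do. On the removed ".L\@_entry_from_xen:" label, the message calls it unused; please confirm no jump to it remains elsewhere in the macro, since only this hunk is visible.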
I just found this patch could be optimized a bit actually by only adding
two instructions. Let me prepare a v3 patch, a few minutes.
--
thanks
zduan