| Message ID | 1464013052-32587-15-git-send-email-julien.grall@arm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Mon, 23 May 2016, Julien Grall wrote: > Based on ARM ARM (D4.5.3 in ARM DDI 0486A and B3.12.7 in ARM DDI 0406C.c), > a Stage 1 translation error has priority over a Stage 2 translation error. > > Therefore gva_to_ipa can only fail if another vCPU is playing with the > page table. > > Rather than injecting a custom fault, replay the instruction and let the > processor injecting the correct fault. > > This is fine as Xen is handling all the pending softirqs > (see leave_hypervisor_tail) before returning to the guest. One of them > is the scheduler which could reschuled the vCPU. > > Signed-off-by: Julien Grall <julien.grall@arm.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org> > Changes in v2: > - Update commit message to explain why a guest cannot DoS the > hypervisor with it. > --- > xen/arch/arm/traps.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c > index c0325d5..3acdba0 100644 > --- a/xen/arch/arm/traps.c > +++ b/xen/arch/arm/traps.c > @@ -2410,7 +2410,7 @@ static void do_trap_instr_abort_guest(struct cpu_user_regs *regs, > > rc = gva_to_ipa(gva, &gpa, GV2M_READ); > if ( rc == -EFAULT ) > - goto bad_insn_abort; > + return; /* Try again */ > } > > rc = p2m_mem_access_check(gpa, gva, npfec); > @@ -2422,7 +2422,6 @@ static void do_trap_instr_abort_guest(struct cpu_user_regs *regs, > break; > } > > -bad_insn_abort: > inject_iabt_exception(regs, gva, hsr.len); > } > > @@ -2452,7 +2451,7 @@ static void do_trap_data_abort_guest(struct cpu_user_regs *regs, > { > rc = gva_to_ipa(info.gva, &info.gpa, GV2M_READ); > if ( rc == -EFAULT ) > - goto bad_data_abort; > + return; /* Try again */ > } > > switch ( dabt.dfsc & 0x3f ) > -- > 1.9.1 >
diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index c0325d5..3acdba0 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -2410,7 +2410,7 @@ static void do_trap_instr_abort_guest(struct cpu_user_regs *regs, rc = gva_to_ipa(gva, &gpa, GV2M_READ); if ( rc == -EFAULT ) - goto bad_insn_abort; + return; /* Try again */ } rc = p2m_mem_access_check(gpa, gva, npfec); @@ -2422,7 +2422,6 @@ static void do_trap_instr_abort_guest(struct cpu_user_regs *regs, break; } -bad_insn_abort: inject_iabt_exception(regs, gva, hsr.len); } @@ -2452,7 +2451,7 @@ static void do_trap_data_abort_guest(struct cpu_user_regs *regs, { rc = gva_to_ipa(info.gva, &info.gpa, GV2M_READ); if ( rc == -EFAULT ) - goto bad_data_abort; + return; /* Try again */ } switch ( dabt.dfsc & 0x3f )
Based on ARM ARM (D4.5.3 in ARM DDI 0486A and B3.12.7 in ARM DDI 0406C.c), a Stage 1 translation error has priority over a Stage 2 translation error. Therefore gva_to_ipa can only fail if another vCPU is playing with the page table. Rather than injecting a custom fault, replay the instruction and let the processor injecting the correct fault. This is fine as Xen is handling all the pending softirqs (see leave_hypervisor_tail) before returning to the guest. One of them is the scheduler which could reschuled the vCPU. Signed-off-by: Julien Grall <julien.grall@arm.com> --- Changes in v2: - Update commit message to explain why a guest cannot DoS the hypervisor with it. --- xen/arch/arm/traps.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)