From patchwork Tue Feb 21 02:11:15 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Haozhong Zhang <haozhong.zhang@intel.com>
X-Patchwork-Id: 9583791
Return-Path: <xen-devel-bounces@lists.xen.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	14B196047C for <patchwork-xen-devel@patchwork.kernel.org>;
	Tue, 21 Feb 2017 02:14:58 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DE3692891B
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Tue, 21 Feb 2017 02:14:57 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id D19DD2891D; Tue, 21 Feb 2017 02:14:57 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
	(using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 441752891B
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Tue, 21 Feb 2017 02:14:56 +0000 (UTC)
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-devel-bounces@lists.xen.org>)
	id 1cfzvq-0004sH-TL; Tue, 21 Feb 2017 02:11:58 +0000
Received: from mail6.bemta6.messagelabs.com ([193.109.254.103])
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <haozhong.zhang@intel.com>) id 1cfzvp-0004sB-VT
	for xen-devel@lists.xen.org; Tue, 21 Feb 2017 02:11:58 +0000
Received: from [193.109.254.147] by server-11.bemta-6.messagelabs.com id
	2F/FA-04971-DE1ABA85; Tue, 21 Feb 2017 02:11:57 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrOLMWRWlGSWpSXmKPExsVywNwkQvfNwtU
	RBr3T5C2WfFzM4sDocXT3b6YAxijWzLyk/IoE1oymP3OYC6aKV3z4sZ61gXGLUBcjF4eQwHRG
	id+/fzJ2MXJySAjwShxZNoMVwg6Q2PN8LhNEUS+jxMLXrWwgCTYBfYkVjw+CFYkISEtc+3wZr
	JlZoFpi2spzYDXCAn4SD/+8AouzCKhKHHy6iwnE5hWwlXjQ2wW1QF7iwtVTLBMYuRcwMqxi1C
	hOLSpLLdI1NNRLKspMzyjJTczM0TU0MNPLTS0uTkxPzUlMKtZLzs/dxAj0MAMQ7GD8tCzgEKM
	kB5OSKO+dJasihPiS8lMqMxKLM+KLSnNSiw8xynBwKEnwmgMDRkiwKDU9tSItMwcYajBpCQ4e
	JRFeAZA0b3FBYm5xZjpE6hSjopQ4rzdIQgAkkVGaB9cGC+9LjLJSwryMQIcI8RSkFuVmlqDKv
	2IU52BUEuZ9uABoCk9mXgnc9FdAi5mAFt/0WAmyuCQRISXVwLhZvuFF+v8t2tzcAuGawRlrj8
	300po996zjIrUpf3X+NOoeEfv4QNAqPr33753p6b654iuX2r+edzNi3sq1H61WrpjX+k06PXO
	lfGDCxCeBmgLzBZPOqF0OSQyOmT07utw6iz/ty03xhSIydZd1XwTNznTfdWfholsydkZS2T1L
	5wVV+N+0lFZiKc5INNRiLipOBAAP01s9agIAAA==
X-Env-Sender: haozhong.zhang@intel.com
X-Msg-Ref: server-15.tower-27.messagelabs.com!1487643114!35150186!1
X-Originating-IP: [192.55.52.88]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor:
	VHJ1c3RlZCBJUDogMTkyLjU1LjUyLjg4ID0+IDM3NDcyNQ==\n
X-StarScan-Received: 
X-StarScan-Version: 9.2.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 59748 invoked from network); 21 Feb 2017 02:11:56 -0000
Received: from mga01.intel.com (HELO mga01.intel.com) (192.55.52.88)
	by server-15.tower-27.messagelabs.com with DHE-RSA-AES256-GCM-SHA384
	encrypted SMTP; 21 Feb 2017 02:11:56 -0000
Received: from fmsmga002.fm.intel.com ([10.253.24.26])
	by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
	20 Feb 2017 18:11:53 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos; i="5.35,187,1484035200"; d="scan'208";
	a="1132612268"
Received: from hz-desktop.sh.intel.com (HELO localhost) ([10.239.159.133])
	by fmsmga002.fm.intel.com with ESMTP; 20 Feb 2017 18:11:52 -0800
From: Haozhong Zhang <haozhong.zhang@intel.com>
To: xen-devel@lists.xen.org
Date: Tue, 21 Feb 2017 10:11:15 +0800
Message-Id: <20170221021115.24069-1-haozhong.zhang@intel.com>
X-Mailer: git-send-email 2.10.1
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	Jan Beulich <jbeulich@suse.com>,
	Haozhong Zhang <haozhong.zhang@intel.com>
Subject: [Xen-devel] [PATCH] xen/x86: ensure copying to L1 guest in
	update_runstate_area()
X-BeenThere: xen-devel@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>
X-Virus-Scanned: ClamAV using ClamSMTP

For a HVM domain, if a vcpu is in the nested guest mode,
__raw_copy_to_guest() and __copy_to_guest() used by
update_runstate_area() will copy data to L2 guest other than L1 guest.

Besides copying to the wrong address, this bug also causes crash in
the code path:
    context_switch(prev, next)
      _update_runstate_area(next)
        update_runstate_area(next)
	  __raw_copy_to_guest(...)
	    ...
	      __hvm_copy(...)
	        paging_gva_to_gfn(...)
		  nestedhap_walk_L1_p2m(...)
		    nvmx_hap_walk_L1_p2m(..)
		      vmx_vmcs_enter(v) [ v = next ]
		        vmx_vmcs_try_enter(v) [ v = next ]
			  if ( likely(v == current) )
                              return v->arch.hvm_vmx.vmcs_pa == this_cpu(current_vmcs);
vmx_vmcs_try_enter() will fail and trigger the assert in
vmx_vmcs_enter(), if vcpu 'next' is in the nested guest mode and is
being scheduled to another CPU.

This commit temporally clears the nested guest flag before all
__raw_copy_to_guest() and __copy_to_guest() in update_runstate_area(),
and restores the flag after those guest copy operations.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
---
 xen/arch/x86/domain.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 7d3071e..5f0444c 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -50,6 +50,7 @@
 #include <asm/mpspec.h>
 #include <asm/ldt.h>
 #include <asm/hvm/hvm.h>
+#include <asm/hvm/nestedhvm.h>
 #include <asm/hvm/support.h>
 #include <asm/hvm/viridian.h>
 #include <asm/debugreg.h>
@@ -1931,10 +1932,29 @@ bool_t update_runstate_area(struct vcpu *v)
     bool_t rc;
     smap_check_policy_t smap_policy;
     void __user *guest_handle = NULL;
+    bool nested_guest_mode = 0;
 
     if ( guest_handle_is_null(runstate_guest(v)) )
         return 1;
 
+    /*
+     * Must be before all following __raw_copy_to_guest() and __copy_to_guest().
+     *
+     * Otherwise, if 'v' is in the nested guest mode, paging_gva_to_gfn() called
+     * from __raw_copy_to_guest() and __copy_to_guest() will treat the target
+     * address as L2 gva, and __raw_copy_to_guest() and __copy_to_guest() will
+     * consequently copy runstate to L2 guest other than L1 guest.
+     *
+     * Therefore, we clear the nested guest flag before __raw_copy_to_guest()
+     * and __copy_to_guest(), and restore the flag after all guest copy.
+     */
+    if ( is_hvm_vcpu(v) && paging_mode_hap(v->domain) )
+    {
+        nested_guest_mode = nestedhvm_is_n2(v);
+        if ( nested_guest_mode )
+            nestedhvm_vcpu_exit_guestmode(v);
+    }
+
     smap_policy = smap_policy_change(v, SMAP_CHECK_ENABLED);
 
     if ( VM_ASSIST(v->domain, runstate_update_flag) )
@@ -1971,6 +1991,9 @@ bool_t update_runstate_area(struct vcpu *v)
 
     smap_policy_change(v, smap_policy);
 
+    if ( nested_guest_mode )
+        nestedhvm_vcpu_enter_guestmode(v);
+
     return rc;
 }