File 54744729-SVM-don-t-crash-guest-upon-problems-occurring-in-user-mode.patch of Package xen.481
# Commit 28b4baacd599e8c10e6dac055f6a939bb730fb8a
# Date 2014-11-25 10:08:57 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/HVM: don't crash guest upon problems occurring in user mode
This extends commit 5283b310 ("x86/HVM: only kill guest when unknown VM
exit occurred in guest kernel mode") to a few more cases, including the
failed VM entry one that XSA-110 was needed to be issued for.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
# Commit 04ae2f6837b35bcfb689baf15f493da626929fb5
# Date 2014-12-02 12:48:01 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/HVM: prevent infinite VM entry retries
This reverts the VMX side of commit 28b4baac ("x86/HVM: don't crash
guest upon problems occurring in user mode") and gets SVM in line with
the resulting VMX behavior. This is because Andrew validly says
"A failed vmentry is overwhelmingly likely to be caused by corrupt
VMC[SB] state. As a result, injecting a fault and retrying the the
vmentry is likely to fail in the same way."
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Tim Deegan <tim@xen.org>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -90,6 +90,15 @@ static bool_t amd_erratum383_found __rea
static uint64_t osvw_length, osvw_status;
static DEFINE_SPINLOCK(osvw_lock);
+/* Only crash the guest if the problem originates in kernel mode. */
+static void svm_crash_or_fault(struct vcpu *v)
+{
+ if ( vmcb_get_cpl(v->arch.hvm_svm.vmcb) )
+ hvm_inject_hw_exception(TRAP_invalid_op, HVM_DELIVER_NO_ERROR_CODE);
+ else
+ domain_crash(v->domain);
+}
+
void __update_guest_eip(struct cpu_user_regs *regs, unsigned int inst_len)
{
struct vcpu *curr = current;
@@ -100,7 +109,7 @@ void __update_guest_eip(struct cpu_user_
if ( unlikely(inst_len > 15) )
{
gdprintk(XENLOG_ERR, "Bad instruction length %u\n", inst_len);
- domain_crash(curr->domain);
+ svm_crash_or_fault(curr);
return;
}
@@ -2166,8 +2175,8 @@ void svm_vmexit_handler(struct cpu_user_
goto out;
case NESTEDHVM_VMEXIT_FATALERROR:
gdprintk(XENLOG_ERR, "unexpected nestedsvm_vmexit() error\n");
- goto exit_and_crash;
-
+ domain_crash(v->domain);
+ goto out;
default:
BUG();
case NESTEDHVM_VMEXIT_ERROR:
@@ -2180,18 +2189,22 @@ void svm_vmexit_handler(struct cpu_user_
case NESTEDHVM_VMEXIT_FATALERROR:
gdprintk(XENLOG_ERR,
"unexpected nestedsvm_check_intercepts() error\n");
- goto exit_and_crash;
+ domain_crash(v->domain);
+ goto out;
default:
gdprintk(XENLOG_INFO, "nestedsvm_check_intercepts() returned %i\n",
nsret);
- goto exit_and_crash;
+ domain_crash(v->domain);
+ goto out;
}
}
if ( unlikely(exit_reason == VMEXIT_INVALID) )
{
+ gdprintk(XENLOG_ERR, "invalid VMCB state:\n");
svm_vmcb_dump(__func__, vmcb);
- goto exit_and_crash;
+ domain_crash(v->domain);
+ goto out;
}
perfc_incra(svmexits, exit_reason);
@@ -2226,13 +2239,13 @@ void svm_vmexit_handler(struct cpu_user_
case VMEXIT_EXCEPTION_DB:
if ( !v->domain->debugger_attached )
- goto exit_and_crash;
+ goto unexpected_exit_type;
domain_pause_for_debugger();
break;
case VMEXIT_EXCEPTION_BP:
if ( !v->domain->debugger_attached )
- goto exit_and_crash;
+ goto unexpected_exit_type;
/* AMD Vol2, 15.11: INT3, INTO, BOUND intercepts do not update RIP. */
if ( (inst_len = __get_instruction_length(v, INSTR_INT3)) == 0 )
break;
@@ -2469,16 +2482,12 @@ void svm_vmexit_handler(struct cpu_user_
break;
default:
- exit_and_crash:
+ unexpected_exit_type:
gdprintk(XENLOG_ERR, "unexpected VMEXIT: exit reason = %#"PRIx64", "
"exitinfo1 = %#"PRIx64", exitinfo2 = %#"PRIx64"\n",
exit_reason,
(u64)vmcb->exitinfo1, (u64)vmcb->exitinfo2);
- if ( vmcb_get_cpl(vmcb) )
- hvm_inject_hw_exception(TRAP_invalid_op,
- HVM_DELIVER_NO_ERROR_CODE);
- else
- domain_crash(v->domain);
+ svm_crash_or_fault(v);
break;
}
