From: Andrew Cooper
To: Xen-devel
Date: Thu, 21 Nov 2019 22:15:50 +0000
Message-ID: <20191121221551.1175-2-andrew.cooper3@citrix.com>
In-Reply-To: <20191121221551.1175-1-andrew.cooper3@citrix.com>
References: <20191121221551.1175-1-andrew.cooper3@citrix.com>
Subject: [Xen-devel] [PATCH 1/2] x86/vtx: Fix fault semantics for early task switch failures
Cc: Juergen Gross, Kevin Tian, Jan Beulich, Wei Liu, Andrew Cooper, Jun Nakajima, Roger Pau Monné

The VT-x task switch handler adds inst_len to rip before calling hvm_task_switch(). This causes early faults to be delivered to the guest with trap semantics, and breaks restartability.

Instead, pass the instruction length into hvm_task_switch() and write it into the outgoing tss only, leaving rip in its original location.

For now, pass 0 on the SVM side. This highlights a separate preexisting bug which will be addressed in the following patch.

While adjusting call sites, drop the unnecessary uint16_t cast.

Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
Reviewed-by: Kevin Tian
Reviewed-by: Roger Pau Monné
---
CC: Jan Beulich
CC: Wei Liu
CC: Roger Pau Monné
CC: Jun Nakajima
CC: Kevin Tian
CC: Juergen Gross
---
 xen/arch/x86/hvm/hvm.c        | 4 ++--
 xen/arch/x86/hvm/svm/svm.c    | 2 +-
 xen/arch/x86/hvm/vmx/vmx.c    | 4 ++--
 xen/include/asm-x86/hvm/hvm.h | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 818e705fd1..7f556171bd 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -2913,7 +2913,7 @@ void hvm_prepare_vm86_tss(struct vcpu *v, uint32_t ba= se, uint32_t limit) =20 void hvm_task_switch( uint16_t tss_sel, enum hvm_task_switch_reason taskswitch_reason, - int32_t errcode) + int32_t errcode, unsigned int insn_len) { struct vcpu *v =3D current; struct cpu_user_regs *regs =3D guest_cpu_user_regs(); @@ -2987,7 +2987,7 @@ void hvm_task_switch( if ( taskswitch_reason =3D=3D TSW_iret ) eflags &=3D ~X86_EFLAGS_NT; =20 - tss.eip =3D regs->eip; + tss.eip =3D regs->eip + insn_len; tss.eflags =3D eflags; tss.eax =3D regs->eax; tss.ecx =3D regs->ecx; diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index 4eb6b0e4c7..049b800e20 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -2794,7 +2794,7 @@ void svm_vmexit_handler(struct cpu_user_regs *regs) */ vmcb->eventinj.bytes =3D 0; =20 - hvm_task_switch((uint16_t)vmcb->exitinfo1, reason, errcode); + hvm_task_switch(vmcb->exitinfo1, reason, errcode, 0); break; } =20 diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 6a5eeb5c13..6d048852c3 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -3956,8 +3956,8 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs) __vmread(IDT_VECTORING_ERROR_CODE, &ecode); else ecode =3D -1; - regs->rip +=3D inst_len; - hvm_task_switch((uint16_t)exit_qualification, reasons[source], eco= de); + + hvm_task_switch(exit_qualification, reasons[source], ecode, inst_l= en); break; } case EXIT_REASON_CPUID: diff --git a/xen/include/asm-x86/hvm/hvm.h b/xen/include/asm-x86/hvm/hvm.h index f86af09898..4cce59bb31 100644 --- a/xen/include/asm-x86/hvm/hvm.h +++ b/xen/include/asm-x86/hvm/hvm.h 
@@ -297,7 +297,7 @@ void hvm_set_rdtsc_exiting(struct domain *d, bool_t ena= ble); enum hvm_task_switch_reason { TSW_jmp, TSW_iret, TSW_call_or_int }; void hvm_task_switch( uint16_t tss_sel, enum hvm_task_switch_reason taskswitch_reason, - int32_t errcode); + int32_t errcode, unsigned int insn_len); =20 enum hvm_access_type { hvm_access_insn_fetch, --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
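Review bot: The new insn_len parameter added to the hvm_task_switch() prototype in the hvm.h hunk is undocumented, and its contract is only recoverable by reading the hvm.c and vmx.c hunks together: it is the length of the instruction that caused the switch, it is added to regs->eip only when tss.eip is written into the outgoing TSS, and regs->rip itself is deliberately left at the faulting instruction so that any exception raised before the switch commits restarts that instruction. A one-line comment on the prototype stating this, and that callers pass 0 for event-induced switches (the SVM call site's 0 being the known stopgap the commit message mentions), would keep the next caller from reintroducing the `regs->rip += inst_len` pattern this patch removes.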
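Review bot: Style nit on the vmx.c hunk: removing `regs->rip += inst_len;` but adding an empty `+` line leaves a stray blank line between `ecode = -1;` and the `hvm_task_switch(exit_qualification, reasons[source], ecode, inst_len);` call. Either drop the blank line or keep it consistent with the surrounding case blocks.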
From: Andrew Cooper
To: Xen-devel
Date: Thu, 21 Nov 2019 22:15:51 +0000
Message-ID: <20191121221551.1175-3-andrew.cooper3@citrix.com>
In-Reply-To: <20191121221551.1175-1-andrew.cooper3@citrix.com>
References: <20191121221551.1175-1-andrew.cooper3@citrix.com>
Subject: [Xen-devel] [PATCH 2/2] x86/svm: Write the correct %eip into the outgoing task
Cc: Juergen Gross, Andrew Cooper, Wei Liu, Jan Beulich, Roger Pau Monné

The TASK_SWITCH vmexit has fault semantics, and doesn't provide any NRIPs assistance with instruction length. As a result, any instruction-induced task switch has the outgoing task's %eip pointing at the instruction which caused the switch, rather than after it.

This causes explicit use of task gates to livelock (as when the task returns, it executes the task-switching instruction again), and any restartable task to become a nop after its first instantiation (the entry state points at the ret/iret instruction used to exit the task). 32bit Windows in particular is known to use task gates for NMI handling, and to use NMI IPIs.

In the task switch handler, distinguish instruction-induced from interrupt/exception-induced task switches, and decode the instruction under %rip to calculate its length.
Signed-off-by: Andrew Cooper
---
CC: Jan Beulich
CC: Wei Liu
CC: Roger Pau Monné
CC: Juergen Gross

The implementation of svm_get_task_switch_insn_len() is bug-compatible with svm_get_insn_len() when it comes to conditional #GP'ing. I still haven't had time to address this more thoroughly.

AMD does permit TASK_SWITCH not to be intercepted and, I'm informed, does do the right thing when it comes to a TSS crossing a page boundary. However, it is not actually safe to leave task switches unintercepted. Any NPT or shadow page fault, even from logdirty/paging/etc will corrupt guest state in an unrecoverable manner.
---
 xen/arch/x86/hvm/svm/emulate.c        | 55 +++++++++++++++++++++++++++++++++++
 xen/arch/x86/hvm/svm/svm.c            | 46 ++++++++++++++++++++++++-------
 xen/include/asm-x86/hvm/svm/emulate.h |  1 +
 3 files changed, 92 insertions(+), 10 deletions(-)

diff --git a/xen/arch/x86/hvm/svm/emulate.c b/xen/arch/x86/hvm/svm/emulate.c
index 3e52592847..176c25f60d 100644
--- a/xen/arch/x86/hvm/svm/emulate.c
+++ b/xen/arch/x86/hvm/svm/emulate.c
@@ -117,6 +117,61 @@ unsigned int svm_get_insn_len(struct vcpu *v, unsigned= int instr_enc) } =20 /* + * TASK_SWITCH vmexits never provide an instruction length. We must always + * decode under %rip to find the answer. + */ +unsigned int svm_get_task_switch_insn_len(struct vcpu *v) +{ + struct hvm_emulate_ctxt ctxt; + struct x86_emulate_state *state; + unsigned int emul_len, modrm_reg; + + ASSERT(v =3D=3D current); + hvm_emulate_init_once(&ctxt, NULL, guest_cpu_user_regs()); + hvm_emulate_init_per_insn(&ctxt, NULL, 0); + state =3D x86_decode_insn(&ctxt.ctxt, hvmemul_insn_fetch); + if ( IS_ERR_OR_NULL(state) ) + return 0; + + emul_len =3D x86_insn_length(state, &ctxt.ctxt); + + /* + * Check for an instruction which can cause a task switch. Any far + * jmp/call/ret, any software interrupt/exception, and iret. + */ + switch ( ctxt.ctxt.opcode ) + { + case 0xff: /* Grp 5 */ + /* call / jmp (far, absolute indirect) */ + if ( x86_insn_modrm(state, NULL, &modrm_reg) !=3D 3 || + (modrm_reg !=3D 3 && modrm_reg !=3D 5) ) + { + /* Wrong instruction. Throw #GP back for now. */ + default: + hvm_inject_hw_exception(TRAP_gp_fault, 0); + emul_len =3D 0; + break; + } + /* Fallthrough */ + case 0x62: /* bound */ + case 0x9a: /* call (far, absolute) */ + case 0xca: /* ret imm16 (far) */ + case 0xcb: /* ret (far) */ + case 0xcc: /* int3 */ + case 0xcd: /* int imm8 */ + case 0xce: /* into */ + case 0xcf: /* iret */ + case 0xea: /* jmp (far, absolute) */ + case 0xf1: /* icebp */ + break; + } + + x86_emulate_free_state(state); + + return emul_len; +} + +/* * Local variables: * mode: C * c-file-style: "BSD" diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index 049b800e20..ba9c24a70c 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c 
@@ -2776,7 +2776,41 @@ void svm_vmexit_handler(struct cpu_user_regs *regs) =20 case VMEXIT_TASK_SWITCH: { enum hvm_task_switch_reason reason; - int32_t errcode =3D -1; + int32_t errcode =3D -1, insn_len =3D -1; + + /* + * All TASK_SWITCH intercepts have fault-like semantics. NRIP is + * never provided, even for instruction-induced task switches, but= we + * need to know the instruction length in order to set %eip suitab= ly + * in the outgoing TSS. + * + * For a task switch which vectored through the IDT, look at the t= ype + * to distinguish interrupts/exceptions from instruction based + * switches. + */ + if ( vmcb->eventinj.fields.v ) + { + /* + * HW_EXCEPTION, NMI and EXT_INTR are not instruction based. = All + * others are. + */ + if ( vmcb->eventinj.fields.type <=3D X86_EVENTTYPE_HW_EXCEPTIO= N ) + insn_len =3D 0; + + /* + * Clobber the vectoring information, as we are going to emula= te + * the task switch in full. + */ + vmcb->eventinj.bytes =3D 0; + } + + /* + * insn_len being -1 indicates that we have an instruction-induced + * task switch. Decode under %rip to find its length. + */ + if ( insn_len < 0 && (insn_len =3D svm_get_task_switch_insn_len(v)= ) =3D=3D 0 ) + break; + if ( (vmcb->exitinfo2 >> 36) & 1 ) reason =3D TSW_iret; else if ( (vmcb->exitinfo2 >> 38) & 1 ) @@ -2786,15 +2820,7 @@ void svm_vmexit_handler(struct cpu_user_regs *regs) if ( (vmcb->exitinfo2 >> 44) & 1 ) errcode =3D (uint32_t)vmcb->exitinfo2; =20 - /* - * Some processors set the EXITINTINFO field when the task switch - * is caused by a task gate in the IDT. In this case we will be - * emulating the event injection, so we do not want the processor - * to re-inject the original event! - */ - vmcb->eventinj.bytes =3D 0; - - hvm_task_switch(vmcb->exitinfo1, reason, errcode, 0); + hvm_task_switch(vmcb->exitinfo1, reason, errcode, insn_len); break; } =20 diff --git a/xen/include/asm-x86/hvm/svm/emulate.h b/xen/include/asm-x86/hv= m/svm/emulate.h index 9af10061c5..d7364f774a 100644 
--- a/xen/include/asm-x86/hvm/svm/emulate.h +++ b/xen/include/asm-x86/hvm/svm/emulate.h @@ -51,6 +51,7 @@ struct vcpu; =20 unsigned int svm_get_insn_len(struct vcpu *v, unsigned int instr_enc); +unsigned int svm_get_task_switch_insn_len(struct vcpu *v); =20 #endif /* __ASM_X86_HVM_SVM_EMULATE_H__ */ =20 --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
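Review bot: In the emulate.c hunk, svm_get_task_switch_insn_len() puts the `default:` label inside the `if` body of `case 0xff:`, so the #GP path for an opcode that cannot cause a task switch is only reachable by falling out of a nested block of another case. This is legal C but hard to follow and easy to break the next time the case list is edited; computing a `bool ok` in the switch and injecting #GP once after it would read more plainly. On the same hunk: `v` is used only in `ASSERT(v == current)` while the decode always runs against guest_cpu_user_regs(), so either use the parameter or drop it; and when `x86_decode_insn()` returns an error the function returns 0 without injecting anything itself, which makes the caller `break` and silently drop the task switch, so it is worth confirming that every fetch failure path has already raised an exception into the guest, otherwise the guest resumes at the same %rip and retriggers the intercept.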
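Review bot: In the svm.c hunk, `vmcb->eventinj.fields.type <= X86_EVENTTYPE_HW_EXCEPTION` classifies everything up to and including the exception type as not instruction-based, yet the emulate.c hunk lists int3, into and icebp among the instructions whose length must be decoded. Please confirm how the hardware reports those trap-class software exceptions in the vectoring information when they go through a task gate: if they are reported with the exception type rather than a distinct software type, they take the `insn_len = 0` path here and the outgoing TSS %eip ends up pointing at the int3/into instruction instead of after it, which is the same re-execution problem this patch sets out to fix. The `<=` comparison also relies on the numeric ordering of the X86_EVENTTYPE_* values; an explicit check against the three named types (or a comment stating the ordering is relied upon) would be more robust. Minor: `insn_len` is declared `int32_t` but passed to an `unsigned int` parameter; the preceding `< 0` check guarantees it is non-negative at the call, but a comment saying so would help.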