From nobody Mon Feb 9 03:16:51 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1671748354528150.3804048854837; Thu, 22 Dec 2022 14:32:34 -0800 (PST) Received: from list by lists.xenproject.org with outflank-mailman.468696.727894 (Exim 4.92) (envelope-from ) id 1p8U6k-0003ql-GB; Thu, 22 Dec 2022 22:32:10 +0000 Received: by outflank-mailman (output) from mailman id 468696.727894; Thu, 22 Dec 2022 22:32:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1p8U6k-0003po-Bl; Thu, 22 Dec 2022 22:32:10 +0000 Received: by outflank-mailman (input) for mailman id 468696; Thu, 22 Dec 2022 22:32:09 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1p8U6j-0003ch-1g for xen-devel@lists.xenproject.org; Thu, 22 Dec 2022 22:32:09 +0000 Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 75c10f6f-8248-11ed-8fd4-01056ac49cbb; Thu, 22 Dec 2022 23:32:04 +0100 (CET) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 2E8C25C00B4; Thu, 22 Dec 2022 17:32:04 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Thu, 22 Dec 2022 17:32:04 -0500 Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 22 Dec 2022 17:32:03 -0500 (EST) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 75c10f6f-8248-11ed-8fd4-01056ac49cbb DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm2; t=1671748324; x=1671834724; bh=fT0Z3+eeo9 6n0/JAYUaHTtOcrsYp5CyVIPq9wgQhDIc=; b=ETfPuXBXhPoqGmpfPCKjDF037W /36r9T54OE7tKKn3PVsyzVvE7OVNR9zfBT2kFMbK6Z6+XJeg2KmkiV99JeZLGdL0 32w5MhyX5Ap1WdRYCEegsd5hHSE6DKk4B4eUC7JQu8hC0RWTL2qd27Jwug4RW4lb ZjYMXyWKIAEs0WIVrBcDB+8fkf9cOVlH+XM3D24wNTGdRw5dMas5+PQA6GPANh8I lDEGNK+V7pTusg2Fwy+pCCOFkgOIoKN+/WTz3W77D1qXhDibeCfS5gq6j7qVlZy3 315GijRh5ieUQM/hhmEBQ5qpgSrE+i1k6QESiovLl7YNXEvWnDNNl/cwZKzA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1671748324; x= 1671834724; bh=fT0Z3+eeo96n0/JAYUaHTtOcrsYp5CyVIPq9wgQhDIc=; b=X 9lZy4FShFs0Uya4r95r1XzycYPqHXWxof8BIHQZlCGaGZ4mRBIZFsEkka+7p93HO zy7hocws79htKhJUE5OGCOq3cnWuEQZ34dJD6frXqhhC/jPP1KNuL/rLfW3vWUYn oOw0e2Zd9l6SNTaD/s8uHYs6yCfs6+Tc79b9cadIRXJ3hvV0LbVuzNUIt55hgd6q GG8nn8/25WF1cIS2zvitifny//zKZcEzl2fT2Afd9oMgRzTRyELJ6vv8Ywcej/BU 7eEG9APo0AkARsUrOJjGOEsh43mjTnF2808NXhRXmA4OwfOgnsIJNu1C3Q7V234P OWVj6H84sY3o/gq7Pea3g== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrhedtgdduieefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvvefufffkofgjfhggtgfgsehtkeertdertdejnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeeludekleeljeekveekfeeghfff gedvieegleeigeejffefieeviedvjeegveetieenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour To: xen-devel@lists.xenproject.org Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , Jan Beulich , Andrew Cooper , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Wei Liu , Tim Deegan , George Dunlap Subject: [PATCH v6 4/5] x86/mm: Reject invalid cacheability in PV guests by default Date: Thu, 22 Dec 2022 17:31:49 -0500 Message-Id: <2236399f561d348937f2ff7777fe47ad4236dbda.1671744225.git.demi@invisiblethingslab.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1671748354770100011 Setting cacheability flags that are not ones specified by Xen is a bug in the guest. By default, return -EINVAL if a guests attempts to do this. The invalid-cacheability=3D Xen command-line flag allows the administrator to allow such attempts or to produce Suggested-by: Andrew Cooper Signed-off-by: Demi Marie Obenour --- Changes since v5: - Make parameters static and __ro_after_init. - Replace boolean parameter allow_invalid_cacheability with string parameter invalid-cacheability. - Move parameter definitions to near where they are used. - Add documentation. Changes since v4: - Remove pointless BUILD_BUG_ON(). - Add comment explaining why an exception is being injected. Changes since v3: - Add Andrew Cooper=E2=80=99s Suggested-by --- docs/misc/xen-command-line.pandoc | 11 ++++++ xen/arch/x86/mm.c | 60 ++++++++++++++++++++++++++++++- 2 files changed, 70 insertions(+), 1 deletion(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line= .pandoc index 424b12cfb27d6ade2ec63eacb8afe5df82465451..0230a7bc17cbd4362a42ea64cea= 695f31f5e0f86 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1417,6 +1417,17 @@ detection of systems known to misbehave upon accesse= s to that port. ### idle_latency_factor (x86) > `=3D ` =20 +### invalid-cacheability (x86) +> `=3D allow | deny | trap` + +> Default: `deny` in release builds, otherwise `trap` + +Specify what happens when a PV guest tries to use one of the reserved entr= ies in +the PAT. `deny` causes the attempt to be rejected with -EINVAL, `allow` a= llows +the attempt, and `trap` causes a general protection fault to be raised. +Currently, the reserved entries are marked as uncacheable in Xen's PAT, bu= t this +will change if new memory types are added, so guests must not rely on it. + ### ioapic_ack (x86) > `=3D old | new` =20 diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 65ba0f58ed8c26ac0343528303851739981c03bd..bacfb776d688f68dcbf79d83723= fff329b75fd18 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -1324,6 +1324,37 @@ static int put_page_from_l4e(l4_pgentry_t l4e, mfn_t= l4mfn, unsigned int flags) return put_pt_page(l4e_get_page(l4e), mfn_to_page(l4mfn), flags); } =20 +enum { + INVALID_CACHEABILITY_ALLOW, + INVALID_CACHEABILITY_DENY, + INVALID_CACHEABILITY_TRAP, +}; + +#ifdef NDEBUG +#define INVALID_CACHEABILITY_DEFAULT INVALID_CACHEABILITY_DENY +#else +#define INVALID_CACHEABILITY_DEFAULT INVALID_CACHEABILITY_TRAP +#endif + +static __ro_after_init uint8_t invalid_cacheability =3D + INVALID_CACHEABILITY_DEFAULT; + +static int __init cf_check set_invalid_cacheability(const char *str) +{ + if (strcmp("allow", str) =3D=3D 0) + invalid_cacheability =3D INVALID_CACHEABILITY_ALLOW; + else if (strcmp("deny", str) =3D=3D 0) + invalid_cacheability =3D INVALID_CACHEABILITY_DENY; + else if (strcmp("trap", str) =3D=3D 0) + invalid_cacheability =3D INVALID_CACHEABILITY_TRAP; + else + return -EINVAL; + + return 0; +} + +custom_param("invalid-cacheability", set_invalid_cacheability); + static int promote_l1_table(struct page_info *page) { struct domain *d =3D page_get_owner(page); @@ -1343,7 +1374,34 @@ static int promote_l1_table(struct page_info *page) } else { - switch ( ret =3D get_page_from_l1e(pl1e[i], d, d) ) + l1_pgentry_t l1e =3D pl1e[i]; + + if ( invalid_cacheability !=3D INVALID_CACHEABILITY_ALLOW ) + { + switch ( l1e.l1 & PAGE_CACHE_ATTRS ) + { + case _PAGE_WB: + case _PAGE_UC: + case _PAGE_UCM: + case _PAGE_WC: + case _PAGE_WT: + case _PAGE_WP: + break; + default: + /* + * If we get here, a PV guest tried to use one of the + * reserved values in Xen's PAT. This indicates a bug + * in the guest. If requested by the user, inject #GP + * to cause the guest to log a stack trace. + */ + if ( invalid_cacheability =3D=3D INVALID_CACHEABILITY_= TRAP ) + pv_inject_hw_exception(TRAP_gp_fault, 0); + ret =3D -EINVAL; + goto fail; + } + } + + switch ( ret =3D get_page_from_l1e(l1e, d, d) ) { default: goto fail; --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab