| Message ID | 1462466065-30212-16-git-send-email-julien.grall@arm.com |
|---|---|
| State | Superseded |
Hi Stefano,

On 21/05/16 15:51, Stefano Stabellini wrote:
> On Sat, 21 May 2016, Stefano Stabellini wrote:
>> On Thu, 5 May 2016, Julien Grall wrote:
>>> Based on ARM ARM (D4.5.3 in ARM DDI 0486A and B3.12.7 in ARM DDI 0406C.c),
>>> a Stage 1 translation error has priority over a Stage 2 translation error.
>>>
>>> Therefore gva_to_ipa can only fail if another vCPU is playing with the
>>> page table.
>>>
>>> Rather than injecting a custom fault, replay the instruction and let the
>>> processor inject the correct fault.
>>>
>>> Signed-off-by: Julien Grall <julien.grall@arm.com>
>>
>> Couldn't a guest purposely cause a DoS in the hypervisor this way?
>
> Just double-checking. I am pretty sure it cannot, because the replayed
> instruction won't cause another hypervisor trap the second time around.

Before returning to the guest vCPU, Xen is handling any pending softirqs (see leave_hypervisor_tail). It might be possible to have the vCPU rescheduled. So even if the replay causes another hypervisor trap, it will only impact its timeslice.

I will update the commit message to explain why it is not possible.

Regards,
diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index c0325d5..3acdba0 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -2410,7 +2410,7 @@ static void do_trap_instr_abort_guest(struct cpu_user_regs *regs, rc = gva_to_ipa(gva, &gpa, GV2M_READ); if ( rc == -EFAULT ) - goto bad_insn_abort; + return; /* Try again */ } rc = p2m_mem_access_check(gpa, gva, npfec); @@ -2422,7 +2422,6 @@ static void do_trap_instr_abort_guest(struct cpu_user_regs *regs, break; } -bad_insn_abort: inject_iabt_exception(regs, gva, hsr.len); } @@ -2452,7 +2451,7 @@ static void do_trap_data_abort_guest(struct cpu_user_regs *regs, { rc = gva_to_ipa(info.gva, &info.gpa, GV2M_READ); if ( rc == -EFAULT ) - goto bad_data_abort; + return; /* Try again */ } switch ( dabt.dfsc & 0x3f )
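Review bot: the bare `return; /* Try again */` on the -EFAULT path of do_trap_instr_abort_guest encodes a non-obvious invariant that the comment does not state: returning without advancing the PC replays the faulting instruction, and the replay is expected to take the Stage 1 fault in hardware instead of trapping again, because gva_to_ipa() can only fail with -EFAULT while another vCPU is concurrently changing the guest page tables. Suggest expanding the comment to say that, together with the point raised in the thread that a guest which keeps re-faulting only burns its own timeslice since pending softirqs are handled before the return to the guest (leave_hypervisor_tail), so a reader does not have to search the list archive to see why this cannot loop inside the hypervisor.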
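Review bot: dropping the `bad_insn_abort:` label is only safe if the `goto bad_insn_abort` removed in the first hunk was its sole user; the diff shows no other jump, but the hunk context is too narrow to confirm it, and a remaining reference would fail to compile, so a grep of do_trap_instr_abort_guest is worth doing before this is merged. With the label gone, inject_iabt_exception() is still reached through the `break` at the end of the switch, which preserves the existing fault injection for the non-EFAULT paths.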
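Review bot: the data-abort hunk is asymmetric with the instruction-abort change: `goto bad_data_abort` is replaced by `return; /* Try again */`, but the `bad_data_abort:` label itself is not removed, and the diffstat (3 deletions: two gotos and the `bad_insn_abort:` label) confirms it was left in place. Presumably other paths in do_trap_data_abort_guest still jump to it; a sentence in the commit message saying so would avoid the impression that the label was simply forgotten. The expanded comment suggested for the instruction-abort path applies here as well, ideally pointing at one explanation rather than duplicating it.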
Based on ARM ARM (D4.5.3 in ARM DDI 0486A and B3.12.7 in ARM DDI 0406C.c),
a Stage 1 translation error has priority over a Stage 2 translation error.

Therefore gva_to_ipa can only fail if another vCPU is playing with the
page table.

Rather than injecting a custom fault, replay the instruction and let the
processor inject the correct fault.

Signed-off-by: Julien Grall <julien.grall@arm.com>
---
 xen/arch/arm/traps.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)