xen/54005472-EPT-utilize-GLA-GPA-translation-known-for-certain-faults.patch

References: bnc#882089

# Commit ecb69533582e51999e5d76bce513be870222908f
# Date 2014-08-29 12:22:42 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
EPT: utilize GLA->GPA translation known for certain faults

Rather than doing the translation ourselves in __hvmemul_{read,write}()
leverage that we know the association for faults other than such having
occurred when translating addresses of page tables.

There is one intentional but not necessarily obvious (and possibly
subtle) adjustment to behavior: __hvmemul_read() no longer blindly
bails on instruction fetches matching the MMIO GVA (the callers of
handle_mmio_with_translation() now control the behavior via the struct
npfec they pass, and it didn't seem right to bail here rather than just
falling through to the unaccelerated path)

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>

--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -496,10 +496,11 @@ static int __hvmemul_read(
         while ( off & (chunk - 1) )
             chunk >>= 1;
 
-    if ( unlikely(vio->mmio_gva == (addr & PAGE_MASK)) && vio->mmio_gva )
+    if ( ((access_type != hvm_access_insn_fetch
+           ? vio->mmio_access.read_access
+           : vio->mmio_access.insn_fetch)) &&
+         (vio->mmio_gva == (addr & PAGE_MASK)) )
     {
-        if ( access_type == hvm_access_insn_fetch )
-            return X86EMUL_UNHANDLEABLE;
         gpa = (((paddr_t)vio->mmio_gpfn << PAGE_SHIFT) | off);
         while ( (off + chunk) <= PAGE_SIZE )
         {
@@ -639,7 +640,8 @@ static int hvmemul_write(
         while ( off & (chunk - 1) )
             chunk >>= 1;
 
-    if ( unlikely(vio->mmio_gva == (addr & PAGE_MASK)) && vio->mmio_gva )
+    if ( vio->mmio_access.write_access &&
+         (vio->mmio_gva == (addr & PAGE_MASK)) )
     {
         gpa = (((paddr_t)vio->mmio_gpfn << PAGE_SHIFT) | off);
         while ( (off + chunk) <= PAGE_SIZE )
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -1529,7 +1529,7 @@ int hvm_hap_nested_page_fault(paddr_t gp
          && is_hvm_vcpu(v)
          && hvm_mmio_internal(gpa) )
     {
-        if ( !handle_mmio() )
+        if ( !handle_mmio_with_translation(gla, gpa >> PAGE_SHIFT, npfec) )
             hvm_inject_hw_exception(TRAP_gp_fault, 0);
         rc = 1;
         goto out;
@@ -1603,7 +1603,7 @@ int hvm_hap_nested_page_fault(paddr_t gp
         if ( unlikely(is_pvh_vcpu(v)) )
             goto out;
 
-        if ( !handle_mmio() )
+        if ( !handle_mmio_with_translation(gla, gpa >> PAGE_SHIFT, npfec) )
             hvm_inject_hw_exception(TRAP_gp_fault, 0);
         rc = 1;
         goto out;
--- a/xen/arch/x86/hvm/io.c
+++ b/xen/arch/x86/hvm/io.c
@@ -189,7 +189,7 @@ int handle_mmio(void)
     if ( vio->io_state == HVMIO_awaiting_completion )
         vio->io_state = HVMIO_handle_mmio_awaiting_completion;
     else
-        vio->mmio_gva = 0;
+        vio->mmio_access = (struct npfec){};
 
     switch ( rc )
     {
@@ -218,9 +218,14 @@ int handle_mmio(void)
     return 1;
 }
 
-int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn)
+int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn,
+                                 struct npfec access)
 {
     struct hvm_vcpu_io *vio = &current->arch.hvm_vcpu.hvm_io;
+
+    vio->mmio_access = access.gla_valid &&
+                       access.kind == npfec_kind_with_gla
+                       ? access : (struct npfec){};
     vio->mmio_gva = gva & PAGE_MASK;
     vio->mmio_gpfn = gpfn;
     return handle_mmio();
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -2839,6 +2839,11 @@ static int sh_page_fault(struct vcpu *v,
     p2m_type_t p2mt;
     uint32_t rc;
     int version;
+    struct npfec access = {
+         .read_access = 1,
+         .gla_valid = 1,
+         .kind = npfec_kind_with_gla
+    };
 #if SHADOW_OPTIMIZATIONS & SHOPT_FAST_EMULATION
     int fast_emul = 0;
 #endif
@@ -2849,6 +2854,9 @@ static int sh_page_fault(struct vcpu *v,
 
     perfc_incr(shadow_fault);
 
+    if ( regs->error_code & PFEC_write_access )
+        access.write_access = 1;
+
 #if SHADOW_OPTIMIZATIONS & SHOPT_FAST_EMULATION
     /* If faulting frame is successfully emulated in last shadow fault
      * it's highly likely to reach same emulation action for this frame.
@@ -2950,7 +2958,7 @@ static int sh_page_fault(struct vcpu *v,
             SHADOW_PRINTK("fast path mmio %#"PRIpaddr"\n", gpa);
             reset_early_unshadow(v);
             trace_shadow_gen(TRC_SHADOW_FAST_MMIO, va);
-            return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT)
+            return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT, access)
                     ? EXCRET_fault_fixed : 0);
         }
         else
@@ -3447,7 +3455,7 @@ static int sh_page_fault(struct vcpu *v,
     paging_unlock(d);
     put_gfn(d, gfn_x(gfn));
     trace_shadow_gen(TRC_SHADOW_MMIO, va);
-    return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT)
+    return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT, access)
             ? EXCRET_fault_fixed : 0);
 
  not_a_shadow_fault:
--- a/xen/include/asm-x86/hvm/io.h
+++ b/xen/include/asm-x86/hvm/io.h
@@ -119,7 +119,8 @@ static inline void register_buffered_io_
 void send_timeoffset_req(unsigned long timeoff);
 void send_invalidate_req(void);
 int handle_mmio(void);
-int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn);
+int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn,
+                                 struct npfec);
 int handle_pio(uint16_t port, unsigned int size, int dir);
 void hvm_interrupt_post(struct vcpu *v, int vector, int type);
 void hvm_io_assist(ioreq_t *p);
--- a/xen/include/asm-x86/hvm/vcpu.h
+++ b/xen/include/asm-x86/hvm/vcpu.h
@@ -54,8 +54,9 @@ struct hvm_vcpu_io {
      * HVM emulation:
      *  Virtual address @mmio_gva maps to MMIO physical frame @mmio_gpfn.
      *  The latter is known to be an MMIO frame (not RAM).
-     *  This translation is only valid if @mmio_gva is non-zero.
+     *  This translation is only valid for accesses as per @mmio_access.
      */
+    struct npfec        mmio_access;
     unsigned long       mmio_gva;
     unsigned long       mmio_gpfn;
- Update to Xen Version 4.4.1 FCS xen-4.4.1-testing-src.tar.bz2 - Dropped patches now contained in tarball 53d7b781-x86-cpu-undo-BIOS-CPUID-max_leaf-limit-earlier.patch 53df71c7-lz4-check-for-underruns.patch 53e47d6b-x86_emulate-properly-do-IP-updates-and-other-side-effects.patch - bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus 53df727b-x86-HVM-extend-LAPIC-shortcuts-around-P2M-lookups.patch 53e8be5f-x86-vHPET-use-rwlock-instead-of-simple-one.patch 53ff3659-x86-consolidate-boolean-inputs-in-hvm-and-p2m.patch 53ff36ae-x86-hvm-treat-non-insn-fetch-NPF-also-as-read-violations.patch 53ff36d5-x86-mem_event-deliver-gla-fault-EPT-violation-information.patch 54005472-EPT-utilize-GLA-GPA-translation-known-for-certain-faults.patch - Upstream patches from Jan 53f737b1-VMX-fix-DebugCtl-MSR-clearing.patch 53f7386d-x86-irq-process-softirqs-in-irq-keyhandlers.patch 53ff3716-x86-ats-Disable-Address-Translation-Services-by-default.patch 53ff3899-x86-NMI-allow-processing-unknown-NMIs-with-watchdog.patch - bnc#864801 - VUL-0: CVE-2013-4540: qemu: zaurus: buffer overrun on invalid state load CVE-2013-4540-qemu.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=328 2014-09-03 23:59:31 +02:00			`References: bnc#882089`

			`# Commit ecb69533582e51999e5d76bce513be870222908f`
			`# Date 2014-08-29 12:22:42 +0200`
			`# Author Jan Beulich <jbeulich@suse.com>`
			`# Committer Jan Beulich <jbeulich@suse.com>`
			`EPT: utilize GLA->GPA translation known for certain faults`

			`Rather than doing the translation ourselves in __hvmemul_{read,write}()`
			`leverage that we know the association for faults other than such having`
			`occurred when translating addresses of page tables.`

			`There is one intentional but not necessarily obvious (and possibly`
			`subtle) adjustment to behavior: __hvmemul_read() no longer blindly`
			`bails on instruction fetches matching the MMIO GVA (the callers of`
			`handle_mmio_with_translation() now control the behavior via the struct`
			`npfec they pass, and it didn't seem right to bail here rather than just`
			`falling through to the unaccelerated path)`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Reviewed-by: Tim Deegan <tim@xen.org>`

			`--- a/xen/arch/x86/hvm/emulate.c`
			`+++ b/xen/arch/x86/hvm/emulate.c`
			`@@ -496,10 +496,11 @@ static int __hvmemul_read(`
			`while ( off & (chunk - 1) )`
			`chunk >>= 1;`

			`- if ( unlikely(vio->mmio_gva == (addr & PAGE_MASK)) && vio->mmio_gva )`
			`+ if ( ((access_type != hvm_access_insn_fetch`
			`+ ? vio->mmio_access.read_access`
			`+ : vio->mmio_access.insn_fetch)) &&`
			`+ (vio->mmio_gva == (addr & PAGE_MASK)) )`
			`{`
			`- if ( access_type == hvm_access_insn_fetch )`
			`- return X86EMUL_UNHANDLEABLE;`
			`gpa = (((paddr_t)vio->mmio_gpfn << PAGE_SHIFT) \| off);`
			`while ( (off + chunk) <= PAGE_SIZE )`
			`{`
			`@@ -639,7 +640,8 @@ static int hvmemul_write(`
			`while ( off & (chunk - 1) )`
			`chunk >>= 1;`

			`- if ( unlikely(vio->mmio_gva == (addr & PAGE_MASK)) && vio->mmio_gva )`
			`+ if ( vio->mmio_access.write_access &&`
			`+ (vio->mmio_gva == (addr & PAGE_MASK)) )`
			`{`
			`gpa = (((paddr_t)vio->mmio_gpfn << PAGE_SHIFT) \| off);`
			`while ( (off + chunk) <= PAGE_SIZE )`
			`--- a/xen/arch/x86/hvm/hvm.c`
			`+++ b/xen/arch/x86/hvm/hvm.c`
			`@@ -1529,7 +1529,7 @@ int hvm_hap_nested_page_fault(paddr_t gp`
			`&& is_hvm_vcpu(v)`
			`&& hvm_mmio_internal(gpa) )`
			`{`
			`- if ( !handle_mmio() )`
			`+ if ( !handle_mmio_with_translation(gla, gpa >> PAGE_SHIFT, npfec) )`
			`hvm_inject_hw_exception(TRAP_gp_fault, 0);`
			`rc = 1;`
			`goto out;`
			`@@ -1603,7 +1603,7 @@ int hvm_hap_nested_page_fault(paddr_t gp`
			`if ( unlikely(is_pvh_vcpu(v)) )`
			`goto out;`

			`- if ( !handle_mmio() )`
			`+ if ( !handle_mmio_with_translation(gla, gpa >> PAGE_SHIFT, npfec) )`
			`hvm_inject_hw_exception(TRAP_gp_fault, 0);`
			`rc = 1;`
			`goto out;`
			`--- a/xen/arch/x86/hvm/io.c`
			`+++ b/xen/arch/x86/hvm/io.c`
			`@@ -189,7 +189,7 @@ int handle_mmio(void)`
			`if ( vio->io_state == HVMIO_awaiting_completion )`
			`vio->io_state = HVMIO_handle_mmio_awaiting_completion;`
			`else`
			`- vio->mmio_gva = 0;`
			`+ vio->mmio_access = (struct npfec){};`

			`switch ( rc )`
			`{`
			`@@ -218,9 +218,14 @@ int handle_mmio(void)`
			`return 1;`
			`}`

			`-int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn)`
			`+int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn,`
			`+ struct npfec access)`
			`{`
			`struct hvm_vcpu_io *vio = &current->arch.hvm_vcpu.hvm_io;`
			`+`
			`+ vio->mmio_access = access.gla_valid &&`
			`+ access.kind == npfec_kind_with_gla`
			`+ ? access : (struct npfec){};`
			`vio->mmio_gva = gva & PAGE_MASK;`
			`vio->mmio_gpfn = gpfn;`
			`return handle_mmio();`
			`--- a/xen/arch/x86/mm/shadow/multi.c`
			`+++ b/xen/arch/x86/mm/shadow/multi.c`
			`@@ -2839,6 +2839,11 @@ static int sh_page_fault(struct vcpu *v,`
			`p2m_type_t p2mt;`
			`uint32_t rc;`
			`int version;`
			`+ struct npfec access = {`
			`+ .read_access = 1,`
			`+ .gla_valid = 1,`
			`+ .kind = npfec_kind_with_gla`
			`+ };`
			`#if SHADOW_OPTIMIZATIONS & SHOPT_FAST_EMULATION`
			`int fast_emul = 0;`
			`#endif`
			`@@ -2849,6 +2854,9 @@ static int sh_page_fault(struct vcpu *v,`

			`perfc_incr(shadow_fault);`

			`+ if ( regs->error_code & PFEC_write_access )`
			`+ access.write_access = 1;`
			`+`
			`#if SHADOW_OPTIMIZATIONS & SHOPT_FAST_EMULATION`
			`/* If faulting frame is successfully emulated in last shadow fault`
			`* it's highly likely to reach same emulation action for this frame.`
			`@@ -2950,7 +2958,7 @@ static int sh_page_fault(struct vcpu *v,`
			`SHADOW_PRINTK("fast path mmio %#"PRIpaddr"\n", gpa);`
			`reset_early_unshadow(v);`
			`trace_shadow_gen(TRC_SHADOW_FAST_MMIO, va);`
			`- return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT)`
			`+ return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT, access)`
			`? EXCRET_fault_fixed : 0);`
			`}`
			`else`
			`@@ -3447,7 +3455,7 @@ static int sh_page_fault(struct vcpu *v,`
			`paging_unlock(d);`
			`put_gfn(d, gfn_x(gfn));`
			`trace_shadow_gen(TRC_SHADOW_MMIO, va);`
			`- return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT)`
			`+ return (handle_mmio_with_translation(va, gpa >> PAGE_SHIFT, access)`
			`? EXCRET_fault_fixed : 0);`

			`not_a_shadow_fault:`
			`--- a/xen/include/asm-x86/hvm/io.h`
			`+++ b/xen/include/asm-x86/hvm/io.h`
			`@@ -119,7 +119,8 @@ static inline void register_buffered_io_`
			`void send_timeoffset_req(unsigned long timeoff);`
			`void send_invalidate_req(void);`
			`int handle_mmio(void);`
			`-int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn);`
			`+int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn,`
			`+ struct npfec);`
			`int handle_pio(uint16_t port, unsigned int size, int dir);`
			`void hvm_interrupt_post(struct vcpu *v, int vector, int type);`
			`void hvm_io_assist(ioreq_t *p);`
			`--- a/xen/include/asm-x86/hvm/vcpu.h`
			`+++ b/xen/include/asm-x86/hvm/vcpu.h`
			`@@ -54,8 +54,9 @@ struct hvm_vcpu_io {`
			`* HVM emulation:`
			`* Virtual address @mmio_gva maps to MMIO physical frame @mmio_gpfn.`
			`* The latter is known to be an MMIO frame (not RAM).`
			`- * This translation is only valid if @mmio_gva is non-zero.`
			`+ * This translation is only valid for accesses as per @mmio_access.`
			`*/`
			`+ struct npfec mmio_access;`
			`unsigned long mmio_gva;`
			`unsigned long mmio_gpfn;`