Re: [PATCH] x86: setup: extend low identity map to cover whole kernel range

From: Matt Fleming
Date: Wed Oct 14 2015 - 17:01:20 EST

Next message: kbuild test robot: "Re: [PATCH][v5] PM / hibernate: Print the possible panic reason when resuming with inconsistent e820 map"
Previous message: Amanieu d'Antras: "[PATCH 20/20] signal: Remove unnecessary zero-initialization of siginfo_t"
In reply to: Andy Lutomirski: "Re: [PATCH] x86: setup: extend low identity map to cover whole kernel range"
Next in thread: Andy Lutomirski: "Re: [PATCH] x86: setup: extend low identity map to cover whole kernel range"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 14 Oct, at 09:22:03AM, Andy Lutomirski wrote:
> On Wed, Oct 14, 2015 at 6:52 AM, Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx> wrote:
> > (Pulling in luto for low-level x86 fu)
> >
> > On Wed, 14 Oct, at 01:30:45PM, Paolo Bonzini wrote:
> >> On 32-bit systems, the initial_page_table is reused by
> >> efi_call_phys_prolog as an identity map to call
> >> SetVirtualAddressMap. efi_call_phys_prolog takes care of
> >> converting the current CPU's GDT to a physical address too.
> >>
> >> For PAE kernels the identity mapping is achieved by aliasing the
> >> first PDPE for the kernel memory mapping into the first PDPE
> >> of initial_page_table. This makes the EFI stub's trick "just work".
> >>
> >> However, for non-PAE kernels there is no guarantee that the identity
> >> mapping in the initial_page_table extends as far as the GDT; in this
> >> case, accesses to the GDT will cause a page fault (which quickly becomes
> >> a triple fault). Fix this by copying the kernel mappings from
> >> swapper_pg_dir to initial_page_table twice, both at PAGE_OFFSET and at
> >> identity mapping.
> >
> > Oops, good catch guys. This is clearly a bug, but...
> >
> >> For some reason, this is only reproducible with QEMU's dynamic translation
> >> mode, and not for example with KVM. However, even under KVM one can clearly
> >> see that the page table is bogus:
>
> I haven't looked at the code, but it wouldn't surprise me if this is
> some kind of TLB issue. With the hardware TLB (which is in use on
> KVM), it seems quite likely that the GDT is pretty much always in the
> TLB and, if nothing flushes global mappings, then it'll probably stick
> around.

>From some quick experiments it appears that you can skate past this
issue if you don't receive any interrupts while the bogus GDT pointer
is loaded, or if you avoid reloading the segment registers in general.
Which is interesting because I assumed that writing to GDTR took
immediate effect.

Up until commit 23a0d4e8fa6d ("efi: Disable interrupts around EFI
calls, not in the epilog/prolog calls") interrupts were disabled
around the prolog and epilog calls, and the functional GDT was
re-installed before interrupts were re-enabled.

That does explain why no one has complained about this issue before.

--
Matt Fleming, Intel Open Source Technology Center
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: kbuild test robot: "Re: [PATCH][v5] PM / hibernate: Print the possible panic reason when resuming with inconsistent e820 map"
Previous message: Amanieu d'Antras: "[PATCH 20/20] signal: Remove unnecessary zero-initialization of siginfo_t"
In reply to: Andy Lutomirski: "Re: [PATCH] x86: setup: extend low identity map to cover whole kernel range"
Next in thread: Andy Lutomirski: "Re: [PATCH] x86: setup: extend low identity map to cover whole kernel range"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]