Message-ID: <0d19eb84-f2b7-aa24-2fe9-19035b49fbd6@amd.com>
Date: Thu, 8 Jul 2021 10:02:04 -0500
From: Brijesh Singh <brijesh.singh@....com>
To: Dave Hansen <dave.hansen@...el.com>, x86@...nel.org,
linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
linux-efi@...r.kernel.org, platform-driver-x86@...r.kernel.org,
linux-coco@...ts.linux.dev, linux-mm@...ck.org,
linux-crypto@...r.kernel.org
Cc: brijesh.singh@....com, Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Joerg Roedel <jroedel@...e.de>,
Tom Lendacky <thomas.lendacky@....com>,
"H. Peter Anvin" <hpa@...or.com>, Ard Biesheuvel <ardb@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Sean Christopherson <seanjc@...gle.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Andy Lutomirski <luto@...nel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Sergio Lopez <slp@...hat.com>, Peter Gonda <pgonda@...gle.com>,
Peter Zijlstra <peterz@...radead.org>,
Srinivas Pandruvada <srinivas.pandruvada@...ux.intel.com>,
David Rientjes <rientjes@...gle.com>,
Dov Murik <dovmurik@...ux.ibm.com>,
Tobin Feldman-Fitzthum <tobin@....com>,
Borislav Petkov <bp@...en8.de>,
Michael Roth <michael.roth@....com>,
Vlastimil Babka <vbabka@...e.cz>, tony.luck@...el.com,
npmccallum@...hat.com, brijesh.ksingh@...il.com
Subject: Re: [PATCH Part2 RFC v4 09/40] x86/fault: Add support to dump RMP
entry on fault
Hi Dave,

On 7/7/21 2:21 PM, Dave Hansen wrote:
>> @@ -502,6 +503,81 @@ static void show_ldttss(const struct desc_ptr *gdt, const char *name, u16 index)
>> name, index, addr, (desc.limit0 | (desc.limit1 << 16)));
>> }
>>
>> +static void dump_rmpentry(unsigned long address)
>> +{
>
> A comment on this sucker would be nice. I *think* this must be a kernel
> virtual address. Reflecting that into the naming or a comment would be
> nice.
Ack, I will add a comment.
>
>> + struct rmpentry *e;
>> + unsigned long pfn;
>> + pgd_t *pgd;
>> + pte_t *pte;
>> + int level;
>> +
>> + pgd = __va(read_cr3_pa());
>> + pgd += pgd_index(address);
>> +
>> + pte = lookup_address_in_pgd(pgd, address, &level);
>> + if (unlikely(!pte))
>> + return;
>
> It's a little annoying this is doing *another* separate page walk.
> Don't we already do this for dumping the page tables themselves at oops
> time?
>
Yes, we already do the walk in the oops function; I'll extend
dump_rmpentry() to use the level from the oops to avoid the duplicate walk.
> Also, please get rid of all of the likely/unlikely()s in your patches.
> They are pure noise unless you have specific knowledge of the compiler
> getting something so horribly wrong that it affects real-world performance.
>
>> + switch (level) {
>> + case PG_LEVEL_4K: {
>> + pfn = pte_pfn(*pte);
>> + break;
>> + }
>
> These superfluous brackets are really strange looking. Could you remove
> them, please?
Noted.
>
>> + case PG_LEVEL_2M: {
>> + pfn = pmd_pfn(*(pmd_t *)pte);
>> + break;
>> + }
>> + case PG_LEVEL_1G: {
>> + pfn = pud_pfn(*(pud_t *)pte);
>> + break;
>> + }
>> + case PG_LEVEL_512G: {
>> + pfn = p4d_pfn(*(p4d_t *)pte);
>> + break;
>> + }
>> + default:
>> + return;
>> + }
>> +
>> + e = snp_lookup_page_in_rmptable(pfn_to_page(pfn), &level);
>
> So, lookup_address_in_pgd() looks to me like it will return pretty
> random page table entries as long as the entry isn't
> p{gd,4d,ud,md,te}_none(). It can certainly return !p*_present()
> entries. Those are *NOT* safe to call pfn_to_page() on.
>
I will add some checks to make sure that we are accessing only safe pfn's.
>> + if (unlikely(!e))
>> + return;
>> +
>> + /*
>> + * If the RMP entry at the faulting address was not assigned, then
>> + * dump may not provide any useful debug information. Iterate
>> + * through the entire 2MB region, and dump the RMP entries if one
>> + * of the bit in the RMP entry is set.
>> + */
>
> Some of this comment should be moved down to the loop itself.
Noted.
>
>> + if (rmpentry_assigned(e)) {
>> + pr_alert("RMPEntry paddr 0x%lx [assigned=%d immutable=%d pagesize=%d gpa=0x%lx"
>> + " asid=%d vmsa=%d validated=%d]\n", pfn << PAGE_SHIFT,
>> + rmpentry_assigned(e), rmpentry_immutable(e), rmpentry_pagesize(e),
>> + rmpentry_gpa(e), rmpentry_asid(e), rmpentry_vmsa(e),
>> + rmpentry_validated(e));
>> +
>> + pr_alert("RMPEntry paddr 0x%lx %016llx %016llx\n", pfn << PAGE_SHIFT,
>> + e->high, e->low);
>
> Could you please include an entire oops in the changelog that also
> includes this information? It would be really nice if this was at least
> consistent in style to the stuff around it.
Here is one example: (in this case page was immutable and HV attempted
to write to it).

BUG: unable to handle page fault for address: ffff98c78ee00000
#PF: supervisor write access in kernel mode
#PF: error_code(0x80000003) - rmp violation
PGD 304b201067 P4D 304b201067 PUD 20c7f06063 PMD 20c8976063 PTE 80000020cee00163
RMPEntry paddr 0x20cee00000 [assigned=1 immutable=1 pagesize=0 gpa=0x0 asid=0 vmsa=0 validated=0]
RMPEntry paddr 0x20cee00000 000000000000000f 8000000000000ffd
>
> Also, how much of this stuff like rmpentry_asid() is duplicated in the
> "raw" dump of e->high and e->low?
>
Most of the rmpentry_xxx accessors read e->low. The RMP entry is
16 bytes. The AMD APM defines only a few bits and keeps everything else
reserved. We are in the process of updating the APM to document a few more
bits. I am not adding accessors for the undocumented fields. Until then,
we dump the entire 16 bytes.

I agree that we are duplicating the information. I can live with just a
raw dump. That means anyone who is debugging the crash will look at the
APM to decode the fields.
>> + } else {
>> + unsigned long pfn_end;
>> +
>> + pfn = pfn & ~0x1ff;
>
> There's a nice magic number. Why not:
>
> pfn = pfn & ~(PTRS_PER_PMD-1);
>
> ?
Noted.
>
> This also needs a comment about *WHY* this case is looking at a 2MB region.
>
Actually, the comment above says why we are looking for the 2MB region.
Let me rearrange the comment block so that it's clearer.

The reason for iterating through the 2MB region is: if the faulting address
is not assigned in the RMP table, and the page table walk level is 2MB, then
one of the entries within the large page is the root cause of the fault.
Since we don't know which entry, I dump all the non-zero entries.
>> + pfn_end = pfn + PTRS_PER_PMD;
>> +
>> + while (pfn < pfn_end) {
>> + e = snp_lookup_page_in_rmptable(pfn_to_page(pfn), &level);
>> +
>> + if (unlikely(!e))
>> + return;
>> +
>> + if (e->low || e->high)
>> + pr_alert("RMPEntry paddr 0x%lx: %016llx %016llx\n",
>> + pfn << PAGE_SHIFT, e->high, e->low);
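Review bot: the else branch scans the 2MB-aligned region without checking that the page-table walk actually found a 2M mapping. `level` is filled in by lookup_address_in_pgd(), but the later snp_lookup_page_in_rmptable(pfn_to_page(pfn), &level) call is passed the same variable, and the branch is chosen on rmpentry_assigned(e) alone, so a PG_LEVEL_4K (or 1G/512G) walk with an unassigned entry takes the scan path as well. Keep the page-table level in its own variable and gate the scan on it, or state in the comment that the scan is intended for every level. Two smaller points in the loop: `if (unlikely(!e)) return;` abandons the rest of the region on the first failed lookup, and the raw-dump format here ("paddr 0x%lx: %016llx") carries a colon that the earlier raw dump ("paddr 0x%lx %016llx") lacks, so one style should be chosen for both.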
>
> Why does this dump "raw" RMP entries while the above stuff filters them
> through a bunch of helper macros?
>
There are two cases which we need to consider:

1) the faulting page is a guest private (aka assigned)
2) the faulting page is a hypervisor (aka shared)

We will be primarily seeing #1. In this case, we know it's an assigned
page, and we can decode the fields.

#2 will happen in rare conditions; if it happens, one of the
undocumented bits in the RMP entry can provide us some useful information,
hence we dump the raw values.

-Brijesh