lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0d19eb84-f2b7-aa24-2fe9-19035b49fbd6@amd.com>
Date:   Thu, 8 Jul 2021 10:02:04 -0500
From:   Brijesh Singh <brijesh.singh@....com>
To:     Dave Hansen <dave.hansen@...el.com>, x86@...nel.org,
        linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
        linux-efi@...r.kernel.org, platform-driver-x86@...r.kernel.org,
        linux-coco@...ts.linux.dev, linux-mm@...ck.org,
        linux-crypto@...r.kernel.org
Cc:     brijesh.singh@....com, Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Joerg Roedel <jroedel@...e.de>,
        Tom Lendacky <thomas.lendacky@....com>,
        "H. Peter Anvin" <hpa@...or.com>, Ard Biesheuvel <ardb@...nel.org>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Sean Christopherson <seanjc@...gle.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Wanpeng Li <wanpengli@...cent.com>,
        Jim Mattson <jmattson@...gle.com>,
        Andy Lutomirski <luto@...nel.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Sergio Lopez <slp@...hat.com>, Peter Gonda <pgonda@...gle.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Srinivas Pandruvada <srinivas.pandruvada@...ux.intel.com>,
        David Rientjes <rientjes@...gle.com>,
        Dov Murik <dovmurik@...ux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@....com>,
        Borislav Petkov <bp@...en8.de>,
        Michael Roth <michael.roth@....com>,
        Vlastimil Babka <vbabka@...e.cz>, tony.luck@...el.com,
        npmccallum@...hat.com, brijesh.ksingh@...il.com
Subject: Re: [PATCH Part2 RFC v4 09/40] x86/fault: Add support to dump RMP
 entry on fault

Hi Dave,


On 7/7/21 2:21 PM, Dave Hansen wrote:
>> @@ -502,6 +503,81 @@ static void show_ldttss(const struct desc_ptr *gdt, const char *name, u16 index)
>>   		 name, index, addr, (desc.limit0 | (desc.limit1 << 16)));
>>   }
>>   
>> +static void dump_rmpentry(unsigned long address)
>> +{
> 
> A comment on this sucker would be nice.  I *think* this must be a kernel
> virtual address.  Reflecting that into the naming or a comment would be
> nice.

Ack, I will add some comment.

> 
>> +	struct rmpentry *e;
>> +	unsigned long pfn;
>> +	pgd_t *pgd;
>> +	pte_t *pte;
>> +	int level;
>> +
>> +	pgd = __va(read_cr3_pa());
>> +	pgd += pgd_index(address);
>> +
>> +	pte = lookup_address_in_pgd(pgd, address, &level);
>> +	if (unlikely(!pte))
>> +		return;
> 
> It's a little annoying this is doing *another* separate page walk.
> Don't we already do this for dumping the page tables themselves at oops
> time?
> 

Yes, we already do the walk in oops function, I'll extend the 
dump_rmpentry() to use the level from the oops to avoid the duplicate walk.


> Also, please get rid of all of the likely/unlikely()s in your patches.
> They are pure noise unless you have specific knowledge of the compiler
> getting something so horribly wrong that it affects real-world performance.
> 
>> +	switch (level) {
>> +	case PG_LEVEL_4K: {
>> +		pfn = pte_pfn(*pte);
>> +		break;
>> +	}
> 
> These superfluous brackets are really strange looking.  Could you remove
> them, please?

Noted.

> 
>> +	case PG_LEVEL_2M: {
>> +		pfn = pmd_pfn(*(pmd_t *)pte);
>> +		break;
>> +	}
>> +	case PG_LEVEL_1G: {
>> +		pfn = pud_pfn(*(pud_t *)pte);
>> +		break;
>> +	}
>> +	case PG_LEVEL_512G: {
>> +		pfn = p4d_pfn(*(p4d_t *)pte);
>> +		break;
>> +	}
>> +	default:
>> +		return;
>> +	}
>> +
>> +	e = snp_lookup_page_in_rmptable(pfn_to_page(pfn), &level);
> 
> So, lookup_address_in_pgd() looks to me like it will return pretty
> random page table entries as long as the entry isn't
> p{gd,4d,ud,md,te}_none().  It can certainly return !p*_present()
> entries.  Those are *NOT* safe to call pfn_to_page() on.
> 

I will add some checks to make sure that we are accessing only safe pfn's.

>> +	if (unlikely(!e))
>> +		return;
>> +
>> +	/*
>> +	 * If the RMP entry at the faulting address was not assigned, then
>> +	 * dump may not provide any useful debug information. Iterate
>> +	 * through the entire 2MB region, and dump the RMP entries if one
>> +	 * of the bit in the RMP entry is set.
>> +	 */
> 
> Some of this comment should be moved down to the loop itself.

Noted.

> 
>> +	if (rmpentry_assigned(e)) {
>> +		pr_alert("RMPEntry paddr 0x%lx [assigned=%d immutable=%d pagesize=%d gpa=0x%lx"
>> +			" asid=%d vmsa=%d validated=%d]\n", pfn << PAGE_SHIFT,
>> +			rmpentry_assigned(e), rmpentry_immutable(e), rmpentry_pagesize(e),
>> +			rmpentry_gpa(e), rmpentry_asid(e), rmpentry_vmsa(e),
>> +			rmpentry_validated(e));
>> +
>> +		pr_alert("RMPEntry paddr 0x%lx %016llx %016llx\n", pfn << PAGE_SHIFT,
>> +			e->high, e->low);
> 
> Could you please include an entire oops in the changelog that also
> includes this information?  It would be really nice if this was at least
> consistent in style to the stuff around it.

Here is one example: (in this case page was immutable and HV attempted 
to write to it).

BUG: unable to handle page fault for address: ffff98c78ee00000
#PF: supervisor write access in kernel mode
#PF: error_code(0x80000003) - rmp violation
PGD 304b201067 P4D 304b201067 PUD 20c7f06063 PMD 20c8976063 PTE 
80000020cee00163
RMPEntry paddr 0x20cee00000 [assigned=1 immutable=1 pagesize=0 gpa=0x0 
asid=0 vmsa=0 validated=0]
RMPEntry paddr 0x20cee00000 000000000000000f 8000000000000ffd


> 
> Also, how much of this stuff like rmpentry_asid() is duplicated in the
> "raw" dump of e->high and e->low?
> 

Most of the rmpentry_xxx assessors read the e->low. The RMP entry is a 
16-bytes. AMD APM defines only a few bits and keeps everything else 
reserved. We are in the process of updating APM to document few more 
bits. I am not adding assessors for the undocumented fields. Until then, 
we dump the entire 16-bytes.

I agree that we are duplicating the information. I can live with just a 
raw dump. That means anyone who is debugging the crash will look at the 
APM to decode the fields.


>> +	} else {
>> +		unsigned long pfn_end;
>> +
>> +		pfn = pfn & ~0x1ff;
> 
> There's a nice magic number.  Why not:
> 
> 	pfn = pfn & ~(PTRS_PER_PMD-1);
> 
> ?

Noted.

> 
> This also needs a comment about *WHY* this case is looking at a 2MB region.
> 

Actually the comment above says why we are looking for the 2MB region. 
Let me rearrange the comment block so that its more clear.

The reason for iterating through 2MB region is; if the faulting address 
is not assigned in the RMP table, and page table walk level is 2MB then 
one of entry within the large page is the root cause of the fault. Since 
we don't know which entry hence I dump all the non-zero entries.


>> +		pfn_end = pfn + PTRS_PER_PMD;
>> +
>> +		while (pfn < pfn_end) {
>> +			e = snp_lookup_page_in_rmptable(pfn_to_page(pfn), &level);
>> +
>> +			if (unlikely(!e))
>> +				return;
>> +
>> +			if (e->low || e->high)
>> +				pr_alert("RMPEntry paddr 0x%lx: %016llx %016llx\n",
>> +					pfn << PAGE_SHIFT, e->high, e->low);
> 
> Why does this dump "raw" RMP entries while the above stuff filters them
> through a bunch of helper macros?
> 

There are two cases which we need to consider:

1) the faulting page is a guest private (aka assigned)
2) the faulting page is a hypervisor (aka shared)

We will be primarily seeing #1. In this case, we know its a assigned 
page, and we can decode the fields.

The #2 will happen in rare conditions, if it happens, one of the 
undocumented bit in the RMP entry can provide us some useful information 
hence we dump the raw values.

-Brijesh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ