From nobody Sat Feb 17 15:12:33 2024
Date: Sat, 17 Feb 2024 15:12:33 GMT
Message-Id: <202402171512.41HFCXsM080984@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Andriy Gapon
Subject: git: 007b84e6c159 - stable/14 - rdmsr_safe/wrmsr_safe: handle pcb_onfault nesting
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: avg
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 007b84e6c159c5cf0d42923877868afee6c2d523
Auto-Submitted: auto-generated

The branch stable/14 has been updated by avg:

URL: https://cgit.FreeBSD.org/src/commit/?id=007b84e6c159c5cf0d42923877868afee6c2d523

commit 007b84e6c159c5cf0d42923877868afee6c2d523
Author: Andriy Gapon
AuthorDate: 2024-01-30 06:45:01 +0000
Commit: Andriy Gapon
CommitDate: 2024-02-17 14:18:20 +0000

rdmsr_safe/wrmsr_safe: handle pcb_onfault nesting

rdmsr_safe and wrmsr_safe can be called while pcb_onfault is already
set, so the functions are modified to preserve the handler rather than
resetting it before returning.

One case where that happens is when AMD microcode update routine is
executed on a stack where copyin / copyout was already active.

Here is a sample panic message from a crash caused by resetting the
handler:

<118>Updating CPU Microcode...
Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address = 0x11ed0de6000
fault code = supervisor write data, page not present
instruction pointer = 0x20:0xffffffff80c2df03
stack pointer = 0x28:0xfffffe01ce4a4c70
frame pointer = 0x28:0xfffffe01ce4a4c70
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 117 (logger)
trap number = 12
panic: page fault
cpuid = 3
time = 1681462027
KDB: stack backtrace:
db_trace_self_wrapper() at 0xffffffff80615deb = db_trace_self_wrapper+0x2b/frame 0xfffffe01ce4a4830
kdb_backtrace() at 0xffffffff80943c77 = kdb_backtrace+0x37/frame 0xfffffe01ce4a48e0
vpanic() at 0xffffffff808f5fe5 = vpanic+0x185/frame 0xfffffe01ce4a4940
panic() at 0xffffffff808f5da3 = panic+0x43/frame 0xfffffe01ce4a49a0
trap_fatal() at 0xffffffff80c31849 = trap_fatal+0x379/frame 0xfffffe01ce4a4a00
trap_pfault() at 0xffffffff80c318b5 = trap_pfault+0x65/frame 0xfffffe01ce4a4a60
trap() at 0xffffffff80c30f5f = trap+0x29f/frame 0xfffffe01ce4a4b80
trap_check() at 0xffffffff80c31c29 = trap_check+0x29/frame 0xfffffe01ce4a4ba0
calltrap() at 0xffffffff80c07fd8 = calltrap+0x8/frame 0xfffffe01ce4a4ba0
--- trap 0xc, rip = 0xffffffff80c2df03, rsp = 0xfffffe01ce4a4c70, rbp = 0xfffffe01ce4a4c70 ---
copyout_nosmap_std() at 0xffffffff80c2df03 = copyout_nosmap_std+0x63/frame 0xfffffe01ce4a4c70
uiomove_faultflag() at 0xffffffff8095f0d5 = uiomove_faultflag+0xe5/frame 0xfffffe01ce4a4cb0
uiomove() at 0xffffffff8095efeb = uiomove+0xb/frame 0xfffffe01ce4a4cc0
pipe_read() at 0xffffffff80968860 = pipe_read+0x230/frame 0xfffffe01ce4a4d30
dofileread() at 0xffffffff809653cb = dofileread+0x8b/frame 0xfffffe01ce4a4d80
sys_read() at 0xffffffff80964fa0 = sys_read+0xc0/frame 0xfffffe01ce4a4df0
amd64_syscall() at 0xffffffff80c3221a = amd64_syscall+0x18a/frame 0xfffffe01ce4a4f30
fast_syscall_common() at 0xffffffff80c088eb = fast_syscall_common+0xf8/frame 0xfffffe01ce4a4f30
--- syscall (3, FreeBSD ELF64, read), rip = 0x11ece41cfaa, rsp = 0x11ecbec4908, rbp = 0x11ecbec4920 ---
Uptime: 41s

And another one:

Fatal trap 12: page fault while in kernel mode
cpuid = 4; apic id = 04
fault virtual address = 0x800a22000
fault code = supervisor write data, page not present
instruction pointer = 0x20:0xffffffff80b2c7ca
stack pointer = 0x28:0xfffffe01c55b5480
frame pointer = 0x28:0xfffffe01c55b5480
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 68418 (pfctl)
trap number = 12
panic: page fault
cpuid = 4
time = 1625184463
KDB: stack backtrace:
db_trace_self_wrapper() at 0xffffffff805c1e8b = db_trace_self_wrapper+0x2b/frame 0xfffffe01c55b5040
kdb_backtrace() at 0xffffffff808874b7 = kdb_backtrace+0x37/frame 0xfffffe01c55b50f0
vpanic() at 0xffffffff808449d8 = vpanic+0x188/frame 0xfffffe01c55b5150
panic() at 0xffffffff808445f3 = panic+0x43/frame 0xfffffe01c55b51b0
trap_fatal() at 0xffffffff80b300a5 = trap_fatal+0x375/frame 0xfffffe01c55b5210
trap_pfault() at 0xffffffff80b30180 = trap_pfault+0x80/frame 0xfffffe01c55b5280
trap() at 0xffffffff80b2f729 = trap+0x289/frame 0xfffffe01c55b5390
trap_check() at 0xffffffff80b304d9 = trap_check+0x29/frame 0xfffffe01c55b53b0
calltrap() at 0xffffffff80b0bb28 = calltrap+0x8/frame 0xfffffe01c55b53b0
--- trap 0xc, rip = 0xffffffff80b2c7ca, rsp = 0xfffffe01c55b5480, rbp = 0xfffffe01c55b5480 ---
copyout_nosmap_std() at 0xffffffff80b2c7ca = copyout_nosmap_std+0x15a/frame 0xfffffe01c55b5480
pfioctl() at 0xffffffff85539358 = pfioctl+0x4d28/frame 0xfffffe01c55b5940
devfs_ioctl() at 0xffffffff807176cf = devfs_ioctl+0xcf/frame 0xfffffe01c55b59a0
VOP_IOCTL_APV() at 0xffffffff80bb26e2 = VOP_IOCTL_APV+0x92/frame 0xfffffe01c55b59c0
VOP_IOCTL() at 0xffffffff80928014 = VOP_IOCTL+0x34/frame 0xfffffe01c55b5a10
vn_ioctl() at 0xffffffff80923330 = vn_ioctl+0xc0/frame 0xfffffe01c55b5b00
devfs_ioctl_f() at
0xffffffff80717bbe = devfs_ioctl_f+0x1e/frame 0xfffffe01c55b5b20 fo_ioctl() at 0xffffffff808abc6b = fo_ioctl+0xb/frame 0xfffffe01c55b5b30 kern_ioctl() at 0xffffffff808abc01 = kern_ioctl+0x1d1/frame 0xfffffe01c55b5b80 sys_ioctl() at 0xffffffff808ab982 = sys_ioctl+0x132/frame 0xfffffe01c55b5c50 syscallenter() at 0xffffffff80b30cc9 = syscallenter+0x159/frame 0xfffffe01c55b5ca0 amd64_syscall() at 0xffffffff80b309a5 = amd64_syscall+0x15/frame 0xfffffe01c55b5d30 fast_syscall_common() at 0xffffffff80b0c44e = fast_syscall_common+0xf8/frame 0xfffffe01c55b5d30 PR: 276426 Reviewed by: kib, markj MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D43639 (cherry picked from commit 486b265a8fb6b2aad37f2819fa04feacf8184d53) --- sys/amd64/amd64/support.S | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/sys/amd64/amd64/support.S b/sys/amd64/amd64/support.S index 6e541b75cdae..c95696bbe7ef 100644 --- a/sys/amd64/amd64/support.S +++ b/sys/amd64/amd64/support.S @@ -1532,6 +1532,7 @@ ENTRY(rdmsr_safe) /* int rdmsr_safe(u_int msr, uint64_t *data) */ PUSH_FRAME_POINTER movq PCPU(CURPCB),%r8 + movq PCB_ONFAULT(%r8),%r9 movq $msr_onfault,PCB_ONFAULT(%r8) movl %edi,%ecx rdmsr /* Read MSR pointed by %ecx. Returns @@ -1540,8 +1541,8 @@ ENTRY(rdmsr_safe) movl %eax,%eax /* zero-extend %eax -> %rax */ orq %rdx,%rax movq %rax,(%rsi) - xorq %rax,%rax - movq %rax,PCB_ONFAULT(%r8) + movq %r9,PCB_ONFAULT(%r8) + xorl %eax,%eax POP_FRAME_POINTER ret @@ -1553,6 +1554,7 @@ ENTRY(wrmsr_safe) /* int wrmsr_safe(u_int msr, uint64_t data) */ PUSH_FRAME_POINTER movq PCPU(CURPCB),%r8 + movq PCB_ONFAULT(%r8),%r9 movq $msr_onfault,PCB_ONFAULT(%r8) movl %edi,%ecx movl %esi,%eax @@ -1560,8 +1562,8 @@ ENTRY(wrmsr_safe) movl %esi,%edx wrmsr /* Write MSR pointed by %ecx. Accepts hi byte in edx, lo in %eax. */ - xorq %rax,%rax - movq %rax,PCB_ONFAULT(%r8) + movq %r9,PCB_ONFAULT(%r8) + xorl %eax,%eax POP_FRAME_POINTER ret 
@@ -1570,7 +1572,7 @@ ENTRY(wrmsr_safe) */ ALIGN_TEXT msr_onfault: - movq $0,PCB_ONFAULT(%r8) + movq %r9,PCB_ONFAULT(%r8) movl $EFAULT,%eax POP_FRAME_POINTER ret
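
Review bot: In the rdmsr_safe entry hunk (@@ -1532), the new `movq PCB_ONFAULT(%r8),%r9` makes %r9 live from this point until the handler is written back, but no comment says so. Please add a short comment beside the load stating that %r9 holds the caller's pcb_onfault and must not be clobbered before the restore, since both the normal exit and msr_onfault read it. The same applies to the matching line in the wrmsr_safe entry hunk.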
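
Review bot: In the rdmsr_safe exit hunk (@@ -1540), `movq %rax,(%rsi)` still executes before `movq %r9,PCB_ONFAULT(%r8)`, so a fault on the store to *data is routed to msr_onfault and not to the outer handler that is now being preserved. If that is the intended behaviour, a one-line comment above the store would make it explicit. The xorq to xorl change on the return value is an unrelated cleanup and is not mentioned in the commit message.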
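
Review bot: In the msr_onfault hunk (@@ -1570), `movq %r9,PCB_ONFAULT(%r8)` now depends on both %r8 and %r9 still holding what rdmsr_safe or wrmsr_safe loaded before the faulting instruction, where the old `movq $0,PCB_ONFAULT(%r8)` needed only %r8. The block comment above the label should state this register contract so that a later edit to either function does not reuse %r9 between the save and the MSR access.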
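
The nesting problem described in the commit message, as an added user-space model that is not FreeBSD code and not part of the original commit: struct pcb, deliver_fault, copyout_model and MODEL_PANIC are constructed for illustration, and fault delivery is reduced to "call the registered handler, or treat the fault as fatal when none is set".

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model; only the names follow the commit. */
typedef int (*onfault_t)(void);
struct pcb { onfault_t pcb_onfault; };
#define MODEL_PANIC (-1)    /* stands in for trap_fatal() -> panic() */

static int msr_onfault(void)  { return EFAULT; }
static int copy_onfault(void) { return EFAULT; }

/* Simplified fault delivery: handler set -> error return, else fatal. */
static int deliver_fault(struct pcb *p)
{
    return p->pcb_onfault != NULL ? p->pcb_onfault() : MODEL_PANIC;
}

/* Pre-patch behaviour: the handler slot is zeroed on every exit path. */
static int msr_safe_old(struct pcb *p, int msr_faults)
{
    p->pcb_onfault = msr_onfault;
    int error = msr_faults ? deliver_fault(p) : 0;
    p->pcb_onfault = NULL;
    return error;
}

/* Patched behaviour: save the previous handler (%r9 in the diff) and
 * put it back on both the normal and the faulting exit. */
static int msr_safe_new(struct pcb *p, int msr_faults)
{
    onfault_t saved = p->pcb_onfault;
    p->pcb_onfault = msr_onfault;
    int error = msr_faults ? deliver_fault(p) : 0;
    p->pcb_onfault = saved;
    return error;
}

/* A copyout-style routine: MSR code runs on its stack mid-copy, then
 * the copy touches a user page that is not present. */
static int copyout_model(struct pcb *p, int (*msr_fn)(struct pcb *, int))
{
    p->pcb_onfault = copy_onfault;
    (void)msr_fn(p, 0);
    int error = deliver_fault(p);
    p->pcb_onfault = NULL;
    return error;
}

int main(void) {
    struct pcb p = { NULL };
    printf("old=%d\n", copyout_model(&p, msr_safe_old));
    printf("new=%d\n", copyout_model(&p, msr_safe_new));
    return 0;
}
```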