Date: Mon, 20 Oct 2014 22:43:59 -0700
From: Craig Rodrigues <rodrigc@FreeBSD.org>
To: src-committers@freebsd.org
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org
Subject: Re: svn commit: r273356 - head/sys/amd64/amd64
Message-ID: <CAG=rPVcoDxENDeYZD3_vMT_6OdLfi-9xvafFn%2BeHH5hhvQJTCQ@mail.gmail.com>
In-Reply-To: <201410210106.s9L16wXd016764@svn.freebsd.org>
References: <201410210106.s9L16wXd016764@svn.freebsd.org>
Hi,

Just to add some background to this fix, in the https://jenkins.freebsd.org
cluster, we are using several bhyve VMs to host the environment for doing
builds and tests. We are hammering on the VMs quite nicely. We found one
problem where the bhyve binary would crash. Neel looked at the problem, and
came up with this fix.

Thanks, Neel!

--
Craig

On Mon, Oct 20, 2014 at 6:06 PM, Neel Natu <neel@freebsd.org> wrote:
> Author: neel
> Date: Tue Oct 21 01:06:58 2014
> New Revision: 273356
> URL: https://svnweb.freebsd.org/changeset/base/273356
>
> Log:
>   Fix a race in pmap_emulate_accessed_dirty() that could trigger an EPT
>   misconfiguration VM-exit.
>
>   An EPT misconfiguration is triggered when the processor encounters a PTE
>   that is writable but not readable (WR=10). On processors that require A/D
>   bit emulation PG_M and PG_A map to EPT_PG_WRITE and EPT_PG_READ
>   respectively.
>
>   If the PTE is updated as in the following code snippet:
>       *pte |= PG_M;
>       *pte |= PG_A;
>   then it is possible for another processor to observe the PTE after the PG_M
>   (aka EPT_PG_WRITE) bit is set but before PG_A (aka EPT_PG_READ) bit is set.
>
>   This will trigger an EPT misconfiguration VM-exit on the other processor.
>
>   Reported by:  rodrigc
>   Reviewed by:  grehan
>   MFC after:    3 days
>
> Modified:
>   head/sys/amd64/amd64/pmap.c
>
> Modified: head/sys/amd64/amd64/pmap.c
> ==============================================================================
> --- head/sys/amd64/amd64/pmap.c   Tue Oct 21 00:07:37 2014   (r273355)
> +++ head/sys/amd64/amd64/pmap.c   Tue Oct 21 01:06:58 2014   (r273356)
> @@ -6810,9 +6810,19 @@ retry: > if (ftype == VM_PROT_WRITE) { > if ((*pte & PG_RW) == 0) > goto done; > - *pte |= PG_M; > + /* > + * Set the modified and accessed bits simultaneously. > + * > + * Intel EPT PTEs that do software emulation of A/D bits > map > + * PG_A and PG_M to EPT_PG_READ and EPT_PG_WRITE > respectively. > + * An EPT misconfiguration is triggered if the PTE is > writable > + * but not readable (WR=10). This is avoided by setting > PG_A > + * and PG_M simultaneously. > + */ > + *pte |= PG_M | PG_A; > + } else { > + *pte |= PG_A; > } > - *pte |= PG_A; > > /* try to promote the mapping */ > if (va < VM_MAXUSER_ADDRESS) > >
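Review bot: the write-fault branch now depends on `*pte |= PG_M | PG_A;` being compiled as a single store of the PTE; if that read-modify-write were ever split into two stores, the WR=10 window described in the log would return, so stating the single-store requirement in the new comment, or using an explicit atomic set on the PTE (such as `atomic_set_long`, if that is the helper this pmap code uses elsewhere), would make the intent robust rather than implicit. The new `else` branch that sets only PG_A is fine as written: it yields a readable-but-not-writable entry (WR=01), which is not a misconfiguration.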
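The race in the log can be checked mechanically by treating each `|=` as one store and asking whether any value another CPU could observe is WR=10. The following is an added example, not code from the commit or from FreeBSD's pmap.c; the bit positions of PG_RW, PG_A and PG_M and the "one store per `|=`" assumption belong to the model, and the starting PTE is constructed.

```c
/* Added example, not code from the commit or FreeBSD's pmap.c: model the
 * fault handler's PTE update as the sequence of stores another CPU could
 * observe and check each one for the WR=10 state the log describes. Bit
 * positions and "one store per |=" are assumptions of the model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint64_t pt_entry_t;
#define PG_RW (1ULL << 1)   /* assumed bit positions, model only */
#define PG_A  (1ULL << 5)   /* plays EPT_PG_READ under A/D emulation */
#define PG_M  (1ULL << 6)   /* plays EPT_PG_WRITE under A/D emulation */

/* EPT misconfiguration: writable (PG_M) but not readable (PG_A), WR=10. */
bool ept_misconfig(pt_entry_t pte)
{
    return (pte & PG_M) != 0 && (pte & PG_A) == 0;
}

/* Perform the fault-path update on *pte, recording every value stored
 * (in program order) in obs[]; returns the number of stores. A concurrent
 * reader may observe the PTE after any one of them. */
static size_t update(pt_entry_t *pte, bool fixed, bool write_fault,
                     pt_entry_t obs[2])
{
    size_t n = 0;
    if (write_fault && !fixed) {        /* r273355: two separate updates */
        *pte |= PG_M; obs[n++] = *pte;  /* WR=10 window opens here */
        *pte |= PG_A; obs[n++] = *pte;
    } else if (write_fault) {           /* r273356: both bits in one store */
        *pte |= PG_M | PG_A; obs[n++] = *pte;
    } else {                            /* read fault: PG_A alone is WR=01 */
        *pte |= PG_A; obs[n++] = *pte;
    }
    return n;
}

/* True if some intermediate value of the PTE could be seen as WR=10.
 * Constructed start state: writable mapping with both A/D bits clear. */
bool fault_exposes_misconfig(bool fixed, bool write_fault)
{
    pt_entry_t pte = PG_RW, obs[2];
    size_t n = update(&pte, fixed, write_fault, obs);
    for (size_t i = 0; i < n; i++)
        if (ept_misconfig(obs[i]))
            return true;
    return false;   /* true only for the unfixed write-fault sequence */
}
```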