From owner-svn-src-all@FreeBSD.ORG Tue Oct 21 05:44:02 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 33242935; Tue, 21 Oct 2014 05:44:02 +0000 (UTC) Received: from mail-lb0-x22f.google.com (mail-lb0-x22f.google.com [IPv6:2a00:1450:4010:c04::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 438DF2EE; Tue, 21 Oct 2014 05:44:01 +0000 (UTC) Received: by mail-lb0-f175.google.com with SMTP id u10so363271lbd.20 for ; Mon, 20 Oct 2014 22:43:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=5fA8LYp8CF2kJE8aFTLhrD74NqKqjqm98aTP4VxZUaM=; b=jFjMFXxJAv3FkXzlYpdSWVM5hdBmsj6WI66z1WsyRP16jSStsBnVJ19CC+ykOewtEZ +q+k+ac2wd7TiIcUvMKKJUFDf75z3zNcc0ogg10eJz6dKHcbJgOc//fLXbpQN5ACS1tH p8yOZwwtkVBm1Rntj9su8N3mQXLHGg2pnz9jYj+vFkjuOv+nekHX3eWP/82C062eHWA6 SLc7yB9NMUOcQ52kuQ+Vnms6JzBi4H+X1RU4iCkhaJ5UYg4xagO05LIbM25aHBHTZRMq FxAz38oCv3ydS4uN6lMAuNcPBRGMM3AbgCek2xEqYbQ4tN+QHiQtfHiPno4Qn4xrIhI0 Vn6w== MIME-Version: 1.0 X-Received: by 10.112.147.225 with SMTP id tn1mr32059159lbb.37.1413870239164; Mon, 20 Oct 2014 22:43:59 -0700 (PDT) Sender: crodr001@gmail.com Received: by 10.112.131.66 with HTTP; Mon, 20 Oct 2014 22:43:59 -0700 (PDT) In-Reply-To: <201410210106.s9L16wXd016764@svn.freebsd.org> References: <201410210106.s9L16wXd016764@svn.freebsd.org> Date: Mon, 20 Oct 2014 22:43:59 -0700 X-Google-Sender-Auth: fOktHhb-SLwq2XolSZUGJZRyU4A Message-ID: Subject: Re: svn commit: r273356 - head/sys/amd64/amd64 From: Craig Rodrigues To: src-committers@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Oct 2014 05:44:02 -0000 Hi, Just to add some background to this fix, in the https://jenkins.freebsd.org cluster, we are using several bhyve VM's to host the environment for doing builds and tests. We are hammering on the VM's quite nicely. We found one problem where the bhyve binary would crash. Neel looked at the problem, and came up with this fix. Thanks, Neel! -- Craig On Mon, Oct 20, 2014 at 6:06 PM, Neel Natu wrote: > Author: neel > Date: Tue Oct 21 01:06:58 2014 > New Revision: 273356 > URL: https://svnweb.freebsd.org/changeset/base/273356 > > Log: > Fix a race in pmap_emulate_accessed_dirty() that could trigger a EPT > misconfiguration VM-exit. > > An EPT misconfiguration is triggered when the processor encounters a PTE > that is writable but not readable (WR=10). On processors that require A/D > bit emulation PG_M and PG_A map to EPT_PG_WRITE and EPT_PG_READ > respectively. > > If the PTE is updated as in the following code snippet: > *pte |= PG_M; > *pte |= PG_A; > then it is possible for another processor to observe the PTE after the > PG_M > (aka EPT_PG_WRITE) bit is set but before PG_A (aka EPT_PG_READ) bit is > set. > > This will trigger an EPT misconfiguration VM-exit on the other processor. > > Reported by: rodrigc > Reviewed by: grehan > MFC after: 3 days > > Modified: > head/sys/amd64/amd64/pmap.c > > Modified: head/sys/amd64/amd64/pmap.c > > ============================================================================== > --- head/sys/amd64/amd64/pmap.c Tue Oct 21 00:07:37 2014 (r273355) > +++ head/sys/amd64/amd64/pmap.c Tue Oct 21 01:06:58 2014 (r273356) > @@ -6810,9 +6810,19 @@ retry: > if (ftype == VM_PROT_WRITE) { > if ((*pte & PG_RW) == 0) > goto done; > - *pte |= PG_M; > + /* > + * Set the modified and accessed bits simultaneously. > + * > + * Intel EPT PTEs that do software emulation of A/D bits > map > + * PG_A and PG_M to EPT_PG_READ and EPT_PG_WRITE > respectively. > + * An EPT misconfiguration is triggered if the PTE is > writable > + * but not readable (WR=10). This is avoided by setting > PG_A > + * and PG_M simultaneously. > + */ > + *pte |= PG_M | PG_A; > + } else { > + *pte |= PG_A; > } > - *pte |= PG_A; > > /* try to promote the mapping */ > if (va < VM_MAXUSER_ADDRESS) > >