The emulation layers of Xen lack PCID support, and as we only offer
PCID to HAP guests, all writes to CR3 are handled by hardware,
except when introspection is involved. Consequently, trying to set
CR3 when the noflush bit is set in hvm_set_cr3() leads to domain
crashes. The workaround is to clear the noflush bit in
hvm_set_cr3() (and, for completeness, to compare old vs new
CR3 values in hvm_monitor_cr() after clearing the noflush bit
for them as well).

Signed-off-by: Razvan Cojocaru <rcojoc...@bitdefender.com>
Reported-by: Bitweasil <bitwea...@cryptohaze.com>
Suggested-by: Andrew Cooper <andrew.coop...@citrix.com>
---
 xen/arch/x86/hvm/hvm.c     | 3 +++
 xen/arch/x86/hvm/monitor.c | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 2689046..1ab2522 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -2324,6 +2324,9 @@ int hvm_set_cr3(unsigned long value, bool_t may_defer)
         }
     }
 
+    if ( hvm_pcid_enabled(v) ) /* Clear the noflush bit. */
+        value &= ((1ull << 63) - 1);
+
     if ( hvm_paging_enabled(v) && !paging_mode_hap(v->domain) &&
          (value != v->arch.hvm_vcpu.guest_cr[3]) )
     {
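Review bot: the mask `((1ull << 63) - 1)` hard-codes the CR3 NOFLUSH bit position; give it a named constant (e.g. a CR3 NOFLUSH define next to the other CR bit definitions, if one does not exist yet) and write `value &= ~X86_CR3_NOFLUSH;`-style code, since the same literal is repeated in monitor.c and silently encodes the bit 63 semantics. The one-line comment should also say why the bit is dropped: hardware honours NOFLUSH on its own, but once Xen handles the write in software bit 63 is not an address bit and must not reach `guest_cr[3]` or the `value != guest_cr[3]` comparison below; the cost of stripping it is only an extra TLB flush, which is the safe direction. Restricting the clear to `hvm_pcid_enabled(v)` is correct, as bit 63 is reserved when CR4.PCIDE is clear and should keep faulting there; a comment noting that intent would save the next reader the derivation.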
diff --git a/xen/arch/x86/hvm/monitor.c b/xen/arch/x86/hvm/monitor.c
index 131b852..e0f0530 100644
--- a/xen/arch/x86/hvm/monitor.c
+++ b/xen/arch/x86/hvm/monitor.c
@@ -36,6 +36,12 @@ bool hvm_monitor_cr(unsigned int index, unsigned long value, 
unsigned long old)
     struct arch_domain *ad = &curr->domain->arch;
     unsigned int ctrlreg_bitmask = monitor_ctrlreg_bitmask(index);
 
+    if ( index == 3 && hvm_pcid_enabled(curr) ) /* Clear the noflush bit. */
+    {
+        value &= ((1ull << 63) - 1);
+        old &= ((1ull << 63) - 1);
+    }
+
     if ( (ad->monitor.write_ctrlreg_enabled & ctrlreg_bitmask) &&
          (!(ad->monitor.write_ctrlreg_onchangeonly & ctrlreg_bitmask) ||
           value != old) &&
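Review bot: `index == 3` compares against a raw number, whereas callers pass the VM_EVENT_X86_* control-register index (the same value `monitor_ctrlreg_bitmask(index)` shifts by); use the CR3 constant from that enumeration rather than the literal, because if CR3's slot is not 3 the clear never applies to CR3 writes and the `value != old` onchangeonly test below still sees the NOFLUSH bit. Clearing `old` as well as `value` is right for that comparison, but note in the commit message or a comment that the event delivered to the introspection listener will now also lack bit 63, so a monitor can no longer tell a NOFLUSH write from a plain one. Also consider sharing the mask with hvm.c instead of duplicating the `((1ull << 63) - 1)` literal in two files.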
-- 
2.7.4
