svn commit: r273356 - head/sys/amd64/amd64

Craig Rodrigues rodrigc at FreeBSD.org
Tue Oct 21 05:44:02 UTC 2014 

Hi,

Just to add some background to this fix, in the https://jenkins.freebsd.org
cluster,
we are using several bhyve VM's to host the environment for doing builds
and tests.  We are hammering on the VM's
quite nicely.  We found one problem where the bhyve binary would crash.

Neel looked at the problem, and came up with this fix.

Thanks, Neel!

--
Craig


On Mon, Oct 20, 2014 at 6:06 PM, Neel Natu <neel at freebsd.org> wrote:

> Author: neel
> Date: Tue Oct 21 01:06:58 2014
> New Revision: 273356
> URL: https://svnweb.freebsd.org/changeset/base/273356
>
> Log:
>   Fix a race in pmap_emulate_accessed_dirty() that could trigger a EPT
>   misconfiguration VM-exit.
>
>   An EPT misconfiguration is triggered when the processor encounters a PTE
>   that is writable but not readable (WR=10). On processors that require A/D
>   bit emulation PG_M and PG_A map to EPT_PG_WRITE and EPT_PG_READ
> respectively.
>
>   If the PTE is updated as in the following code snippet:
>         *pte |= PG_M;
>         *pte |= PG_A;
>   then it is possible for another processor to observe the PTE after the
> PG_M
>   (aka EPT_PG_WRITE) bit is set but before PG_A (aka EPT_PG_READ) bit is
> set.
>
>   This will trigger an EPT misconfiguration VM-exit on the other processor.
>
>   Reported by:  rodrigc
>   Reviewed by:  grehan
>   MFC after:    3 days
>
> Modified:
>   head/sys/amd64/amd64/pmap.c
>
> Modified: head/sys/amd64/amd64/pmap.c
>
> ==============================================================================
> --- head/sys/amd64/amd64/pmap.c Tue Oct 21 00:07:37 2014        (r273355)
> +++ head/sys/amd64/amd64/pmap.c Tue Oct 21 01:06:58 2014        (r273356)
> @@ -6810,9 +6810,19 @@ retry:
>         if (ftype == VM_PROT_WRITE) {
>                 if ((*pte & PG_RW) == 0)
>                         goto done;
> -               *pte |= PG_M;
> +               /*
> +                * Set the modified and accessed bits simultaneously.
> +                *
> +                * Intel EPT PTEs that do software emulation of A/D bits
> map
> +                * PG_A and PG_M to EPT_PG_READ and EPT_PG_WRITE
> respectively.
> +                * An EPT misconfiguration is triggered if the PTE is
> writable
> +                * but not readable (WR=10). This is avoided by setting
> PG_A
> +                * and PG_M simultaneously.
> +                */
> +               *pte |= PG_M | PG_A;
> +       } else {
> +               *pte |= PG_A;
>         }
> -       *pte |= PG_A;
>
>         /* try to promote the mapping */
>         if (va < VM_MAXUSER_ADDRESS)
>
>

More information about the svn-src-head mailing list