x86: fix slow int80 path after XPTI additions

For the int80 slow path to jump to handle_exception_saved, %r14 needs to
be set up suitably for XPTI purposes. This is because of the difference
in nature between the int80 path (which is synchronous WRT guest
actions) and the exception path which is potentially asynchronous.

This is XSA-259.

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index 1cd7d938922c204a8abae12b80a5e06d125e897d..9c45c00bb012ed0e4698fab88659d23c1e79837a 100644 (file)
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -405,6 +405,12 @@ int80_slow_path:
         movl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
         /* A GPF wouldn't have incremented the instruction pointer. */
         subq  $2,UREGS_rip(%rsp)
+        /*
+         * While we've cleared xen_cr3 above already, normal exception handling
+         * code has logic to restore the original value from %r15. Therefore we
+         * need to set up %r14 here, while %r15 is required to still be zero.
+         */
+        GET_STACK_END(14)
         jmp   handle_exception_saved
 
         /* create_bounce_frame & helpers don't need to be in .text.entry */