diff for duplicates of <Ynk40U/KA+hLBZRC@google.com> diff --git a/a/1.txt b/N1/1.txt index 20134bc..a1a7bec 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -41,11 +41,11 @@ Call stacks for the two callers would be very, very helpful. > > Fixes: ed72736183c4 ("x86/reboot: Force all cpus to exit VMX root if VMX is supported) > Fixes: 0ee59413c967 ("x86/panic: replace smp_send_stop() with kdump friendly version in panic path") -> Cc: David P. Reed <dpreed@deepplum.com> -> Cc: Hidehiro Kawai <hidehiro.kawai.ez@hitachi.com> -> Cc: Paolo Bonzini <pbonzini@redhat.com> -> Cc: Sean Christopherson <seanjc@google.com> -> Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com> +> Cc: David P. Reed <dpreed-UISbPGJNPmdWk0Htik3J/w@public.gmane.org> +> Cc: Hidehiro Kawai <hidehiro.kawai.ez-FCd8Q96Dh0JBDgjK7y7TUQ@public.gmane.org> +> Cc: Paolo Bonzini <pbonzini-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> +> Cc: Sean Christopherson <seanjc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> +> Signed-off-by: Guilherme G. Piccoli <gpiccoli-wEGTBA9jqPzQT0dZR+AlfA@public.gmane.org> > --- > arch/x86/include/asm/cpu.h | 1 + > arch/x86/kernel/crash.c | 8 ++++---- @@ -142,18 +142,4 @@ official mini series. > > -- > 2.36.0 -> --------------- next part -------------- -A non-text attachment was scrubbed... -Name: 0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch -Type: text/x-diff -Size: 6626 bytes -Desc: not available -URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0002.bin> --------------- next part -------------- -A non-text attachment was scrubbed... -Name: 0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch -Type: text/x-diff -Size: 2721 bytes -Desc: not available -URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0003.bin> +> diff --git a/N1/2.hdr b/N1/2.hdr new file mode 100644 index 0000000..3482a00 --- /dev/null +++ b/N1/2.hdr 
@@ -0,0 +1,3 @@
+Content-Type: text/x-diff; charset=us-ascii
+Content-Disposition: attachment;
+ filename="0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch"
diff --git a/N1/2.txt b/N1/2.txt
new file mode 100644
index 0000000..18fdb45
--- /dev/null
+++ b/N1/2.txt
@@ -0,0 +1,176 @@ +From 8a4573b7cf3a3e49b409ba3a504934de181c259d Mon Sep 17 00:00:00 2001 +From: Sean Christopherson <seanjc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> +Date: Mon, 9 May 2022 07:36:34 -0700 +Subject: [PATCH 1/2] x86/crash: Disable virt in core NMI crash handler to + avoid double list_add + +Disable virtualization in crash_nmi_callback() and skip the requested NMI +shootdown if a shootdown has already occurred, i.e. a callback has been +registered. The NMI crash shootdown path doesn't play nice with multiple +invocations, e.g. attempting to register the NMI handler multiple times +will trigger a double list_add() and hang the sytem (in addition to +multiple other issues). If "crash_kexec_post_notifiers" is specified on +the kernel command line, panic() will invoke crash_smp_send_stop() and +result in a second call to nmi_shootdown_cpus() during +native_machine_emergency_restart(). + +Invoke the callback _before_ disabling virtualization, as the current +VMCS needs to be cleared before doing VMXOFF. Note, this results in a +subtle change in ordering between disabling virtualization and stopping +Intel PT on the responding CPUs. While VMX and Intel PT do interact, +VMXOFF and writes to MSR_IA32_RTIT_CTL do not induce faults between one +another, which is all that matters when panicking. + +WARN if nmi_shootdown_cpus() is called a second time with anything other +than the reboot path's "nop" handler, as bailing means the requested +isn't being invoked. Punt true handling of multiple shootdown callbacks +until there's an actual use case for doing so (beyond disabling +virtualization). + +Extract the disabling logic to a common helper to deduplicate code, and +to prepare for doing the shootdown in the emergency reboot path if SVM +is supported. 
+ +Note, prior to commit ed72736183c4 ("x86/reboot: Force all cpus to exit +VMX root if VMX is supported), nmi_shootdown_cpus() was subtly protected +against a second invocation by a cpu_vmx_enabled() check as the kdump +handler would disable VMX if it ran first. + +Fixes: ed72736183c4 ("x86/reboot: Force all cpus to exit VMX root if VMX is supported) +Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org +Reported-by: Guilherme G. Piccoli <gpiccoli-wEGTBA9jqPzQT0dZR+AlfA@public.gmane.org> +Signed-off-by: Sean Christopherson <seanjc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> +--- + arch/x86/include/asm/reboot.h | 1 + + arch/x86/kernel/crash.c | 16 +-------------- + arch/x86/kernel/reboot.c | 38 ++++++++++++++++++++++++++++++++--- + 3 files changed, 37 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h +index 04c17be9b5fd..8f2da36435a6 100644 +--- a/arch/x86/include/asm/reboot.h ++++ b/arch/x86/include/asm/reboot.h +@@ -25,6 +25,7 @@ void __noreturn machine_real_restart(unsigned int type); + #define MRR_BIOS 0 + #define MRR_APM 1 + ++void cpu_crash_disable_virtualization(void); + typedef void (*nmi_shootdown_cb)(int, struct pt_regs*); + void nmi_panic_self_stop(struct pt_regs *regs); + void nmi_shootdown_cpus(nmi_shootdown_cb callback); +diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c +index e8326a8d1c5d..fe0cf83843ba 100644 +--- a/arch/x86/kernel/crash.c ++++ b/arch/x86/kernel/crash.c +@@ -81,15 +81,6 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs) + */ + cpu_crash_vmclear_loaded_vmcss(); + +- /* Disable VMX or SVM if needed. +- * +- * We need to disable virtualization on all CPUs. +- * Having VMX or SVM enabled on any CPU may break rebooting +- * after the kdump kernel has finished its task. 
+- */ +- cpu_emergency_vmxoff(); +- cpu_emergency_svm_disable(); +- + /* + * Disable Intel PT to stop its logging + */ +@@ -148,12 +139,7 @@ void native_machine_crash_shutdown(struct pt_regs *regs) + */ + cpu_crash_vmclear_loaded_vmcss(); + +- /* Booting kdump kernel with VMX or SVM enabled won't work, +- * because (among other limitations) we can't disable paging +- * with the virt flags. +- */ +- cpu_emergency_vmxoff(); +- cpu_emergency_svm_disable(); ++ cpu_crash_disable_virtualization(); + + /* + * Disable Intel PT to stop its logging +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index fa700b46588e..f9543a4e9b09 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -528,9 +528,9 @@ static inline void kb_wait(void) + } + } + +-static void vmxoff_nmi(int cpu, struct pt_regs *regs) ++static void nmi_shootdown_nop(int cpu, struct pt_regs *regs) + { +- cpu_emergency_vmxoff(); ++ /* Nothing to do, the NMI shootdown handler disables virtualization. */ + } + + /* Use NMIs as IPIs to tell all CPUs to disable virtualization */ +@@ -554,7 +554,7 @@ static void emergency_vmx_disable_all(void) + __cpu_emergency_vmxoff(); + + /* Halt and exit VMX root operation on the other CPUs. */ +- nmi_shootdown_cpus(vmxoff_nmi); ++ nmi_shootdown_cpus(nmi_shootdown_nop); + } + } + +@@ -802,6 +802,18 @@ static nmi_shootdown_cb shootdown_callback; + static atomic_t waiting_for_crash_ipi; + static int crash_ipi_issued; + ++void cpu_crash_disable_virtualization(void) ++{ ++ /* ++ * Disable virtualization, i.e. VMX or SVM, so that INIT is recognized ++ * during reboot. VMX blocks INIT if the CPU is post-VMXON, and SVM ++ * blocks INIT if GIF=0. Note, CLGI #UDs if SVM isn't enabled, so it's ++ * easier to just disable SVM unconditionally. 
++ */ ++ cpu_emergency_vmxoff(); ++ cpu_emergency_svm_disable(); ++} ++ + static int crash_nmi_callback(unsigned int val, struct pt_regs *regs) + { + int cpu; +@@ -819,6 +831,12 @@ static int crash_nmi_callback(unsigned int val, struct pt_regs *regs) + + shootdown_callback(cpu, regs); + ++ /* ++ * Prepare the CPU for reboot _after_ invoking the callback so that the ++ * callback can safely use virtualization instructions, e.g. VMCLEAR. ++ */ ++ cpu_crash_disable_virtualization(); ++ + atomic_dec(&waiting_for_crash_ipi); + /* Assume hlt works */ + halt(); +@@ -840,6 +858,20 @@ void nmi_shootdown_cpus(nmi_shootdown_cb callback) + unsigned long msecs; + local_irq_disable(); + ++ /* ++ * Invoking multiple callbacks is not currently supported, registering ++ * the NMI handler twice will cause a list_add() double add BUG(). ++ * The exception is the "nop" handler in the emergency reboot path, ++ * which can run after e.g. kdump's shootdown. Do nothing if the crash ++ * handler has already run, i.e. has already prepared other CPUs, the ++ * reboot path doesn't have any work of its to do, it just needs to ++ * ensure all CPUs have prepared for reboot. ++ */ ++ if (shootdown_callback) { ++ WARN_ON_ONCE(callback != nmi_shootdown_nop); ++ return; ++ } ++ + /* Make a note of crashing cpu. Will be used in NMI callback. */ + crashing_cpu = safe_smp_processor_id(); + + +base-commit: 2764011106d0436cb44702cfb0981339d68c3509 +-- +2.36.0.512.ge40c2bad7a-goog diff --git a/N1/3.hdr b/N1/3.hdr new file mode 100644 index 0000000..88c74d8 --- /dev/null +++ b/N1/3.hdr @@ -0,0 +1,3 @@ +Content-Type: text/x-diff; charset=us-ascii +Content-Disposition: attachment; + filename="0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch" diff --git a/N1/3.txt b/N1/3.txt new file mode 100644 index 0000000..c0459ff --- /dev/null +++ b/N1/3.txt 
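Review bot: The new `cpu_crash_disable_virtualization()` is defined in reboot.c directly after the `shootdown_callback`, `waiting_for_crash_ipi` and `crash_ipi_issued` statics, while its prototype in reboot.h and the call from `native_machine_crash_shutdown()` in crash.c are unconditional. If those statics sit inside an `#if defined(CONFIG_SMP)` region, which the hunk context does not show, a uniprocessor build that still compiles crash.c would be left with an unresolved symbol; defining the helper above that region would avoid this. Separately, the guard comment added to `nmi_shootdown_cpus()` reads "any work of its to do" and should say `any work of its own to do`. Both `crash_nmi_callback()` and `nmi_shootdown_cpus()` continue outside the hunks shown.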
@@ -0,0 +1,72 @@ +From ce4b8fb50962c00a9bb29663e96501e90d68bd8b Mon Sep 17 00:00:00 2001 +From: Sean Christopherson <seanjc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> +Date: Mon, 9 May 2022 08:28:14 -0700 +Subject: [PATCH 2/2] x86/reboot: Disable virtualization in an emergency if SVM + is supported + +Disable SVM on all CPUs via NMI shootdown during an emergency reboot. +Like VMX, SVM can block INIT and thus prevent bringing up other CPUs via +INIT-SIPI-SIPI. + +Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org +Signed-off-by: Sean Christopherson <seanjc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> +--- + arch/x86/kernel/reboot.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index f9543a4e9b09..33c1f4883b27 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -533,27 +533,29 @@ static void nmi_shootdown_nop(int cpu, struct pt_regs *regs) + /* Nothing to do, the NMI shootdown handler disables virtualization. */ + } + +-/* Use NMIs as IPIs to tell all CPUs to disable virtualization */ +-static void emergency_vmx_disable_all(void) ++static void emergency_reboot_disable_virtualization(void) + { + /* Just make sure we won't change CPUs while doing this */ + local_irq_disable(); + + /* +- * Disable VMX on all CPUs before rebooting, otherwise we risk hanging +- * the machine, because the CPU blocks INIT when it's in VMX root. ++ * Disable virtualization on all CPUs before rebooting to avoid hanging ++ * the system, as VMX and SVM block INIT when running in the host + * + * We can't take any locks and we may be on an inconsistent state, so +- * use NMIs as IPIs to tell the other CPUs to exit VMX root and halt. ++ * use NMIs as IPIs to tell the other CPUs to disable VMX/SVM and halt. + * +- * Do the NMI shootdown even if VMX if off on _this_ CPU, as that +- * doesn't prevent a different CPU from being in VMX root operation. 
++ * Do the NMI shootdown even if virtualization is off on _this_ CPU, as ++ * other CPUs may have virtualization enabled. + */ +- if (cpu_has_vmx()) { +- /* Safely force _this_ CPU out of VMX root operation. */ +- __cpu_emergency_vmxoff(); ++ if (cpu_has_vmx() || cpu_has_svm(NULL)) { ++ /* Safely force _this_ CPU out of VMX/SVM operation. */ ++ if (cpu_has_vmx()) ++ __cpu_emergency_vmxoff(); ++ else ++ cpu_emergency_svm_disable(); + +- /* Halt and exit VMX root operation on the other CPUs. */ ++ /* Disable VMX/SVM and halt on other CPUs. */ + nmi_shootdown_cpus(nmi_shootdown_nop); + } + } +@@ -590,7 +592,7 @@ static void native_machine_emergency_restart(void) + unsigned short mode; + + if (reboot_emergency) +- emergency_vmx_disable_all(); ++ emergency_reboot_disable_virtualization(); + + tboot_shutdown(TB_SHUTDOWN_REBOOT); + +-- +2.36.0.512.ge40c2bad7a-goog diff --git a/a/content_digest b/N1/content_digest index ec71d3d..d3fa7e3 100644 --- a/a/content_digest +++ b/N1/content_digest 
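Review bot: In `emergency_reboot_disable_virtualization()` the local-CPU step open-codes `if (cpu_has_vmx()) __cpu_emergency_vmxoff(); else cpu_emergency_svm_disable();`, although the previous patch in this series added `cpu_crash_disable_virtualization()` for this same pair of operations. Calling the helper here, `cpu_crash_disable_virtualization();`, would keep a single disable sequence for the crash, NMI and reboot paths, assuming `cpu_emergency_vmxoff()` performs the same enabled-check as the `__` variant (its body is not visible here). The rewritten block comment also drops the full stop after "when running in the host". The function also loses its one-line header comment, and `/* Use NMIs as IPIs to tell all CPUs to disable virtualization */` still describes it and could stay.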
@@ -1,10 +1,40 @@ "ref\020220427224924.592546-1-gpiccoli@igalia.com\0" "ref\020220427224924.592546-2-gpiccoli@igalia.com\0" - "From\0Sean Christopherson <seanjc@google.com>\0" - "Subject\0[PATCH 01/30] x86/crash,reboot: Avoid re-disabling VMX in all CPUs on crash/restart\0" + "ref\020220427224924.592546-2-gpiccoli-wEGTBA9jqPzQT0dZR+AlfA@public.gmane.org\0" + "From\0Sean Christopherson <seanjc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>\0" + "Subject\0Re: [PATCH 01/30] x86/crash,reboot: Avoid re-disabling VMX in all CPUs on crash/restart\0" "Date\0Mon, 9 May 2022 15:52:49 +0000\0" - "To\0kexec@lists.infradead.org\0" - "\00:1\0" + "To\0Guilherme G. Piccoli <gpiccoli-wEGTBA9jqPzQT0dZR+AlfA@public.gmane.org>\0" + "Cc\0akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org" + bhe-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org + pmladek-IBi9RG/b67k@public.gmane.org + kexec-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org + linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + bcm-kernel-feedback-list-dY08KVG/lbpWk0Htik3J/w@public.gmane.org + coresight-cunTk1MwBs8s++Sfvej+rw@public.gmane.org + linuxppc-dev-uLR06cmDAlY/bJ5BZ2RsiQ@public.gmane.org + linux-alpha-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org + linux-edac-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + linux-hyperv-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + linux-leds-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + linux-mips-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + linux-parisc-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + linux-pm-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + linux-remoteproc-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + linux-s390-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + linux-tegra-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + linux-um-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org + linux-xtensa-PjhNF2WwrV/0Sa2dR60CXw@public.gmane.org + netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + openipmi-developer-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org + 
rcu-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + sparclinux-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + xen-devel-GuqFBffKawtpuQazS67q72D2FQJk+8+b@public.gmane.org + x86-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org + kernel-dev-wEGTBA9jqPzQT0dZR+AlfA@public.gmane.org + " k\0" + "\01:1\0" "b\0" "I find the shortlog to be very confusing, the bug has nothing to do with disabling\n" "VMX and I distinctly remember wrapping VMXOFF with exception fixup to prevent doom\n" @@ -49,11 +79,11 @@ "> \n" "> Fixes: ed72736183c4 (\"x86/reboot: Force all cpus to exit VMX root if VMX is supported)\n" "> Fixes: 0ee59413c967 (\"x86/panic: replace smp_send_stop() with kdump friendly version in panic path\")\n" - "> Cc: David P. Reed <dpreed@deepplum.com>\n" - "> Cc: Hidehiro Kawai <hidehiro.kawai.ez@hitachi.com>\n" - "> Cc: Paolo Bonzini <pbonzini@redhat.com>\n" - "> Cc: Sean Christopherson <seanjc@google.com>\n" - "> Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>\n" + "> Cc: David P. Reed <dpreed-UISbPGJNPmdWk0Htik3J/w@public.gmane.org>\n" + "> Cc: Hidehiro Kawai <hidehiro.kawai.ez-FCd8Q96Dh0JBDgjK7y7TUQ@public.gmane.org>\n" + "> Cc: Paolo Bonzini <pbonzini-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>\n" + "> Cc: Sean Christopherson <seanjc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>\n" + "> Signed-off-by: Guilherme G. Piccoli <gpiccoli-wEGTBA9jqPzQT0dZR+AlfA@public.gmane.org>\n" "> ---\n" "> arch/x86/include/asm/cpu.h | 1 +\n" "> arch/x86/kernel/crash.c | 8 ++++----\n" 
@@ -150,20 +180,260 @@ "> \n" "> -- \n" "> 2.36.0\n" - "> \n" - "-------------- next part --------------\n" - "A non-text attachment was scrubbed...\n" - "Name: 0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch\n" - "Type: text/x-diff\n" - "Size: 6626 bytes\n" - "Desc: not available\n" - "URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0002.bin>\n" - "-------------- next part --------------\n" - "A non-text attachment was scrubbed...\n" - "Name: 0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch\n" - "Type: text/x-diff\n" - "Size: 2721 bytes\n" - "Desc: not available\n" - URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0003.bin> + > + "\01:2\0" + "fn\00001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch\0" + "b\0" + "From 8a4573b7cf3a3e49b409ba3a504934de181c259d Mon Sep 17 00:00:00 2001\n" + "From: Sean Christopherson <seanjc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>\n" + "Date: Mon, 9 May 2022 07:36:34 -0700\n" + "Subject: [PATCH 1/2] x86/crash: Disable virt in core NMI crash handler to\n" + " avoid double list_add\n" + "\n" + "Disable virtualization in crash_nmi_callback() and skip the requested NMI\n" + "shootdown if a shootdown has already occurred, i.e. a callback has been\n" + "registered. The NMI crash shootdown path doesn't play nice with multiple\n" + "invocations, e.g. attempting to register the NMI handler multiple times\n" + "will trigger a double list_add() and hang the sytem (in addition to\n" + "multiple other issues). If \"crash_kexec_post_notifiers\" is specified on\n" + "the kernel command line, panic() will invoke crash_smp_send_stop() and\n" + "result in a second call to nmi_shootdown_cpus() during\n" + "native_machine_emergency_restart().\n" + "\n" + "Invoke the callback _before_ disabling virtualization, as the current\n" + "VMCS needs to be cleared before doing VMXOFF. 
Note, this results in a\n" + "subtle change in ordering between disabling virtualization and stopping\n" + "Intel PT on the responding CPUs. While VMX and Intel PT do interact,\n" + "VMXOFF and writes to MSR_IA32_RTIT_CTL do not induce faults between one\n" + "another, which is all that matters when panicking.\n" + "\n" + "WARN if nmi_shootdown_cpus() is called a second time with anything other\n" + "than the reboot path's \"nop\" handler, as bailing means the requested\n" + "isn't being invoked. Punt true handling of multiple shootdown callbacks\n" + "until there's an actual use case for doing so (beyond disabling\n" + "virtualization).\n" + "\n" + "Extract the disabling logic to a common helper to deduplicate code, and\n" + "to prepare for doing the shootdown in the emergency reboot path if SVM\n" + "is supported.\n" + "\n" + "Note, prior to commit ed72736183c4 (\"x86/reboot: Force all cpus to exit\n" + "VMX root if VMX is supported), nmi_shootdown_cpus() was subtly protected\n" + "against a second invocation by a cpu_vmx_enabled() check as the kdump\n" + "handler would disable VMX if it ran first.\n" + "\n" + "Fixes: ed72736183c4 (\"x86/reboot: Force all cpus to exit VMX root if VMX is supported)\n" + "Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org\n" + "Reported-by: Guilherme G. 
Piccoli <gpiccoli-wEGTBA9jqPzQT0dZR+AlfA@public.gmane.org>\n" + "Signed-off-by: Sean Christopherson <seanjc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>\n" + "---\n" + " arch/x86/include/asm/reboot.h | 1 +\n" + " arch/x86/kernel/crash.c | 16 +--------------\n" + " arch/x86/kernel/reboot.c | 38 ++++++++++++++++++++++++++++++++---\n" + " 3 files changed, 37 insertions(+), 18 deletions(-)\n" + "\n" + "diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h\n" + "index 04c17be9b5fd..8f2da36435a6 100644\n" + "--- a/arch/x86/include/asm/reboot.h\n" + "+++ b/arch/x86/include/asm/reboot.h\n" + "@@ -25,6 +25,7 @@ void __noreturn machine_real_restart(unsigned int type);\n" + " #define MRR_BIOS\t0\n" + " #define MRR_APM\t\t1\n" + " \n" + "+void cpu_crash_disable_virtualization(void);\n" + " typedef void (*nmi_shootdown_cb)(int, struct pt_regs*);\n" + " void nmi_panic_self_stop(struct pt_regs *regs);\n" + " void nmi_shootdown_cpus(nmi_shootdown_cb callback);\n" + "diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c\n" + "index e8326a8d1c5d..fe0cf83843ba 100644\n" + "--- a/arch/x86/kernel/crash.c\n" + "+++ b/arch/x86/kernel/crash.c\n" + "@@ -81,15 +81,6 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs)\n" + " \t */\n" + " \tcpu_crash_vmclear_loaded_vmcss();\n" + " \n" + "-\t/* Disable VMX or SVM if needed.\n" + "-\t *\n" + "-\t * We need to disable virtualization on all CPUs.\n" + "-\t * Having VMX or SVM enabled on any CPU may break rebooting\n" + "-\t * after the kdump kernel has finished its task.\n" + "-\t */\n" + "-\tcpu_emergency_vmxoff();\n" + "-\tcpu_emergency_svm_disable();\n" + "-\n" + " \t/*\n" + " \t * Disable Intel PT to stop its logging\n" + " \t */\n" + "@@ -148,12 +139,7 @@ void native_machine_crash_shutdown(struct pt_regs *regs)\n" + " \t */\n" + " \tcpu_crash_vmclear_loaded_vmcss();\n" + " \n" + "-\t/* Booting kdump kernel with VMX or SVM enabled won't work,\n" + "-\t * because (among other limitations) we can't disable 
paging\n" + "-\t * with the virt flags.\n" + "-\t */\n" + "-\tcpu_emergency_vmxoff();\n" + "-\tcpu_emergency_svm_disable();\n" + "+\tcpu_crash_disable_virtualization();\n" + " \n" + " \t/*\n" + " \t * Disable Intel PT to stop its logging\n" + "diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c\n" + "index fa700b46588e..f9543a4e9b09 100644\n" + "--- a/arch/x86/kernel/reboot.c\n" + "+++ b/arch/x86/kernel/reboot.c\n" + "@@ -528,9 +528,9 @@ static inline void kb_wait(void)\n" + " \t}\n" + " }\n" + " \n" + "-static void vmxoff_nmi(int cpu, struct pt_regs *regs)\n" + "+static void nmi_shootdown_nop(int cpu, struct pt_regs *regs)\n" + " {\n" + "-\tcpu_emergency_vmxoff();\n" + "+\t/* Nothing to do, the NMI shootdown handler disables virtualization. */\n" + " }\n" + " \n" + " /* Use NMIs as IPIs to tell all CPUs to disable virtualization */\n" + "@@ -554,7 +554,7 @@ static void emergency_vmx_disable_all(void)\n" + " \t\t__cpu_emergency_vmxoff();\n" + " \n" + " \t\t/* Halt and exit VMX root operation on the other CPUs. */\n" + "-\t\tnmi_shootdown_cpus(vmxoff_nmi);\n" + "+\t\tnmi_shootdown_cpus(nmi_shootdown_nop);\n" + " \t}\n" + " }\n" + " \n" + "@@ -802,6 +802,18 @@ static nmi_shootdown_cb shootdown_callback;\n" + " static atomic_t waiting_for_crash_ipi;\n" + " static int crash_ipi_issued;\n" + " \n" + "+void cpu_crash_disable_virtualization(void)\n" + "+{\n" + "+\t/*\n" + "+\t * Disable virtualization, i.e. VMX or SVM, so that INIT is recognized\n" + "+\t * during reboot. VMX blocks INIT if the CPU is post-VMXON, and SVM\n" + "+\t * blocks INIT if GIF=0. 
Note, CLGI #UDs if SVM isn't enabled, so it's\n" + "+\t * easier to just disable SVM unconditionally.\n" + "+\t */\n" + "+\tcpu_emergency_vmxoff();\n" + "+\tcpu_emergency_svm_disable();\n" + "+}\n" + "+\n" + " static int crash_nmi_callback(unsigned int val, struct pt_regs *regs)\n" + " {\n" + " \tint cpu;\n" + "@@ -819,6 +831,12 @@ static int crash_nmi_callback(unsigned int val, struct pt_regs *regs)\n" + " \n" + " \tshootdown_callback(cpu, regs);\n" + " \n" + "+\t/*\n" + "+\t * Prepare the CPU for reboot _after_ invoking the callback so that the\n" + "+\t * callback can safely use virtualization instructions, e.g. VMCLEAR.\n" + "+\t */\n" + "+\tcpu_crash_disable_virtualization();\n" + "+\n" + " \tatomic_dec(&waiting_for_crash_ipi);\n" + " \t/* Assume hlt works */\n" + " \thalt();\n" + "@@ -840,6 +858,20 @@ void nmi_shootdown_cpus(nmi_shootdown_cb callback)\n" + " \tunsigned long msecs;\n" + " \tlocal_irq_disable();\n" + " \n" + "+\t/*\n" + "+\t * Invoking multiple callbacks is not currently supported, registering\n" + "+\t * the NMI handler twice will cause a list_add() double add BUG().\n" + "+\t * The exception is the \"nop\" handler in the emergency reboot path,\n" + "+\t * which can run after e.g. kdump's shootdown. Do nothing if the crash\n" + "+\t * handler has already run, i.e. has already prepared other CPUs, the\n" + "+\t * reboot path doesn't have any work of its to do, it just needs to\n" + "+\t * ensure all CPUs have prepared for reboot.\n" + "+\t */\n" + "+\tif (shootdown_callback) {\n" + "+\t\tWARN_ON_ONCE(callback != nmi_shootdown_nop);\n" + "+\t\treturn;\n" + "+\t}\n" + "+\n" + " \t/* Make a note of crashing cpu. Will be used in NMI callback. 
*/\n" + " \tcrashing_cpu = safe_smp_processor_id();\n" + " \n" + "\n" + "base-commit: 2764011106d0436cb44702cfb0981339d68c3509\n" + "-- \n" + 2.36.0.512.ge40c2bad7a-goog + "\01:3\0" + "fn\00002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch\0" + "b\0" + "From ce4b8fb50962c00a9bb29663e96501e90d68bd8b Mon Sep 17 00:00:00 2001\n" + "From: Sean Christopherson <seanjc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>\n" + "Date: Mon, 9 May 2022 08:28:14 -0700\n" + "Subject: [PATCH 2/2] x86/reboot: Disable virtualization in an emergency if SVM\n" + " is supported\n" + "\n" + "Disable SVM on all CPUs via NMI shootdown during an emergency reboot.\n" + "Like VMX, SVM can block INIT and thus prevent bringing up other CPUs via\n" + "INIT-SIPI-SIPI.\n" + "\n" + "Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org\n" + "Signed-off-by: Sean Christopherson <seanjc-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>\n" + "---\n" + " arch/x86/kernel/reboot.c | 26 ++++++++++++++------------\n" + " 1 file changed, 14 insertions(+), 12 deletions(-)\n" + "\n" + "diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c\n" + "index f9543a4e9b09..33c1f4883b27 100644\n" + "--- a/arch/x86/kernel/reboot.c\n" + "+++ b/arch/x86/kernel/reboot.c\n" + "@@ -533,27 +533,29 @@ static void nmi_shootdown_nop(int cpu, struct pt_regs *regs)\n" + " \t/* Nothing to do, the NMI shootdown handler disables virtualization. 
*/\n" + " }\n" + " \n" + "-/* Use NMIs as IPIs to tell all CPUs to disable virtualization */\n" + "-static void emergency_vmx_disable_all(void)\n" + "+static void emergency_reboot_disable_virtualization(void)\n" + " {\n" + " \t/* Just make sure we won't change CPUs while doing this */\n" + " \tlocal_irq_disable();\n" + " \n" + " \t/*\n" + "-\t * Disable VMX on all CPUs before rebooting, otherwise we risk hanging\n" + "-\t * the machine, because the CPU blocks INIT when it's in VMX root.\n" + "+\t * Disable virtualization on all CPUs before rebooting to avoid hanging\n" + "+\t * the system, as VMX and SVM block INIT when running in the host\n" + " \t *\n" + " \t * We can't take any locks and we may be on an inconsistent state, so\n" + "-\t * use NMIs as IPIs to tell the other CPUs to exit VMX root and halt.\n" + "+\t * use NMIs as IPIs to tell the other CPUs to disable VMX/SVM and halt.\n" + " \t *\n" + "-\t * Do the NMI shootdown even if VMX if off on _this_ CPU, as that\n" + "-\t * doesn't prevent a different CPU from being in VMX root operation.\n" + "+\t * Do the NMI shootdown even if virtualization is off on _this_ CPU, as\n" + "+\t * other CPUs may have virtualization enabled.\n" + " \t */\n" + "-\tif (cpu_has_vmx()) {\n" + "-\t\t/* Safely force _this_ CPU out of VMX root operation. */\n" + "-\t\t__cpu_emergency_vmxoff();\n" + "+\tif (cpu_has_vmx() || cpu_has_svm(NULL)) {\n" + "+\t\t/* Safely force _this_ CPU out of VMX/SVM operation. */\n" + "+\t\tif (cpu_has_vmx())\n" + "+\t\t\t__cpu_emergency_vmxoff();\n" + "+\t\telse\n" + "+\t\t\tcpu_emergency_svm_disable();\n" + " \n" + "-\t\t/* Halt and exit VMX root operation on the other CPUs. */\n" + "+\t\t/* Disable VMX/SVM and halt on other CPUs. 
*/\n" + " \t\tnmi_shootdown_cpus(nmi_shootdown_nop);\n" + " \t}\n" + " }\n" + "@@ -590,7 +592,7 @@ static void native_machine_emergency_restart(void)\n" + " \tunsigned short mode;\n" + " \n" + " \tif (reboot_emergency)\n" + "-\t\temergency_vmx_disable_all();\n" + "+\t\temergency_reboot_disable_virtualization();\n" + " \n" + " \ttboot_shutdown(TB_SHUTDOWN_REBOOT);\n" + " \n" + "-- \n" + 2.36.0.512.ge40c2bad7a-goog -3be9201c695e4da7cfca208c981473813e543ff3a9120ce19aba847befe8a493 +1aae2f1845de36a34b6901e81ac337ea9cab5cebbd792c2a999f035747a30fde
diff --git a/a/1.txt b/N2/1.txt index 20134bc..c34f04c 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -142,18 +142,4 @@ official mini series. > > -- > 2.36.0 -> --------------- next part -------------- -A non-text attachment was scrubbed... -Name: 0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch -Type: text/x-diff -Size: 6626 bytes -Desc: not available -URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0002.bin> --------------- next part -------------- -A non-text attachment was scrubbed... -Name: 0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch -Type: text/x-diff -Size: 2721 bytes -Desc: not available -URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0003.bin> +> diff --git a/N2/2.hdr b/N2/2.hdr new file mode 100644 index 0000000..3482a00 --- /dev/null +++ b/N2/2.hdr @@ -0,0 +1,3 @@ +Content-Type: text/x-diff; charset=us-ascii +Content-Disposition: attachment; + filename="0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch" diff --git a/N2/2.txt b/N2/2.txt new file mode 100644 index 0000000..e74f6a2 --- /dev/null +++ b/N2/2.txt 
@@ -0,0 +1,176 @@ +From 8a4573b7cf3a3e49b409ba3a504934de181c259d Mon Sep 17 00:00:00 2001 +From: Sean Christopherson <seanjc@google.com> +Date: Mon, 9 May 2022 07:36:34 -0700 +Subject: [PATCH 1/2] x86/crash: Disable virt in core NMI crash handler to + avoid double list_add + +Disable virtualization in crash_nmi_callback() and skip the requested NMI +shootdown if a shootdown has already occurred, i.e. a callback has been +registered. The NMI crash shootdown path doesn't play nice with multiple +invocations, e.g. attempting to register the NMI handler multiple times +will trigger a double list_add() and hang the sytem (in addition to +multiple other issues). If "crash_kexec_post_notifiers" is specified on +the kernel command line, panic() will invoke crash_smp_send_stop() and +result in a second call to nmi_shootdown_cpus() during +native_machine_emergency_restart(). + +Invoke the callback _before_ disabling virtualization, as the current +VMCS needs to be cleared before doing VMXOFF. Note, this results in a +subtle change in ordering between disabling virtualization and stopping +Intel PT on the responding CPUs. While VMX and Intel PT do interact, +VMXOFF and writes to MSR_IA32_RTIT_CTL do not induce faults between one +another, which is all that matters when panicking. + +WARN if nmi_shootdown_cpus() is called a second time with anything other +than the reboot path's "nop" handler, as bailing means the requested +isn't being invoked. Punt true handling of multiple shootdown callbacks +until there's an actual use case for doing so (beyond disabling +virtualization). + +Extract the disabling logic to a common helper to deduplicate code, and +to prepare for doing the shootdown in the emergency reboot path if SVM +is supported. 
+ +Note, prior to commit ed72736183c4 ("x86/reboot: Force all cpus to exit +VMX root if VMX is supported), nmi_shootdown_cpus() was subtly protected +against a second invocation by a cpu_vmx_enabled() check as the kdump +handler would disable VMX if it ran first. + +Fixes: ed72736183c4 ("x86/reboot: Force all cpus to exit VMX root if VMX is supported) +Cc: stable@vger.kernel.org +Reported-by: Guilherme G. Piccoli <gpiccoli@igalia.com> +Signed-off-by: Sean Christopherson <seanjc@google.com> +--- + arch/x86/include/asm/reboot.h | 1 + + arch/x86/kernel/crash.c | 16 +-------------- + arch/x86/kernel/reboot.c | 38 ++++++++++++++++++++++++++++++++--- + 3 files changed, 37 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h +index 04c17be9b5fd..8f2da36435a6 100644 +--- a/arch/x86/include/asm/reboot.h ++++ b/arch/x86/include/asm/reboot.h +@@ -25,6 +25,7 @@ void __noreturn machine_real_restart(unsigned int type); + #define MRR_BIOS 0 + #define MRR_APM 1 + ++void cpu_crash_disable_virtualization(void); + typedef void (*nmi_shootdown_cb)(int, struct pt_regs*); + void nmi_panic_self_stop(struct pt_regs *regs); + void nmi_shootdown_cpus(nmi_shootdown_cb callback); +diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c +index e8326a8d1c5d..fe0cf83843ba 100644 +--- a/arch/x86/kernel/crash.c ++++ b/arch/x86/kernel/crash.c +@@ -81,15 +81,6 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs) + */ + cpu_crash_vmclear_loaded_vmcss(); + +- /* Disable VMX or SVM if needed. +- * +- * We need to disable virtualization on all CPUs. +- * Having VMX or SVM enabled on any CPU may break rebooting +- * after the kdump kernel has finished its task. 
+- */ +- cpu_emergency_vmxoff(); +- cpu_emergency_svm_disable(); +- + /* + * Disable Intel PT to stop its logging + */ +@@ -148,12 +139,7 @@ void native_machine_crash_shutdown(struct pt_regs *regs) + */ + cpu_crash_vmclear_loaded_vmcss(); + +- /* Booting kdump kernel with VMX or SVM enabled won't work, +- * because (among other limitations) we can't disable paging +- * with the virt flags. +- */ +- cpu_emergency_vmxoff(); +- cpu_emergency_svm_disable(); ++ cpu_crash_disable_virtualization(); + + /* + * Disable Intel PT to stop its logging +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index fa700b46588e..f9543a4e9b09 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -528,9 +528,9 @@ static inline void kb_wait(void) + } + } + +-static void vmxoff_nmi(int cpu, struct pt_regs *regs) ++static void nmi_shootdown_nop(int cpu, struct pt_regs *regs) + { +- cpu_emergency_vmxoff(); ++ /* Nothing to do, the NMI shootdown handler disables virtualization. */ + } + + /* Use NMIs as IPIs to tell all CPUs to disable virtualization */ +@@ -554,7 +554,7 @@ static void emergency_vmx_disable_all(void) + __cpu_emergency_vmxoff(); + + /* Halt and exit VMX root operation on the other CPUs. */ +- nmi_shootdown_cpus(vmxoff_nmi); ++ nmi_shootdown_cpus(nmi_shootdown_nop); + } + } + +@@ -802,6 +802,18 @@ static nmi_shootdown_cb shootdown_callback; + static atomic_t waiting_for_crash_ipi; + static int crash_ipi_issued; + ++void cpu_crash_disable_virtualization(void) ++{ ++ /* ++ * Disable virtualization, i.e. VMX or SVM, so that INIT is recognized ++ * during reboot. VMX blocks INIT if the CPU is post-VMXON, and SVM ++ * blocks INIT if GIF=0. Note, CLGI #UDs if SVM isn't enabled, so it's ++ * easier to just disable SVM unconditionally. 
++ */ ++ cpu_emergency_vmxoff(); ++ cpu_emergency_svm_disable(); ++} ++ + static int crash_nmi_callback(unsigned int val, struct pt_regs *regs) + { + int cpu; +@@ -819,6 +831,12 @@ static int crash_nmi_callback(unsigned int val, struct pt_regs *regs) + + shootdown_callback(cpu, regs); + ++ /* ++ * Prepare the CPU for reboot _after_ invoking the callback so that the ++ * callback can safely use virtualization instructions, e.g. VMCLEAR. ++ */ ++ cpu_crash_disable_virtualization(); ++ + atomic_dec(&waiting_for_crash_ipi); + /* Assume hlt works */ + halt(); +@@ -840,6 +858,20 @@ void nmi_shootdown_cpus(nmi_shootdown_cb callback) + unsigned long msecs; + local_irq_disable(); + ++ /* ++ * Invoking multiple callbacks is not currently supported, registering ++ * the NMI handler twice will cause a list_add() double add BUG(). ++ * The exception is the "nop" handler in the emergency reboot path, ++ * which can run after e.g. kdump's shootdown. Do nothing if the crash ++ * handler has already run, i.e. has already prepared other CPUs, the ++ * reboot path doesn't have any work of its to do, it just needs to ++ * ensure all CPUs have prepared for reboot. ++ */ ++ if (shootdown_callback) { ++ WARN_ON_ONCE(callback != nmi_shootdown_nop); ++ return; ++ } ++ + /* Make a note of crashing cpu. Will be used in NMI callback. */ + crashing_cpu = safe_smp_processor_id(); + + +base-commit: 2764011106d0436cb44702cfb0981339d68c3509 +-- +2.36.0.512.ge40c2bad7a-goog diff --git a/N2/3.hdr b/N2/3.hdr new file mode 100644 index 0000000..88c74d8 --- /dev/null +++ b/N2/3.hdr @@ -0,0 +1,3 @@ +Content-Type: text/x-diff; charset=us-ascii +Content-Disposition: attachment; + filename="0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch" diff --git a/N2/3.txt b/N2/3.txt new file mode 100644 index 0000000..688b135 --- /dev/null +++ b/N2/3.txt 
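Review bot: In the `reboot.c` hunk at `@@ -802,6 +802,18 @@`, `cpu_crash_disable_virtualization()` is defined directly after the `shootdown_callback`, `waiting_for_crash_ipi` and `crash_ipi_issued` statics, yet `native_machine_crash_shutdown()` in `crash.c` now calls it on the crashing CPU. If those statics sit inside a `CONFIG_SMP`-only region (the guard is not visible in the hunk), a uniprocessor kdump build would be left without a definition, so the helper probably belongs above that region. In the `nmi_shootdown_cpus()` hunk, the new early return drops any non-nop callback with nothing more than a `WARN_ON_ONCE`, which the comment should state outright; its wording also needs a fix, `the reboot path doesn't have any work of its own to do`. Both function bodies continue outside their hunks. The same patch text is repeated in the `content_digest` hunk and in the N3 copy further down.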
@@ -0,0 +1,72 @@ +From ce4b8fb50962c00a9bb29663e96501e90d68bd8b Mon Sep 17 00:00:00 2001 +From: Sean Christopherson <seanjc@google.com> +Date: Mon, 9 May 2022 08:28:14 -0700 +Subject: [PATCH 2/2] x86/reboot: Disable virtualization in an emergency if SVM + is supported + +Disable SVM on all CPUs via NMI shootdown during an emergency reboot. +Like VMX, SVM can block INIT and thus prevent bringing up other CPUs via +INIT-SIPI-SIPI. + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson <seanjc@google.com> +--- + arch/x86/kernel/reboot.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index f9543a4e9b09..33c1f4883b27 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -533,27 +533,29 @@ static void nmi_shootdown_nop(int cpu, struct pt_regs *regs) + /* Nothing to do, the NMI shootdown handler disables virtualization. */ + } + +-/* Use NMIs as IPIs to tell all CPUs to disable virtualization */ +-static void emergency_vmx_disable_all(void) ++static void emergency_reboot_disable_virtualization(void) + { + /* Just make sure we won't change CPUs while doing this */ + local_irq_disable(); + + /* +- * Disable VMX on all CPUs before rebooting, otherwise we risk hanging +- * the machine, because the CPU blocks INIT when it's in VMX root. ++ * Disable virtualization on all CPUs before rebooting to avoid hanging ++ * the system, as VMX and SVM block INIT when running in the host + * + * We can't take any locks and we may be on an inconsistent state, so +- * use NMIs as IPIs to tell the other CPUs to exit VMX root and halt. ++ * use NMIs as IPIs to tell the other CPUs to disable VMX/SVM and halt. + * +- * Do the NMI shootdown even if VMX if off on _this_ CPU, as that +- * doesn't prevent a different CPU from being in VMX root operation. 
++ * Do the NMI shootdown even if virtualization is off on _this_ CPU, as ++ * other CPUs may have virtualization enabled. + */ +- if (cpu_has_vmx()) { +- /* Safely force _this_ CPU out of VMX root operation. */ +- __cpu_emergency_vmxoff(); ++ if (cpu_has_vmx() || cpu_has_svm(NULL)) { ++ /* Safely force _this_ CPU out of VMX/SVM operation. */ ++ if (cpu_has_vmx()) ++ __cpu_emergency_vmxoff(); ++ else ++ cpu_emergency_svm_disable(); + +- /* Halt and exit VMX root operation on the other CPUs. */ ++ /* Disable VMX/SVM and halt on other CPUs. */ + nmi_shootdown_cpus(nmi_shootdown_nop); + } + } +@@ -590,7 +592,7 @@ static void native_machine_emergency_restart(void) + unsigned short mode; + + if (reboot_emergency) +- emergency_vmx_disable_all(); ++ emergency_reboot_disable_virtualization(); + + tboot_shutdown(TB_SHUTDOWN_REBOOT); + +-- +2.36.0.512.ge40c2bad7a-goog diff --git a/a/content_digest b/N2/content_digest index ec71d3d..a3113ec 100644 --- a/a/content_digest +++ b/N2/content_digest 
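Review bot: The nested `if (cpu_has_vmx()) … else …` in `emergency_reboot_disable_virtualization()` re-tests `cpu_has_vmx()` right after the outer condition and duplicates what patch 1/2 factored into a helper. Assuming `cpu_emergency_vmxoff()` and `cpu_emergency_svm_disable()` do nothing on a CPU without the feature (patch 1/2 already calls both unconditionally), the four lines could become `cpu_crash_disable_virtualization();`. The one-line header comment above the function is dropped although it still describes what the function does, so I would keep `/* Use NMIs as IPIs to tell all CPUs to disable virtualization */`. The first sentence of the block comment also lost its final period after `running in the host`. The same patch text is repeated in the `content_digest` hunk and in the N3 copy.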
@@ -1,10 +1,70 @@ "ref\020220427224924.592546-1-gpiccoli@igalia.com\0" "ref\020220427224924.592546-2-gpiccoli@igalia.com\0" "From\0Sean Christopherson <seanjc@google.com>\0" - "Subject\0[PATCH 01/30] x86/crash,reboot: Avoid re-disabling VMX in all CPUs on crash/restart\0" + "Subject\0Re: [PATCH 01/30] x86/crash,reboot: Avoid re-disabling VMX in all CPUs on crash/restart\0" "Date\0Mon, 9 May 2022 15:52:49 +0000\0" - "To\0kexec@lists.infradead.org\0" - "\00:1\0" + "To\0Guilherme G. Piccoli <gpiccoli@igalia.com>\0" + "Cc\0akpm@linux-foundation.org" + bhe@redhat.com + pmladek@suse.com + kexec@lists.infradead.org + linux-kernel@vger.kernel.org + bcm-kernel-feedback-list@broadcom.com + coresight@lists.linaro.org + linuxppc-dev@lists.ozlabs.org + linux-alpha@vger.kernel.org + linux-arm-kernel@lists.infradead.org + linux-edac@vger.kernel.org + linux-hyperv@vger.kernel.org + linux-leds@vger.kernel.org + linux-mips@vger.kernel.org + linux-parisc@vger.kernel.org + linux-pm@vger.kernel.org + linux-remoteproc@vger.kernel.org + linux-s390@vger.kernel.org + linux-tegra@vger.kernel.org + linux-um@lists.infradead.org + linux-xtensa@linux-xtensa.org + netdev@vger.kernel.org + openipmi-developer@lists.sourceforge.net + rcu@vger.kernel.org + sparclinux@vger.kernel.org + xen-devel@lists.xenproject.org + x86@kernel.org + kernel-dev@igalia.com + kernel@gpiccoli.net + halves@canonical.com + fabiomirmar@gmail.com + alejandro.j.jimenez@oracle.com + andriy.shevchenko@linux.intel.com + arnd@arndb.de + bp@alien8.de + corbet@lwn.net + d.hatayama@jp.fujitsu.com + dave.hansen@linux.intel.com + dyoung@redhat.com + feng.tang@intel.com + gregkh@linuxfoundation.org + mikelley@microsoft.com + hidehiro.kawai.ez@hitachi.com + jgross@suse.com + john.ogness@linutronix.de + keescook@chromium.org + luto@kernel.org + mhiramat@kernel.org + mingo@redhat.com + paulmck@kernel.org + peterz@infradead.org + rostedt@goodmis.org + senozhatsky@chromium.org + stern@rowland.harvard.edu + tglx@linutronix.de + 
vgoyal@redhat.com + vkuznets@redhat.com + will@kernel.org + David P . Reed <dpreed@deepplum.com> + " Paolo Bonzini <pbonzini@redhat.com>\0" + "\01:1\0" "b\0" "I find the shortlog to be very confusing, the bug has nothing to do with disabling\n" "VMX and I distinctly remember wrapping VMXOFF with exception fixup to prevent doom\n" 
@@ -150,20 +210,260 @@ "> \n" "> -- \n" "> 2.36.0\n" - "> \n" - "-------------- next part --------------\n" - "A non-text attachment was scrubbed...\n" - "Name: 0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch\n" - "Type: text/x-diff\n" - "Size: 6626 bytes\n" - "Desc: not available\n" - "URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0002.bin>\n" - "-------------- next part --------------\n" - "A non-text attachment was scrubbed...\n" - "Name: 0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch\n" - "Type: text/x-diff\n" - "Size: 2721 bytes\n" - "Desc: not available\n" - URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0003.bin> + > + "\01:2\0" + "fn\00001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch\0" + "b\0" + "From 8a4573b7cf3a3e49b409ba3a504934de181c259d Mon Sep 17 00:00:00 2001\n" + "From: Sean Christopherson <seanjc@google.com>\n" + "Date: Mon, 9 May 2022 07:36:34 -0700\n" + "Subject: [PATCH 1/2] x86/crash: Disable virt in core NMI crash handler to\n" + " avoid double list_add\n" + "\n" + "Disable virtualization in crash_nmi_callback() and skip the requested NMI\n" + "shootdown if a shootdown has already occurred, i.e. a callback has been\n" + "registered. The NMI crash shootdown path doesn't play nice with multiple\n" + "invocations, e.g. attempting to register the NMI handler multiple times\n" + "will trigger a double list_add() and hang the sytem (in addition to\n" + "multiple other issues). If \"crash_kexec_post_notifiers\" is specified on\n" + "the kernel command line, panic() will invoke crash_smp_send_stop() and\n" + "result in a second call to nmi_shootdown_cpus() during\n" + "native_machine_emergency_restart().\n" + "\n" + "Invoke the callback _before_ disabling virtualization, as the current\n" + "VMCS needs to be cleared before doing VMXOFF. 
Note, this results in a\n" + "subtle change in ordering between disabling virtualization and stopping\n" + "Intel PT on the responding CPUs. While VMX and Intel PT do interact,\n" + "VMXOFF and writes to MSR_IA32_RTIT_CTL do not induce faults between one\n" + "another, which is all that matters when panicking.\n" + "\n" + "WARN if nmi_shootdown_cpus() is called a second time with anything other\n" + "than the reboot path's \"nop\" handler, as bailing means the requested\n" + "isn't being invoked. Punt true handling of multiple shootdown callbacks\n" + "until there's an actual use case for doing so (beyond disabling\n" + "virtualization).\n" + "\n" + "Extract the disabling logic to a common helper to deduplicate code, and\n" + "to prepare for doing the shootdown in the emergency reboot path if SVM\n" + "is supported.\n" + "\n" + "Note, prior to commit ed72736183c4 (\"x86/reboot: Force all cpus to exit\n" + "VMX root if VMX is supported), nmi_shootdown_cpus() was subtly protected\n" + "against a second invocation by a cpu_vmx_enabled() check as the kdump\n" + "handler would disable VMX if it ran first.\n" + "\n" + "Fixes: ed72736183c4 (\"x86/reboot: Force all cpus to exit VMX root if VMX is supported)\n" + "Cc: stable@vger.kernel.org\n" + "Reported-by: Guilherme G. 
Piccoli <gpiccoli@igalia.com>\n" + "Signed-off-by: Sean Christopherson <seanjc@google.com>\n" + "---\n" + " arch/x86/include/asm/reboot.h | 1 +\n" + " arch/x86/kernel/crash.c | 16 +--------------\n" + " arch/x86/kernel/reboot.c | 38 ++++++++++++++++++++++++++++++++---\n" + " 3 files changed, 37 insertions(+), 18 deletions(-)\n" + "\n" + "diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h\n" + "index 04c17be9b5fd..8f2da36435a6 100644\n" + "--- a/arch/x86/include/asm/reboot.h\n" + "+++ b/arch/x86/include/asm/reboot.h\n" + "@@ -25,6 +25,7 @@ void __noreturn machine_real_restart(unsigned int type);\n" + " #define MRR_BIOS\t0\n" + " #define MRR_APM\t\t1\n" + " \n" + "+void cpu_crash_disable_virtualization(void);\n" + " typedef void (*nmi_shootdown_cb)(int, struct pt_regs*);\n" + " void nmi_panic_self_stop(struct pt_regs *regs);\n" + " void nmi_shootdown_cpus(nmi_shootdown_cb callback);\n" + "diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c\n" + "index e8326a8d1c5d..fe0cf83843ba 100644\n" + "--- a/arch/x86/kernel/crash.c\n" + "+++ b/arch/x86/kernel/crash.c\n" + "@@ -81,15 +81,6 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs)\n" + " \t */\n" + " \tcpu_crash_vmclear_loaded_vmcss();\n" + " \n" + "-\t/* Disable VMX or SVM if needed.\n" + "-\t *\n" + "-\t * We need to disable virtualization on all CPUs.\n" + "-\t * Having VMX or SVM enabled on any CPU may break rebooting\n" + "-\t * after the kdump kernel has finished its task.\n" + "-\t */\n" + "-\tcpu_emergency_vmxoff();\n" + "-\tcpu_emergency_svm_disable();\n" + "-\n" + " \t/*\n" + " \t * Disable Intel PT to stop its logging\n" + " \t */\n" + "@@ -148,12 +139,7 @@ void native_machine_crash_shutdown(struct pt_regs *regs)\n" + " \t */\n" + " \tcpu_crash_vmclear_loaded_vmcss();\n" + " \n" + "-\t/* Booting kdump kernel with VMX or SVM enabled won't work,\n" + "-\t * because (among other limitations) we can't disable paging\n" + "-\t * with the virt flags.\n" + "-\t */\n" + 
"-\tcpu_emergency_vmxoff();\n" + "-\tcpu_emergency_svm_disable();\n" + "+\tcpu_crash_disable_virtualization();\n" + " \n" + " \t/*\n" + " \t * Disable Intel PT to stop its logging\n" + "diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c\n" + "index fa700b46588e..f9543a4e9b09 100644\n" + "--- a/arch/x86/kernel/reboot.c\n" + "+++ b/arch/x86/kernel/reboot.c\n" + "@@ -528,9 +528,9 @@ static inline void kb_wait(void)\n" + " \t}\n" + " }\n" + " \n" + "-static void vmxoff_nmi(int cpu, struct pt_regs *regs)\n" + "+static void nmi_shootdown_nop(int cpu, struct pt_regs *regs)\n" + " {\n" + "-\tcpu_emergency_vmxoff();\n" + "+\t/* Nothing to do, the NMI shootdown handler disables virtualization. */\n" + " }\n" + " \n" + " /* Use NMIs as IPIs to tell all CPUs to disable virtualization */\n" + "@@ -554,7 +554,7 @@ static void emergency_vmx_disable_all(void)\n" + " \t\t__cpu_emergency_vmxoff();\n" + " \n" + " \t\t/* Halt and exit VMX root operation on the other CPUs. */\n" + "-\t\tnmi_shootdown_cpus(vmxoff_nmi);\n" + "+\t\tnmi_shootdown_cpus(nmi_shootdown_nop);\n" + " \t}\n" + " }\n" + " \n" + "@@ -802,6 +802,18 @@ static nmi_shootdown_cb shootdown_callback;\n" + " static atomic_t waiting_for_crash_ipi;\n" + " static int crash_ipi_issued;\n" + " \n" + "+void cpu_crash_disable_virtualization(void)\n" + "+{\n" + "+\t/*\n" + "+\t * Disable virtualization, i.e. VMX or SVM, so that INIT is recognized\n" + "+\t * during reboot. VMX blocks INIT if the CPU is post-VMXON, and SVM\n" + "+\t * blocks INIT if GIF=0. 
Note, CLGI #UDs if SVM isn't enabled, so it's\n" + "+\t * easier to just disable SVM unconditionally.\n" + "+\t */\n" + "+\tcpu_emergency_vmxoff();\n" + "+\tcpu_emergency_svm_disable();\n" + "+}\n" + "+\n" + " static int crash_nmi_callback(unsigned int val, struct pt_regs *regs)\n" + " {\n" + " \tint cpu;\n" + "@@ -819,6 +831,12 @@ static int crash_nmi_callback(unsigned int val, struct pt_regs *regs)\n" + " \n" + " \tshootdown_callback(cpu, regs);\n" + " \n" + "+\t/*\n" + "+\t * Prepare the CPU for reboot _after_ invoking the callback so that the\n" + "+\t * callback can safely use virtualization instructions, e.g. VMCLEAR.\n" + "+\t */\n" + "+\tcpu_crash_disable_virtualization();\n" + "+\n" + " \tatomic_dec(&waiting_for_crash_ipi);\n" + " \t/* Assume hlt works */\n" + " \thalt();\n" + "@@ -840,6 +858,20 @@ void nmi_shootdown_cpus(nmi_shootdown_cb callback)\n" + " \tunsigned long msecs;\n" + " \tlocal_irq_disable();\n" + " \n" + "+\t/*\n" + "+\t * Invoking multiple callbacks is not currently supported, registering\n" + "+\t * the NMI handler twice will cause a list_add() double add BUG().\n" + "+\t * The exception is the \"nop\" handler in the emergency reboot path,\n" + "+\t * which can run after e.g. kdump's shootdown. Do nothing if the crash\n" + "+\t * handler has already run, i.e. has already prepared other CPUs, the\n" + "+\t * reboot path doesn't have any work of its to do, it just needs to\n" + "+\t * ensure all CPUs have prepared for reboot.\n" + "+\t */\n" + "+\tif (shootdown_callback) {\n" + "+\t\tWARN_ON_ONCE(callback != nmi_shootdown_nop);\n" + "+\t\treturn;\n" + "+\t}\n" + "+\n" + " \t/* Make a note of crashing cpu. Will be used in NMI callback. 
*/\n" + " \tcrashing_cpu = safe_smp_processor_id();\n" + " \n" + "\n" + "base-commit: 2764011106d0436cb44702cfb0981339d68c3509\n" + "-- \n" + 2.36.0.512.ge40c2bad7a-goog + "\01:3\0" + "fn\00002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch\0" + "b\0" + "From ce4b8fb50962c00a9bb29663e96501e90d68bd8b Mon Sep 17 00:00:00 2001\n" + "From: Sean Christopherson <seanjc@google.com>\n" + "Date: Mon, 9 May 2022 08:28:14 -0700\n" + "Subject: [PATCH 2/2] x86/reboot: Disable virtualization in an emergency if SVM\n" + " is supported\n" + "\n" + "Disable SVM on all CPUs via NMI shootdown during an emergency reboot.\n" + "Like VMX, SVM can block INIT and thus prevent bringing up other CPUs via\n" + "INIT-SIPI-SIPI.\n" + "\n" + "Cc: stable@vger.kernel.org\n" + "Signed-off-by: Sean Christopherson <seanjc@google.com>\n" + "---\n" + " arch/x86/kernel/reboot.c | 26 ++++++++++++++------------\n" + " 1 file changed, 14 insertions(+), 12 deletions(-)\n" + "\n" + "diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c\n" + "index f9543a4e9b09..33c1f4883b27 100644\n" + "--- a/arch/x86/kernel/reboot.c\n" + "+++ b/arch/x86/kernel/reboot.c\n" + "@@ -533,27 +533,29 @@ static void nmi_shootdown_nop(int cpu, struct pt_regs *regs)\n" + " \t/* Nothing to do, the NMI shootdown handler disables virtualization. 
*/\n" + " }\n" + " \n" + "-/* Use NMIs as IPIs to tell all CPUs to disable virtualization */\n" + "-static void emergency_vmx_disable_all(void)\n" + "+static void emergency_reboot_disable_virtualization(void)\n" + " {\n" + " \t/* Just make sure we won't change CPUs while doing this */\n" + " \tlocal_irq_disable();\n" + " \n" + " \t/*\n" + "-\t * Disable VMX on all CPUs before rebooting, otherwise we risk hanging\n" + "-\t * the machine, because the CPU blocks INIT when it's in VMX root.\n" + "+\t * Disable virtualization on all CPUs before rebooting to avoid hanging\n" + "+\t * the system, as VMX and SVM block INIT when running in the host\n" + " \t *\n" + " \t * We can't take any locks and we may be on an inconsistent state, so\n" + "-\t * use NMIs as IPIs to tell the other CPUs to exit VMX root and halt.\n" + "+\t * use NMIs as IPIs to tell the other CPUs to disable VMX/SVM and halt.\n" + " \t *\n" + "-\t * Do the NMI shootdown even if VMX if off on _this_ CPU, as that\n" + "-\t * doesn't prevent a different CPU from being in VMX root operation.\n" + "+\t * Do the NMI shootdown even if virtualization is off on _this_ CPU, as\n" + "+\t * other CPUs may have virtualization enabled.\n" + " \t */\n" + "-\tif (cpu_has_vmx()) {\n" + "-\t\t/* Safely force _this_ CPU out of VMX root operation. */\n" + "-\t\t__cpu_emergency_vmxoff();\n" + "+\tif (cpu_has_vmx() || cpu_has_svm(NULL)) {\n" + "+\t\t/* Safely force _this_ CPU out of VMX/SVM operation. */\n" + "+\t\tif (cpu_has_vmx())\n" + "+\t\t\t__cpu_emergency_vmxoff();\n" + "+\t\telse\n" + "+\t\t\tcpu_emergency_svm_disable();\n" + " \n" + "-\t\t/* Halt and exit VMX root operation on the other CPUs. */\n" + "+\t\t/* Disable VMX/SVM and halt on other CPUs. 
*/\n" + " \t\tnmi_shootdown_cpus(nmi_shootdown_nop);\n" + " \t}\n" + " }\n" + "@@ -590,7 +592,7 @@ static void native_machine_emergency_restart(void)\n" + " \tunsigned short mode;\n" + " \n" + " \tif (reboot_emergency)\n" + "-\t\temergency_vmx_disable_all();\n" + "+\t\temergency_reboot_disable_virtualization();\n" + " \n" + " \ttboot_shutdown(TB_SHUTDOWN_REBOOT);\n" + " \n" + "-- \n" + 2.36.0.512.ge40c2bad7a-goog -3be9201c695e4da7cfca208c981473813e543ff3a9120ce19aba847befe8a493 +a6a9e40794703b8011962d999dd7df619b7303378979eb2ea04e0d7294044c02
diff --git a/a/1.txt b/N3/1.txt index 20134bc..c34f04c 100644 --- a/a/1.txt +++ b/N3/1.txt @@ -142,18 +142,4 @@ official mini series. > > -- > 2.36.0 -> --------------- next part -------------- -A non-text attachment was scrubbed... -Name: 0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch -Type: text/x-diff -Size: 6626 bytes -Desc: not available -URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0002.bin> --------------- next part -------------- -A non-text attachment was scrubbed... -Name: 0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch -Type: text/x-diff -Size: 2721 bytes -Desc: not available -URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0003.bin> +> diff --git a/N3/2.hdr b/N3/2.hdr new file mode 100644 index 0000000..3482a00 --- /dev/null +++ b/N3/2.hdr @@ -0,0 +1,3 @@ +Content-Type: text/x-diff; charset=us-ascii +Content-Disposition: attachment; + filename="0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch" diff --git a/N3/2.txt b/N3/2.txt new file mode 100644 index 0000000..e74f6a2 --- /dev/null +++ b/N3/2.txt 
@@ -0,0 +1,176 @@ +From 8a4573b7cf3a3e49b409ba3a504934de181c259d Mon Sep 17 00:00:00 2001 +From: Sean Christopherson <seanjc@google.com> +Date: Mon, 9 May 2022 07:36:34 -0700 +Subject: [PATCH 1/2] x86/crash: Disable virt in core NMI crash handler to + avoid double list_add + +Disable virtualization in crash_nmi_callback() and skip the requested NMI +shootdown if a shootdown has already occurred, i.e. a callback has been +registered. The NMI crash shootdown path doesn't play nice with multiple +invocations, e.g. attempting to register the NMI handler multiple times +will trigger a double list_add() and hang the sytem (in addition to +multiple other issues). If "crash_kexec_post_notifiers" is specified on +the kernel command line, panic() will invoke crash_smp_send_stop() and +result in a second call to nmi_shootdown_cpus() during +native_machine_emergency_restart(). + +Invoke the callback _before_ disabling virtualization, as the current +VMCS needs to be cleared before doing VMXOFF. Note, this results in a +subtle change in ordering between disabling virtualization and stopping +Intel PT on the responding CPUs. While VMX and Intel PT do interact, +VMXOFF and writes to MSR_IA32_RTIT_CTL do not induce faults between one +another, which is all that matters when panicking. + +WARN if nmi_shootdown_cpus() is called a second time with anything other +than the reboot path's "nop" handler, as bailing means the requested +isn't being invoked. Punt true handling of multiple shootdown callbacks +until there's an actual use case for doing so (beyond disabling +virtualization). + +Extract the disabling logic to a common helper to deduplicate code, and +to prepare for doing the shootdown in the emergency reboot path if SVM +is supported. 
+ +Note, prior to commit ed72736183c4 ("x86/reboot: Force all cpus to exit +VMX root if VMX is supported), nmi_shootdown_cpus() was subtly protected +against a second invocation by a cpu_vmx_enabled() check as the kdump +handler would disable VMX if it ran first. + +Fixes: ed72736183c4 ("x86/reboot: Force all cpus to exit VMX root if VMX is supported) +Cc: stable@vger.kernel.org +Reported-by: Guilherme G. Piccoli <gpiccoli@igalia.com> +Signed-off-by: Sean Christopherson <seanjc@google.com> +--- + arch/x86/include/asm/reboot.h | 1 + + arch/x86/kernel/crash.c | 16 +-------------- + arch/x86/kernel/reboot.c | 38 ++++++++++++++++++++++++++++++++--- + 3 files changed, 37 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h +index 04c17be9b5fd..8f2da36435a6 100644 +--- a/arch/x86/include/asm/reboot.h ++++ b/arch/x86/include/asm/reboot.h +@@ -25,6 +25,7 @@ void __noreturn machine_real_restart(unsigned int type); + #define MRR_BIOS 0 + #define MRR_APM 1 + ++void cpu_crash_disable_virtualization(void); + typedef void (*nmi_shootdown_cb)(int, struct pt_regs*); + void nmi_panic_self_stop(struct pt_regs *regs); + void nmi_shootdown_cpus(nmi_shootdown_cb callback); +diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c +index e8326a8d1c5d..fe0cf83843ba 100644 +--- a/arch/x86/kernel/crash.c ++++ b/arch/x86/kernel/crash.c +@@ -81,15 +81,6 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs) + */ + cpu_crash_vmclear_loaded_vmcss(); + +- /* Disable VMX or SVM if needed. +- * +- * We need to disable virtualization on all CPUs. +- * Having VMX or SVM enabled on any CPU may break rebooting +- * after the kdump kernel has finished its task. 
+- */ +- cpu_emergency_vmxoff(); +- cpu_emergency_svm_disable(); +- + /* + * Disable Intel PT to stop its logging + */ +@@ -148,12 +139,7 @@ void native_machine_crash_shutdown(struct pt_regs *regs) + */ + cpu_crash_vmclear_loaded_vmcss(); + +- /* Booting kdump kernel with VMX or SVM enabled won't work, +- * because (among other limitations) we can't disable paging +- * with the virt flags. +- */ +- cpu_emergency_vmxoff(); +- cpu_emergency_svm_disable(); ++ cpu_crash_disable_virtualization(); + + /* + * Disable Intel PT to stop its logging +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index fa700b46588e..f9543a4e9b09 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -528,9 +528,9 @@ static inline void kb_wait(void) + } + } + +-static void vmxoff_nmi(int cpu, struct pt_regs *regs) ++static void nmi_shootdown_nop(int cpu, struct pt_regs *regs) + { +- cpu_emergency_vmxoff(); ++ /* Nothing to do, the NMI shootdown handler disables virtualization. */ + } + + /* Use NMIs as IPIs to tell all CPUs to disable virtualization */ +@@ -554,7 +554,7 @@ static void emergency_vmx_disable_all(void) + __cpu_emergency_vmxoff(); + + /* Halt and exit VMX root operation on the other CPUs. */ +- nmi_shootdown_cpus(vmxoff_nmi); ++ nmi_shootdown_cpus(nmi_shootdown_nop); + } + } + +@@ -802,6 +802,18 @@ static nmi_shootdown_cb shootdown_callback; + static atomic_t waiting_for_crash_ipi; + static int crash_ipi_issued; + ++void cpu_crash_disable_virtualization(void) ++{ ++ /* ++ * Disable virtualization, i.e. VMX or SVM, so that INIT is recognized ++ * during reboot. VMX blocks INIT if the CPU is post-VMXON, and SVM ++ * blocks INIT if GIF=0. Note, CLGI #UDs if SVM isn't enabled, so it's ++ * easier to just disable SVM unconditionally. 
++ */ ++ cpu_emergency_vmxoff(); ++ cpu_emergency_svm_disable(); ++} ++ + static int crash_nmi_callback(unsigned int val, struct pt_regs *regs) + { + int cpu; +@@ -819,6 +831,12 @@ static int crash_nmi_callback(unsigned int val, struct pt_regs *regs) + + shootdown_callback(cpu, regs); + ++ /* ++ * Prepare the CPU for reboot _after_ invoking the callback so that the ++ * callback can safely use virtualization instructions, e.g. VMCLEAR. ++ */ ++ cpu_crash_disable_virtualization(); ++ + atomic_dec(&waiting_for_crash_ipi); + /* Assume hlt works */ + halt(); +@@ -840,6 +858,20 @@ void nmi_shootdown_cpus(nmi_shootdown_cb callback) + unsigned long msecs; + local_irq_disable(); + ++ /* ++ * Invoking multiple callbacks is not currently supported, registering ++ * the NMI handler twice will cause a list_add() double add BUG(). ++ * The exception is the "nop" handler in the emergency reboot path, ++ * which can run after e.g. kdump's shootdown. Do nothing if the crash ++ * handler has already run, i.e. has already prepared other CPUs, the ++ * reboot path doesn't have any work of its to do, it just needs to ++ * ensure all CPUs have prepared for reboot. ++ */ ++ if (shootdown_callback) { ++ WARN_ON_ONCE(callback != nmi_shootdown_nop); ++ return; ++ } ++ + /* Make a note of crashing cpu. Will be used in NMI callback. */ + crashing_cpu = safe_smp_processor_id(); + + +base-commit: 2764011106d0436cb44702cfb0981339d68c3509 +-- +2.36.0.512.ge40c2bad7a-goog diff --git a/N3/3.hdr b/N3/3.hdr new file mode 100644 index 0000000..88c74d8 --- /dev/null +++ b/N3/3.hdr @@ -0,0 +1,3 @@ +Content-Type: text/x-diff; charset=us-ascii +Content-Disposition: attachment; + filename="0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch" diff --git a/N3/3.txt b/N3/3.txt new file mode 100644 index 0000000..688b135 --- /dev/null +++ b/N3/3.txt 
@@ -0,0 +1,72 @@
+From ce4b8fb50962c00a9bb29663e96501e90d68bd8b Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Mon, 9 May 2022 08:28:14 -0700
+Subject: [PATCH 2/2] x86/reboot: Disable virtualization in an emergency if SVM
+ is supported
+
+Disable SVM on all CPUs via NMI shootdown during an emergency reboot.
+Like VMX, SVM can block INIT and thus prevent bringing up other CPUs via
+INIT-SIPI-SIPI.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+---
+ arch/x86/kernel/reboot.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
+index f9543a4e9b09..33c1f4883b27 100644
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -533,27 +533,29 @@ static void nmi_shootdown_nop(int cpu, struct pt_regs *regs)
+ /* Nothing to do, the NMI shootdown handler disables virtualization. */
+ }
+
+-/* Use NMIs as IPIs to tell all CPUs to disable virtualization */
+-static void emergency_vmx_disable_all(void)
++static void emergency_reboot_disable_virtualization(void)
+ {
+ /* Just make sure we won't change CPUs while doing this */
+ local_irq_disable();
+
+ /*
+- * Disable VMX on all CPUs before rebooting, otherwise we risk hanging
+- * the machine, because the CPU blocks INIT when it's in VMX root.
++ * Disable virtualization on all CPUs before rebooting to avoid hanging
++ * the system, as VMX and SVM block INIT when running in the host
+ *
+ * We can't take any locks and we may be on an inconsistent state, so
+- * use NMIs as IPIs to tell the other CPUs to exit VMX root and halt.
++ * use NMIs as IPIs to tell the other CPUs to disable VMX/SVM and halt.
+ *
+- * Do the NMI shootdown even if VMX if off on _this_ CPU, as that
+- * doesn't prevent a different CPU from being in VMX root operation.
++ * Do the NMI shootdown even if virtualization is off on _this_ CPU, as
++ * other CPUs may have virtualization enabled.
+ */
+- if (cpu_has_vmx()) {
+- /* Safely force _this_ CPU out of VMX root operation. */
+- __cpu_emergency_vmxoff();
++ if (cpu_has_vmx() || cpu_has_svm(NULL)) {
++ /* Safely force _this_ CPU out of VMX/SVM operation. */
++ if (cpu_has_vmx())
++ __cpu_emergency_vmxoff();
++ else
++ cpu_emergency_svm_disable();
+
+- /* Halt and exit VMX root operation on the other CPUs. */
++ /* Disable VMX/SVM and halt on other CPUs. */
+ nmi_shootdown_cpus(nmi_shootdown_nop);
+ }
+ }
+@@ -590,7 +592,7 @@ static void native_machine_emergency_restart(void)
+ unsigned short mode;
+
+ if (reboot_emergency)
+- emergency_vmx_disable_all();
++ emergency_reboot_disable_virtualization();
+
+ tboot_shutdown(TB_SHUTDOWN_REBOOT);
+
+-- 
+2.36.0.512.ge40c2bad7a-goog
diff --git a/N3/4.hdr b/N3/4.hdr
new file mode 100644
index 0000000..4b86001
--- /dev/null
+++ b/N3/4.hdr
@@ -0,0 +1,4 @@
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline
diff --git a/N3/4.txt b/N3/4.txt
new file mode 100644
index 0000000..baf18f9
--- /dev/null
+++ b/N3/4.txt
@@ -0,0 +1,4 @@
+_______________________________________________
+linux-um mailing list
+linux-um@lists.infradead.org
+http://lists.infradead.org/mailman/listinfo/linux-um
diff --git a/a/content_digest b/N3/content_digest
index ec71d3d..874fdae 100644
--- a/a/content_digest
+++ b/N3/content_digest
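Review bot: In `emergency_reboot_disable_virtualization()` the local-CPU step is open-coded as `if (cpu_has_vmx()) __cpu_emergency_vmxoff(); else cpu_emergency_svm_disable();`, although patch 1/2 of the same series (shown elsewhere on this page) adds `cpu_crash_disable_virtualization()` for this job. Calling the helper here, `cpu_crash_disable_virtualization();`, would leave one place that decides how VMX and SVM are torn down before INIT, so the emergency-reboot path cannot drift from the NMI crash path; this assumes both of the helper's calls are harmless on a CPU without the respective feature, which its comment implies but the hunk does not show. The rewritten block comment also loses its final period and says INIT is blocked "when running in the host", which is vaguer than the helper's own wording; `the system, as VMX blocks INIT post-VMXON and SVM blocks INIT when GIF=0.` would match it. The same patch text is repeated in the N4/3.txt hunk further down the page.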
@@ -1,10 +1,70 @@ "ref\020220427224924.592546-1-gpiccoli@igalia.com\0" "ref\020220427224924.592546-2-gpiccoli@igalia.com\0" "From\0Sean Christopherson <seanjc@google.com>\0" - "Subject\0[PATCH 01/30] x86/crash,reboot: Avoid re-disabling VMX in all CPUs on crash/restart\0" + "Subject\0Re: [PATCH 01/30] x86/crash,reboot: Avoid re-disabling VMX in all CPUs on crash/restart\0" "Date\0Mon, 9 May 2022 15:52:49 +0000\0" - "To\0kexec@lists.infradead.org\0" - "\00:1\0" + "To\0Guilherme G. Piccoli <gpiccoli@igalia.com>\0" + "Cc\0akpm@linux-foundation.org" + bhe@redhat.com + pmladek@suse.com + kexec@lists.infradead.org + linux-kernel@vger.kernel.org + bcm-kernel-feedback-list@broadcom.com + coresight@lists.linaro.org + linuxppc-dev@lists.ozlabs.org + linux-alpha@vger.kernel.org + linux-arm-kernel@lists.infradead.org + linux-edac@vger.kernel.org + linux-hyperv@vger.kernel.org + linux-leds@vger.kernel.org + linux-mips@vger.kernel.org + linux-parisc@vger.kernel.org + linux-pm@vger.kernel.org + linux-remoteproc@vger.kernel.org + linux-s390@vger.kernel.org + linux-tegra@vger.kernel.org + linux-um@lists.infradead.org + linux-xtensa@linux-xtensa.org + netdev@vger.kernel.org + openipmi-developer@lists.sourceforge.net + rcu@vger.kernel.org + sparclinux@vger.kernel.org + xen-devel@lists.xenproject.org + x86@kernel.org + kernel-dev@igalia.com + kernel@gpiccoli.net + halves@canonical.com + fabiomirmar@gmail.com + alejandro.j.jimenez@oracle.com + andriy.shevchenko@linux.intel.com + arnd@arndb.de + bp@alien8.de + corbet@lwn.net + d.hatayama@jp.fujitsu.com + dave.hansen@linux.intel.com + dyoung@redhat.com + feng.tang@intel.com + gregkh@linuxfoundation.org + mikelley@microsoft.com + hidehiro.kawai.ez@hitachi.com + jgross@suse.com + john.ogness@linutronix.de + keescook@chromium.org + luto@kernel.org + mhiramat@kernel.org + mingo@redhat.com + paulmck@kernel.org + peterz@infradead.org + rostedt@goodmis.org + senozhatsky@chromium.org + stern@rowland.harvard.edu + tglx@linutronix.de + 
vgoyal@redhat.com + vkuznets@redhat.com + will@kernel.org + David P . Reed <dpreed@deepplum.com> + " Paolo Bonzini <pbonzini@redhat.com>\0" + "\01:1\0" "b\0" "I find the shortlog to be very confusing, the bug has nothing to do with disabling\n" "VMX and I distinctly remember wrapping VMXOFF with exception fixup to prevent doom\n" 
@@ -150,20 +210,266 @@ "> \n" "> -- \n" "> 2.36.0\n" - "> \n" - "-------------- next part --------------\n" - "A non-text attachment was scrubbed...\n" - "Name: 0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch\n" - "Type: text/x-diff\n" - "Size: 6626 bytes\n" - "Desc: not available\n" - "URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0002.bin>\n" - "-------------- next part --------------\n" - "A non-text attachment was scrubbed...\n" - "Name: 0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch\n" - "Type: text/x-diff\n" - "Size: 2721 bytes\n" - "Desc: not available\n" - URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0003.bin> + > + "\01:2\0" + "fn\00001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch\0" + "b\0" + "From 8a4573b7cf3a3e49b409ba3a504934de181c259d Mon Sep 17 00:00:00 2001\n" + "From: Sean Christopherson <seanjc@google.com>\n" + "Date: Mon, 9 May 2022 07:36:34 -0700\n" + "Subject: [PATCH 1/2] x86/crash: Disable virt in core NMI crash handler to\n" + " avoid double list_add\n" + "\n" + "Disable virtualization in crash_nmi_callback() and skip the requested NMI\n" + "shootdown if a shootdown has already occurred, i.e. a callback has been\n" + "registered. The NMI crash shootdown path doesn't play nice with multiple\n" + "invocations, e.g. attempting to register the NMI handler multiple times\n" + "will trigger a double list_add() and hang the sytem (in addition to\n" + "multiple other issues). If \"crash_kexec_post_notifiers\" is specified on\n" + "the kernel command line, panic() will invoke crash_smp_send_stop() and\n" + "result in a second call to nmi_shootdown_cpus() during\n" + "native_machine_emergency_restart().\n" + "\n" + "Invoke the callback _before_ disabling virtualization, as the current\n" + "VMCS needs to be cleared before doing VMXOFF. 
Note, this results in a\n" + "subtle change in ordering between disabling virtualization and stopping\n" + "Intel PT on the responding CPUs. While VMX and Intel PT do interact,\n" + "VMXOFF and writes to MSR_IA32_RTIT_CTL do not induce faults between one\n" + "another, which is all that matters when panicking.\n" + "\n" + "WARN if nmi_shootdown_cpus() is called a second time with anything other\n" + "than the reboot path's \"nop\" handler, as bailing means the requested\n" + "isn't being invoked. Punt true handling of multiple shootdown callbacks\n" + "until there's an actual use case for doing so (beyond disabling\n" + "virtualization).\n" + "\n" + "Extract the disabling logic to a common helper to deduplicate code, and\n" + "to prepare for doing the shootdown in the emergency reboot path if SVM\n" + "is supported.\n" + "\n" + "Note, prior to commit ed72736183c4 (\"x86/reboot: Force all cpus to exit\n" + "VMX root if VMX is supported), nmi_shootdown_cpus() was subtly protected\n" + "against a second invocation by a cpu_vmx_enabled() check as the kdump\n" + "handler would disable VMX if it ran first.\n" + "\n" + "Fixes: ed72736183c4 (\"x86/reboot: Force all cpus to exit VMX root if VMX is supported)\n" + "Cc: stable@vger.kernel.org\n" + "Reported-by: Guilherme G. 
Piccoli <gpiccoli@igalia.com>\n" + "Signed-off-by: Sean Christopherson <seanjc@google.com>\n" + "---\n" + " arch/x86/include/asm/reboot.h | 1 +\n" + " arch/x86/kernel/crash.c | 16 +--------------\n" + " arch/x86/kernel/reboot.c | 38 ++++++++++++++++++++++++++++++++---\n" + " 3 files changed, 37 insertions(+), 18 deletions(-)\n" + "\n" + "diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h\n" + "index 04c17be9b5fd..8f2da36435a6 100644\n" + "--- a/arch/x86/include/asm/reboot.h\n" + "+++ b/arch/x86/include/asm/reboot.h\n" + "@@ -25,6 +25,7 @@ void __noreturn machine_real_restart(unsigned int type);\n" + " #define MRR_BIOS\t0\n" + " #define MRR_APM\t\t1\n" + " \n" + "+void cpu_crash_disable_virtualization(void);\n" + " typedef void (*nmi_shootdown_cb)(int, struct pt_regs*);\n" + " void nmi_panic_self_stop(struct pt_regs *regs);\n" + " void nmi_shootdown_cpus(nmi_shootdown_cb callback);\n" + "diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c\n" + "index e8326a8d1c5d..fe0cf83843ba 100644\n" + "--- a/arch/x86/kernel/crash.c\n" + "+++ b/arch/x86/kernel/crash.c\n" + "@@ -81,15 +81,6 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs)\n" + " \t */\n" + " \tcpu_crash_vmclear_loaded_vmcss();\n" + " \n" + "-\t/* Disable VMX or SVM if needed.\n" + "-\t *\n" + "-\t * We need to disable virtualization on all CPUs.\n" + "-\t * Having VMX or SVM enabled on any CPU may break rebooting\n" + "-\t * after the kdump kernel has finished its task.\n" + "-\t */\n" + "-\tcpu_emergency_vmxoff();\n" + "-\tcpu_emergency_svm_disable();\n" + "-\n" + " \t/*\n" + " \t * Disable Intel PT to stop its logging\n" + " \t */\n" + "@@ -148,12 +139,7 @@ void native_machine_crash_shutdown(struct pt_regs *regs)\n" + " \t */\n" + " \tcpu_crash_vmclear_loaded_vmcss();\n" + " \n" + "-\t/* Booting kdump kernel with VMX or SVM enabled won't work,\n" + "-\t * because (among other limitations) we can't disable paging\n" + "-\t * with the virt flags.\n" + "-\t */\n" + 
"-\tcpu_emergency_vmxoff();\n" + "-\tcpu_emergency_svm_disable();\n" + "+\tcpu_crash_disable_virtualization();\n" + " \n" + " \t/*\n" + " \t * Disable Intel PT to stop its logging\n" + "diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c\n" + "index fa700b46588e..f9543a4e9b09 100644\n" + "--- a/arch/x86/kernel/reboot.c\n" + "+++ b/arch/x86/kernel/reboot.c\n" + "@@ -528,9 +528,9 @@ static inline void kb_wait(void)\n" + " \t}\n" + " }\n" + " \n" + "-static void vmxoff_nmi(int cpu, struct pt_regs *regs)\n" + "+static void nmi_shootdown_nop(int cpu, struct pt_regs *regs)\n" + " {\n" + "-\tcpu_emergency_vmxoff();\n" + "+\t/* Nothing to do, the NMI shootdown handler disables virtualization. */\n" + " }\n" + " \n" + " /* Use NMIs as IPIs to tell all CPUs to disable virtualization */\n" + "@@ -554,7 +554,7 @@ static void emergency_vmx_disable_all(void)\n" + " \t\t__cpu_emergency_vmxoff();\n" + " \n" + " \t\t/* Halt and exit VMX root operation on the other CPUs. */\n" + "-\t\tnmi_shootdown_cpus(vmxoff_nmi);\n" + "+\t\tnmi_shootdown_cpus(nmi_shootdown_nop);\n" + " \t}\n" + " }\n" + " \n" + "@@ -802,6 +802,18 @@ static nmi_shootdown_cb shootdown_callback;\n" + " static atomic_t waiting_for_crash_ipi;\n" + " static int crash_ipi_issued;\n" + " \n" + "+void cpu_crash_disable_virtualization(void)\n" + "+{\n" + "+\t/*\n" + "+\t * Disable virtualization, i.e. VMX or SVM, so that INIT is recognized\n" + "+\t * during reboot. VMX blocks INIT if the CPU is post-VMXON, and SVM\n" + "+\t * blocks INIT if GIF=0. 
Note, CLGI #UDs if SVM isn't enabled, so it's\n" + "+\t * easier to just disable SVM unconditionally.\n" + "+\t */\n" + "+\tcpu_emergency_vmxoff();\n" + "+\tcpu_emergency_svm_disable();\n" + "+}\n" + "+\n" + " static int crash_nmi_callback(unsigned int val, struct pt_regs *regs)\n" + " {\n" + " \tint cpu;\n" + "@@ -819,6 +831,12 @@ static int crash_nmi_callback(unsigned int val, struct pt_regs *regs)\n" + " \n" + " \tshootdown_callback(cpu, regs);\n" + " \n" + "+\t/*\n" + "+\t * Prepare the CPU for reboot _after_ invoking the callback so that the\n" + "+\t * callback can safely use virtualization instructions, e.g. VMCLEAR.\n" + "+\t */\n" + "+\tcpu_crash_disable_virtualization();\n" + "+\n" + " \tatomic_dec(&waiting_for_crash_ipi);\n" + " \t/* Assume hlt works */\n" + " \thalt();\n" + "@@ -840,6 +858,20 @@ void nmi_shootdown_cpus(nmi_shootdown_cb callback)\n" + " \tunsigned long msecs;\n" + " \tlocal_irq_disable();\n" + " \n" + "+\t/*\n" + "+\t * Invoking multiple callbacks is not currently supported, registering\n" + "+\t * the NMI handler twice will cause a list_add() double add BUG().\n" + "+\t * The exception is the \"nop\" handler in the emergency reboot path,\n" + "+\t * which can run after e.g. kdump's shootdown. Do nothing if the crash\n" + "+\t * handler has already run, i.e. has already prepared other CPUs, the\n" + "+\t * reboot path doesn't have any work of its to do, it just needs to\n" + "+\t * ensure all CPUs have prepared for reboot.\n" + "+\t */\n" + "+\tif (shootdown_callback) {\n" + "+\t\tWARN_ON_ONCE(callback != nmi_shootdown_nop);\n" + "+\t\treturn;\n" + "+\t}\n" + "+\n" + " \t/* Make a note of crashing cpu. Will be used in NMI callback. 
*/\n" + " \tcrashing_cpu = safe_smp_processor_id();\n" + " \n" + "\n" + "base-commit: 2764011106d0436cb44702cfb0981339d68c3509\n" + "-- \n" + 2.36.0.512.ge40c2bad7a-goog + "\01:3\0" + "fn\00002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch\0" + "b\0" + "From ce4b8fb50962c00a9bb29663e96501e90d68bd8b Mon Sep 17 00:00:00 2001\n" + "From: Sean Christopherson <seanjc@google.com>\n" + "Date: Mon, 9 May 2022 08:28:14 -0700\n" + "Subject: [PATCH 2/2] x86/reboot: Disable virtualization in an emergency if SVM\n" + " is supported\n" + "\n" + "Disable SVM on all CPUs via NMI shootdown during an emergency reboot.\n" + "Like VMX, SVM can block INIT and thus prevent bringing up other CPUs via\n" + "INIT-SIPI-SIPI.\n" + "\n" + "Cc: stable@vger.kernel.org\n" + "Signed-off-by: Sean Christopherson <seanjc@google.com>\n" + "---\n" + " arch/x86/kernel/reboot.c | 26 ++++++++++++++------------\n" + " 1 file changed, 14 insertions(+), 12 deletions(-)\n" + "\n" + "diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c\n" + "index f9543a4e9b09..33c1f4883b27 100644\n" + "--- a/arch/x86/kernel/reboot.c\n" + "+++ b/arch/x86/kernel/reboot.c\n" + "@@ -533,27 +533,29 @@ static void nmi_shootdown_nop(int cpu, struct pt_regs *regs)\n" + " \t/* Nothing to do, the NMI shootdown handler disables virtualization. 
*/\n" + " }\n" + " \n" + "-/* Use NMIs as IPIs to tell all CPUs to disable virtualization */\n" + "-static void emergency_vmx_disable_all(void)\n" + "+static void emergency_reboot_disable_virtualization(void)\n" + " {\n" + " \t/* Just make sure we won't change CPUs while doing this */\n" + " \tlocal_irq_disable();\n" + " \n" + " \t/*\n" + "-\t * Disable VMX on all CPUs before rebooting, otherwise we risk hanging\n" + "-\t * the machine, because the CPU blocks INIT when it's in VMX root.\n" + "+\t * Disable virtualization on all CPUs before rebooting to avoid hanging\n" + "+\t * the system, as VMX and SVM block INIT when running in the host\n" + " \t *\n" + " \t * We can't take any locks and we may be on an inconsistent state, so\n" + "-\t * use NMIs as IPIs to tell the other CPUs to exit VMX root and halt.\n" + "+\t * use NMIs as IPIs to tell the other CPUs to disable VMX/SVM and halt.\n" + " \t *\n" + "-\t * Do the NMI shootdown even if VMX if off on _this_ CPU, as that\n" + "-\t * doesn't prevent a different CPU from being in VMX root operation.\n" + "+\t * Do the NMI shootdown even if virtualization is off on _this_ CPU, as\n" + "+\t * other CPUs may have virtualization enabled.\n" + " \t */\n" + "-\tif (cpu_has_vmx()) {\n" + "-\t\t/* Safely force _this_ CPU out of VMX root operation. */\n" + "-\t\t__cpu_emergency_vmxoff();\n" + "+\tif (cpu_has_vmx() || cpu_has_svm(NULL)) {\n" + "+\t\t/* Safely force _this_ CPU out of VMX/SVM operation. */\n" + "+\t\tif (cpu_has_vmx())\n" + "+\t\t\t__cpu_emergency_vmxoff();\n" + "+\t\telse\n" + "+\t\t\tcpu_emergency_svm_disable();\n" + " \n" + "-\t\t/* Halt and exit VMX root operation on the other CPUs. */\n" + "+\t\t/* Disable VMX/SVM and halt on other CPUs. 
*/\n" + " \t\tnmi_shootdown_cpus(nmi_shootdown_nop);\n" + " \t}\n" + " }\n" + "@@ -590,7 +592,7 @@ static void native_machine_emergency_restart(void)\n" + " \tunsigned short mode;\n" + " \n" + " \tif (reboot_emergency)\n" + "-\t\temergency_vmx_disable_all();\n" + "+\t\temergency_reboot_disable_virtualization();\n" + " \n" + " \ttboot_shutdown(TB_SHUTDOWN_REBOOT);\n" + " \n" + "-- \n" + 2.36.0.512.ge40c2bad7a-goog + "\01:4\0" + "b\0" + "_______________________________________________\n" + "linux-um mailing list\n" + "linux-um@lists.infradead.org\n" + http://lists.infradead.org/mailman/listinfo/linux-um -3be9201c695e4da7cfca208c981473813e543ff3a9120ce19aba847befe8a493 +47953dea01cf292163ceacfbcea2addcdd88e068217178573a781c3decb20287
diff --git a/a/1.txt b/N4/1.txt
index 20134bc..c34f04c 100644
--- a/a/1.txt
+++ b/N4/1.txt
@@ -142,18 +142,4 @@ official mini series.
 >
 > --
 > 2.36.0
->
--------------- next part --------------
-A non-text attachment was scrubbed...
-Name: 0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch
-Type: text/x-diff
-Size: 6626 bytes
-Desc: not available
-URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0002.bin>
--------------- next part --------------
-A non-text attachment was scrubbed...
-Name: 0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch
-Type: text/x-diff
-Size: 2721 bytes
-Desc: not available
-URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0003.bin>
+>
diff --git a/N4/2.hdr b/N4/2.hdr
new file mode 100644
index 0000000..3482a00
--- /dev/null
+++ b/N4/2.hdr
@@ -0,0 +1,3 @@
+Content-Type: text/x-diff; charset=us-ascii
+Content-Disposition: attachment;
+ filename="0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch"
diff --git a/N4/2.txt b/N4/2.txt
new file mode 100644
index 0000000..e74f6a2
--- /dev/null
+++ b/N4/2.txt
@@ -0,0 +1,176 @@
+From 8a4573b7cf3a3e49b409ba3a504934de181c259d Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Mon, 9 May 2022 07:36:34 -0700
+Subject: [PATCH 1/2] x86/crash: Disable virt in core NMI crash handler to
+ avoid double list_add
+
+Disable virtualization in crash_nmi_callback() and skip the requested NMI
+shootdown if a shootdown has already occurred, i.e. a callback has been
+registered. The NMI crash shootdown path doesn't play nice with multiple
+invocations, e.g. attempting to register the NMI handler multiple times
+will trigger a double list_add() and hang the sytem (in addition to
+multiple other issues). If "crash_kexec_post_notifiers" is specified on
+the kernel command line, panic() will invoke crash_smp_send_stop() and
+result in a second call to nmi_shootdown_cpus() during
+native_machine_emergency_restart().
+
+Invoke the callback _before_ disabling virtualization, as the current
+VMCS needs to be cleared before doing VMXOFF. Note, this results in a
+subtle change in ordering between disabling virtualization and stopping
+Intel PT on the responding CPUs. While VMX and Intel PT do interact,
+VMXOFF and writes to MSR_IA32_RTIT_CTL do not induce faults between one
+another, which is all that matters when panicking.
+
+WARN if nmi_shootdown_cpus() is called a second time with anything other
+than the reboot path's "nop" handler, as bailing means the requested
+isn't being invoked. Punt true handling of multiple shootdown callbacks
+until there's an actual use case for doing so (beyond disabling
+virtualization).
+
+Extract the disabling logic to a common helper to deduplicate code, and
+to prepare for doing the shootdown in the emergency reboot path if SVM
+is supported.
+
+Note, prior to commit ed72736183c4 ("x86/reboot: Force all cpus to exit
+VMX root if VMX is supported), nmi_shootdown_cpus() was subtly protected
+against a second invocation by a cpu_vmx_enabled() check as the kdump
+handler would disable VMX if it ran first.
+
+Fixes: ed72736183c4 ("x86/reboot: Force all cpus to exit VMX root if VMX is supported)
+Cc: stable@vger.kernel.org
+Reported-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+---
+ arch/x86/include/asm/reboot.h | 1 +
+ arch/x86/kernel/crash.c | 16 +---------------
+ arch/x86/kernel/reboot.c | 38 ++++++++++++++++++++++++++++++++---
+ 3 files changed, 37 insertions(+), 18 deletions(-)
+
+diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h
+index 04c17be9b5fd..8f2da36435a6 100644
+--- a/arch/x86/include/asm/reboot.h
++++ b/arch/x86/include/asm/reboot.h
+@@ -25,6 +25,7 @@ void __noreturn machine_real_restart(unsigned int type);
+ #define MRR_BIOS 0
+ #define MRR_APM 1
+
++void cpu_crash_disable_virtualization(void);
+ typedef void (*nmi_shootdown_cb)(int, struct pt_regs*);
+ void nmi_panic_self_stop(struct pt_regs *regs);
+ void nmi_shootdown_cpus(nmi_shootdown_cb callback);
+diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
+index e8326a8d1c5d..fe0cf83843ba 100644
+--- a/arch/x86/kernel/crash.c
++++ b/arch/x86/kernel/crash.c
+@@ -81,15 +81,6 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs)
+ */
+ cpu_crash_vmclear_loaded_vmcss();
+
+- /* Disable VMX or SVM if needed.
+- *
+- * We need to disable virtualization on all CPUs.
+- * Having VMX or SVM enabled on any CPU may break rebooting
+- * after the kdump kernel has finished its task.
+- */
+- cpu_emergency_vmxoff();
+- cpu_emergency_svm_disable();
+-
+ /*
+ * Disable Intel PT to stop its logging
+ */
+@@ -148,12 +139,7 @@ void native_machine_crash_shutdown(struct pt_regs *regs)
+ */
+ cpu_crash_vmclear_loaded_vmcss();
+
+- /* Booting kdump kernel with VMX or SVM enabled won't work,
+- * because (among other limitations) we can't disable paging
+- * with the virt flags.
+- */
+- cpu_emergency_vmxoff();
+- cpu_emergency_svm_disable();
++ cpu_crash_disable_virtualization();
+
+ /*
+ * Disable Intel PT to stop its logging
+diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
+index fa700b46588e..f9543a4e9b09 100644
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -528,9 +528,9 @@ static inline void kb_wait(void)
+ }
+ }
+
+-static void vmxoff_nmi(int cpu, struct pt_regs *regs)
++static void nmi_shootdown_nop(int cpu, struct pt_regs *regs)
+ {
+- cpu_emergency_vmxoff();
++ /* Nothing to do, the NMI shootdown handler disables virtualization. */
+ }
+
+ /* Use NMIs as IPIs to tell all CPUs to disable virtualization */
+@@ -554,7 +554,7 @@ static void emergency_vmx_disable_all(void)
+ __cpu_emergency_vmxoff();
+
+ /* Halt and exit VMX root operation on the other CPUs. */
+- nmi_shootdown_cpus(vmxoff_nmi);
++ nmi_shootdown_cpus(nmi_shootdown_nop);
+ }
+ }
+
+@@ -802,6 +802,18 @@ static nmi_shootdown_cb shootdown_callback;
+ static atomic_t waiting_for_crash_ipi;
+ static int crash_ipi_issued;
+
++void cpu_crash_disable_virtualization(void)
++{
++ /*
++ * Disable virtualization, i.e. VMX or SVM, so that INIT is recognized
++ * during reboot. VMX blocks INIT if the CPU is post-VMXON, and SVM
++ * blocks INIT if GIF=0. Note, CLGI #UDs if SVM isn't enabled, so it's
++ * easier to just disable SVM unconditionally.
++ */
++ cpu_emergency_vmxoff();
++ cpu_emergency_svm_disable();
++}
++
+ static int crash_nmi_callback(unsigned int val, struct pt_regs *regs)
+ {
+ int cpu;
+@@ -819,6 +831,12 @@ static int crash_nmi_callback(unsigned int val, struct pt_regs *regs)
+
+ shootdown_callback(cpu, regs);
+
++ /*
++ * Prepare the CPU for reboot _after_ invoking the callback so that the
++ * callback can safely use virtualization instructions, e.g. VMCLEAR.
++ */
++ cpu_crash_disable_virtualization();
++
+ atomic_dec(&waiting_for_crash_ipi);
+ /* Assume hlt works */
+ halt();
+@@ -840,6 +858,20 @@ void nmi_shootdown_cpus(nmi_shootdown_cb callback)
+ unsigned long msecs;
+ local_irq_disable();
+
++ /*
++ * Invoking multiple callbacks is not currently supported, registering
++ * the NMI handler twice will cause a list_add() double add BUG().
++ * The exception is the "nop" handler in the emergency reboot path,
++ * which can run after e.g. kdump's shootdown. Do nothing if the crash
++ * handler has already run, i.e. has already prepared other CPUs, the
++ * reboot path doesn't have any work of its to do, it just needs to
++ * ensure all CPUs have prepared for reboot.
++ */
++ if (shootdown_callback) {
++ WARN_ON_ONCE(callback != nmi_shootdown_nop);
++ return;
++ }
++
+ /* Make a note of crashing cpu. Will be used in NMI callback. */
+ crashing_cpu = safe_smp_processor_id();
+
+
+base-commit: 2764011106d0436cb44702cfb0981339d68c3509
+-- 
+2.36.0.512.ge40c2bad7a-goog
diff --git a/N4/3.hdr b/N4/3.hdr
new file mode 100644
index 0000000..88c74d8
--- /dev/null
+++ b/N4/3.hdr
@@ -0,0 +1,3 @@
+Content-Type: text/x-diff; charset=us-ascii
+Content-Disposition: attachment;
+ filename="0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch"
diff --git a/N4/3.txt b/N4/3.txt
new file mode 100644
index 0000000..688b135
--- /dev/null
+++ b/N4/3.txt
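Review bot: `cpu_crash_disable_virtualization()` is defined in reboot.c directly after `static int crash_ipi_issued;` but is now also called from `native_machine_crash_shutdown()` in crash.c; if those statics sit inside a CONFIG_SMP-only region of reboot.c (the hunk does not show the surrounding preprocessor lines, so this needs confirming), a uniprocessor kernel with kexec support would fail to link. Defining the helper next to `nmi_shootdown_nop()`, or otherwise outside any SMP conditional, would avoid that. In the `nmi_shootdown_cpus()` hunk the early return drops a non-nop callback after a single WARN and the function returns void, so its declaration in asm/reboot.h deserves a comment stating that only the first shootdown's callback ever runs. The new comment there also reads "any work of its to do", presumably meant as `any work of its own to do`. Both functions continue outside the hunks shown.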
@@ -0,0 +1,72 @@
+From ce4b8fb50962c00a9bb29663e96501e90d68bd8b Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Mon, 9 May 2022 08:28:14 -0700
+Subject: [PATCH 2/2] x86/reboot: Disable virtualization in an emergency if SVM
+ is supported
+
+Disable SVM on all CPUs via NMI shootdown during an emergency reboot.
+Like VMX, SVM can block INIT and thus prevent bringing up other CPUs via
+INIT-SIPI-SIPI.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+---
+ arch/x86/kernel/reboot.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
+index f9543a4e9b09..33c1f4883b27 100644
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -533,27 +533,29 @@ static void nmi_shootdown_nop(int cpu, struct pt_regs *regs)
+ /* Nothing to do, the NMI shootdown handler disables virtualization. */
+ }
+
+-/* Use NMIs as IPIs to tell all CPUs to disable virtualization */
+-static void emergency_vmx_disable_all(void)
++static void emergency_reboot_disable_virtualization(void)
+ {
+ /* Just make sure we won't change CPUs while doing this */
+ local_irq_disable();
+
+ /*
+- * Disable VMX on all CPUs before rebooting, otherwise we risk hanging
+- * the machine, because the CPU blocks INIT when it's in VMX root.
++ * Disable virtualization on all CPUs before rebooting to avoid hanging
++ * the system, as VMX and SVM block INIT when running in the host
+ *
+ * We can't take any locks and we may be on an inconsistent state, so
+- * use NMIs as IPIs to tell the other CPUs to exit VMX root and halt.
++ * use NMIs as IPIs to tell the other CPUs to disable VMX/SVM and halt.
+ *
+- * Do the NMI shootdown even if VMX if off on _this_ CPU, as that
+- * doesn't prevent a different CPU from being in VMX root operation.
++ * Do the NMI shootdown even if virtualization is off on _this_ CPU, as
++ * other CPUs may have virtualization enabled.
+ */
+- if (cpu_has_vmx()) {
+- /* Safely force _this_ CPU out of VMX root operation. */
+- __cpu_emergency_vmxoff();
++ if (cpu_has_vmx() || cpu_has_svm(NULL)) {
++ /* Safely force _this_ CPU out of VMX/SVM operation. */
++ if (cpu_has_vmx())
++ __cpu_emergency_vmxoff();
++ else
++ cpu_emergency_svm_disable();
+
+- /* Halt and exit VMX root operation on the other CPUs. */
++ /* Disable VMX/SVM and halt on other CPUs. */
+ nmi_shootdown_cpus(nmi_shootdown_nop);
+ }
+ }
+@@ -590,7 +592,7 @@ static void native_machine_emergency_restart(void)
+ unsigned short mode;
+
+ if (reboot_emergency)
+- emergency_vmx_disable_all();
++ emergency_reboot_disable_virtualization();
+
+ tboot_shutdown(TB_SHUTDOWN_REBOOT);
+
+-- 
+2.36.0.512.ge40c2bad7a-goog
diff --git a/a/content_digest b/N4/content_digest
index ec71d3d..bcf2181 100644
--- a/a/content_digest
+++ b/N4/content_digest
@@ -1,10 +1,70 @@ "ref\020220427224924.592546-1-gpiccoli@igalia.com\0" "ref\020220427224924.592546-2-gpiccoli@igalia.com\0" "From\0Sean Christopherson <seanjc@google.com>\0" - "Subject\0[PATCH 01/30] x86/crash,reboot: Avoid re-disabling VMX in all CPUs on crash/restart\0" + "Subject\0Re: [PATCH 01/30] x86/crash,reboot: Avoid re-disabling VMX in all CPUs on crash/restart\0" "Date\0Mon, 9 May 2022 15:52:49 +0000\0" - "To\0kexec@lists.infradead.org\0" - "\00:1\0" + "To\0Guilherme G. Piccoli <gpiccoli@igalia.com>\0" + "Cc\0linux-hyperv@vger.kernel.org" + halves@canonical.com + linux-xtensa@linux-xtensa.org + peterz@infradead.org + alejandro.j.jimenez@oracle.com + linux-remoteproc@vger.kernel.org + feng.tang@intel.com + linux-mips@vger.kernel.org + hidehiro.kawai.ez@hitachi.com + sparclinux@vger.kernel.org + will@kernel.org + tglx@linutronix.de + linux-leds@vger.kernel.org + linux-s390@vger.kernel.org + mikelley@microsoft.com + john.ogness@linutronix.de + bhe@redhat.com + corbet@lwn.net + paulmck@kernel.org + fabiomirmar@gmail.com + x86@kernel.org + David P . 
Reed <dpreed@deepplum.com> + mingo@redhat.com + bcm-kernel-feedback-list@broadcom.com + xen-devel@lists.xenproject.org + dyoung@redhat.com + vgoyal@redhat.com + pmladek@suse.com + dave.hansen@linux.intel.com + keescook@chromium.org + arnd@arndb.de + linux-pm@vger.kernel.org + coresight@lists.linaro.org + linux-um@lists.infradead.org + rostedt@goodmis.org + rcu@vger.kernel.org + gregkh@linuxfoundation.org + bp@alien8.de + luto@kernel.org + linux-tegra@vger.kernel.org + openipmi-developer@lists.sourceforge.net + andriy.shevchenko@linux.intel.com + vkuznets@redhat.com + linux-arm-kernel@lists.infradead.org + linux-edac@vger.kernel.org + jgross@suse.com + linux-parisc@vger.kernel.org + netdev@vger.kernel.org + kernel@gpiccoli.net + kexec@lists.infradead.org + linux-kernel@vger.kernel.org + stern@rowland.harvard.edu + senozhatsky@chromium.org + d.hatayama@jp.fujitsu.com + mhiramat@kernel.org + kernel-dev@igalia.com + linux-alpha@vger.kernel.org + Paolo Bonzini <pbonzini@redhat.com> + akpm@linux-foundation.org + " linuxppc-dev@lists.ozlabs.org\0" + "\01:1\0" "b\0" "I find the shortlog to be very confusing, the bug has nothing to do with disabling\n" "VMX and I distinctly remember wrapping VMXOFF with exception fixup to prevent doom\n" 
@@ -150,20 +210,260 @@ "> \n" "> -- \n" "> 2.36.0\n" - "> \n" - "-------------- next part --------------\n" - "A non-text attachment was scrubbed...\n" - "Name: 0001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch\n" - "Type: text/x-diff\n" - "Size: 6626 bytes\n" - "Desc: not available\n" - "URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0002.bin>\n" - "-------------- next part --------------\n" - "A non-text attachment was scrubbed...\n" - "Name: 0002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch\n" - "Type: text/x-diff\n" - "Size: 2721 bytes\n" - "Desc: not available\n" - URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220509/5e99544c/attachment-0003.bin> + > + "\01:2\0" + "fn\00001-x86-crash-Disable-virt-in-core-NMI-crash-handler-to-.patch\0" + "b\0" + "From 8a4573b7cf3a3e49b409ba3a504934de181c259d Mon Sep 17 00:00:00 2001\n" + "From: Sean Christopherson <seanjc@google.com>\n" + "Date: Mon, 9 May 2022 07:36:34 -0700\n" + "Subject: [PATCH 1/2] x86/crash: Disable virt in core NMI crash handler to\n" + " avoid double list_add\n" + "\n" + "Disable virtualization in crash_nmi_callback() and skip the requested NMI\n" + "shootdown if a shootdown has already occurred, i.e. a callback has been\n" + "registered. The NMI crash shootdown path doesn't play nice with multiple\n" + "invocations, e.g. attempting to register the NMI handler multiple times\n" + "will trigger a double list_add() and hang the sytem (in addition to\n" + "multiple other issues). If \"crash_kexec_post_notifiers\" is specified on\n" + "the kernel command line, panic() will invoke crash_smp_send_stop() and\n" + "result in a second call to nmi_shootdown_cpus() during\n" + "native_machine_emergency_restart().\n" + "\n" + "Invoke the callback _before_ disabling virtualization, as the current\n" + "VMCS needs to be cleared before doing VMXOFF. 
Note, this results in a\n" + "subtle change in ordering between disabling virtualization and stopping\n" + "Intel PT on the responding CPUs. While VMX and Intel PT do interact,\n" + "VMXOFF and writes to MSR_IA32_RTIT_CTL do not induce faults between one\n" + "another, which is all that matters when panicking.\n" + "\n" + "WARN if nmi_shootdown_cpus() is called a second time with anything other\n" + "than the reboot path's \"nop\" handler, as bailing means the requested\n" + "isn't being invoked. Punt true handling of multiple shootdown callbacks\n" + "until there's an actual use case for doing so (beyond disabling\n" + "virtualization).\n" + "\n" + "Extract the disabling logic to a common helper to deduplicate code, and\n" + "to prepare for doing the shootdown in the emergency reboot path if SVM\n" + "is supported.\n" + "\n" + "Note, prior to commit ed72736183c4 (\"x86/reboot: Force all cpus to exit\n" + "VMX root if VMX is supported), nmi_shootdown_cpus() was subtly protected\n" + "against a second invocation by a cpu_vmx_enabled() check as the kdump\n" + "handler would disable VMX if it ran first.\n" + "\n" + "Fixes: ed72736183c4 (\"x86/reboot: Force all cpus to exit VMX root if VMX is supported)\n" + "Cc: stable@vger.kernel.org\n" + "Reported-by: Guilherme G. 
Piccoli <gpiccoli@igalia.com>\n" + "Signed-off-by: Sean Christopherson <seanjc@google.com>\n" + "---\n" + " arch/x86/include/asm/reboot.h | 1 +\n" + " arch/x86/kernel/crash.c | 16 +--------------\n" + " arch/x86/kernel/reboot.c | 38 ++++++++++++++++++++++++++++++++---\n" + " 3 files changed, 37 insertions(+), 18 deletions(-)\n" + "\n" + "diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h\n" + "index 04c17be9b5fd..8f2da36435a6 100644\n" + "--- a/arch/x86/include/asm/reboot.h\n" + "+++ b/arch/x86/include/asm/reboot.h\n" + "@@ -25,6 +25,7 @@ void __noreturn machine_real_restart(unsigned int type);\n" + " #define MRR_BIOS\t0\n" + " #define MRR_APM\t\t1\n" + " \n" + "+void cpu_crash_disable_virtualization(void);\n" + " typedef void (*nmi_shootdown_cb)(int, struct pt_regs*);\n" + " void nmi_panic_self_stop(struct pt_regs *regs);\n" + " void nmi_shootdown_cpus(nmi_shootdown_cb callback);\n" + "diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c\n" + "index e8326a8d1c5d..fe0cf83843ba 100644\n" + "--- a/arch/x86/kernel/crash.c\n" + "+++ b/arch/x86/kernel/crash.c\n" + "@@ -81,15 +81,6 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs)\n" + " \t */\n" + " \tcpu_crash_vmclear_loaded_vmcss();\n" + " \n" + "-\t/* Disable VMX or SVM if needed.\n" + "-\t *\n" + "-\t * We need to disable virtualization on all CPUs.\n" + "-\t * Having VMX or SVM enabled on any CPU may break rebooting\n" + "-\t * after the kdump kernel has finished its task.\n" + "-\t */\n" + "-\tcpu_emergency_vmxoff();\n" + "-\tcpu_emergency_svm_disable();\n" + "-\n" + " \t/*\n" + " \t * Disable Intel PT to stop its logging\n" + " \t */\n" + "@@ -148,12 +139,7 @@ void native_machine_crash_shutdown(struct pt_regs *regs)\n" + " \t */\n" + " \tcpu_crash_vmclear_loaded_vmcss();\n" + " \n" + "-\t/* Booting kdump kernel with VMX or SVM enabled won't work,\n" + "-\t * because (among other limitations) we can't disable paging\n" + "-\t * with the virt flags.\n" + "-\t */\n" + 
"-\tcpu_emergency_vmxoff();\n" + "-\tcpu_emergency_svm_disable();\n" + "+\tcpu_crash_disable_virtualization();\n" + " \n" + " \t/*\n" + " \t * Disable Intel PT to stop its logging\n" + "diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c\n" + "index fa700b46588e..f9543a4e9b09 100644\n" + "--- a/arch/x86/kernel/reboot.c\n" + "+++ b/arch/x86/kernel/reboot.c\n" + "@@ -528,9 +528,9 @@ static inline void kb_wait(void)\n" + " \t}\n" + " }\n" + " \n" + "-static void vmxoff_nmi(int cpu, struct pt_regs *regs)\n" + "+static void nmi_shootdown_nop(int cpu, struct pt_regs *regs)\n" + " {\n" + "-\tcpu_emergency_vmxoff();\n" + "+\t/* Nothing to do, the NMI shootdown handler disables virtualization. */\n" + " }\n" + " \n" + " /* Use NMIs as IPIs to tell all CPUs to disable virtualization */\n" + "@@ -554,7 +554,7 @@ static void emergency_vmx_disable_all(void)\n" + " \t\t__cpu_emergency_vmxoff();\n" + " \n" + " \t\t/* Halt and exit VMX root operation on the other CPUs. */\n" + "-\t\tnmi_shootdown_cpus(vmxoff_nmi);\n" + "+\t\tnmi_shootdown_cpus(nmi_shootdown_nop);\n" + " \t}\n" + " }\n" + " \n" + "@@ -802,6 +802,18 @@ static nmi_shootdown_cb shootdown_callback;\n" + " static atomic_t waiting_for_crash_ipi;\n" + " static int crash_ipi_issued;\n" + " \n" + "+void cpu_crash_disable_virtualization(void)\n" + "+{\n" + "+\t/*\n" + "+\t * Disable virtualization, i.e. VMX or SVM, so that INIT is recognized\n" + "+\t * during reboot. VMX blocks INIT if the CPU is post-VMXON, and SVM\n" + "+\t * blocks INIT if GIF=0. 
Note, CLGI #UDs if SVM isn't enabled, so it's\n" + "+\t * easier to just disable SVM unconditionally.\n" + "+\t */\n" + "+\tcpu_emergency_vmxoff();\n" + "+\tcpu_emergency_svm_disable();\n" + "+}\n" + "+\n" + " static int crash_nmi_callback(unsigned int val, struct pt_regs *regs)\n" + " {\n" + " \tint cpu;\n" + "@@ -819,6 +831,12 @@ static int crash_nmi_callback(unsigned int val, struct pt_regs *regs)\n" + " \n" + " \tshootdown_callback(cpu, regs);\n" + " \n" + "+\t/*\n" + "+\t * Prepare the CPU for reboot _after_ invoking the callback so that the\n" + "+\t * callback can safely use virtualization instructions, e.g. VMCLEAR.\n" + "+\t */\n" + "+\tcpu_crash_disable_virtualization();\n" + "+\n" + " \tatomic_dec(&waiting_for_crash_ipi);\n" + " \t/* Assume hlt works */\n" + " \thalt();\n" + "@@ -840,6 +858,20 @@ void nmi_shootdown_cpus(nmi_shootdown_cb callback)\n" + " \tunsigned long msecs;\n" + " \tlocal_irq_disable();\n" + " \n" + "+\t/*\n" + "+\t * Invoking multiple callbacks is not currently supported, registering\n" + "+\t * the NMI handler twice will cause a list_add() double add BUG().\n" + "+\t * The exception is the \"nop\" handler in the emergency reboot path,\n" + "+\t * which can run after e.g. kdump's shootdown. Do nothing if the crash\n" + "+\t * handler has already run, i.e. has already prepared other CPUs, the\n" + "+\t * reboot path doesn't have any work of its to do, it just needs to\n" + "+\t * ensure all CPUs have prepared for reboot.\n" + "+\t */\n" + "+\tif (shootdown_callback) {\n" + "+\t\tWARN_ON_ONCE(callback != nmi_shootdown_nop);\n" + "+\t\treturn;\n" + "+\t}\n" + "+\n" + " \t/* Make a note of crashing cpu. Will be used in NMI callback. 
*/\n" + " \tcrashing_cpu = safe_smp_processor_id();\n" + " \n" + "\n" + "base-commit: 2764011106d0436cb44702cfb0981339d68c3509\n" + "-- \n" + 2.36.0.512.ge40c2bad7a-goog + "\01:3\0" + "fn\00002-x86-reboot-Disable-virtualization-in-an-emergency-if.patch\0" + "b\0" + "From ce4b8fb50962c00a9bb29663e96501e90d68bd8b Mon Sep 17 00:00:00 2001\n" + "From: Sean Christopherson <seanjc@google.com>\n" + "Date: Mon, 9 May 2022 08:28:14 -0700\n" + "Subject: [PATCH 2/2] x86/reboot: Disable virtualization in an emergency if SVM\n" + " is supported\n" + "\n" + "Disable SVM on all CPUs via NMI shootdown during an emergency reboot.\n" + "Like VMX, SVM can block INIT and thus prevent bringing up other CPUs via\n" + "INIT-SIPI-SIPI.\n" + "\n" + "Cc: stable@vger.kernel.org\n" + "Signed-off-by: Sean Christopherson <seanjc@google.com>\n" + "---\n" + " arch/x86/kernel/reboot.c | 26 ++++++++++++++------------\n" + " 1 file changed, 14 insertions(+), 12 deletions(-)\n" + "\n" + "diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c\n" + "index f9543a4e9b09..33c1f4883b27 100644\n" + "--- a/arch/x86/kernel/reboot.c\n" + "+++ b/arch/x86/kernel/reboot.c\n" + "@@ -533,27 +533,29 @@ static void nmi_shootdown_nop(int cpu, struct pt_regs *regs)\n" + " \t/* Nothing to do, the NMI shootdown handler disables virtualization. 
*/\n" + " }\n" + " \n" + "-/* Use NMIs as IPIs to tell all CPUs to disable virtualization */\n" + "-static void emergency_vmx_disable_all(void)\n" + "+static void emergency_reboot_disable_virtualization(void)\n" + " {\n" + " \t/* Just make sure we won't change CPUs while doing this */\n" + " \tlocal_irq_disable();\n" + " \n" + " \t/*\n" + "-\t * Disable VMX on all CPUs before rebooting, otherwise we risk hanging\n" + "-\t * the machine, because the CPU blocks INIT when it's in VMX root.\n" + "+\t * Disable virtualization on all CPUs before rebooting to avoid hanging\n" + "+\t * the system, as VMX and SVM block INIT when running in the host\n" + " \t *\n" + " \t * We can't take any locks and we may be on an inconsistent state, so\n" + "-\t * use NMIs as IPIs to tell the other CPUs to exit VMX root and halt.\n" + "+\t * use NMIs as IPIs to tell the other CPUs to disable VMX/SVM and halt.\n" + " \t *\n" + "-\t * Do the NMI shootdown even if VMX if off on _this_ CPU, as that\n" + "-\t * doesn't prevent a different CPU from being in VMX root operation.\n" + "+\t * Do the NMI shootdown even if virtualization is off on _this_ CPU, as\n" + "+\t * other CPUs may have virtualization enabled.\n" + " \t */\n" + "-\tif (cpu_has_vmx()) {\n" + "-\t\t/* Safely force _this_ CPU out of VMX root operation. */\n" + "-\t\t__cpu_emergency_vmxoff();\n" + "+\tif (cpu_has_vmx() || cpu_has_svm(NULL)) {\n" + "+\t\t/* Safely force _this_ CPU out of VMX/SVM operation. */\n" + "+\t\tif (cpu_has_vmx())\n" + "+\t\t\t__cpu_emergency_vmxoff();\n" + "+\t\telse\n" + "+\t\t\tcpu_emergency_svm_disable();\n" + " \n" + "-\t\t/* Halt and exit VMX root operation on the other CPUs. */\n" + "+\t\t/* Disable VMX/SVM and halt on other CPUs. 
*/\n" + " \t\tnmi_shootdown_cpus(nmi_shootdown_nop);\n" + " \t}\n" + " }\n" + "@@ -590,7 +592,7 @@ static void native_machine_emergency_restart(void)\n" + " \tunsigned short mode;\n" + " \n" + " \tif (reboot_emergency)\n" + "-\t\temergency_vmx_disable_all();\n" + "+\t\temergency_reboot_disable_virtualization();\n" + " \n" + " \ttboot_shutdown(TB_SHUTDOWN_REBOOT);\n" + " \n" + "-- \n" + 2.36.0.512.ge40c2bad7a-goog -3be9201c695e4da7cfca208c981473813e543ff3a9120ce19aba847befe8a493 +658177ca5613ca74a5d829503562a1bb0499ab596315408bbac76ea0b4323066
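Review bot: In the embedded patch 1/2, the comment added above the `if (shootdown_callback)` early return in nmi_shootdown_cpus() says the reboot path "just needs to ensure all CPUs have prepared for reboot", but the new branch returns without checking anything and simply relies on the earlier shootdown having reached every CPU. Whatever waiting the function does for responding CPUs is outside the hunk, so it cannot be confirmed from here that a first shootdown which did not reach a CPU leaves it with VMX or SVM disabled; the comment should state the assumption rather than a guarantee. I would reword its last sentence to `Do nothing if the crash handler has already run: the reboot path has no work of its own and relies on that earlier shootdown having disabled virtualization on the other CPUs.`, which also fixes the "work of its to do" slip. nmi_shootdown_cpus() starts before and continues past the quoted hunk.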