From: bugzilla-daemon@bugzilla.kernel.org
To: kvm@vger.kernel.org
Subject: [Bug 209155] KVM Linux guest with more than 1 CPU panics after commit 404d5d7bff0d419fe11c7eaebca9ec8f25258f95 on old CPU (Phenom x4)
Date: Tue, 08 Sep 2020 17:08:14 +0000 [thread overview]
Message-ID: <bug-209155-28872-1ZSa3F4n9U@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-209155-28872@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=209155
Sean Christopherson (sean.j.christopherson@intel.com) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sean.j.christopherson@intel
| |.com
--- Comment #8 from Sean Christopherson (sean.j.christopherson@intel.com) ---
From code inspection, I'm 99% confident the immediate bug is that svm->next_rip
is reset in svm_vcpu_run() only after calling svm_exit_handlers_fastpath(),
which will cause SVM's skip_emulated_instruction() to write a stale RIP. I
don't have AMD hardware to confirm, but this should be reproducible on modern
CPUs by loading kvm_amd with nrips=0.
That issue is easy enough to resolve, e.g. simply hoist "svm->next_rip = 0;" up
above the fastpath handling. But, there are additional complications with
advancing rip in the fastpath as svm_complete_interrupts() consumes rip, e.g.
for NMI unmasking logic and event reinjection. Odds are that NMI unmasking
will never "fail" as it would require the new rip to match the last IRET rip,
which would be very bizarre. Similarly, event reinjection should also be a
non-issue in practice as the WRMSR fastpath shouldn't be reachable if KVM was
injecting an event.
All the being said, IMO, the safest play would be to first yank out the call to
handle_fastpath_set_msr_irqoff() in svm_exit_handlers_fastpath() to ensure a
clean base and to provide a safe backport patch, then move
svm_complete_interrupts() into svm_vcpu_run(), and finally move the call to
svm_exit_handlers_fastpath() down a ways and reenable
handle_fastpath_set_msr_irqoff(). Aside from resolving weirdness with rip and
fastpath, it would also align VMX and SVM with respect to completing
interrupts.
--
You are receiving this mail because:
You are watching the assignee of the bug.
next prev parent reply other threads:[~2020-09-08 17:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-209155-28872@https.bugzilla.kernel.org/>
2020-09-04 22:47 ` [Bug 209155] KVM Linux guest with more than 1 CPU panics after commit 5a9f54435a48... on old CPU (Phenom x4) bugzilla-daemon
2020-09-08 0:31 ` [Bug 209155] KVM Linux guest with more than 1 CPU panics after commit 404d5d7bff0d419fe11c7eaebca9ec8f25258f95 " bugzilla-daemon
2020-09-08 17:08 ` bugzilla-daemon [this message]
2020-09-09 2:35 ` bugzilla-daemon
2020-09-09 16:20 ` bugzilla-daemon
2020-09-10 0:14 ` bugzilla-daemon
2020-09-10 12:12 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-209155-28872-1ZSa3F4n9U@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@bugzilla.kernel.org \
--cc=kvm@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox