From: Sean Christopherson <sean.j.christopherson@intel.com>
To: "David P. Reed" <dpreed@deepplum.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
X86 ML <x86@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
Allison Randal <allison@lohutok.net>,
Enrico Weigelt <info@metux.net>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Kate Stewart <kstewart@linuxfoundation.org>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Randy Dunlap <rdunlap@infradead.org>,
Martin Molnar <martin.molnar.programming@gmail.com>,
Andy Lutomirski <luto@kernel.org>,
Alexandre Chartre <alexandre.chartre@oracle.com>,
Jann Horn <jannh@google.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] Fix undefined operation VMXOFF during reboot and crash
Date: Thu, 11 Jun 2020 10:00:31 -0700 [thread overview]
Message-ID: <20200611170031.GI29918@linux.intel.com> (raw)
In-Reply-To: <1591893200.58634165@apps.rackspace.com>
On Thu, Jun 11, 2020 at 12:33:20PM -0400, David P. Reed wrote:
> To respond to Thomas Gleixner's suggestion about exception masking mechanism
> - it may well be a better fix, but a) I used "BUG" as a model, and b) the
> exception masking is undocumented anywhere I can find. These are "static
> inline" routines, and only the "emergency" version needs protection, because
> you'd want a random VMXOFF to actually trap.
The only in-kernel usage of cpu_vmxoff() are for emergencies. And, the only
reasonable source of faults on VMXOFF is that VMX is already off, i.e. for
the kernel's usage, the goal is purely to ensure VMX is disabled, how we get
there doesn't truly matter.
> In at least one of the calls to emergency, it is stated that no locks may be
> taken at all because of where it was.
>
> Further, I have a different patch that requires a scratch page per processor
> to exist, but which never takes a UD fault. (basically, it attempts VMXON
> first, and then does VMXOFF after VMXON, which ensures exit from VMX root
> mode, but VMXON needs a blank page to either succeed or fail without GP
> fault). If someone prefers that, it's local to the routine, but requires a
> new scratch page per processor be allocated. So after testing it, I decided
> in the interest of memory reduction that the masking of UD was preferable.
Please no, doing VMXON, even temporarily, could cause breakage. The CPU's
VMCS cache isn't cleared on VMXOFF. Doing VMXON after kdump_nmi_callback()
invokes cpu_crash_vmclear_loaded_vmcss() would create a window where VMPTRLD
could succeed in a hypervisor and lead to memory corruption in the new
kernel when the VMCS is evicted from the non-coherent VMCS cache.
> I'm happy to resubmit the masking exception patch as version 2, if it works
> in my test case.
>
> Advice?
Please test the below, which simply eats any exception on VMXOFF.
diff --git a/arch/x86/include/asm/virtext.h b/arch/x86/include/asm/virtext.h
index 9aad0e0876fb..54bc84d7028d 100644
--- a/arch/x86/include/asm/virtext.h
+++ b/arch/x86/include/asm/virtext.h
@@ -32,13 +32,15 @@ static inline int cpu_has_vmx(void)
/** Disable VMX on the current CPU
*
- * vmxoff causes a undefined-opcode exception if vmxon was not run
- * on the CPU previously. Only call this function if you know VMX
- * is enabled.
+ * VMXOFF causes a #UD if the CPU is not post-VMXON, eat any #UDs to handle
+ * races with a hypervisor doing VMXOFF, e.g. if an NMI arrived between VMXOFF
+ * and clearing CR4.VMXE.
*/
static inline void cpu_vmxoff(void)
{
- asm volatile ("vmxoff");
+ asm volatile("1: vmxoff\n\t"
+ "2:\n\t"
+ _ASM_EXTABLE(1b, 2b));
cr4_clear_bits(X86_CR4_VMXE);
}
next prev parent reply other threads:[~2020-06-11 17:00 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-10 18:12 [PATCH] Fix undefined operation VMXOFF during reboot and crash David P. Reed
2020-06-10 19:36 ` Randy Dunlap
2020-06-10 21:34 ` Thomas Gleixner
2020-06-10 21:42 ` Sean Christopherson
2020-06-10 22:08 ` Thomas Gleixner
2020-06-10 21:36 ` Sean Christopherson
2020-06-10 21:59 ` Andy Lutomirski
2020-06-11 0:00 ` Sean Christopherson
2020-06-11 0:15 ` Andy Lutomirski
[not found] ` <1591893200.58634165@apps.rackspace.com>
2020-06-11 17:00 ` Sean Christopherson [this message]
2020-06-11 17:02 ` Andy Lutomirski
2020-06-11 19:45 ` [PATCH v2] " David P. Reed
2020-06-11 19:48 ` David P. Reed
2020-06-25 6:06 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200611170031.GI29918@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=alexandre.chartre@oracle.com \
--cc=allison@lohutok.net \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=dpreed@deepplum.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=info@metux.net \
--cc=jannh@google.com \
--cc=kstewart@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=martin.molnar.programming@gmail.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=rdunlap@infradead.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox