Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp4010421ybt; Sun, 5 Jul 2020 13:56:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyo/nDxo0ZtGPS4c3BHRlpewAyAnF8gQE25/COcOLnDEE/yObX5Pt8TwO+2VyOHrziTqyz2 X-Received: by 2002:a17:906:5418:: with SMTP id q24mr40289454ejo.266.1593982575258; Sun, 05 Jul 2020 13:56:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593982575; cv=none; d=google.com; s=arc-20160816; b=cS5SLqMOVf6AB340GnVtroapW0VHMNRBYh+irUgZs+Hxp0hfqB/+a1lsPASMOColRv UrkXECd0CnB5S2G3GRyiMVdkr144z2TqxWDx+igVKbPsIQ5IlJM/LPIX+dRzJcPDJXMu ml8m6xta/woFG76wigG4uGR0nlPrtlW23gjh6EvHnDFK/Oje4QdOtWI/DCyoFR/psBkn 8JgQeN+QDnQBJ0wxpC+Cl50yCpr0BknWLIZ6YaFpjcsKdFmH7qnJqMbRoRtxs3vkk+DQ AVJvKfWp/D9BgJNQRA2vC8XMj2TilqmJElQ+ecqxVqPYYfk0KGbuJJ8BE2Dc7k5xnTVr oXZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=r9VbIS3GzkECnakhlEufA+pEDFCUMw+EbTjZcfociuk=; b=vxV061TTVpExolkckhWOWw1c2meJvf3tVus48wn9yQGl3XEZ8GzcxJG5bkBlFN6G8r 4jT2k3PE5tBP6efZNUnGPXm9k8n5mbEGckjyleSLS0JWOcW7ypHuvaQFCubLYcA9WSbp CwCgjOREwIw30GRdFdK+YVkFjAt3/x3H+w+mYgNjExxdQ+N83XPuzvw8neom2q0dyrSO 6jXaWO0u15Qk4BSbVFZT38zLesFfZLhpThA3PgVJVRDfToB879L6rr9oGPhFL7N6s6Nu VeZ4k/ZknQg03gtphs20neFH5/w0t54MfmlGdeR+8p7b7FLrPgMg+ON+yuNtYbPwSYUq u/2w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=rjex7168; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e23si11998970edy.264.2020.07.05.13.55.51; Sun, 05 Jul 2020 13:56:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=rjex7168; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728270AbgGEUxy (ORCPT + 99 others); Sun, 5 Jul 2020 16:53:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:55816 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728056AbgGEUxx (ORCPT ); Sun, 5 Jul 2020 16:53:53 -0400 Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 99627207CD for ; Sun, 5 Jul 2020 20:53:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593982432; bh=9RDRMuJ1yhkI0FV1AmxTqXQufZf4YIfBZSX0VGAC754=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=rjex7168IsEZxqMOEM89tSwWdcgHFTWxfIRRE6y7r0PeX4xBRtBGkx1vXnvWpK9F7 Fqb5MhXysKX4gdE+s8diN/OPTo3b9QSUBAkE/yjw7vx104ny8usrQNdNkoxNS+/aOe A3RJVwzDf18eBEefVapZU7SAB9/bwf0B4FioEftM= Received: by mail-wm1-f44.google.com with SMTP id j18so37087154wmi.3 for ; Sun, 05 Jul 2020 13:53:52 -0700 (PDT) X-Gm-Message-State: AOAM531yom3Q8MSqwCOzhULOUJIgy9WLDJmGHTmBrdjKEI85TgG9xVtT 4OpLzbe/L7akpOOR633HALS3BD7HmWUSmRrTVMyZ/Q== X-Received: by 2002:a7b:c09a:: with SMTP id r26mr45511123wmh.176.1593982431130; Sun, 05 Jul 2020 13:53:51 -0700 (PDT) MIME-Version: 1.0 References: <20200629214956.GA12962@linux.intel.com> <20200704203809.76391-1-dpreed@deepplum.com> <20200704203809.76391-4-dpreed@deepplum.com> <1593979233.22877148@apps.rackspace.com> In-Reply-To: <1593979233.22877148@apps.rackspace.com> From: Andy Lutomirski Date: Sun, 5 Jul 2020 13:53:39 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v3 3/3] Force all cpus to exit VMX root operation on crash/panic reliably To: "David P. Reed" Cc: Andy Lutomirski , Sean Christopherson , Thomas Gleixner , Ingo Molnar , Borislav Petkov , X86 ML , "H. Peter Anvin" , Allison Randal , Enrico Weigelt , Greg Kroah-Hartman , Kate Stewart , "Peter Zijlstra (Intel)" , Randy Dunlap , Martin Molnar , Alexandre Chartre , Jann Horn , Dave Hansen , LKML Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jul 5, 2020 at 1:00 PM David P. Reed wrote: > > > > On Sunday, July 5, 2020 2:26pm, "Andy Lutomirski" said: > > > On Sat, Jul 4, 2020 at 1:38 PM David P. Reed wrot= e: > >> > >> Fix the logic during crash/panic reboot on Intel processors that > >> can support VMX operation to ensure that all processors are not > >> in VMX root operation. Prior code made optimistic assumptions > >> about other cpus that would leave other cpus in VMX root operation > >> depending on timing of crash/panic reboot. > >> Builds on cpu_ermergency_vmxoff() and __cpu_emergency_vmxoff() created > >> in a prior patch. > >> > >> Suggested-by: Sean Christopherson > >> Signed-off-by: David P. Reed > >> --- > >> arch/x86/kernel/reboot.c | 20 +++++++------------- > >> 1 file changed, 7 insertions(+), 13 deletions(-) > >> > >> diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c > >> index 0ec7ced727fe..c8e96ba78efc 100644 > >> --- a/arch/x86/kernel/reboot.c > >> +++ b/arch/x86/kernel/reboot.c > >> @@ -543,24 +543,18 @@ static void emergency_vmx_disable_all(void) > >> * signals when VMX is enabled. > >> * > >> * We can't take any locks and we may be on an inconsistent > >> - * state, so we use NMIs as IPIs to tell the other CPUs to dis= able > >> - * VMX and halt. > >> + * state, so we use NMIs as IPIs to tell the other CPUs to exi= t > >> + * VMX root operation and halt. > >> * > >> * For safety, we will avoid running the nmi_shootdown_cpus() > >> * stuff unnecessarily, but we don't have a way to check > >> - * if other CPUs have VMX enabled. So we will call it only if = the > >> - * CPU we are running on has VMX enabled. > >> - * > >> - * We will miss cases where VMX is not enabled on all CPUs. Th= is > >> - * shouldn't do much harm because KVM always enable VMX on all > >> - * CPUs anyway. But we can miss it on the small window where K= VM > >> - * is still enabling VMX. > >> + * if other CPUs might be in VMX root operation. > >> */ > >> - if (cpu_has_vmx() && cpu_vmx_enabled()) { > >> - /* Disable VMX on this CPU. */ > >> - cpu_vmxoff(); > >> + if (cpu_has_vmx()) { > >> + /* Safely force out of VMX root operation on this CPU.= */ > >> + __cpu_emergency_vmxoff(); > >> > >> - /* Halt and disable VMX on the other CPUs */ > >> + /* Halt and exit VMX root operation on the other CPUs = */ > >> nmi_shootdown_cpus(vmxoff_nmi); > >> > >> } > > > > Seems reasonable to me. > > > > As a minor caveat, doing cr4_clear_bits() in NMI context is not really > > okay, but we're about to reboot, so nothing too awful should happen. > > And this has very little to do with your patch. > > I had wondered why the bit is cleared, too. (I assumed it was OK or desir= able, because it was being cleared in NMI context before). Happy to submit = a separate patch to eliminate that issue as well, since the point of emerge= ncy vmxoff is only to get out of VMX root mode - CR4.VMXE's state is irrele= vant. Of course, clearing it prevents any future emergency vmxoff attempts.= (there seemed to be some confusion about "enabling" VMX vs. "in VMX operat= ion" in the comments) Should I? I have a vague recollection of some firmwares that got upset if rebooted with CR4.VMXE set. Sean? The real issue here is that the percpu CR4 machinery uses IRQ-offness as a lock, and NMI breaks this. --Andy