Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp435672pxx; Wed, 28 Oct 2020 08:17:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy8rjVDAaKpHY6PtR9W5fQ8sD8cy8MN9a6sRNA6U0ICHulfqwqSJiYJNEEktyuq9ac1prm+ X-Received: by 2002:a17:907:270f:: with SMTP id w15mr7770312ejk.505.1603898245136; Wed, 28 Oct 2020 08:17:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603898245; cv=none; d=google.com; s=arc-20160816; b=pX6SJ7yEB976KkfWADvbUc5Q8JONGTNe7eMI+ODJxkltYVHo6b6EiWqeetfHIq6nVj gE55cRDb+0bILHOOJdUDjpN6qhu+Bnn75irPd7dY5yuQABgCSilxHMtcCTboMqYAmfsd i4A1Vh0/6DuHeYsHfYs+mnxXtVLZl6oARuBdqQPPCWgQisREVmld4LzqeeZnvcF9lklN jhqOsfRfPgk790qEc0zEsBWMxMFURtmaC9+alp5rYo3uAkH1Ytby/1QaE1qfWGWDgpG1 EBIW1/5lHwQLz2TPkQwD6mFFdk7Fr17ybVks3mfZ9TUP7g3lE5YkCSXAReiMSb8sud3J Egtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=6rQBN6gv5VH2v3TmPvOXroVovOUKgfmGxh7BjnqEfuY=; b=flVbxun6e0iGaFdcpDeCoPQpzF+NFdgx/7QcQFv9tbZY9nEN1sqVARZ4ofLXA3k8HP VOHW4qQ8qB78OfOATwF24R+mg3lOpWAaODuF/85Ct/iJ1ZJapRT1WHstZ5OlWrIkgVYC 9p3f5Gu30xOWAv2IiuD4g9Ak7WKnrcJri/VftS7EkP1KW7WtUyMndVKctbHY8RHbAesS OGbD95r7tRI+YC85bbuJWNB4tSL9AmReT4MyQKYNVQjBI54Q1yb68PvCkfGuC0Ebv4Js ULLEx/mh2WL7xCcHItPXaGbWcDGU9CYnTLS1Qu9wxpHJKYhNGbNylTL/Zhl2wX21mpdg TRLQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=BzOMHNQa; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b29si2827715edn.354.2020.10.28.08.17.02; Wed, 28 Oct 2020 08:17:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=BzOMHNQa; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1810041AbgJ0QdK (ORCPT + 99 others); Tue, 27 Oct 2020 12:33:10 -0400 Received: from mail.kernel.org ([198.145.29.99]:49302 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1802488AbgJ0Pti (ORCPT ); Tue, 27 Oct 2020 11:49:38 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5CEC422403; Tue, 27 Oct 2020 15:49:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603813766; bh=AHB07H4g+FtQrevFC36rhkGgxQARMUiGwshddXeFTJ0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BzOMHNQaY2+pIItt2YlLjOrN4kptVxW4jA51roAEhDml9BL+oFShu0auYtTxcLctP 6/mb9LOeCUzRMOTdRDedg+dmeacU2lZTpxUGjzwFJFOK84aiBnANxVXEbYqdMtyfnB 4u4U65jiTJmOvEvfypO/tgJWnQlcR3QlLIdQaVZI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andy Lutomirski , Peter Zijlstra , kernel test robot , Borislav Petkov , Tony Luck , Sasha Levin Subject: [PATCH 5.9 663/757] x86/mce: Make mce_rdmsrl() panic on an inaccessible MSR Date: Tue, 27 Oct 2020 14:55:13 +0100 Message-Id: <20201027135521.640591825@linuxfoundation.org> X-Mailer: git-send-email 2.29.1 In-Reply-To: <20201027135450.497324313@linuxfoundation.org> References: <20201027135450.497324313@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Borislav Petkov [ Upstream commit e2def7d49d0812ea40a224161b2001b2e815dce2 ] If an exception needs to be handled while reading an MSR - which is in most of the cases caused by a #GP on a non-existent MSR - then this is most likely the incarnation of a BIOS or a hardware bug. Such bug violates the architectural guarantee that MCA banks are present with all MSRs belonging to them. The proper fix belongs in the hardware/firmware - not in the kernel. Handling an #MC exception which is raised while an NMI is being handled would cause the nasty NMI nesting issue because of the shortcoming of IRET of reenabling NMIs when executed. And the machine is in an #MC context already so be at its side. Tracing MSR accesses while in #MC is another no-no due to tracing being inherently a bad idea in atomic context: vmlinux.o: warning: objtool: do_machine_check()+0x4a: call to mce_rdmsrl() leaves .noinstr.text section so remove all that "additional" functionality from mce_rdmsrl() and provide it with a special exception handler which panics the machine when that MSR is not accessible. The exception handler prints a human-readable message explaining what the panic reason is but, what is more, it panics while in the #GP handler and latter won't have executed an IRET, thus opening the NMI nesting issue in the case when the #MC has happened while handling an NMI. (#MC itself won't be reenabled until MCG_STATUS hasn't been cleared). Suggested-by: Andy Lutomirski Suggested-by: Peter Zijlstra [ Add missing prototypes for ex_handler_* ] Reported-by: kernel test robot Signed-off-by: Borislav Petkov Reviewed-by: Tony Luck Link: https://lkml.kernel.org/r/20200906212130.GA28456@zn.tnic Signed-off-by: Sasha Levin --- arch/x86/kernel/cpu/mce/core.c | 72 +++++++++++++++++++++++++----- arch/x86/kernel/cpu/mce/internal.h | 10 +++++ 2 files changed, 70 insertions(+), 12 deletions(-) diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c index 4288645425f15..84eef4fa95990 100644 --- a/arch/x86/kernel/cpu/mce/core.c +++ b/arch/x86/kernel/cpu/mce/core.c @@ -373,10 +373,28 @@ static int msr_to_offset(u32 msr) return -1; } +__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup, + struct pt_regs *regs, int trapnr, + unsigned long error_code, + unsigned long fault_addr) +{ + pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n", + (unsigned int)regs->cx, regs->ip, (void *)regs->ip); + + show_stack_regs(regs); + + panic("MCA architectural violation!\n"); + + while (true) + cpu_relax(); + + return true; +} + /* MSR access wrappers used for error injection */ static noinstr u64 mce_rdmsrl(u32 msr) { - u64 v; + DECLARE_ARGS(val, low, high); if (__this_cpu_read(injectm.finished)) { int offset; @@ -395,21 +413,43 @@ static noinstr u64 mce_rdmsrl(u32 msr) return ret; } - if (rdmsrl_safe(msr, &v)) { - WARN_ONCE(1, "mce: Unable to read MSR 0x%x!\n", msr); - /* - * Return zero in case the access faulted. This should - * not happen normally but can happen if the CPU does - * something weird, or if the code is buggy. - */ - v = 0; - } + /* + * RDMSR on MCA MSRs should not fault. If they do, this is very much an + * architectural violation and needs to be reported to hw vendor. Panic + * the box to not allow any further progress. + */ + asm volatile("1: rdmsr\n" + "2:\n" + _ASM_EXTABLE_HANDLE(1b, 2b, ex_handler_rdmsr_fault) + : EAX_EDX_RET(val, low, high) : "c" (msr)); - return v; + + return EAX_EDX_VAL(val, low, high); +} + +__visible bool ex_handler_wrmsr_fault(const struct exception_table_entry *fixup, + struct pt_regs *regs, int trapnr, + unsigned long error_code, + unsigned long fault_addr) +{ + pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n", + (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax, + regs->ip, (void *)regs->ip); + + show_stack_regs(regs); + + panic("MCA architectural violation!\n"); + + while (true) + cpu_relax(); + + return true; } static noinstr void mce_wrmsrl(u32 msr, u64 v) { + u32 low, high; + if (__this_cpu_read(injectm.finished)) { int offset; @@ -423,7 +463,15 @@ static noinstr void mce_wrmsrl(u32 msr, u64 v) return; } - wrmsrl(msr, v); + + low = (u32)v; + high = (u32)(v >> 32); + + /* See comment in mce_rdmsrl() */ + asm volatile("1: wrmsr\n" + "2:\n" + _ASM_EXTABLE_HANDLE(1b, 2b, ex_handler_wrmsr_fault) + : : "c" (msr), "a"(low), "d" (high) : "memory"); } /* diff --git a/arch/x86/kernel/cpu/mce/internal.h b/arch/x86/kernel/cpu/mce/internal.h index 6473070b5da49..b122610e9046a 100644 --- a/arch/x86/kernel/cpu/mce/internal.h +++ b/arch/x86/kernel/cpu/mce/internal.h @@ -185,4 +185,14 @@ extern bool amd_filter_mce(struct mce *m); static inline bool amd_filter_mce(struct mce *m) { return false; }; #endif +__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup, + struct pt_regs *regs, int trapnr, + unsigned long error_code, + unsigned long fault_addr); + +__visible bool ex_handler_wrmsr_fault(const struct exception_table_entry *fixup, + struct pt_regs *regs, int trapnr, + unsigned long error_code, + unsigned long fault_addr); + #endif /* __X86_MCE_INTERNAL_H__ */ -- 2.25.1