From: Andy Lutomirski
Date: Mon, 2 Nov 2020 08:43:30 -0800
Subject: Re: [PATCH] KVM: VMX: Enable Notify VM exit
To: Tao Xu
Cc: Paolo Bonzini, "Christopherson, Sean J", Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", X86 ML, kvm list, LKML, Xiaoyao Li
In-Reply-To: <20201102061445.191638-1-tao3.xu@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Nov 1, 2020 at 10:14 PM Tao Xu wrote:
>
> There are some cases that malicious virtual machines can cause CPU stuck
> (event windows don't open up), e.g., infinite loop in microcode when
> nested #AC (CVE-2015-5307). No event window obviously means no events,
> e.g. NMIs, SMIs, and IRQs will all be blocked, may cause the related
> hardware CPU can't be used by host or other VM.
>
> To resolve those cases, it can enable a notify VM exit if no
> event window occur in VMX non-root mode for a specified amount of
> time (notify window).
>
> Expose a module param for setting notify window, default setting it to
> the time as 1/10 of periodic tick, and user can set it to 0 to disable
> this feature.
>
> TODO:
> 1. The appropriate value of notify window.
> 2. Another patch to disable interception of #DB and #AC when notify
> VM-Exiting is enabled.

Whoa there.

A VM control that says "hey, CPU, if you messed up and livelocked for a long time, please break out of the loop" is not a substitute for fixing the livelocks. So I don't think you get to disable interception of #DB and #AC.

I also think you should print a loud warning and have some intelligent handling when this new exit triggers.

> +static int handle_notify(struct kvm_vcpu *vcpu) > +{ > + unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION); > + > + /* > + * Notify VM exit happened while executing iret from NMI, > + * "blocked by NMI" bit has to be set before next VM entry. > + */ > + if (exit_qualification & NOTIFY_VM_CONTEXT_VALID) { > + if (enable_vnmi && > + (exit_qualification & INTR_INFO_UNBLOCK_NMI)) > + vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, > + GUEST_INTR_STATE_NMI);

This needs actual documentation in the SDM or at least ISE please.
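
Review bot: In handle_notify(), the inner test checks exit_qualification against INTR_INFO_UNBLOCK_NMI, a constant whose name refers to the interruption-information field rather than the exit qualification; a notify-specific name for that bit, or a comment saying the bit position is shared, would let a reader check the test against the spec. The block comment sits above the outer NOTIFY_VM_CONTEXT_VALID check but describes only the iret-from-NMI case handled by the inner test, so it should also say what NOTIFY_VM_CONTEXT_VALID means and what the handler is expected to do when that bit is clear, which the quoted part of the hunk does not show.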