| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 5 Jul 2020 11:26:03 -0700
From: Andy Lutomirski <luto@...nel.org>
To: "David P. Reed" <dpreed@...pplum.com>
Cc: Sean Christopherson <sean.j.christopherson@...el.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
X86 ML <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>,
Allison Randal <allison@...utok.net>,
Enrico Weigelt <info@...ux.net>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Kate Stewart <kstewart@...uxfoundation.org>,
"Peter Zijlstra (Intel)" <peterz@...radead.org>,
Randy Dunlap <rdunlap@...radead.org>,
Martin Molnar <martin.molnar.programming@...il.com>,
Andy Lutomirski <luto@...nel.org>,
Alexandre Chartre <alexandre.chartre@...cle.com>,
Jann Horn <jannh@...gle.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3 3/3] Force all cpus to exit VMX root operation on
crash/panic reliably
On Sat, Jul 4, 2020 at 1:38 PM David P. Reed <dpreed@...pplum.com> wrote:
>
> Fix the logic during crash/panic reboot on Intel processors that
> can support VMX operation to ensure that all processors are not
> in VMX root operation. Prior code made optimistic assumptions
> about other cpus that would leave other cpus in VMX root operation
> depending on timing of crash/panic reboot.
> Builds on cpu_ermergency_vmxoff() and __cpu_emergency_vmxoff() created
> in a prior patch.
>
> Suggested-by: Sean Christopherson <sean.j.christopherson@...el.com>
> Signed-off-by: David P. Reed <dpreed@...pplum.com>
> ---
> arch/x86/kernel/reboot.c | 20 +++++++-------------
> 1 file changed, 7 insertions(+), 13 deletions(-)
>
> diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
> index 0ec7ced727fe..c8e96ba78efc 100644
> --- a/arch/x86/kernel/reboot.c
> +++ b/arch/x86/kernel/reboot.c
> @@ -543,24 +543,18 @@ static void emergency_vmx_disable_all(void)
> * signals when VMX is enabled.
> *
> * We can't take any locks and we may be on an inconsistent
> - * state, so we use NMIs as IPIs to tell the other CPUs to disable
> - * VMX and halt.
> + * state, so we use NMIs as IPIs to tell the other CPUs to exit
> + * VMX root operation and halt.
> *
> * For safety, we will avoid running the nmi_shootdown_cpus()
> * stuff unnecessarily, but we don't have a way to check
> - * if other CPUs have VMX enabled. So we will call it only if the
> - * CPU we are running on has VMX enabled.
> - *
> - * We will miss cases where VMX is not enabled on all CPUs. This
> - * shouldn't do much harm because KVM always enable VMX on all
> - * CPUs anyway. But we can miss it on the small window where KVM
> - * is still enabling VMX.
> + * if other CPUs might be in VMX root operation.
> */
> - if (cpu_has_vmx() && cpu_vmx_enabled()) {
> - /* Disable VMX on this CPU. */
> - cpu_vmxoff();
> + if (cpu_has_vmx()) {
> + /* Safely force out of VMX root operation on this CPU. */
> + __cpu_emergency_vmxoff();
>
> - /* Halt and disable VMX on the other CPUs */
> + /* Halt and exit VMX root operation on the other CPUs */
> nmi_shootdown_cpus(vmxoff_nmi);
>
> }
Seems reasonable to me.
As a minor caveat, doing cr4_clear_bits() in NMI context is not really
okay, but we're about to reboot, so nothing too awful should happen.
And this has very little to do with your patch.
Reviewed-by: Andy Lutomirski <luto@...nel.org>
Powered by blists - more mailing lists