lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <87lenppw93.ffs@tglx> Date: Fri, 02 Dec 2022 18:10:16 +0100 From: Thomas Gleixner <tglx@...utronix.de> To: Sean Christopherson <seanjc@...gle.com>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org Cc: "H. Peter Anvin" <hpa@...or.com>, linux-kernel@...r.kernel.org, "Guilherme G . Piccoli" <gpiccoli@...lia.com>, Vitaly Kuznetsov <vkuznets@...hat.com>, Paolo Bonzini <pbonzini@...hat.com>, Sean Christopherson <seanjc@...gle.com>, Andrew Cooper <Andrew.Cooper3@...rix.com>, Tom Lendacky <thomas.lendacky@....com>, stable@...r.kernel.org Subject: Re: [PATCH v4 0/4] x86/crash: Fix double NMI shootdown bug On Wed, Nov 30 2022 at 23:36, Sean Christopherson wrote: > Fix a double NMI shootdown bug found and debugged by Guilherme, who did all > the hard work. NMI shootdown is a one-time thing; the handler leaves NMIs > blocked and enters halt. At best, a second (or third...) shootdown is an > expensive nop, at worst it can hang the kernel and prevent kexec'ing into > a new kernel, e.g. prior to the hardening of register_nmi_handler(), a > double shootdown resulted in a double list_add(), which is fatal when running > with CONFIG_BUG_ON_DATA_CORRUPTION=y. > > With the "right" kexec/kdump configuration, emergency_vmx_disable_all() can > be reached after kdump_nmi_shootdown_cpus() (currently the only two users > of nmi_shootdown_cpus()). > > To fix, move the disabling of virtualization into crash_nmi_callback(), > remove emergency_vmx_disable_all()'s callback, and do a shootdown for > emergency_vmx_disable_all() if and only if a shootdown hasn't yet occurred. > The only thing emergency_vmx_disable_all() cares about is disabling VMX/SVM > (obviously), and since I can't envision a use case for an NMI shootdown that > doesn't want to disable virtualization, doing that in the core handler means > emergency_vmx_disable_all() only needs to ensure _a_ shootdown occurs, it > doesn't care when that shootdown happened or what callback may have run. Reviewed-by: Thomas Gleixner <tglx@...utronix.de>
Powered by blists - more mailing lists