[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ZGZ2834xLw/woerO@google.com>
Date: Thu, 18 May 2023 19:05:23 +0000
From: Mingwei Zhang <mizhang@...gle.com>
To: Sean Christopherson <seanjc@...gle.com>
Cc: Paolo Bonzini <pbonzini@...hat.com>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, David Matlack <dmatlack@...gle.com>,
Jim Mattson <jmattson@...gle.com>
Subject: Re: [PATCH 9/9] KVM: x86/mmu: BUG() in rmap helpers iff
CONFIG_BUG_ON_DATA_CORRUPTION=y
On Thu, May 11, 2023, Sean Christopherson wrote:
> Introduce KVM_BUG_ON_DATA_CORRUPTION() and use it in the low-level rmap
> helpers to convert the existing BUG()s to WARN_ON_ONCE() when the kernel
> is built with CONFIG_BUG_ON_DATA_CORRUPTION=n, i.e. does NOT want to BUG()
> on corruption of host kernel data structures. Environments that don't
> have infrastructure to automatically capture crash dumps, i.e. aren't
> likely to enable CONFIG_BUG_ON_DATA_CORRUPTION=y, are typically better
> served overall by WARN-and-continue behavior (for the kernel, the VM is
> dead regardless), as a BUG() while holding mmu_lock all but guarantees
> the _best_ case scenario is a panic().
>
> Make the BUG()s conditional instead of removing/replacing them entirely as
> there's a non-zero chance (though by no means a guarantee) that the damage
> isn't contained to the target VM, e.g. if no rmap is found for a SPTE then
> KVM may be double-zapping the SPTE, i.e. has already freed the memory the
> SPTE pointed at and thus KVM is reading/writing memory that KVM no longer
> owns.
>
> Link: https://lore.kernel.org/all/20221129191237.31447-1-mizhang@google.com
> Suggested-by: Mingwei Zhang <mizhang@...gle.com>
> Cc: David Matlack <dmatlack@...gle.com>
> Cc: Jim Mattson <jmattson@...gle.com>
> Signed-off-by: Sean Christopherson <seanjc@...gle.com>
Reviewed-by: Mingwei Zhang <mizhang@...gle.com>
> +/*
> + * Note, "data corruption" refers to corruption of host kernel data structures,
> + * not guest data. Guest data corruption, suspected or confirmed, that is tied
> + * and contained to a single VM should *never* BUG() and potentially panic the
> + * host, i.e. use this variant of KVM_BUG() if and only if a KVM data structure
> + * is corrupted and that corruption can have a cascading effect to other parts
> + * of the hosts and/or to other VMs.
> + */
> +#define KVM_BUG_ON_DATA_CORRUPTION(cond, kvm) \
> +({ \
> + bool __ret = !!(cond); \
> + \
> + if (IS_ENABLED(CONFIG_BUG_ON_DATA_CORRUPTION)) \
> + BUG_ON(__ret); \
> + else if (WARN_ON_ONCE(__ret && !(kvm)->vm_bugged)) \
> + kvm_vm_bugged(kvm); \
> + unlikely(__ret); \
> +})
> +
Previously, my concern was that people might abuse this feature by
generating lots of KVM_BUG_ON_DATA_CORRUPTION() in the code, with the
execuse that "hey, it is not a BUG_ON(), just turn off
CONFIG_BUG_ON_DATA_CORRUPTION." In reality, especially in production, no
one will take that risk by completely turning off the KCONFIG, so
KVM_BUG_ON_DATA_CORRUPTION() is still a BUG_ON() but with people having
execuses to add more.
Later I realize that this worry is purely based on hypothesis, so I
choose to not worry about that anymore. Overall, making BUG_ON()
tunable is still a very good progress. Thank you and David for the
help.
-Mingwei
> static inline void kvm_vcpu_srcu_read_lock(struct kvm_vcpu *vcpu)
> {
> #ifdef CONFIG_PROVE_RCU
> --
> 2.40.1.606.ga4b1b128d6-goog
>
Powered by blists - more mailing lists