lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <d7a11ebd-48d5-48bf-abac-317d5da80a6a@intel.com>
Date: Thu, 10 Jul 2025 15:04:01 -0700
From: Sohil Mehta <sohil.mehta@...el.com>
To: Sean Christopherson <seanjc@...gle.com>, Thomas Gleixner
	<tglx@...utronix.de>, Dave Hansen <dave.hansen@...ux.intel.com>, "H . Peter
 Anvin" <hpa@...or.com>, Borislav Petkov <bp@...en8.de>, Ingo Molnar
	<mingo@...hat.com>
CC: <x86@...nel.org>, <linux-kernel@...r.kernel.org>, Xin Li <xin@...or.com>,
	Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>,
	Adrian Hunter <adrian.hunter@...el.com>, Kan Liang
	<kan.liang@...ux.intel.com>, Tony Luck <tony.luck@...el.com>, Zhang Rui
	<rui.zhang@...el.com>, Steven Rostedt <rostedt@...dmis.org>, Andrew Cooper
	<andrew.cooper3@...rix.com>, "Kirill A . Shutemov"
	<kirill.shutemov@...ux.intel.com>, Jacob Pan <jacob.pan@...ux.microsoft.com>,
	Andi Kleen <ak@...ux.intel.com>, Kai Huang <kai.huang@...el.com>, "Sandipan
 Das" <sandipan.das@....com>, <linux-perf-users@...r.kernel.org>,
	<linux-edac@...r.kernel.org>, <kvm@...r.kernel.org>,
	<linux-pm@...r.kernel.org>, <linux-trace-kernel@...r.kernel.org>
Subject: Re: [PATCH v7 08/10] x86/nmi: Enable NMI-source for IPIs delivered as
 NMIs

On 7/8/2025 11:37 AM, Sean Christopherson wrote:

> This patch is buggy.  There are at least two implementations of ->send_IPI_mask()
> that this breaks:
> 

Thank you for point this out. I should have been more diligent.


> Looking at all of this again, shoving the NMI source information into the @vector
> is quite brittle.  Nothing forces implementations to handle embedded delivery
> mode information.
> 

I agree. There is already some confusion with NMI_VECTOR and APIC_DM_NMI
used interchangeably sometimes. Adding the new NMI-source vectors with
the encoded delivery mode makes it worse.


> One thought would be to pass a small struct (by value), and then provide macros
> to generate the structure for a specific vector.  That provides some amount of
> type safety and should make it a bit harder to pass in garbage, without making
> the callers any less readable.
>
> struct apic_ipi {
> 	u8 vector;
> 	u8 type;
> };
>  

I am fine with this approach. Though, the changes would be massive since
we have quite a few interfaces and a lot of "struct apic".

	.send_IPI
	.send_IPI_mask
	.send_IPI_mask_allbutself
	.send_IPI_allbutself
	.send_IPI_all
	.send_IPI_self


An option I was considering was whether we should avoid exposing the raw
delivery mode to the callers since it is mainly an APIC internal thing.
The callers should only have to say NMI or IRQ along with the vector and
let the APIC code figure out how to generate it.

One option is to add a separate set of send_IPI_NMI APIs parallel to
send_IPI ones that we have. But then we would end with >10 ways to
generate IPIs.

Another way would be to assign the NMI vectors in a different range and
use the range to differentiate between IRQ and NMI.

For example:
	IRQ => 0x0-0xFF
	NMI => 0x10000-0x1000F.

However, this would still be fragile and probably have similar issues to
the one you pointed out.

> 
> static __always_inline void __apic_send_IPI_self(struct apic_ipi ipi)

Taking a step back:

Since we are considering changing the interface, would it be worth
consolidating the multiple send_IPI APIs into one or two? Mainly, by
moving the destination information from the function name to the
function parameter.

  apic_send_IPI(DEST, MASK, TYPE, VECTOR)

  DEST   => self, all, allbutself, mask, maskbutself

  MASK   => cpumask

  TYPE   => IRQ, NMI

  VECTOR => Vector number specific to the type.

I like the single line IPI invocation. All of this can still be passed
in a neat "struct apic_ipi" with a macro helping the callers fill the
struct.

These interfaces are decades old. So, maybe I am being too ambitious and
this isn't practically feasible. Thoughts/Suggestions?


Note: Another part of me says there are only a handful of NMI IPI usages
and the heavy lifting isn't worth it. We should fix the bugs, improve
testing and use the existing approach since it is the least invasive :)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ