All of lore.kernel.org
 help / color / mirror / Atom feed
From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <jbeulich@suse.com>,
	"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Cc: "Wei Liu" <wl@xen.org>, "Roger Pau Monné" <roger.pau@citrix.com>,
	"Ian Jackson" <iwj@xenproject.org>
Subject: Re: [PATCH v3 1/2][4.15] x86/PV: conditionally avoid raising #GP for early guest MSR reads
Date: Fri, 12 Mar 2021 11:19:12 +0000	[thread overview]
Message-ID: <7504b027-f106-33e1-214a-eecf8ea5ff5d@citrix.com> (raw)
In-Reply-To: <90f87aa8-09da-1453-bd82-c722465c2881@suse.com>

On 12/03/2021 07:54, Jan Beulich wrote:
> Prior to 4.15 Linux, when running in PV mode, did not install a #GP
> handler early enough to cover for example the rdmsrl_safe() of
> MSR_K8_TSEG_ADDR in bsp_init_amd() (not to speak of the unguarded read
> of MSR_K7_HWCR later in the same function). The respective change
> (42b3a4cb5609 "x86/xen: Support early interrupts in xen pv guests") was
> backported to 4.14, but no further - presumably since it wasn't really
> easy because of other dependencies.
>
> Therefore, to prevent our change in the handling of guest MSR accesses
> to render PV Linux 4.13 and older unusable on at least AMD systems, make
> the raising of #GP on this paths conditional upon the guest having
> installed a handler, provided of course the MSR can be read in the first
> place (we would have raised #GP in that case even before). Producing
> zero for reads isn't necessarily correct and may trip code trying to
> detect presence of MSRs early, but since such detection logic won't work
> without a #GP handler anyway, this ought to be a fair workaround.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> Release-Acked-by: Ian Jackson <iwj@xenproject.org>

I am still of the firm belief that this is the wrong course of action.

It is deliberately papering over error handling bugs which, in the
NetBSD case, literally created memory corruption scenarios.  (Yes - that
was a WRMSR not RDMSR, but the general point still stands, particularly
in light of your expectation to do the same to the WRMSR).

It is one thing to not realise that we have a trainwreck here.  Its
totally another to take wilful action to keep current and all future
guests broken in the same way.

The *only* case where it is acceptable to skip error handling is if the
VM admin has specifically signed their life away to say that they'll
accept the, now discovered, potential-memory-corrupion consequences.

Rogers patch already does this.

~Andrew



  parent reply	other threads:[~2021-03-12 11:19 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-12  7:53 [PATCH v3 0/2][4.15] x86: guest MSR access handling tweaks Jan Beulich
2021-03-12  7:54 ` [PATCH v3 1/2][4.15] x86/PV: conditionally avoid raising #GP for early guest MSR reads Jan Beulich
2021-03-12  9:08   ` Roger Pau Monné
2021-03-12  9:32     ` Jan Beulich
2021-03-12 11:19   ` Andrew Cooper [this message]
2021-03-12 11:01     ` [PATCH v4 0/2][4.15] x86: guest MSR access handling tweaks Jan Beulich
2021-03-12 11:02       ` [PATCH v4 1/2][4.15] x86/PV: conditionally avoid raising #GP for early guest MSR reads Jan Beulich
2021-03-12 11:03       ` [PATCH v4 2/2][4.15] x86/AMD: expose HWCR.TscFreqSel to guests Jan Beulich
2021-03-12 13:59       ` [PATCH v4 0/2][4.15] x86: guest MSR access handling tweaks [and 1 more messages] Ian Jackson
2021-03-12 13:34     ` [PATCH v3 1/2][4.15] x86/PV: conditionally avoid raising #GP for early guest MSR reads Jan Beulich
2021-03-12  7:55 ` [PATCH v3 2/2][4.15] x86/AMD: expose HWCR.TscFreqSel to guests Jan Beulich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7504b027-f106-33e1-214a-eecf8ea5ff5d@citrix.com \
    --to=andrew.cooper3@citrix.com \
    --cc=iwj@xenproject.org \
    --cc=jbeulich@suse.com \
    --cc=roger.pau@citrix.com \
    --cc=wl@xen.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.