From: Ingo Molnar <mingo@kernel.org>
To: Andy Lutomirski <luto@kernel.org>
Cc: X86 ML <x86@kernel.org>, Paolo Bonzini <pbonzini@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
KVM list <kvm@vger.kernel.org>,
Arjan van de Ven <arjan@linux.intel.com>,
xen-devel <Xen-devel@lists.xen.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH v3 2/5] x86/msr: Carry on after a non-"safe" MSR access fails without !panic_on_oops
Date: Sat, 12 Mar 2016 16:36:15 +0100 [thread overview]
Message-ID: <20160312153615.GB17873@gmail.com> (raw)
In-Reply-To: <35f2f107e0d85473a0e66c08f93d571a9c72b7fc.1457723023.git.luto@kernel.org>
* Andy Lutomirski <luto@kernel.org> wrote:
> This demotes an OOPS and likely panic due to a failed non-"safe" MSR
> access to a WARN and, for RDMSR, a return value of zero. If
> panic_on_oops is set, then failed unsafe MSR accesses will still
> oops and panic.
>
> To be clear, this type of failure should *not* happen. This patch
> exists to minimize the chance of nasty undebuggable failures due on
> systems that used to work due to a now-fixed CONFIG_PARAVIRT=y bug.
>
> Signed-off-by: Andy Lutomirski <luto@kernel.org>
> ---
> arch/x86/include/asm/msr.h | 10 ++++++++--
> arch/x86/mm/extable.c | 33 +++++++++++++++++++++++++++++++++
> 2 files changed, 41 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/include/asm/msr.h b/arch/x86/include/asm/msr.h
> index 93fb7c1cffda..1487054a1a70 100644
> --- a/arch/x86/include/asm/msr.h
> +++ b/arch/x86/include/asm/msr.h
> @@ -92,7 +92,10 @@ static inline unsigned long long native_read_msr(unsigned int msr)
> {
> DECLARE_ARGS(val, low, high);
>
> - asm volatile("rdmsr" : EAX_EDX_RET(val, low, high) : "c" (msr));
> + asm volatile("1: rdmsr\n"
> + "2:\n"
> + _ASM_EXTABLE_HANDLE(1b, 2b, ex_handler_rdmsr_unsafe)
> + : EAX_EDX_RET(val, low, high) : "c" (msr));
> if (msr_tracepoint_active(__tracepoint_read_msr))
> do_trace_read_msr(msr, EAX_EDX_VAL(val, low, high), 0);
> return EAX_EDX_VAL(val, low, high);
> @@ -119,7 +122,10 @@ static inline unsigned long long native_read_msr_safe(unsigned int msr,
> static inline void native_write_msr(unsigned int msr,
> unsigned low, unsigned high)
> {
> - asm volatile("wrmsr" : : "c" (msr), "a"(low), "d" (high) : "memory");
> + asm volatile("1: wrmsr\n"
> + "2:\n"
> + _ASM_EXTABLE_HANDLE(1b, 2b, ex_handler_wrmsr_unsafe)
> + : : "c" (msr), "a"(low), "d" (high) : "memory");
> if (msr_tracepoint_active(__tracepoint_read_msr))
> do_trace_write_msr(msr, ((u64)high << 32 | low), 0);
> }
> diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
> index 9dd7e4b7fcde..f310714e6e6d 100644
> --- a/arch/x86/mm/extable.c
> +++ b/arch/x86/mm/extable.c
> @@ -49,6 +49,39 @@ bool ex_handler_ext(const struct exception_table_entry *fixup,
> }
> EXPORT_SYMBOL(ex_handler_ext);
>
> +bool ex_handler_rdmsr_unsafe(const struct exception_table_entry *fixup,
> + struct pt_regs *regs, int trapnr)
> +{
> + WARN(1, "unsafe MSR access error: RDMSR from 0x%x",
> + (unsigned int)regs->cx);
Btw., instead of the safe/unsafe naming (which has an emotional and security
secondary attribute), shouldn't we move this over to a _check() (or _checking())
naming instead that we do in other places in the kernel?
I.e.:
rdmsr(msr, l, h);
and:
if (rdmsr_check(msr, l, h)) {
...
}
and then we could name the helpers as _check() and _nocheck() - which is neutral
naming.
Thanks,
Ingo
next prev parent reply other threads:[~2016-03-12 15:36 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-11 19:06 [PATCH v3 0/5] Improve non-"safe" MSR access failure handling Andy Lutomirski
2016-03-11 19:06 ` [PATCH v3 1/5] x86/paravirt: Add _safe to the read_msr and write_msr PV hooks Andy Lutomirski
2016-03-11 19:06 ` [PATCH v3 2/5] x86/msr: Carry on after a non-"safe" MSR access fails without !panic_on_oops Andy Lutomirski
2016-03-12 15:31 ` Ingo Molnar
2016-03-12 15:36 ` Ingo Molnar [this message]
2016-03-12 17:32 ` Andy Lutomirski
2016-03-11 19:06 ` [PATCH v3 3/5] x86/paravirt: Add paravirt_{read,write}_msr Andy Lutomirski
2016-03-14 14:02 ` Paolo Bonzini
2016-03-14 16:53 ` Andy Lutomirski
[not found] ` <CA+55aFzdUHUTomsMU7YAYgYkUQvNXHAiNX765wdSFqrKyoLKpQ@mail.gmail.com>
2016-03-14 17:02 ` Andy Lutomirski
2016-03-15 8:49 ` Paolo Bonzini
2016-03-15 8:56 ` Paolo Bonzini
2016-03-11 19:06 ` [PATCH v3 4/5] x86/paravirt: Make "unsafe" MSR accesses unsafe even if PARAVIRT=y Andy Lutomirski
2016-03-11 19:06 ` [PATCH v3 5/5] x86/msr: Set the return value to zero when native_rdmsr_safe fails Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160312153615.GB17873@gmail.com \
--to=mingo@kernel.org \
--cc=Xen-devel@lists.xen.org \
--cc=akpm@linux-foundation.org \
--cc=arjan@linux.intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).