Re: [PATCH v3 3/3] Force all cpus to exit VMX root operation on crash/panic reliably

From: Andy Lutomirski <luto@kernel.org>
To: "David P. Reed" <dpreed@deepplum.com>
Cc: Sean Christopherson <sean.j.christopherson@intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	X86 ML <x86@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
	Allison Randal <allison@lohutok.net>,
	Enrico Weigelt <info@metux.net>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Kate Stewart <kstewart@linuxfoundation.org>,
	"Peter Zijlstra (Intel)" <peterz@infradead.org>,
	Randy Dunlap <rdunlap@infradead.org>,
	Martin Molnar <martin.molnar.programming@gmail.com>,
	Andy Lutomirski <luto@kernel.org>,
	Alexandre Chartre <alexandre.chartre@oracle.com>,
	Jann Horn <jannh@google.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v3 3/3] Force all cpus to exit VMX root operation on crash/panic reliably
Date: Sun, 5 Jul 2020 11:26:03 -0700	[thread overview]
Message-ID: <CALCETrWzh03fefGuSTM9hr9QY9_=xqbHg3hQ-_vo2PLUXuZ4wg@mail.gmail.com> (raw)
In-Reply-To: <20200704203809.76391-4-dpreed@deepplum.com>

On Sat, Jul 4, 2020 at 1:38 PM David P. Reed <dpreed@deepplum.com> wrote:
>
> Fix the logic during crash/panic reboot on Intel processors that
> can support VMX operation to ensure that all processors are not
> in VMX root operation. Prior code made optimistic assumptions
> about other cpus that would leave other cpus in VMX root operation
> depending on timing of crash/panic reboot.
> Builds on cpu_ermergency_vmxoff() and __cpu_emergency_vmxoff() created
> in a prior patch.
>
> Suggested-by: Sean Christopherson <sean.j.christopherson@intel.com>
> Signed-off-by: David P. Reed <dpreed@deepplum.com>
> ---
>  arch/x86/kernel/reboot.c | 20 +++++++-------------
>  1 file changed, 7 insertions(+), 13 deletions(-)
>
> diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
> index 0ec7ced727fe..c8e96ba78efc 100644
> --- a/arch/x86/kernel/reboot.c
> +++ b/arch/x86/kernel/reboot.c
> @@ -543,24 +543,18 @@ static void emergency_vmx_disable_all(void)
>          * signals when VMX is enabled.
>          *
>          * We can't take any locks and we may be on an inconsistent
> -        * state, so we use NMIs as IPIs to tell the other CPUs to disable
> -        * VMX and halt.
> +        * state, so we use NMIs as IPIs to tell the other CPUs to exit
> +        * VMX root operation and halt.
>          *
>          * For safety, we will avoid running the nmi_shootdown_cpus()
>          * stuff unnecessarily, but we don't have a way to check
> -        * if other CPUs have VMX enabled. So we will call it only if the
> -        * CPU we are running on has VMX enabled.
> -        *
> -        * We will miss cases where VMX is not enabled on all CPUs. This
> -        * shouldn't do much harm because KVM always enable VMX on all
> -        * CPUs anyway. But we can miss it on the small window where KVM
> -        * is still enabling VMX.
> +        * if other CPUs might be in VMX root operation.
>          */
> -       if (cpu_has_vmx() && cpu_vmx_enabled()) {
> -               /* Disable VMX on this CPU. */
> -               cpu_vmxoff();
> +       if (cpu_has_vmx()) {
> +               /* Safely force out of VMX root operation on this CPU. */
> +               __cpu_emergency_vmxoff();
>
> -               /* Halt and disable VMX on the other CPUs */
> +               /* Halt and exit VMX root operation on the other CPUs */
>                 nmi_shootdown_cpus(vmxoff_nmi);
>
>         }

Seems reasonable to me.

As a minor caveat, doing cr4_clear_bits() in NMI context is not really
okay, but we're about to reboot, so nothing too awful should happen.
And this has very little to do with your patch.

Reviewed-by: Andy Lutomirski <luto@kernel.org>