xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Ingo Molnar <mingo@kernel.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: KVM list <kvm@vger.kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	the arch/x86 maintainers <x86@kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	xen-devel <Xen-devel@lists.xen.org>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Arjan van de Ven <arjan@linux.intel.com>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH v2 1/2] x86/msr: Carry on after a non-"safe" MSR access fails without !panic_on_oops
Date: Mon, 21 Sep 2015 10:46:42 +0200	[thread overview]
Message-ID: <20150921084642.GA30984__3454.48837983913$1442825290$gmane$org@gmail.com> (raw)
In-Reply-To: <CALCETrXqsKcqzfqMO2ctOJJ4X8Kb6vvoUpVDir9F2-a3XwK23w@mail.gmail.com>


* Andy Lutomirski <luto@amacapital.net> wrote:

> On Sep 20, 2015 5:15 PM, "Linus Torvalds" <torvalds@linux-foundation.org> wrote:
> >
> > On Sun, Sep 20, 2015 at 5:02 PM, Andy Lutomirski <luto@kernel.org> wrote:
> > > This demotes an OOPS and likely panic due to a failed non-"safe" MSR
> > > access to a WARN_ON_ONCE and a return of zero (in the RDMSR case).
> > > We still write a pr_info entry unconditionally for debugging.
> >
> > No, this is wrong.
> >
> > If you really want to do something like this, then just make all MSR reads 
> > safe. So the only difference between "safe" and "unsafe" is that the unsafe 
> > version just doesn't check the return value, and silently just returns zero 
> > for reads (or writes nothing).
> >
> > To quote Obi-Wan: "Use the exception table, Luke".
> >
> > Because decoding instructions is just too ugly. We'll do it for CPU errata 
> > where we might have to do it for user space code too (ie the AMD prefetch 
> > mess), but for code that _we_ control? Hell no.
> >
> > So NAK on this.
> 
> My personal preference is to just not do this at all.  A couple people disagree.  
> If we make the unsafe variants not oops, then I think we want to have the nice 
> loud warning, since these issues are bugs if they happen.
> 
> We could certainly use the exception table for this, but it'll result in bigger 
> core, since each MSR access will need an exception table entry and an associated 
> fixup to call some helper that warns and sets the result to zero.
> 
> I'd be happy to implement that, but only if it'll be applied. Otherwise I'd 
> rather just drop this patch and keep the rest of the series.

Linus, what's your preference?

Due to the bug mentioned earlier in this thread all MSR reads are currently 'safe' 
on all the major Linux distros (which all have CONFIG_PARAVIRT=y), i.e. by 
'fixing' them we'd reintroduce random crashes into various fragile pieces of 
code...

To add insult to injury, the current 'silently safe by accident' MSR code isn't so 
safe: because it leaves the result of the read uninitialized...

To fix this all I'd really like to have:

 - safe MSR reads by default (i.e. never boot crash the kernel on some rare 
   condition - which to most users is either a silent boot hang or an instant 
   restart). Historicaly we had a stream of 'silly boot crashes' due to MSR reads 
   that generate a #GPF. They make Linux less usable around the edges, especially 
   in the x86 non-server (desktop) space where most hardware vendors are either 
   openly Linux hostile, or, at best, Linux oblivious.

 - proper result-zeroing behavior on exceptions

 - and we should also generate _some_ sort of warning when MSR exceptions happen
   in an 'unintended' fashion.

Maybe the warning could be put under a (default-enabled) config option for the 
size conscious.

Or we could extend exception table entry encoding to include a 'warning bit', to 
not bloat the kernel. If the exception handler code encounters such an exception 
it would generate a one-time warning for that entry, but otherwise not crash the 
kernel and continue execution with an all-zeroes result for the MSR read.

Thanks,

	Ingo

  parent reply	other threads:[~2015-09-21  8:46 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <cover.1442793572.git.luto@kernel.org>
2015-09-21  0:02 ` [PATCH v2 1/2] x86/msr: Carry on after a non-"safe" MSR access fails without !panic_on_oops Andy Lutomirski
2015-09-21  0:02 ` [PATCH v2 2/2] x86/msr: Set the return value to zero when native_rdmsr_safe fails Andy Lutomirski
     [not found] ` <130a3b7ef4788baae3a6fe71293ab17442bc9a0a.1442793572.git.luto@kernel.org>
2015-09-21  0:15   ` [PATCH v2 1/2] x86/msr: Carry on after a non-"safe" MSR access fails without !panic_on_oops Linus Torvalds
     [not found]   ` <CA+55aFy4Chd-PJvxGne=TztPsvFqUG07Ht8mtc4+0oGNZNDOyw@mail.gmail.com>
2015-09-21  1:13     ` Andy Lutomirski
     [not found]     ` <CALCETrXqsKcqzfqMO2ctOJJ4X8Kb6vvoUpVDir9F2-a3XwK23w@mail.gmail.com>
2015-09-21  8:46       ` Ingo Molnar [this message]
     [not found]       ` <20150921084642.GA30984@gmail.com>
2015-09-21 12:27         ` Paolo Bonzini
2015-09-21 16:36         ` Linus Torvalds
     [not found]         ` <CA+55aFzKCi6pf0RP8HjDQYDsms6reB5AihuCAHEkVJtoOHk_Yw@mail.gmail.com>
2015-09-21 16:49           ` Arjan van de Ven
     [not found]           ` <56003506.1050100@linux.intel.com>
2015-09-21 17:27             ` Linus Torvalds
2015-09-21 17:43             ` Andy Lutomirski
     [not found]             ` <CALCETrUSEm_QLxGaBdmy3tQn=WnagvzTaYpy+i14sGUeaOUvTQ@mail.gmail.com>
2015-09-22  8:12               ` Paolo Bonzini
2015-09-21 18:16           ` Andy Lutomirski
     [not found]           ` <CALCETrUBcDxvtjKC-m97GPwCOHvcoDdGjnMJLukSue8ha55mng@mail.gmail.com>
2015-09-21 18:36             ` Borislav Petkov
2015-09-21 18:47             ` Linus Torvalds
2015-09-22  7:14           ` Ingo Molnar
2015-09-30 13:10           ` Peter Zijlstra
     [not found]           ` <20150930131002.GK2881@worktop.programming.kicks-ass.net>
2015-09-30 14:01             ` Ingo Molnar
     [not found]             ` <20150930140122.GB3285@gmail.com>
2015-09-30 18:04               ` Andy Lutomirski
     [not found]               ` <CALCETrVMV2_3ywQ_t+0rsqzxMm6D9PvDEmOdrie67rRzfj-W_Q@mail.gmail.com>
2015-10-01  7:15                 ` Ingo Molnar
     [not found]                 ` <20151001071505.GA21542@gmail.com>
2016-03-11 16:48                   ` Andy Lutomirski
     [not found]                   ` <CALCETrUFakwGL9zpj9TwKX9KbG9czq8fpEViU3nWaCvnpGurew@mail.gmail.com>
2016-03-12 16:02                     ` Ingo Molnar
2015-09-30 18:32           ` H. Peter Anvin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='20150921084642.GA30984__3454.48837983913$1442825290$gmane$org@gmail.com' \
    --to=mingo@kernel.org \
    --cc=Xen-devel@lists.xen.org \
    --cc=akpm@linux-foundation.org \
    --cc=arjan@linux.intel.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=pbonzini@redhat.com \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).