1. Patchew
  2. linux
  3. View series

[PATCH v4 0/4] x86/crash: Fix double NMI shootdown bug

Sean Christopherson posted 4 patches 3 years, 2 months ago 
arch/x86/include/asm/reboot.h  |  2 +
arch/x86/include/asm/virtext.h | 13 ++++-
arch/x86/kernel/crash.c        | 17 +------
arch/x86/kernel/reboot.c       | 88 ++++++++++++++++++++++++----------
arch/x86/kernel/smp.c          |  6 +--
5 files changed, 82 insertions(+), 44 deletions(-)
[PATCH v4 0/4] x86/crash: Fix double NMI shootdown bug
Posted by Sean Christopherson 3 years, 2 months ago 
Fix a double NMI shootdown bug found and debugged by Guilherme, who did all
the hard work.  NMI shootdown is a one-time thing; the handler leaves NMIs
blocked and enters halt.  At best, a second (or third...) shootdown is an
expensive nop, at worst it can hang the kernel and prevent kexec'ing into
a new kernel, e.g. prior to the hardening of register_nmi_handler(), a
double shootdown resulted in a double list_add(), which is fatal when running
with CONFIG_BUG_ON_DATA_CORRUPTION=y.

With the "right" kexec/kdump configuration, emergency_vmx_disable_all() can
be reached after kdump_nmi_shootdown_cpus() (currently the only two users
of nmi_shootdown_cpus()).

To fix, move the disabling of virtualization into crash_nmi_callback(),
remove emergency_vmx_disable_all()'s callback, and do a shootdown for
emergency_vmx_disable_all() if and only if a shootdown hasn't yet occurred.
The only thing emergency_vmx_disable_all() cares about is disabling VMX/SVM
(obviously), and since I can't envision a use case for an NMI shootdown that
doesn't want to disable virtualization, doing that in the core handler means
emergency_vmx_disable_all() only needs to ensure _a_ shootdown occurs, it
doesn't care when that shootdown happened or what callback may have run.

Patches 2-4 bring SVM on par with VMX.

v4:
  - Set GIF=1 prior to disabling SVM. [Andrew, Tom]
  - Name new helper cpu_emergency_disable_virtualization() instead of
    cpu_crash_disable_virtualization().
  - Add patch to handle SVM in the stop/reboot case.
  - Drop patch to fold __cpu_emergency_vmxoff() into cpu_emergency_vmxoff(),
    will be sent as part of a larger cleanup.

v3:
  - https://lore.kernel.org/all/20221114233441.3895891-1-seanjc@google.com
  - Re-collect Guilherme's Tested-by.
  - Tweak comment in patch 1 to reference STGI instead of CLGI.
  - Celebrate this series' half-birthday.

v2:
  - Use a NULL handler and crash_ipi_issued instead of a magic nop
    handler. [tglx]
  - Add comments to call out that modifying the existing handler
    once the NMI is sent may cause explosions.
  - Add a patch to cleanup cpu_emergency_vmxoff().
  - https://lore.kernel.org/all/20220518001647.1291448-1-seanjc@google.com

v1: https://lore.kernel.org/all/20220511234332.3654455-1-seanjc@google.com

Sean Christopherson (4):
  x86/crash: Disable virt in core NMI crash handler to avoid double
    shootdown
  x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows)
  x86/reboot: Disable virtualization in an emergency if SVM is supported
  x86/reboot: Disable SVM, not just VMX, when stopping CPUs

 arch/x86/include/asm/reboot.h  |  2 +
 arch/x86/include/asm/virtext.h | 13 ++++-
 arch/x86/kernel/crash.c        | 17 +------
 arch/x86/kernel/reboot.c       | 88 ++++++++++++++++++++++++----------
 arch/x86/kernel/smp.c          |  6 +--
 5 files changed, 82 insertions(+), 44 deletions(-)


base-commit: d800169041c0e035160c8b81f30d4b7e8f8ef777
-- 
2.38.1.584.g0f3c55d4c2-goog
Re: [PATCH v4 0/4] x86/crash: Fix double NMI shootdown bug
Posted by Sean Christopherson 3 years ago 
On Wed, 30 Nov 2022 23:36:46 +0000, Sean Christopherson wrote:
> Fix a double NMI shootdown bug found and debugged by Guilherme, who did all
> the hard work.  NMI shootdown is a one-time thing; the handler leaves NMIs
> blocked and enters halt.  At best, a second (or third...) shootdown is an
> expensive nop, at worst it can hang the kernel and prevent kexec'ing into
> a new kernel, e.g. prior to the hardening of register_nmi_handler(), a
> double shootdown resulted in a double list_add(), which is fatal when running
> with CONFIG_BUG_ON_DATA_CORRUPTION=y.
> 
> [...]

Applied to kvm-x86 misc, thanks!

[1/4] x86/crash: Disable virt in core NMI crash handler to avoid double shootdown
      https://github.com/kvm-x86/linux/commit/26044aff37a5
[2/4] x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows)
      https://github.com/kvm-x86/linux/commit/6a3236580b0b
[3/4] x86/reboot: Disable virtualization in an emergency if SVM is supported
      https://github.com/kvm-x86/linux/commit/d81f952aa657
[4/4] x86/reboot: Disable SVM, not just VMX, when stopping CPUs
      https://github.com/kvm-x86/linux/commit/a2b07fa7b933

--
https://github.com/kvm-x86/linux/tree/next
https://github.com/kvm-x86/linux/tree/fixes
Re: [PATCH v4 0/4] x86/crash: Fix double NMI shootdown bug
Posted by Guilherme G. Piccoli 3 years ago 
On 27/01/2023 21:05, Sean Christopherson wrote:
> On Wed, 30 Nov 2022 23:36:46 +0000, Sean Christopherson wrote:
>> Fix a double NMI shootdown bug found and debugged by Guilherme, who did all
>> the hard work.  NMI shootdown is a one-time thing; the handler leaves NMIs
>> blocked and enters halt.  At best, a second (or third...) shootdown is an
>> expensive nop, at worst it can hang the kernel and prevent kexec'ing into
>> a new kernel, e.g. prior to the hardening of register_nmi_handler(), a
>> double shootdown resulted in a double list_add(), which is fatal when running
>> with CONFIG_BUG_ON_DATA_CORRUPTION=y.
>>
>> [...]
> 
> Applied to kvm-x86 misc, thanks!
> 
> [1/4] x86/crash: Disable virt in core NMI crash handler to avoid double shootdown
>       https://github.com/kvm-x86/linux/commit/26044aff37a5
> [2/4] x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows)
>       https://github.com/kvm-x86/linux/commit/6a3236580b0b
> [3/4] x86/reboot: Disable virtualization in an emergency if SVM is supported
>       https://github.com/kvm-x86/linux/commit/d81f952aa657
> [4/4] x86/reboot: Disable SVM, not just VMX, when stopping CPUs
>       https://github.com/kvm-x86/linux/commit/a2b07fa7b933
> 
> --
> https://github.com/kvm-x86/linux/tree/next
> https://github.com/kvm-x86/linux/tree/fixes


Thanks a bunch Sean!
Re: [PATCH v4 0/4] x86/crash: Fix double NMI shootdown bug
Posted by Thomas Gleixner 3 years, 2 months ago 
On Wed, Nov 30 2022 at 23:36, Sean Christopherson wrote:

> Fix a double NMI shootdown bug found and debugged by Guilherme, who did all
> the hard work.  NMI shootdown is a one-time thing; the handler leaves NMIs
> blocked and enters halt.  At best, a second (or third...) shootdown is an
> expensive nop, at worst it can hang the kernel and prevent kexec'ing into
> a new kernel, e.g. prior to the hardening of register_nmi_handler(), a
> double shootdown resulted in a double list_add(), which is fatal when running
> with CONFIG_BUG_ON_DATA_CORRUPTION=y.
>
> With the "right" kexec/kdump configuration, emergency_vmx_disable_all() can
> be reached after kdump_nmi_shootdown_cpus() (currently the only two users
> of nmi_shootdown_cpus()).
>
> To fix, move the disabling of virtualization into crash_nmi_callback(),
> remove emergency_vmx_disable_all()'s callback, and do a shootdown for
> emergency_vmx_disable_all() if and only if a shootdown hasn't yet occurred.
> The only thing emergency_vmx_disable_all() cares about is disabling VMX/SVM
> (obviously), and since I can't envision a use case for an NMI shootdown that
> doesn't want to disable virtualization, doing that in the core handler means
> emergency_vmx_disable_all() only needs to ensure _a_ shootdown occurs, it
> doesn't care when that shootdown happened or what callback may have run.

Reviewed-by: Thomas Gleixner <tglx@linutronix.de>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.