1. Patchew
  2. linux
  3. [PATCH 0/2] x86/split_lock: Fix and enhancement for TDX guest
  4. View patch

[PATCH 1/2] x86/split_lock: Don't try to handle user split lock in TDX guest

Xiaoyao Li posted 2 patches 5 days, 12 hours ago
[PATCH 1/2] x86/split_lock: Don't try to handle user split lock in TDX guest
Posted by Xiaoyao Li 5 days, 12 hours ago 
When the host enables split lock detection feature, the split lock from
guests (normal or TDX) triggers #AC. The #AC caused by split lock access
within a normal guest triggers a VM Exit and is handled in the host.
The #AC caused by split lock access within a TDX guest does not trigger
a VM Exit and instead it's delivered to the guest self.

The default "warning" mode of handling split lock depends on being able
to temporarily disable detection to recover from the split lock event.
But the MSR that disables detection is not accessible to a guest.

This means that TDX guests today can not disable the feature or use
the "warning" mode (which is the default). But, they can use the "fatal"
mode.

Force TDX guests to use the "fatal" mode.

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
---
 arch/x86/kernel/cpu/bus_lock.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/bus_lock.c b/arch/x86/kernel/cpu/bus_lock.c
index 981f8b1f0792..f278e4ea3dd4 100644
--- a/arch/x86/kernel/cpu/bus_lock.c
+++ b/arch/x86/kernel/cpu/bus_lock.c
@@ -315,9 +315,24 @@ void bus_lock_init(void)
 	wrmsrq(MSR_IA32_DEBUGCTLMSR, val);
 }
 
+static bool split_lock_fatal(void)
+{
+	if (sld_state == sld_fatal)
+		return true;
+
+	/*
+	 * TDX guests can not disable split lock detection.
+	 * Force them into the fatal behavior.
+	 */
+	if (cpu_feature_enabled(X86_FEATURE_TDX_GUEST))
+		return true;
+
+	return false;
+}
+
 bool handle_user_split_lock(struct pt_regs *regs, long error_code)
 {
-	if ((regs->flags & X86_EFLAGS_AC) || sld_state == sld_fatal)
+	if ((regs->flags & X86_EFLAGS_AC) || split_lock_fatal())
 		return false;
 	split_lock_warn(regs->ip);
 	return true;
-- 
2.43.0
Re: [PATCH 1/2] x86/split_lock: Don't try to handle user split lock in TDX guest
Posted by Kiryl Shutsemau 5 days, 11 hours ago 
On Wed, Nov 26, 2025 at 06:02:03PM +0800, Xiaoyao Li wrote:
> When the host enables split lock detection feature, the split lock from
> guests (normal or TDX) triggers #AC. The #AC caused by split lock access
> within a normal guest triggers a VM Exit and is handled in the host.
> The #AC caused by split lock access within a TDX guest does not trigger
> a VM Exit and instead it's delivered to the guest self.
> 
> The default "warning" mode of handling split lock depends on being able
> to temporarily disable detection to recover from the split lock event.
> But the MSR that disables detection is not accessible to a guest.
> 
> This means that TDX guests today can not disable the feature or use
> the "warning" mode (which is the default). But, they can use the "fatal"
> mode.
> 
> Force TDX guests to use the "fatal" mode.
> 
> Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
> ---
>  arch/x86/kernel/cpu/bus_lock.c | 17 ++++++++++++++++-
>  1 file changed, 16 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kernel/cpu/bus_lock.c b/arch/x86/kernel/cpu/bus_lock.c
> index 981f8b1f0792..f278e4ea3dd4 100644
> --- a/arch/x86/kernel/cpu/bus_lock.c
> +++ b/arch/x86/kernel/cpu/bus_lock.c
> @@ -315,9 +315,24 @@ void bus_lock_init(void)
>  	wrmsrq(MSR_IA32_DEBUGCTLMSR, val);
>  }
>  
> +static bool split_lock_fatal(void)
> +{
> +	if (sld_state == sld_fatal)
> +		return true;
> +
> +	/*
> +	 * TDX guests can not disable split lock detection.
> +	 * Force them into the fatal behavior.
> +	 */
> +	if (cpu_feature_enabled(X86_FEATURE_TDX_GUEST))
> +		return true;
> +
> +	return false;
> +}
> +
>  bool handle_user_split_lock(struct pt_regs *regs, long error_code)
>  {
> -	if ((regs->flags & X86_EFLAGS_AC) || sld_state == sld_fatal)
> +	if ((regs->flags & X86_EFLAGS_AC) || split_lock_fatal())
>  		return false;

Maybe it would be cleaner to make it conditional on
cpu_model_supports_sld instead of special-casing TDX guest?

#AC on any platfrom when we didn't asked for it suppose to be fatal, no?

>  	split_lock_warn(regs->ip);
>  	return true;
> -- 
> 2.43.0
> 

-- 
  Kiryl Shutsemau / Kirill A. Shutemov
Re: [PATCH 1/2] x86/split_lock: Don't try to handle user split lock in TDX guest
Posted by Xiaoyao Li 5 days, 10 hours ago 
On 11/26/2025 7:25 PM, Kiryl Shutsemau wrote:
> On Wed, Nov 26, 2025 at 06:02:03PM +0800, Xiaoyao Li wrote:
>> When the host enables split lock detection feature, the split lock from
>> guests (normal or TDX) triggers #AC. The #AC caused by split lock access
>> within a normal guest triggers a VM Exit and is handled in the host.
>> The #AC caused by split lock access within a TDX guest does not trigger
>> a VM Exit and instead it's delivered to the guest self.
>>
>> The default "warning" mode of handling split lock depends on being able
>> to temporarily disable detection to recover from the split lock event.
>> But the MSR that disables detection is not accessible to a guest.
>>
>> This means that TDX guests today can not disable the feature or use
>> the "warning" mode (which is the default). But, they can use the "fatal"
>> mode.
>>
>> Force TDX guests to use the "fatal" mode.
>>
>> Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
>> ---
>>   arch/x86/kernel/cpu/bus_lock.c | 17 ++++++++++++++++-
>>   1 file changed, 16 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/kernel/cpu/bus_lock.c b/arch/x86/kernel/cpu/bus_lock.c
>> index 981f8b1f0792..f278e4ea3dd4 100644
>> --- a/arch/x86/kernel/cpu/bus_lock.c
>> +++ b/arch/x86/kernel/cpu/bus_lock.c
>> @@ -315,9 +315,24 @@ void bus_lock_init(void)
>>   	wrmsrq(MSR_IA32_DEBUGCTLMSR, val);
>>   }
>>   
>> +static bool split_lock_fatal(void)
>> +{
>> +	if (sld_state == sld_fatal)
>> +		return true;
>> +
>> +	/*
>> +	 * TDX guests can not disable split lock detection.
>> +	 * Force them into the fatal behavior.
>> +	 */
>> +	if (cpu_feature_enabled(X86_FEATURE_TDX_GUEST))
>> +		return true;
>> +
>> +	return false;
>> +}
>> +
>>   bool handle_user_split_lock(struct pt_regs *regs, long error_code)
>>   {
>> -	if ((regs->flags & X86_EFLAGS_AC) || sld_state == sld_fatal)
>> +	if ((regs->flags & X86_EFLAGS_AC) || split_lock_fatal())
>>   		return false;
> 
> Maybe it would be cleaner to make it conditional on
> cpu_model_supports_sld instead of special-casing TDX guest?
> 
> #AC on any platfrom when we didn't asked for it suppose to be fatal, no?

But TDX is the only one has such special non-architectural behavior.

For example, for normal VMs under KVM, the behavior is x86 
architectural. MSR_TEST_CTRL is not accessible to normal VMs, and no 
split lock #AC will be delivered to the normal VMs because it's handled 
by KVM.

>>   	split_lock_warn(regs->ip);
>>   	return true;
>> -- 
>> 2.43.0
>>
>
Re: [PATCH 1/2] x86/split_lock: Don't try to handle user split lock in TDX guest
Posted by Kiryl Shutsemau 5 days, 9 hours ago 
On Wed, Nov 26, 2025 at 08:17:18PM +0800, Xiaoyao Li wrote:
> On 11/26/2025 7:25 PM, Kiryl Shutsemau wrote:
> > On Wed, Nov 26, 2025 at 06:02:03PM +0800, Xiaoyao Li wrote:
> > > When the host enables split lock detection feature, the split lock from
> > > guests (normal or TDX) triggers #AC. The #AC caused by split lock access
> > > within a normal guest triggers a VM Exit and is handled in the host.
> > > The #AC caused by split lock access within a TDX guest does not trigger
> > > a VM Exit and instead it's delivered to the guest self.
> > > 
> > > The default "warning" mode of handling split lock depends on being able
> > > to temporarily disable detection to recover from the split lock event.
> > > But the MSR that disables detection is not accessible to a guest.
> > > 
> > > This means that TDX guests today can not disable the feature or use
> > > the "warning" mode (which is the default). But, they can use the "fatal"
> > > mode.
> > > 
> > > Force TDX guests to use the "fatal" mode.
> > > 
> > > Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
> > > ---
> > >   arch/x86/kernel/cpu/bus_lock.c | 17 ++++++++++++++++-
> > >   1 file changed, 16 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/arch/x86/kernel/cpu/bus_lock.c b/arch/x86/kernel/cpu/bus_lock.c
> > > index 981f8b1f0792..f278e4ea3dd4 100644
> > > --- a/arch/x86/kernel/cpu/bus_lock.c
> > > +++ b/arch/x86/kernel/cpu/bus_lock.c
> > > @@ -315,9 +315,24 @@ void bus_lock_init(void)
> > >   	wrmsrq(MSR_IA32_DEBUGCTLMSR, val);
> > >   }
> > > +static bool split_lock_fatal(void)
> > > +{
> > > +	if (sld_state == sld_fatal)
> > > +		return true;
> > > +
> > > +	/*
> > > +	 * TDX guests can not disable split lock detection.
> > > +	 * Force them into the fatal behavior.
> > > +	 */
> > > +	if (cpu_feature_enabled(X86_FEATURE_TDX_GUEST))
> > > +		return true;
> > > +
> > > +	return false;
> > > +}
> > > +
> > >   bool handle_user_split_lock(struct pt_regs *regs, long error_code)
> > >   {
> > > -	if ((regs->flags & X86_EFLAGS_AC) || sld_state == sld_fatal)
> > > +	if ((regs->flags & X86_EFLAGS_AC) || split_lock_fatal())
> > >   		return false;
> > 
> > Maybe it would be cleaner to make it conditional on
> > cpu_model_supports_sld instead of special-casing TDX guest?
> > 
> > #AC on any platfrom when we didn't asked for it suppose to be fatal, no?
> 
> But TDX is the only one has such special non-architectural behavior.
> 
> For example, for normal VMs under KVM, the behavior is x86 architectural.
> MSR_TEST_CTRL is not accessible to normal VMs, and no split lock #AC will be
> delivered to the normal VMs because it's handled by KVM.

How does it contradict what I suggested?

For both normal VMs and TDX guest, cpu_model_supports_sld will not be
set to true. So check for cpu_model_supports_sld here is going to be
NOP, unless #AC actually delivered, like we have in TDX case. Handling
it as fatal is sane behaviour in such case regardless if it TDX.

And we don't need to make the check explicitly about TDX guest.

-- 
  Kiryl Shutsemau / Kirill A. Shutemov
Re: [PATCH 1/2] x86/split_lock: Don't try to handle user split lock in TDX guest
Posted by Xiaoyao Li 4 days, 20 hours ago 
On 11/26/2025 9:35 PM, Kiryl Shutsemau wrote:
> On Wed, Nov 26, 2025 at 08:17:18PM +0800, Xiaoyao Li wrote:
>> On 11/26/2025 7:25 PM, Kiryl Shutsemau wrote:
>>> On Wed, Nov 26, 2025 at 06:02:03PM +0800, Xiaoyao Li wrote:
>>>> When the host enables split lock detection feature, the split lock from
>>>> guests (normal or TDX) triggers #AC. The #AC caused by split lock access
>>>> within a normal guest triggers a VM Exit and is handled in the host.
>>>> The #AC caused by split lock access within a TDX guest does not trigger
>>>> a VM Exit and instead it's delivered to the guest self.
>>>>
>>>> The default "warning" mode of handling split lock depends on being able
>>>> to temporarily disable detection to recover from the split lock event.
>>>> But the MSR that disables detection is not accessible to a guest.
>>>>
>>>> This means that TDX guests today can not disable the feature or use
>>>> the "warning" mode (which is the default). But, they can use the "fatal"
>>>> mode.
>>>>
>>>> Force TDX guests to use the "fatal" mode.
>>>>
>>>> Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
>>>> ---
>>>>    arch/x86/kernel/cpu/bus_lock.c | 17 ++++++++++++++++-
>>>>    1 file changed, 16 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/arch/x86/kernel/cpu/bus_lock.c b/arch/x86/kernel/cpu/bus_lock.c
>>>> index 981f8b1f0792..f278e4ea3dd4 100644
>>>> --- a/arch/x86/kernel/cpu/bus_lock.c
>>>> +++ b/arch/x86/kernel/cpu/bus_lock.c
>>>> @@ -315,9 +315,24 @@ void bus_lock_init(void)
>>>>    	wrmsrq(MSR_IA32_DEBUGCTLMSR, val);
>>>>    }
>>>> +static bool split_lock_fatal(void)
>>>> +{
>>>> +	if (sld_state == sld_fatal)
>>>> +		return true;
>>>> +
>>>> +	/*
>>>> +	 * TDX guests can not disable split lock detection.
>>>> +	 * Force them into the fatal behavior.
>>>> +	 */
>>>> +	if (cpu_feature_enabled(X86_FEATURE_TDX_GUEST))
>>>> +		return true;
>>>> +
>>>> +	return false;
>>>> +}
>>>> +
>>>>    bool handle_user_split_lock(struct pt_regs *regs, long error_code)
>>>>    {
>>>> -	if ((regs->flags & X86_EFLAGS_AC) || sld_state == sld_fatal)
>>>> +	if ((regs->flags & X86_EFLAGS_AC) || split_lock_fatal())
>>>>    		return false;
>>>
>>> Maybe it would be cleaner to make it conditional on
>>> cpu_model_supports_sld instead of special-casing TDX guest?
>>>
>>> #AC on any platfrom when we didn't asked for it suppose to be fatal, no?
>>
>> But TDX is the only one has such special non-architectural behavior.
>>
>> For example, for normal VMs under KVM, the behavior is x86 architectural.
>> MSR_TEST_CTRL is not accessible to normal VMs, and no split lock #AC will be
>> delivered to the normal VMs because it's handled by KVM.
> 
> How does it contradict what I suggested?
> 
> For both normal VMs and TDX guest, cpu_model_supports_sld will not be
> set to true. So check for cpu_model_supports_sld here is going to be
> NOP, unless #AC actually delivered, like we have in TDX case. Handling
> it as fatal is sane behaviour in such case regardless if it TDX.
> 
> And we don't need to make the check explicitly about TDX guest.

Well, it depends on how defensive we would like to be, and whether to 
specialize or commonize the issue.

Either can work. If the preference and agreement are to commonize the 
issue, I can do it in v2. And in this direction, what should we do with 
the patch 2? just drop it since it's specialized for TDX ?
Re: [PATCH 1/2] x86/split_lock: Don't try to handle user split lock in TDX guest
Posted by Kiryl Shutsemau 4 days, 6 hours ago 
On Thu, Nov 27, 2025 at 10:00:58AM +0800, Xiaoyao Li wrote:
> On 11/26/2025 9:35 PM, Kiryl Shutsemau wrote:
> > On Wed, Nov 26, 2025 at 08:17:18PM +0800, Xiaoyao Li wrote:
> > > On 11/26/2025 7:25 PM, Kiryl Shutsemau wrote:
> > > > On Wed, Nov 26, 2025 at 06:02:03PM +0800, Xiaoyao Li wrote:
> > > > > When the host enables split lock detection feature, the split lock from
> > > > > guests (normal or TDX) triggers #AC. The #AC caused by split lock access
> > > > > within a normal guest triggers a VM Exit and is handled in the host.
> > > > > The #AC caused by split lock access within a TDX guest does not trigger
> > > > > a VM Exit and instead it's delivered to the guest self.
> > > > > 
> > > > > The default "warning" mode of handling split lock depends on being able
> > > > > to temporarily disable detection to recover from the split lock event.
> > > > > But the MSR that disables detection is not accessible to a guest.
> > > > > 
> > > > > This means that TDX guests today can not disable the feature or use
> > > > > the "warning" mode (which is the default). But, they can use the "fatal"
> > > > > mode.
> > > > > 
> > > > > Force TDX guests to use the "fatal" mode.
> > > > > 
> > > > > Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
> > > > > ---
> > > > >    arch/x86/kernel/cpu/bus_lock.c | 17 ++++++++++++++++-
> > > > >    1 file changed, 16 insertions(+), 1 deletion(-)
> > > > > 
> > > > > diff --git a/arch/x86/kernel/cpu/bus_lock.c b/arch/x86/kernel/cpu/bus_lock.c
> > > > > index 981f8b1f0792..f278e4ea3dd4 100644
> > > > > --- a/arch/x86/kernel/cpu/bus_lock.c
> > > > > +++ b/arch/x86/kernel/cpu/bus_lock.c
> > > > > @@ -315,9 +315,24 @@ void bus_lock_init(void)
> > > > >    	wrmsrq(MSR_IA32_DEBUGCTLMSR, val);
> > > > >    }
> > > > > +static bool split_lock_fatal(void)
> > > > > +{
> > > > > +	if (sld_state == sld_fatal)
> > > > > +		return true;
> > > > > +
> > > > > +	/*
> > > > > +	 * TDX guests can not disable split lock detection.
> > > > > +	 * Force them into the fatal behavior.
> > > > > +	 */
> > > > > +	if (cpu_feature_enabled(X86_FEATURE_TDX_GUEST))
> > > > > +		return true;
> > > > > +
> > > > > +	return false;
> > > > > +}
> > > > > +
> > > > >    bool handle_user_split_lock(struct pt_regs *regs, long error_code)
> > > > >    {
> > > > > -	if ((regs->flags & X86_EFLAGS_AC) || sld_state == sld_fatal)
> > > > > +	if ((regs->flags & X86_EFLAGS_AC) || split_lock_fatal())
> > > > >    		return false;
> > > > 
> > > > Maybe it would be cleaner to make it conditional on
> > > > cpu_model_supports_sld instead of special-casing TDX guest?
> > > > 
> > > > #AC on any platfrom when we didn't asked for it suppose to be fatal, no?
> > > 
> > > But TDX is the only one has such special non-architectural behavior.
> > > 
> > > For example, for normal VMs under KVM, the behavior is x86 architectural.
> > > MSR_TEST_CTRL is not accessible to normal VMs, and no split lock #AC will be
> > > delivered to the normal VMs because it's handled by KVM.
> > 
> > How does it contradict what I suggested?
> > 
> > For both normal VMs and TDX guest, cpu_model_supports_sld will not be
> > set to true. So check for cpu_model_supports_sld here is going to be
> > NOP, unless #AC actually delivered, like we have in TDX case. Handling
> > it as fatal is sane behaviour in such case regardless if it TDX.
> > 
> > And we don't need to make the check explicitly about TDX guest.
> 
> Well, it depends on how defensive we would like to be, and whether to
> specialize or commonize the issue.
> 
> Either can work. If the preference and agreement are to commonize the issue,
> I can do it in v2. And in this direction, what should we do with the patch
> 2? just drop it since it's specialized for TDX ?

I am not sure. Leaving it as produces produces false messages which is
not good, but not critical.

Maybe just clear X86_FEATURE_BUS_LOCK_DETECT and stop pretending we
control split-lock behaviour from the guest?

-- 
  Kiryl Shutsemau / Kirill A. Shutemov
Re: [PATCH 1/2] x86/split_lock: Don't try to handle user split lock in TDX guest
Posted by Xiaoyao Li 3 days, 20 hours ago 
On 11/28/2025 12:16 AM, Kiryl Shutsemau wrote:
> On Thu, Nov 27, 2025 at 10:00:58AM +0800, Xiaoyao Li wrote:
>> On 11/26/2025 9:35 PM, Kiryl Shutsemau wrote:
>>> On Wed, Nov 26, 2025 at 08:17:18PM +0800, Xiaoyao Li wrote:
>>>> On 11/26/2025 7:25 PM, Kiryl Shutsemau wrote:
>>>>> On Wed, Nov 26, 2025 at 06:02:03PM +0800, Xiaoyao Li wrote:
>>>>>> When the host enables split lock detection feature, the split lock from
>>>>>> guests (normal or TDX) triggers #AC. The #AC caused by split lock access
>>>>>> within a normal guest triggers a VM Exit and is handled in the host.
>>>>>> The #AC caused by split lock access within a TDX guest does not trigger
>>>>>> a VM Exit and instead it's delivered to the guest self.
>>>>>>
>>>>>> The default "warning" mode of handling split lock depends on being able
>>>>>> to temporarily disable detection to recover from the split lock event.
>>>>>> But the MSR that disables detection is not accessible to a guest.
>>>>>>
>>>>>> This means that TDX guests today can not disable the feature or use
>>>>>> the "warning" mode (which is the default). But, they can use the "fatal"
>>>>>> mode.
>>>>>>
>>>>>> Force TDX guests to use the "fatal" mode.
>>>>>>
>>>>>> Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
>>>>>> ---
>>>>>>     arch/x86/kernel/cpu/bus_lock.c | 17 ++++++++++++++++-
>>>>>>     1 file changed, 16 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/arch/x86/kernel/cpu/bus_lock.c b/arch/x86/kernel/cpu/bus_lock.c
>>>>>> index 981f8b1f0792..f278e4ea3dd4 100644
>>>>>> --- a/arch/x86/kernel/cpu/bus_lock.c
>>>>>> +++ b/arch/x86/kernel/cpu/bus_lock.c
>>>>>> @@ -315,9 +315,24 @@ void bus_lock_init(void)
>>>>>>     	wrmsrq(MSR_IA32_DEBUGCTLMSR, val);
>>>>>>     }
>>>>>> +static bool split_lock_fatal(void)
>>>>>> +{
>>>>>> +	if (sld_state == sld_fatal)
>>>>>> +		return true;
>>>>>> +
>>>>>> +	/*
>>>>>> +	 * TDX guests can not disable split lock detection.
>>>>>> +	 * Force them into the fatal behavior.
>>>>>> +	 */
>>>>>> +	if (cpu_feature_enabled(X86_FEATURE_TDX_GUEST))
>>>>>> +		return true;
>>>>>> +
>>>>>> +	return false;
>>>>>> +}
>>>>>> +
>>>>>>     bool handle_user_split_lock(struct pt_regs *regs, long error_code)
>>>>>>     {
>>>>>> -	if ((regs->flags & X86_EFLAGS_AC) || sld_state == sld_fatal)
>>>>>> +	if ((regs->flags & X86_EFLAGS_AC) || split_lock_fatal())
>>>>>>     		return false;
>>>>>
>>>>> Maybe it would be cleaner to make it conditional on
>>>>> cpu_model_supports_sld instead of special-casing TDX guest?
>>>>>
>>>>> #AC on any platfrom when we didn't asked for it suppose to be fatal, no?
>>>>
>>>> But TDX is the only one has such special non-architectural behavior.
>>>>
>>>> For example, for normal VMs under KVM, the behavior is x86 architectural.
>>>> MSR_TEST_CTRL is not accessible to normal VMs, and no split lock #AC will be
>>>> delivered to the normal VMs because it's handled by KVM.
>>>
>>> How does it contradict what I suggested?
>>>
>>> For both normal VMs and TDX guest, cpu_model_supports_sld will not be
>>> set to true. So check for cpu_model_supports_sld here is going to be
>>> NOP, unless #AC actually delivered, like we have in TDX case. Handling
>>> it as fatal is sane behaviour in such case regardless if it TDX.
>>>
>>> And we don't need to make the check explicitly about TDX guest.
>>
>> Well, it depends on how defensive we would like to be, and whether to
>> specialize or commonize the issue.
>>
>> Either can work. If the preference and agreement are to commonize the issue,
>> I can do it in v2. And in this direction, what should we do with the patch
>> 2? just drop it since it's specialized for TDX ?
> 
> I am not sure. Leaving it as produces produces false messages which is
> not good, but not critical.
> 
> Maybe just clear X86_FEATURE_BUS_LOCK_DETECT and stop pretending we
> control split-lock behaviour from the guest?

By clearing X86_FEATURE_BUS_LOCK_DETECT, the TDX guest log doens't print 
anything about split lock detection. But the TDX guest is still possible 
to get #AC on split locks, which seems no good as well.

More, it's overkill to clear X86_FEATURE_BUS_LOCK_DETECT. Clearing it 
means TDX guest cannot use X86_FEATURE_BUS_LOCK_DETECT to detect the bus 
lock happens from the guest userspace, even when the host doesn't enable 
split lock detection. For example, on cloud environment, if the 
customers want to run their legacy workload that can generate split 
locks, the CSP would have to disable slit lock detection in the host but 
use bus lock VM exit to catch the bus lock in the TDX guest. In this 
case, TDX guest is free to use X86_FEATURE_BUS_LOCK_DETECT and it works 
as expected.
Re: [PATCH 1/2] x86/split_lock: Don't try to handle user split lock in TDX guest
Posted by Andrew Cooper 4 days, 5 hours ago 
> I am not sure. Leaving it as produces produces false messages which is
> not good, but not critical.
>
> Maybe just clear X86_FEATURE_BUS_LOCK_DETECT and stop pretending we
> control split-lock behaviour from the guest?

(Having just played with this mess for another task) you're talking
about two different things.

Sapphire Rapids has an architectural BUS_LOCK_DETECT (trap semantics,
#DB or VMExit), and a model-specific BUS_LOCK_DISABLE.

It's BUS_LOCK_DISABLE which generates #AC, with fault semantics,
preventing forward progress.  It also means the Bus Lock didn't happen,
and there's nothing to trigger the BUS_LOCK_DETECT (trap) behaviour.

Given that TDX is enabling BUS_LOCK_DISABLE, it's probably also enabling
UC_LOCK_DISABLE (causes #GP) too.

Looking at the backtrace:

  x86/split lock detection: #AC: split_lock/1176 took a split_lock trap at address: 0x5630b30921f9
  unchecked MSR access error: WRMSR to 0x33 (tried to write 0x0000000000000000) at rIP: 0xffffffff812a061f (native_write_msr+0xf/0x30)


First, "took a split_lock trap" is wrong.  It's a fault, not a trap.

Second, because the attempt to disable BUS_LOCK_DISABLE was blocked,
simply retrying the instruction will generate a new #AC and livelock. 
Linux probably ought to raise SIGSEGV with userspace, for want of
anything better to do.

It looks like software in a TDX VM will simply have to accept that it
cannot cause a bus lock.

~Andrew
Re: [PATCH 1/2] x86/split_lock: Don't try to handle user split lock in TDX guest
Posted by Xiaoyao Li 3 days, 20 hours ago 
Hi Andrew,

On 11/28/2025 12:55 AM, Andrew Cooper wrote:
>> I am not sure. Leaving it as produces produces false messages which is
>> not good, but not critical.
>>
>> Maybe just clear X86_FEATURE_BUS_LOCK_DETECT and stop pretending we
>> control split-lock behaviour from the guest?
> 
> (Having just played with this mess for another task) you're talking
> about two different things.
> 
> Sapphire Rapids has an architectural BUS_LOCK_DETECT (trap semantics,
> #DB or VMExit), and a model-specific BUS_LOCK_DISABLE.
> 
> It's BUS_LOCK_DISABLE which generates #AC, with fault semantics,
> preventing forward progress.  It also means the Bus Lock didn't happen,
> and there's nothing to trigger the BUS_LOCK_DETECT (trap) behaviour.
> 
> Given that TDX is enabling BUS_LOCK_DISABLE, it's probably also enabling
> UC_LOCK_DISABLE (causes #GP) too.

Well, more accurate, it's SPLIT_LOCK_DISABLE, not BUS_LOCK_DISABLE.(bus 
lock have two types: split lock and uc lock)

No, it's not TDX who is enabling SPLIT_LOCK_DISABLE, but the host. The 
default mode of Linux is "warn", so that by default the host Linux 
enables SPLIT_LOCK_DISABLE. And TDX module doesn't context switch 
MSR_TEST_CTRL when entering into the TDX vCPU because MSR_TEST_CTRL is 
not virtualizable. Thus SPLIT_LOCK_DISABLE remains enabled when TDX vCPU 
is running.

Regarding UC_LOCK_DISABLE, Linux doesn't enable it. Not sure if BIOS 
enables it or not (as far as I know, I don't see any bios enables it)

> Looking at the backtrace:
> 
>    x86/split lock detection: #AC: split_lock/1176 took a split_lock trap at address: 0x5630b30921f9
>    unchecked MSR access error: WRMSR to 0x33 (tried to write 0x0000000000000000) at rIP: 0xffffffff812a061f (native_write_msr+0xf/0x30)
> 
> 
> First, "took a split_lock trap" is wrong.  It's a fault, not a trap.

Hi x86 maintainers,

Should we fix it?

> Second, because the attempt to disable BUS_LOCK_DISABLE was blocked,
> simply retrying the instruction will generate a new #AC and livelock.
> Linux probably ought to raise SIGSEGV with userspace, for want of
> anything better to do.

This patch is just achieving this, while it raises the SIGBUS to userspace.

> It looks like software in a TDX VM will simply have to accept that it
> cannot cause a bus lock.

If the host doesn't enable SPLIT_LOCK_DISABLE, then split lock might not 
be fatal to TDX guests.

> ~Andrew

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.