Re: [RFC PATCH] x86/split_lock: Disable SLD if an unaware (out-of-tree) module enables VMX

From: Peter Zijlstra
Date: Fri Apr 03 2020 - 12:43:27 EST


On Fri, Apr 03, 2020 at 09:30:07AM -0700, Sean Christopherson wrote:
> Hook into native CR4 writes to disable split-lock detection if CR4.VMXE
> is toggled on by an SLD-unaware entity, e.g. an out-of-tree hypervisor
> module. Most/all VMX-based hypervisors blindly reflect #AC exceptions
> into the guest, or don't intercept #AC in the first place. With SLD
> enabled, this results in unexpected #AC faults in the guest, leading to
> crashes in the guest and other undesirable behavior.
>
> Reported-by: "Kenneth R. Crudup" <kenny@xxxxxxxxx>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Jessica Yu <jeyu@xxxxxxxxxx>
> Cc: Rasmus Villemoes <rasmus.villemoes@xxxxxxxxx>
> Cc: Kenneth R. Crudup <kenny@xxxxxxxxx>
> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Cc: Fenghua Yu <fenghua.yu@xxxxxxxxx>
> Cc: Xiaoyao Li <xiaoyao.li@xxxxxxxxx>
> Cc: Nadav Amit <namit@xxxxxxxxxx>
> Cc: Thomas Hellstrom <thellstrom@xxxxxxxxxx>
> Cc: Tony Luck <tony.luck@xxxxxxxxx>
> Cc: Steven Rostedt <rostedt@xxxxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Cc: Jann Horn <jannh@xxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: David Laight <David.Laight@xxxxxxxxxx>
> Cc: Doug Covelli <dcovelli@xxxxxxxxxx>
> Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
> ---
>
> A bit ugly, but on the plus side the code is largely contained to intel.c.
> I think forgoing the on_all_cpus() remote kill is safe?

How would it be safe? You can't control where the module text will be
run, or how quickly.