Re: General protection fault in `switch_mm_irqs_off()`

From: Lendacky, Thomas
Date: Thu Jan 10 2019 - 10:56:10 EST


On 1/10/19 7:57 AM, Paul Menzel wrote:
> Dear Borislav,
>
>
> On 01/09/19 22:11, Borislav Petkov wrote:
>> On Wed, Jan 09, 2019 at 05:34:11PM +0100, Paul Menzel wrote:
>>> Is there a way to trace the value of `boot_cpu_data` from
>>> `arch/x86/include/asm/cpufeature.h` with some Linux Kernel magic?
>>>
>>> #define boot_cpu_has(bit) cpu_has(&boot_cpu_data, bit)
>>>
>>> Or is rebuilding with print statements the only solution?
>>
>> Yes. Just apply this and catch output. It is a wild guess anyway as
>> this whole deal looks really strange but at least it should not #GP the
>> machine.
>>
>> ---
>> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
>> index dad12b767ba0..ec4688779900 100644
>> --- a/arch/x86/include/asm/nospec-branch.h
>> +++ b/arch/x86/include/asm/nospec-branch.h
>> @@ -284,6 +284,9 @@ static inline void indirect_branch_prediction_barrier(void)
>> {
>> u64 val = PRED_CMD_IBPB;
>>
>> + if (WARN_ON(boot_cpu_has(X86_FEATURE_USE_IBPB)))
>> + return;
>> +
>> alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB);
>> }
>>
>> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
>> index 1de0f4170178..4ed4cc99a2c0 100644
>> --- a/arch/x86/kernel/cpu/bugs.c
>> +++ b/arch/x86/kernel/cpu/bugs.c
>> @@ -371,6 +371,8 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
>> if (boot_cpu_has(X86_FEATURE_IBPB)) {
>> setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
>>
>> + pr_err("%s: set X86_FEATURE_USE_IBPB\n", __func__);
>> +
>> switch (cmd) {
>> case SPECTRE_V2_USER_CMD_FORCE:
>> case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
>
> Thank you very much. Indeed, the machine does not crash. I used Linusâ
> master branch for testing, and applied your patch on top. Please find
> the full log attached.

Checking the original log file again, it showed the mitigation message
for IBPB that is just after the above switch statement, so this print
output is expected. What about applying this patch on top of the patch
from Boris:

---
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index cb28e98a0659..b0ea6886ef15 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -779,6 +779,7 @@ static void init_speculation_control(struct cpuinfo_x86 *c)
set_cpu_cap(c, X86_FEATURE_IBRS);
set_cpu_cap(c, X86_FEATURE_IBPB);
set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
+ pr_err("%s: set X86_FEATURE_IBPB via X86_FEATURE_SPEC_CTRL: cpuid 0x07[EDX]=%#x\n", __func__, cpuid_edx(0x07));
}

if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
@@ -793,8 +794,10 @@ static void init_speculation_control(struct cpuinfo_x86 *c)
set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
}

- if (cpu_has(c, X86_FEATURE_AMD_IBPB))
+ if (cpu_has(c, X86_FEATURE_AMD_IBPB)) {
set_cpu_cap(c, X86_FEATURE_IBPB);
+ pr_err("%s: set X86_FEATURE_IBPB via X86_FEATURE_AMD_IBPB: cpuid 0x80000008[EBX]=%#x\n", __func__, cpuid_ebx(0x80000008));
+ }

if (cpu_has(c, X86_FEATURE_AMD_STIBP)) {
set_cpu_cap(c, X86_FEATURE_STIBP);
--

Thanks,
Tom

>
> ```
> $ git describe --tags origin/master
> v5.0-rc1-26-g500cf822f80f
> $ dmesg
> [â]
> [ 7.262018] microcode: CPU0: patch_level=0x0600063e
> [â]
> [ 3.198107] Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
> [â]
> [ 8.786863] Run /init as init process
> [ 8.792006] WARNING: CPU: 1 PID: 0 at ./arch/x86/include/asm/nospec-branch.h:287 switch_mm_irqs_off+0x5ec/0x680
> [ 8.802384] Modules linked in:
> [ 8.805586] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.0.0-rc1.mx64.236-00027-ged01f563987a #1
> [ 8.814529] Hardware name: ASUS KGPE-D16/KGPE-D16, BIOS 4.9-213-gdb866ba200 01/08/2019
> [ 8.822677] RIP: 0010:switch_mm_irqs_off+0x5ec/0x680
> [ 8.827801] Code: 31 d2 31 f6 e8 95 4a da 00 49 8b 06 48 85 c0 75 e7 e8 88 ee 06 00 44 89 fe 48 c7 c7 c0 a1 46 82 e8 69 88 06 00 e9 57 fc ff ff <0f> 0b e9 d3 fa ff ff 0f 0b e9 6b ff ff ff 0f 0b e9 22 fe ff ff 0f
> [ 8.847001] RSP: 0018:ffffc900062bfe20 EFLAGS: 00010003
> [ 8.852374] RAX: 052a310401c13fff RBX: ffff88881b748800 RCX: 0000000000000000
> [ 8.859655] RDX: 0000000000000001 RSI: ffff88881caed080 RDI: ffff88881b748800
> [ 8.866952] RBP: ffffc900062bfe70 R08: 000000020c098c00 R09: 0000000000000000
> [ 8.874237] R10: ffffc900062bfe88 R11: 0000000000000000 R12: ffffffff8247e460
> [ 8.881529] R13: 0000000000000000 R14: 0000000000000001 R15: ffff88881db28f00
> [ 8.888810] FS: 0000000000000000(0000) GS:ffff88881fa40000(0000) knlGS:0000000000000000
> [ 8.897146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 8.903066] CR2: 0000000000000000 CR3: 000000000240e000 CR4: 00000000000406e0
> [ 8.910398] Call Trace:
> [ 8.912994] ? __schedule+0x1b9/0x7b0
> [ 8.916795] __schedule+0x1b9/0x7b0
> [ 8.920436] schedule_idle+0x1e/0x40
> [ 8.924155] do_idle+0x146/0x200
> [ 8.927577] cpu_startup_entry+0x19/0x20
> [ 8.931641] start_secondary+0x183/0x1b0
> [ 8.935722] secondary_startup_64+0xa4/0xb0
> [ 8.940066] ---[ end trace 948cf50690b0f4b1 ]---
> ```
>
>
> Kind regards,
>
> Paul
>