Re: [patch 2/2] x86/kvm/vmx: Prevent split lock detection induced #AC wreckage

From: Sean Christopherson
Date: Thu Apr 02 2020 - 12:04:50 EST


On Thu, Apr 02, 2020 at 03:44:00PM +0000, Nadav Amit wrote:
> > On Apr 2, 2020, at 8:30 AM, Sean Christopherson <sean.j.christopherson@xxxxxxxxx> wrote:
> >
> > On Thu, Apr 02, 2020 at 02:33:00PM +0200, Thomas Gleixner wrote:
> >> Without at least minimal handling for split lock detection induced #AC, VMX
> >> will just run into the same problem as the VMWare hypervisor, which was
> >> reported by Kenneth.
> >>
> >> It will inject the #AC blindly into the guest whether the guest is prepared
> >> or not.
> >>
> >> Add the minimal required handling for it:
> >>
> >> - Check guest state whether CR0.AM is enabled and EFLAGS.AC is set. If
> >> so, then the #AC originated from CPL3 and the guest has is prepared to
> >> handle it. In this case it does not matter whether the #AC is due to a
> >> split lock or a regular unaligned check.
> >>
> >> - Invoke a minimal split lock detection handler. If the host SLD mode is
> >> sld_warn, then handle it in the same way as user space handling works:
> >> Emit a warning, disable SLD and mark the current task with TIF_SLD.
> >> With that resume the guest without injecting #AC.
> >>
> >> If the host mode is sld_fatal or sld_off, emit a warning and deliver
> >> the exception to user space which can crash and burn itself.
> >>
> >> Mark the module with MOD_INFO(sld_safe, "Y") so the module loader does not
> >> force SLD off.
> >
> > Some comments below. But, any objection to taking Xiaoyao's patches that
> > do effectively the same things, minus the MOD_INFO()? I'll repost them in
> > reply to this thread.
>
> IIUC they also deal with emulated split-lock accesses in the host, during
> instruction emulation [1]. This seems also to be required, although I am not
> sure the approach that he took once emulation encounters a split-lock is
> robust.

Yep. It's "robust" in the sense that KVM won't panic the host. It's not
robust from the perspective that it could possibly hose the guest. But, no
sane, well-behaved guest should reach that particular emulator path on a
split-lock enabled system.

> [1] https://lore.kernel.org/lkml/20200324151859.31068-5-xiaoyao.li@xxxxxxxxx/