Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
* Andy Lutomirskiwrote: > Setting CONFIG_PARAVIRT=y has an unintended side effect: it silently > turns all rdmsr and wrmsr operations into the safe variants without > any checks that the operations actually succeed. > > This is IMO awful: it papers over bugs. In particular, KVM gueests > might be unwittingly depending on this behavior because > CONFIG_KVM_GUEST currently depends on CONFIG_PARAVIRT. I'm not > aware of any such problems, but applying this series would be a good > way to shake them out. > > Fix it so that the MSR operations work the same on CONFIG_PARAVIRT=n > and CONFIG_PARAVIRT=y as long as Xen isn't being used. The Xen > maintainers are welcome to make a similar change on top of this. > > Since there's plenty of time before the next merge window, I think > we should apply and fix anything that breaks. No, I think we should at most generate a warning instead, and not crash the kernel via rdmsr()! Most big distro kernels on bare metal have CONFIG_PARAVIRT=y (I checked Ubuntu and Fedora), so we are potentially exposing a lot of users to problems. Crashing the bootup on an unknown MSR is bad. Many MSR reads and writes are non-critical and returning the 'safe' result is much better than crashing or hanging the bootup. ( We should double check that rdmsr()/wrmsr() results are never left uninitialized, but are set to zero or so, for cases where the return code is not checked. ) Thanks, Ingo ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On 17/09/15 00:33, Andy Lutomirski wrote: > Setting CONFIG_PARAVIRT=y has an unintended side effect: it silently > turns all rdmsr and wrmsr operations into the safe variants without > any checks that the operations actually succeed. > > This is IMO awful: it papers over bugs. In particular, KVM gueests > might be unwittingly depending on this behavior because > CONFIG_KVM_GUEST currently depends on CONFIG_PARAVIRT. I'm not > aware of any such problems, but applying this series would be a good > way to shake them out. > > Fix it so that the MSR operations work the same on CONFIG_PARAVIRT=n > and CONFIG_PARAVIRT=y as long as Xen isn't being used. The Xen > maintainers are welcome to make a similar change on top of this. The Xen side of things need some further modification before this would be a safe operation to perform. On the wrmsr side of things alone, this is the list of things Xen currently objects to and injects #GP faults for. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR c081 from 0xe023e008 to 0x00230010. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR c082 from 0x82d0b000 to 0x81560060. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR c083 from 0x82d0b020 to 0x81558100. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR 0174 from 0xe008 to 0x0010. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR 0175 from 0x8300ac0f7fc0 to 0x. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR 0176 from 0x82d08023fd50 to 0x815616d0. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR c083 from 0x82d0b020 to 0x81561910. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR c084 from 0x00074700 to 0x00047700. However, it would be certainly be worth teaching PVops not to play with MSRs it doesn't own. ~Andrew ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On 17/09/2015 11:31, Borislav Petkov wrote: > >> > Crashing the bootup on an unknown MSR is bad. Many MSR reads and writes >> > are >> > non-critical and returning the 'safe' result is much better than crashing >> > or >> > hanging the bootup. > ... and prepending all MSR accesses with feature/CPUID checks is probably > almost > impossible. That's not a big deal, that's what *_safe is for. The problem is that there are definitely some cases where the *_safe version is not being used. I agree with Ingo that we should start with a WARN. For example: - give the read_msr and write_msr hooks the same prototype as the safe variants - make the virt platforms always return "no error" for the unsafe variants (I understand if your first reaction is "ouch", but this effectively is already the current behavior) - change rdmsr/wrmsr/rdmsrl/wrmsrl to WARN if the read_msr and write_msr hooks return an error Paolo ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On 17/09/2015 10:58, Peter Zijlstra wrote: > But the far greater problem I have with the whole virt thing is that > you cannot use rdmsr_safe() to probe if an MSR exists at all because, as > you told me, these virt thingies return 0 for all 'unknown' MSRs instead > of faulting. At least for KVM, that behavior is opt-in (the ignore_msrs parameter) and no distro that I know enables it by default. Paolo ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
However, the difference between one CONFIG and another is quite frankly crazy. We should explicitly use the safe versions where this is appropriate, and then yes, we should do this. Yet another reason the paravirt code is batshit crazy. On September 17, 2015 2:31:34 AM PDT, Borislav Petkovwrote: >On Thu, Sep 17, 2015 at 09:19:20AM +0200, Ingo Molnar wrote: >> Most big distro kernels on bare metal have CONFIG_PARAVIRT=y (I >checked Ubuntu and >> Fedora), so we are potentially exposing a lot of users to problems. > >+ SUSE. > >> Crashing the bootup on an unknown MSR is bad. Many MSR reads and >writes are >> non-critical and returning the 'safe' result is much better than >crashing or >> hanging the bootup. > >... and prepending all MSR accesses with feature/CPUID checks is >probably almost >impossible. -- Sent from my Android device with K-9 Mail. Please excuse my brevity. ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On Wed, Sep 16, 2015 at 04:33:11PM -0700, Andy Lutomirski wrote: > Setting CONFIG_PARAVIRT=y has an unintended side effect: it silently > turns all rdmsr and wrmsr operations into the safe variants without > any checks that the operations actually succeed. > > This is IMO awful: it papers over bugs. In particular, KVM gueests > might be unwittingly depending on this behavior because > CONFIG_KVM_GUEST currently depends on CONFIG_PARAVIRT. I'm not > aware of any such problems, but applying this series would be a good > way to shake them out. > > Fix it so that the MSR operations work the same on CONFIG_PARAVIRT=n > and CONFIG_PARAVIRT=y as long as Xen isn't being used. The Xen > maintainers are welcome to make a similar change on top of this. > > Since there's plenty of time before the next merge window, I think > we should apply and fix anything that breaks. > > Doing this is probably a prerequisite to sanely decoupling > CONFIG_KVM_GUEST and CONFIG_PARAVIRT, which would probably make > Arjan and the rest of the Clear Containers people happy :) So I actually like this, although by Ingo's argument, its a tad risky. But the far greater problem I have with the whole virt thing is that you cannot use rdmsr_safe() to probe if an MSR exists at all because, as you told me, these virt thingies return 0 for all 'unknown' MSRs instead of faulting. ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On Thu, Sep 17, 2015 at 09:19:20AM +0200, Ingo Molnar wrote: > Most big distro kernels on bare metal have CONFIG_PARAVIRT=y (I checked > Ubuntu and > Fedora), so we are potentially exposing a lot of users to problems. + SUSE. > Crashing the bootup on an unknown MSR is bad. Many MSR reads and writes are > non-critical and returning the 'safe' result is much better than crashing or > hanging the bootup. ... and prepending all MSR accesses with feature/CPUID checks is probably almost impossible. -- Regards/Gruss, Boris. ECO tip #101: Trim your mails when you reply. -- ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On Thu, Sep 17, 2015 at 01:40:30PM +0200, Paolo Bonzini wrote: > > > On 17/09/2015 10:58, Peter Zijlstra wrote: > > But the far greater problem I have with the whole virt thing is that > > you cannot use rdmsr_safe() to probe if an MSR exists at all because, as > > you told me, these virt thingies return 0 for all 'unknown' MSRs instead > > of faulting. > > At least for KVM, that behavior is opt-in (the ignore_msrs parameter) > and no distro that I know enables it by default. Ah, that would be good news. Andy earlier argued I could not rely on rdmsr_safe() faulting on unknown MSRs. If practically we can there's some code I can simplify :-) ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On Thu, Sep 17, 2015 at 08:17:18AM -0700, Andy Lutomirski wrote: > > Ah, that would be good news. Andy earlier argued I could not rely on > > rdmsr_safe() faulting on unknown MSRs. If practically we can there's > > some code I can simplify :-) > > I was taking about QEMU TCG, not KVM. Just for my education, TCG is the thing without _any_ hardware assist? The thing you fear to use because it cannot boot a kernel this side of tomorrow etc.. ? ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On Thu, Sep 17, 2015 at 8:17 AM, Peter Zijlstrawrote: > On Thu, Sep 17, 2015 at 08:17:18AM -0700, Andy Lutomirski wrote: > >> > Ah, that would be good news. Andy earlier argued I could not rely on >> > rdmsr_safe() faulting on unknown MSRs. If practically we can there's >> > some code I can simplify :-) >> >> I was taking about QEMU TCG, not KVM. > > Just for my education, TCG is the thing without _any_ hardware assist? Yes. > The thing you fear to use because it cannot boot a kernel this side of > tomorrow etc.. ? I actually use it on a semi-regular basis. It appears to boot a normal kernel correctly and surprisingly quickly. It's important for a silly reason. Asking KVM on an Intel host to emulate an AMD CPU or vice versa results in a chimera: I get an Opteron that's "GenuineIntel", which causes Linux to treat it as Intel, which means it gets the Intel quirks (SYSENTER in long mode, no X86_BUG_SYSRET_SS_ATTRS, etc) instead of the AMD quirks (SYSCALL in compat mode, etc). So, if I want to test compat SYSCALL, I have to use TCG, which will actually do a decent job of emulating an AMD CPU for me. Maybe Paolo can fix QEMU to fail bad MSR accesses for real... --Andy -- Andy Lutomirski AMA Capital Management, LLC ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On 17/09/2015 17:26, Andy Lutomirski wrote: > Maybe Paolo can fix QEMU to fail bad MSR accesses for real... I was afraid of someone proposing exactly that. :) I can do it since the list of MSRs can be lifted from KVM. Let's first see the direction these patches go... Paolo ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
( We should double check that rdmsr()/wrmsr() results are never left uninitialized, but are set to zero or so, for cases where the return code is not checked. ) It sure looks like native_read_msr_safe doesn't clear the output if the rdmsr fails. I'd suggest to return some poison not just 0... less likely to get interesting surprises that are insane hard to debug/diagnose ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On Thu, Sep 17, 2015 at 12:19 AM, Ingo Molnarwrote: > > * Andy Lutomirski wrote: > >> Setting CONFIG_PARAVIRT=y has an unintended side effect: it silently >> turns all rdmsr and wrmsr operations into the safe variants without >> any checks that the operations actually succeed. >> >> This is IMO awful: it papers over bugs. In particular, KVM gueests >> might be unwittingly depending on this behavior because >> CONFIG_KVM_GUEST currently depends on CONFIG_PARAVIRT. I'm not >> aware of any such problems, but applying this series would be a good >> way to shake them out. >> >> Fix it so that the MSR operations work the same on CONFIG_PARAVIRT=n >> and CONFIG_PARAVIRT=y as long as Xen isn't being used. The Xen >> maintainers are welcome to make a similar change on top of this. >> >> Since there's plenty of time before the next merge window, I think >> we should apply and fix anything that breaks. > > No, I think we should at most generate a warning instead, and not crash the > kernel > via rdmsr()! > > Most big distro kernels on bare metal have CONFIG_PARAVIRT=y (I checked > Ubuntu and > Fedora), so we are potentially exposing a lot of users to problems. > > Crashing the bootup on an unknown MSR is bad. Many MSR reads and writes are > non-critical and returning the 'safe' result is much better than crashing or > hanging the bootup. > Should we do that for CONFIG_PARAVIRT=n, too? It would be straightforward to rig this up (temporarily?) on top of these patches. To keep bloat down, we might want to implement it in do_general_protection rather than sticking it in native_read_msr. wrmsr is a different beast, since we can fail due to writing the wrong value to an otherwise valid MSR. Given that MSR screwups can very easily be security holes, I'm not sure that warning and blindly continuing on an unchecked failed wrmsr is a good idea. In any event, I think it's nuts that CONFIG_PARAVIRT changes this behavior. We should pick something sane and stick with it. CONFIG_PARAVIRT=n appears to work just fine on bare metal in lots of deployments, especially pre-KVM. CONFIG_PARAVIRT=n also appears to work fine under KVM, and I use it frequently. > ( We should double check that rdmsr()/wrmsr() results are never left > uninitialized, but are set to zero or so, for cases where the return code > is not > checked. ) It sure looks like native_read_msr_safe doesn't clear the output if the rdmsr fails. --Andy ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On 17/09/15 16:27, Borislav Petkov wrote: > On Thu, Sep 17, 2015 at 01:39:26PM +0200, Paolo Bonzini wrote: >> That's not a big deal, that's what *_safe is for. The problem is that >> there are definitely some cases where the *_safe version is not being used. > I mean to do feature checks which assure you that those MSRs are > there so you don't need the safe variants. And that is not always > easy/possible. > There are plenty of non-architectural MSRs in use which don't have feature bits. Xen used to have problems booting when using the masking MSRs when booting virtualised. Nowadays it uses a cpu vendor check and _safe() probe to detect support. ~Andrew ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On 17/09/2015 17:31, Arjan van de Ven wrote: >> >> What about 0 + WARN? > > why 0? > > 0xdeadbeef or any other pattern (even 0x3636363636) makes more sense (of > course also WARN... but most folks don't read dmesg for WARNs) > > (it's the same thing we do for list or slab poison stuff) Sorry, brain fart. That makes sense for the safe variants. It would require some auditing though. Paolo ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On Thu, Sep 17, 2015 at 04:32:53PM +0100, Andrew Cooper wrote: > There are plenty of non-architectural MSRs in use which don't have > feature bits. That's exactly what the "possible" adjective was supposed to represent. -- Regards/Gruss, Boris. ECO tip #101: Trim your mails when you reply. -- ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On 9/17/2015 8:29 AM, Paolo Bonzini wrote: On 17/09/2015 17:27, Arjan van de Ven wrote: ( We should double check that rdmsr()/wrmsr() results are never left uninitialized, but are set to zero or so, for cases where the return code is not checked. ) It sure looks like native_read_msr_safe doesn't clear the output if the rdmsr fails. I'd suggest to return some poison not just 0... What about 0 + WARN? why 0? 0xdeadbeef or any other pattern (even 0x3636363636) makes more sense (of course also WARN... but most folks don't read dmesg for WARNs) (it's the same thing we do for list or slab poison stuff) ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On Thu, Sep 17, 2015 at 01:39:26PM +0200, Paolo Bonzini wrote: > That's not a big deal, that's what *_safe is for. The problem is that > there are definitely some cases where the *_safe version is not being used. I mean to do feature checks which assure you that those MSRs are there so you don't need the safe variants. And that is not always easy/possible. -- Regards/Gruss, Boris. ECO tip #101: Trim your mails when you reply. -- ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On 09/17/2015 05:10 AM, Andrew Cooper wrote: On 17/09/15 00:33, Andy Lutomirski wrote: Setting CONFIG_PARAVIRT=y has an unintended side effect: it silently turns all rdmsr and wrmsr operations into the safe variants without any checks that the operations actually succeed. This is IMO awful: it papers over bugs. In particular, KVM gueests might be unwittingly depending on this behavior because CONFIG_KVM_GUEST currently depends on CONFIG_PARAVIRT. I'm not aware of any such problems, but applying this series would be a good way to shake them out. Fix it so that the MSR operations work the same on CONFIG_PARAVIRT=n and CONFIG_PARAVIRT=y as long as Xen isn't being used. The Xen maintainers are welcome to make a similar change on top of this. The Xen side of things need some further modification before this would be a safe operation to perform. On the wrmsr side of things alone, this is the list of things Xen currently objects to and injects #GP faults for. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR c081 from 0xe023e008 to 0x00230010. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR c082 from 0x82d0b000 to 0x81560060. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR c083 from 0x82d0b020 to 0x81558100. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR 0174 from 0xe008 to 0x0010. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR 0175 from 0x8300ac0f7fc0 to 0x. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR 0176 from 0x82d08023fd50 to 0x815616d0. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR c083 from 0x82d0b020 to 0x81561910. (XEN) traps.c:2692:d0v0 Domain attempted WRMSR c084 from 0x00074700 to 0x00047700. However, it would be certainly be worth teaching PVops not to play with MSRs it doesn't own. PVops already knows about those. There is even has a comment about how we shouldn't touch those MSRs. And yet three lines later we still write them. -boris ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On Sep 17, 2015 5:33 AM, "Peter Zijlstra"wrote: > > On Thu, Sep 17, 2015 at 01:40:30PM +0200, Paolo Bonzini wrote: > > > > > > On 17/09/2015 10:58, Peter Zijlstra wrote: > > > But the far greater problem I have with the whole virt thing is that > > > you cannot use rdmsr_safe() to probe if an MSR exists at all because, as > > > you told me, these virt thingies return 0 for all 'unknown' MSRs instead > > > of faulting. > > > > At least for KVM, that behavior is opt-in (the ignore_msrs parameter) > > and no distro that I know enables it by default. > > Ah, that would be good news. Andy earlier argued I could not rely on > rdmsr_safe() faulting on unknown MSRs. If practically we can there's > some code I can simplify :-) I was taking about QEMU TCG, not KVM. --Andy ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
* Andy Lutomirskiwrote: > On Thu, Sep 17, 2015 at 12:19 AM, Ingo Molnar wrote: > > > > * Andy Lutomirski wrote: > > > >> Setting CONFIG_PARAVIRT=y has an unintended side effect: it silently > >> turns all rdmsr and wrmsr operations into the safe variants without > >> any checks that the operations actually succeed. > >> > >> This is IMO awful: it papers over bugs. In particular, KVM gueests > >> might be unwittingly depending on this behavior because > >> CONFIG_KVM_GUEST currently depends on CONFIG_PARAVIRT. I'm not > >> aware of any such problems, but applying this series would be a good > >> way to shake them out. > >> > >> Fix it so that the MSR operations work the same on CONFIG_PARAVIRT=n > >> and CONFIG_PARAVIRT=y as long as Xen isn't being used. The Xen > >> maintainers are welcome to make a similar change on top of this. > >> > >> Since there's plenty of time before the next merge window, I think > >> we should apply and fix anything that breaks. > > > > No, I think we should at most generate a warning instead, and not crash the > > kernel > > via rdmsr()! > > > > Most big distro kernels on bare metal have CONFIG_PARAVIRT=y (I checked > > Ubuntu and > > Fedora), so we are potentially exposing a lot of users to problems. > > > > Crashing the bootup on an unknown MSR is bad. Many MSR reads and writes are > > non-critical and returning the 'safe' result is much better than crashing or > > hanging the bootup. > > > > Should we do that for CONFIG_PARAVIRT=n, too? Absolutely. PARAVIRT=n should not behave differently from PARAVIRT=y on bare metal. > It would be straightforward to rig this up (temporarily?) on top of these > patches. To keep bloat down, we might want to implement it in > do_general_protection rather than sticking it in native_read_msr. Fair enough. > wrmsr is a different beast, since we can fail due to writing the wrong value > to > an otherwise valid MSR. Given that MSR screwups can very easily be security > holes, I'm not sure that warning and blindly continuing on an unchecked > failed > wrmsr is a good idea. So the fact is that right now we are silently ignoring failures there, and have been doing that for some time. The right first step is to live with that and start generating low-key, once-per-bootup warnings at most, and see how frequent (and how serious) they are. We could add a (default disabled) CONFIG_PANIC_ON_UNKNOWN_MSR=y option if that's really a serious concern. > In any event, I think it's nuts that CONFIG_PARAVIRT changes this > behavior. We should pick something sane and stick with it. Absolutely - and as it happens, the 'does not crash the kernel' PARAVIRT=y accidental behavior is actually quite close to what we wanted for a long time, so let's make it official - and add a warning to make sure we are aware of problems. But don't turn 'potential problems' into showstopper bugs such as a hard to debug early boot crash, which to most Linux users means a black screen on bootup! > > ( We should double check that rdmsr()/wrmsr() results are never left > > uninitialized, but are set to zero or so, for cases where the return code > > is not > > checked. ) > > It sure looks like native_read_msr_safe doesn't clear the output if the rdmsr > fails. Yeah, that should be fixed, to make such soft failures deterministic. Thanks, Ingo ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
On Thu, Sep 17, 2015 at 10:30 AM, Ingo Molnarwrote: > > * Andy Lutomirski wrote: > >> On Thu, Sep 17, 2015 at 12:19 AM, Ingo Molnar wrote: >> > >> > * Andy Lutomirski wrote: >> > >> >> Setting CONFIG_PARAVIRT=y has an unintended side effect: it silently >> >> turns all rdmsr and wrmsr operations into the safe variants without >> >> any checks that the operations actually succeed. >> >> >> >> This is IMO awful: it papers over bugs. In particular, KVM gueests >> >> might be unwittingly depending on this behavior because >> >> CONFIG_KVM_GUEST currently depends on CONFIG_PARAVIRT. I'm not >> >> aware of any such problems, but applying this series would be a good >> >> way to shake them out. >> >> >> >> Fix it so that the MSR operations work the same on CONFIG_PARAVIRT=n >> >> and CONFIG_PARAVIRT=y as long as Xen isn't being used. The Xen >> >> maintainers are welcome to make a similar change on top of this. >> >> >> >> Since there's plenty of time before the next merge window, I think >> >> we should apply and fix anything that breaks. >> > >> > No, I think we should at most generate a warning instead, and not crash >> > the kernel >> > via rdmsr()! >> > >> > Most big distro kernels on bare metal have CONFIG_PARAVIRT=y (I checked >> > Ubuntu and >> > Fedora), so we are potentially exposing a lot of users to problems. >> > >> > Crashing the bootup on an unknown MSR is bad. Many MSR reads and writes are >> > non-critical and returning the 'safe' result is much better than crashing >> > or >> > hanging the bootup. >> > >> >> Should we do that for CONFIG_PARAVIRT=n, too? > > Absolutely. PARAVIRT=n should not behave differently from PARAVIRT=y on bare > metal. > >> It would be straightforward to rig this up (temporarily?) on top of these >> patches. To keep bloat down, we might want to implement it in >> do_general_protection rather than sticking it in native_read_msr. > > Fair enough. > >> wrmsr is a different beast, since we can fail due to writing the wrong value >> to >> an otherwise valid MSR. Given that MSR screwups can very easily be security >> holes, I'm not sure that warning and blindly continuing on an unchecked >> failed >> wrmsr is a good idea. > > So the fact is that right now we are silently ignoring failures there, and > have > been doing that for some time. The right first step is to live with that and > start > generating low-key, once-per-bootup warnings at most, and see how frequent > (and > how serious) they are. > > We could add a (default disabled) CONFIG_PANIC_ON_UNKNOWN_MSR=y option if > that's > really a serious concern. Could we abuse panic_on_oops for this purpose? > >> In any event, I think it's nuts that CONFIG_PARAVIRT changes this >> behavior. We should pick something sane and stick with it. > > Absolutely - and as it happens, the 'does not crash the kernel' PARAVIRT=y > accidental behavior is actually quite close to what we wanted for a long > time, so > let's make it official - and add a warning to make sure we are aware of > problems. > > But don't turn 'potential problems' into showstopper bugs such as a hard to > debug > early boot crash, which to most Linux users means a black screen on bootup! > Fair enough. --Andy ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
[Xen-devel] [PATCH 0/3] x86/paravirt: Fix baremetal paravirt MSR ops
Setting CONFIG_PARAVIRT=y has an unintended side effect: it silently turns all rdmsr and wrmsr operations into the safe variants without any checks that the operations actually succeed. This is IMO awful: it papers over bugs. In particular, KVM gueests might be unwittingly depending on this behavior because CONFIG_KVM_GUEST currently depends on CONFIG_PARAVIRT. I'm not aware of any such problems, but applying this series would be a good way to shake them out. Fix it so that the MSR operations work the same on CONFIG_PARAVIRT=n and CONFIG_PARAVIRT=y as long as Xen isn't being used. The Xen maintainers are welcome to make a similar change on top of this. Since there's plenty of time before the next merge window, I think we should apply and fix anything that breaks. Doing this is probably a prerequisite to sanely decoupling CONFIG_KVM_GUEST and CONFIG_PARAVIRT, which would probably make Arjan and the rest of the Clear Containers people happy :) Andy Lutomirski (3): x86/paravirt: Add _safe to the read_msr and write_msr PV hooks x86/paravirt: Add paravirt_{read,write}_msr x86/paravirt: Make "unsafe" MSR accesses unsafe even if PARAVIRT=y arch/x86/include/asm/paravirt.h | 45 +-- arch/x86/include/asm/paravirt_types.h | 12 +++--- arch/x86/kernel/paravirt.c| 6 +++-- arch/x86/xen/enlighten.c | 27 +++-- 4 files changed, 65 insertions(+), 25 deletions(-) -- 2.4.3 ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel