From patchwork Wed Nov 23 23:12:06 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mingwei Zhang X-Patchwork-Id: 25236 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp3079385wrr; Wed, 23 Nov 2022 15:14:40 -0800 (PST) X-Google-Smtp-Source: AA0mqf58/YAE1g3Mz8/zvBmDsTA55LLqiC45IGZXCQ1+AUVlL24M2RnkzrMhHC3n512TnHZ7V7Id X-Received: by 2002:a17:906:504:b0:7b5:2d9f:4019 with SMTP id j4-20020a170906050400b007b52d9f4019mr16243746eja.536.1669245280463; Wed, 23 Nov 2022 15:14:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669245280; cv=none; d=google.com; s=arc-20160816; b=MpoaVQWx7LpA8/Bxw+jcFKRyFk4xil9qx6QFx5d5l2XRMjBA7Tbu7Ox/UnvUATwX6b w1255tBhytVJ/XFEfnxSVPUI4WCpCg+30dk+m3k8TDsr9qd1q5pNMcLHLQdKEdE1aNKS vjtPOuf0cxQMiS8rCvFWATfXC7dWfcx2FDMojpnTG9mi2dTkS7V1kXmS5e1/zoNjllTb We5SGhNn5/4iKH7DwCmZ1+Hlos+Z1ozXtoJQQioZalelYm9Y3EWrLOIMrNYOY1ODI/x0 QXJq5iKXqV/BVKnZJaH4XjiSQ5spfaDWbCGVoiy4und9ft9ONJq9nfL8wly82oUr1QOr CRTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:mime-version:date :reply-to:dkim-signature; bh=7lw8YVpJ4QcZaXBDWGwmxkYvUldKaoqYfJTtdfuKylU=; b=JqzAbhUlJgal5doFqvLkrUFW6xgOdsIfN9aNrpayYsz6txocq4n8fRo1lUKHBesM7J dwPwwDlooHjmfJ4tHwWq/Mz7YKl9ZCtQUhwfqOsrVieeW9TtB2KSMUPnlY1noSaE7E4/ cUTWYMsj09ZLGRA4JV6Q19Eh6KBzmdUfAtmW0hQkX9Y7JIS+Y8bq9NQhSkbL3SGyxiUr 7C2af994etDT4I5XqDv/naF6ASZDLA+h1WXt0lRYhgG6lYSNW7kJPgU7LHTw9Yp5cXAK VPLIiXi3LzF9tp0rxNNmdEXp8qLshG0swWHxG+6KLWBcafuP8NSOvn/tAQeAaVHIYfTC gxZA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=ddvdcMc3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ss28-20020a170907c01c00b0078b96068bc0si13162476ejc.79.2022.11.23.15.14.17; Wed, 23 Nov 2022 15:14:40 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=ddvdcMc3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229662AbiKWXMW (ORCPT + 99 others); Wed, 23 Nov 2022 18:12:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39870 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229489AbiKWXMV (ORCPT ); Wed, 23 Nov 2022 18:12:21 -0500 Received: from mail-pj1-x1049.google.com (mail-pj1-x1049.google.com [IPv6:2607:f8b0:4864:20::1049]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 526DA942FB for ; Wed, 23 Nov 2022 15:12:17 -0800 (PST) Received: by mail-pj1-x1049.google.com with SMTP id a3-20020a17090a8c0300b00218bfce4c03so2113033pjo.1 for ; Wed, 23 Nov 2022 15:12:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:message-id:mime-version:date:reply-to:from:to:cc :subject:date:message-id:reply-to; bh=7lw8YVpJ4QcZaXBDWGwmxkYvUldKaoqYfJTtdfuKylU=; b=ddvdcMc3xKmgvJD3lQ7hmpQ9aEIKO8R/NZcLfG+Fzm+3riFXWUreazQwD3yLXCa0JR tIeqov/4hpP7Mha75D7lkHIRjHtdOLkA0JTypDmIKyMxYvUUSFV3Jgr8Td1CJafK3Dz7 cFe1jO0aIBQtwDVNTJlGXJ8++Y7UBxyJKaTOf5B7Bq40rCOZ+oXUCcd0QF34qZcNraZE bJDrCYMudkYm1RTOr27lnoSAihsvxfVTfdec8KckYVawlD1Hfu3BSw27ZjKwxw7+dAfO u7PPW85RszwPiwlpSp+WnGMn1uv3gxK/HXrN3U4Ss72f/2SIno+RR3zguNqgXS0A9tMY kD9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:message-id:mime-version:date:reply-to :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=7lw8YVpJ4QcZaXBDWGwmxkYvUldKaoqYfJTtdfuKylU=; b=WMn+FzFOuyUAPgpVbvUwhJHfPq/9WOCUHk11PQ9sImmDoDUpOTuKeZSKGScCc75GtN 9Lra2UwuG08WhQj50Sdxu6HSECrJTxIVIC5YWabqTQ6qYUyIgwIK2VoGPHB2ZSsL1rdJ uqW9AFqwOSyk+0MxtGlRnb8sALsGkj4WN/mIpJ69X3GPWuJ9qlJ1IGn8N8WRb7NfCQet xutGWxMroCSP8KajYs2Xp7L/7Z58C75c1+44bLVhva2g0oB7CgtP8P9S55pJbXx+cuL/ GE29mUwaM3AeGpMcNPHyIG0VBv3AZOdxCKexsZsmiWyGUaG6B1kCTtKRPMG/guchhedm XHvg== X-Gm-Message-State: ANoB5pmMDppW9AnjfaKMMX0QLIuuOb0DbntHw+MZw8cXrdSal/5ut9Um 293Fq7zRSVWawtU7ntP3nk40mBf9i/rW X-Received: from mizhang-super.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:1071]) (user=mizhang job=sendgmr) by 2002:a17:90a:df8c:b0:20a:fee1:8f69 with SMTP id p12-20020a17090adf8c00b0020afee18f69mr3055296pjv.0.1669245136574; Wed, 23 Nov 2022 15:12:16 -0800 (PST) Reply-To: Mingwei Zhang Date: Wed, 23 Nov 2022 23:12:06 +0000 Mime-Version: 1.0 X-Mailer: git-send-email 2.38.1.584.g0f3c55d4c2-goog Message-ID: <20221123231206.274392-1-mizhang@google.com> Subject: [RFC PATCH] KVM: x86/mmu: replace BUG() with KVM_BUG() in shadow mmu From: Mingwei Zhang To: Sean Christopherson , Paolo Bonzini Cc: "H. Peter Anvin" , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Nagareddy Reddy , Jim Mattson , David Matlack , Mingwei Zhang X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1750330539276417338?= X-GMAIL-MSGID: =?utf-8?q?1750330539276417338?= Replace BUG() in pte_list_remove() with KVM_BUG() to avoid crashing the host. MMU bug is difficult to discover due to various racing conditions and corner cases and thus it extremely hard to debug. The situation gets much worse when it triggers the shutdown of a host. Host machine crash eliminates everything including the potential clues for debugging. From cloud computing service perspective, BUG() or BUG_ON() is probably no longer appropriate as the host reliability is top priority. Crashing the physical machine is almost never a good option as it eliminates innocent VMs and cause service outage in a larger scope. Even worse, if attacker can reliably triggers this code by diverting the control flow or corrupting the memory, then this becomes vm-of-death attack. This is a huge attack vector to cloud providers, as the death of one single host machine is not the end of the story. Without manual interferences, a failed cloud job may be dispatched to other hosts and continue host crashes until all of them are dead. Because of the above reasons, shrink the scope of crash to the target VM only. Cc: Nagareddy Reddy Cc: Jim Mattson Cc: David Matlack Signed-off-by: Mingwei Zhang --- arch/x86/kvm/mmu/mmu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index 4736d7849c60..075d31b0db9c 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -955,12 +955,12 @@ static void pte_list_remove(u64 *spte, struct kvm_rmap_head *rmap_head) if (!rmap_head->val) { pr_err("%s: %p 0->BUG\n", __func__, spte); - BUG(); + KVM_BUG(); } else if (!(rmap_head->val & 1)) { rmap_printk("%p 1->0\n", spte); if ((u64 *)rmap_head->val != spte) { pr_err("%s: %p 1->BUG\n", __func__, spte); - BUG(); + KVM_BUG(); } rmap_head->val = 0; } else { @@ -979,7 +979,7 @@ static void pte_list_remove(u64 *spte, struct kvm_rmap_head *rmap_head) desc = desc->more; } pr_err("%s: %p many->many\n", __func__, spte); - BUG(); + KVM_BUG(); } }