On Tue, Jun 23, 2020 at 03:40:03PM +0200, Joerg Roedel wrote:
> On Tue, Jun 23, 2020 at 02:52:01PM +0200, Peter Zijlstra wrote:
> > You only have that guarantee when any SNP #VC from kernel is an
> > automatic panic. But in that case, what's the point of having the
> > recursion count?
>
> It is not a recursion count, it is a stack-recursion check. Basically
> walk down the stack and look if your current stack is already in use.
> Yes, this can be optimized, but that is what is needed.
>
> IIRC the current prototype code for SNP just pre-validates all memory in
> the VM and doesn't support moving pages around on the host. So any #VC
> SNP exception would be fatal, yes.
>
> In a scenario with on-demand validation of guest pages and support for
> guest-assisted page-moving on the HV side it would be more complicated.
> Basically all memory that is accessed during #VC exception handling must
> stay validated at all times, including the IST stack.
>
> So saying this, I don't understand why _all_ SNP #VC exceptions from
> kernel space must be fatal?

Ah, because I hadn't thought of the stack-recursion check. So basically
when your exception frame points to your own IST, you die. That sounds
like something we should have in generic IST code.
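
A user-space C model of the stack-recursion check discussed in this message, added here as an example and not taken from the kernel or from either poster. It compares the direct test ("exception frame points to your own IST") with the walk down the chain of interrupted contexts, and goes slightly beyond the message by including a case nested through a second exception stack. All type names, function names and addresses are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed user-space model; every name here is hypothetical, not a kernel symbol. */
struct stack_range { uintptr_t base, top; };  /* [base, top), grows down from top */

struct exc_frame {
    uintptr_t sp;                  /* stack pointer of the context this exception interrupted */
    const struct exc_frame *prev;  /* frame saved when that context was itself entered, or NULL */
};

static bool on_stack(const struct stack_range *s, uintptr_t sp)
{
    return sp >= s->base && sp < s->top;
}

/* Direct check: the interrupted context was running on our own IST. */
static bool frame_points_to_ist(const struct stack_range *ist, const struct exc_frame *f)
{
    return on_stack(ist, f->sp);
}

/* Walk: some interrupted context, at any nesting depth, still lives on our IST. */
static bool ist_in_use(const struct stack_range *ist, const struct exc_frame *f)
{
    for (; f != NULL; f = f->prev)
        if (on_stack(ist, f->sp))
            return true;
    return false;
}

/* Constructed layout: IST at 0x10000..0x11000, another exception stack at 0x20000. */
static const struct stack_range vc_ist = { 0x10000, 0x11000 };
static const struct exc_frame from_task    = { 0x7ff0,  NULL };          /* task -> exception */
static const struct exc_frame direct_inner = { 0x10f80, &from_task };    /* IST handler -> same exception */
static const struct exc_frame other_inner  = { 0x20f80, &direct_inner }; /* ... -> other stack -> same exception */

int main(void)
{
    /* The direct check misses nesting through another stack; the walk catches it. */
    bool ok = !ist_in_use(&vc_ist, &from_task)
           && frame_points_to_ist(&vc_ist, &direct_inner)
           && !frame_points_to_ist(&vc_ist, &other_inner)
           && ist_in_use(&vc_ist, &other_inner);
    return ok ? 0 : 1;
}
```

Because an IST entry always reloads the stack pointer from the same fixed top, a positive result from either check means the new entry is about to overwrite a frame that is still live.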