On Wed, Mar 30, 2022, Jan Stancek wrote: > +CC kvm > > Issue seems to be that nx_huge_pages is not initialized (-1) and > attempted to be used as boolean when reading > /sys/module/kvm/parameters/nx_huge_pages Ugh, CONFIG_UBSAN_BOOL=y complains about a bool not being 0 or 1. What a pain. > CONFIG_KVM=Y, CONFIG_UBSAN=y, but kvm_mmu_module_init() doesn't > appear to run, since kvm detects no HW support: > # dmesg |grep kvm > [ 0.000000] kvm-clock: Using msrs 4b564d01 and 4b564d00 > [ 0.000003] kvm-clock: using sched offset of 1155425753112 cycles > [ 0.000007] clocksource: kvm-clock: mask: 0xffffffffffffffff > max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns > [ 0.045066] kvm-guest: PV spinlocks enabled > [ 0.705370] clocksource: Switched to clocksource kvm-clock > [ 0.913593] kvm: no hardware support for 'kvm_intel' > [ 0.915574] kvm: no hardware support for 'kvm_amd' > [ 2.284925] systemd[1]: Detected virtualization kvm. > [ 4.158909] Stack Depot allocating hash table with kvmalloc > [ 8.120446] systemd[1]: Detected virtualization kvm. > > Initializing 'nx_huge_pages' to 0 (in out branch) or write to > /sys/module/kvm/parameters/nx_huge_pages before read makes it go away > too: > > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > index 02cf0a7e1d14..b3b8b9a22e20 100644 > --- a/arch/x86/kvm/x86.c > +++ b/arch/x86/kvm/x86.c > @@ -8921,6 +8921,7 @@ int kvm_arch_init(void *opaque) > out_free_x86_emulator_cache: > kmem_cache_destroy(x86_emulator_cache); > out: > + nx_huge_pages = 0; This won't help, because nx_huge_pages is deliberately left as -1 if the vendor module isn't loaded, in which case kvm_arch_init() won't be reached. This would also incorrectly disable the mitigation. We could fix it by adding a proper accessor, but that's rather silly because KVM doesn't actually need to wait until a vendor module is loaded to finalize its value (-1 means "auto"). kvm.ko doesn't have its own module_init() hook on x86, but that's easily solved and I think less gross than having Schrödinger's param. I'll test and send a patch.
