gentle ping on this one?

On Tue, Nov 29, 2022 at 11:12 AM Mingwei Zhang <mizhang@xxxxxxxxxx> wrote:
>
> Deprecate BUG() in pte_list_remove() in shadow mmu to avoid crashing a
> physical machine. There are several reasons and motivations to do so:
>
> An MMU bug is difficult to discover due to various racing conditions and
> corner cases, and thus it is extremely hard to debug. The situation gets
> much worse when it triggers the shutdown of a host. A host machine crash
> might eliminate everything, including the potential clues for debugging.
>
> From a cloud computing service perspective, BUG() or BUG_ON() is probably
> no longer appropriate, as host reliability is the top priority. Crashing
> the physical machine is almost never a good option, as it eliminates
> innocent VMs and causes a service outage in a larger scope. Even worse, if
> an attacker can reliably trigger this code by diverting the control flow or
> corrupting memory, then this becomes a vm-of-death attack. This is a huge
> attack vector for cloud providers, as the death of one single host machine
> is not the end of the story. Without manual intervention, a failed cloud
> job may be dispatched to other hosts and continue crashing hosts until all
> of them are dead.
>
> For the above reasons, we propose the replacement of BUG() in
> pte_list_remove() with KVM_BUG() to crash just the VM itself.
>
> v3 -> v4:
> - update code to integrate messages into KVM_BUG() [seanjc].
> - update commit message [seanjc].
>
> v2 -> v3:
> - plumb @kvm all the way to pte_list_remove() [seanjc, pbonzini]
> - https://lore.kernel.org/lkml/20221128002043.1555543-1-mizhang@xxxxxxxxxx/
>
> v1 -> v2:
> - compile test the code.
> - fill KVM_BUG() with kvm_get_running_vcpu()->kvm
> - https://lore.kernel.org/all/20221124003505.424617-1-mizhang@xxxxxxxxxx/
>
> rfc v1:
> - https://lore.kernel.org/all/20221123231206.274392-1-mizhang@xxxxxxxxxx/
>
>
> Mingwei Zhang (2):
>   KVM: x86/mmu: plumb struct kvm all the way to pte_list_remove()
>   KVM: x86/mmu: replace BUG() with KVM_BUG() in shadow mmu
>
>  arch/x86/kvm/mmu/mmu.c | 33 +++++++++++++++++----------------
>  1 file changed, 17 insertions(+), 16 deletions(-)
>
> --
> 2.38.1.584.g0f3c55d4c2-goog
>
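The failure-scoping change the cover letter proposes (swap BUG() for KVM_BUG() so an inconsistent rmap takes down one VM instead of the host), shown as an added user-space model rather than the series' own patch or KVM source. struct vm, struct pte_list, VM_BUG() and vm_can_run() are hypothetical stand-ins; VM_BUG() is modeled on the documented shape of KVM_BUG() (evaluate the condition, report once, mark the VM bugged, hand the condition back so the caller can bail out), not copied from it.

```c
/* Added example, not KVM source: a user-space model of replacing BUG()
 * with a KVM_BUG()-style macro in pte_list_remove(). All names here are
 * hypothetical stand-ins for the kernel structures they imitate. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define PTE_LIST_MAX 8

/* Stand-in for struct kvm with only the state this example needs. */
struct vm {
    int id;
    bool bugged;       /* analogue of a per-VM "bugged" flag */
    int bug_reports;   /* how many times the one-shot report fired */
};

/* Stand-in for an rmap pte_list: a small array of shadow-pte values. */
struct pte_list {
    unsigned long sptes[PTE_LIST_MAX];
    int count;
};

/* The pre-patch failure mode: any inconsistency aborts the whole process,
 * i.e. every VM on the host dies with it. Kept for contrast, never called. */
#define HOST_BUG() do { fprintf(stderr, "BUG: host crash\n"); abort(); } while (0)

/* Modeled on KVM_BUG(): evaluate cond; on the first failure for this VM
 * report it and mark only that VM as bugged; yield cond so the caller can
 * bail out. Uses a GCC/clang statement expression like the kernel macro. */
#define VM_BUG(cond, vm, ...) ({                                  \
    int __ret = !!(cond);                                         \
    if (__ret && !(vm)->bugged) {                                 \
        fprintf(stderr, "VM %d bugged: ", (vm)->id);              \
        fprintf(stderr, __VA_ARGS__);                             \
        (vm)->bug_reports++;                                      \
        (vm)->bugged = true;                                      \
    }                                                             \
    __ret;                                                        \
})

int pte_list_add(struct pte_list *l, unsigned long spte)
{
    if (l->count == PTE_LIST_MAX)
        return -1;
    l->sptes[l->count++] = spte;
    return 0;
}

/* Returns 0 on success. If spte is not in the list the rmap is
 * inconsistent; this is the check the series moves from BUG() to
 * KVM_BUG(): mark the VM bugged and return -1 instead of crashing the host. */
int pte_list_remove(struct vm *vm, struct pte_list *l, unsigned long spte)
{
    int i;

    for (i = 0; i < l->count; i++)
        if (l->sptes[i] == spte)
            break;
    if (VM_BUG(i == l->count, vm, "spte %#lx not in rmap (count %d)\n",
               spte, l->count))
        return -1;
    l->sptes[i] = l->sptes[--l->count];
    return 0;
}

/* Stand-in for "may this VM keep running": a bugged VM is refused service,
 * its neighbours are unaffected. */
bool vm_can_run(const struct vm *vm)
{
    return !vm->bugged;
}

/* Runs the cover letter's scenario: one VM corrupts its own rmap, the other
 * is untouched. Returns 0 if every isolation property holds. */
int demo(void)
{
    struct vm victim = { .id = 1 }, neighbour = { .id = 2 };
    struct pte_list rmap_v = { .count = 0 }, rmap_n = { .count = 0 };
    int bad = 0;

    pte_list_add(&rmap_v, 0x1000);
    pte_list_add(&rmap_n, 0x2000);

    /* Normal removal: no report, VM keeps running. */
    bad += pte_list_remove(&neighbour, &rmap_n, 0x2000) != 0;
    bad += neighbour.bugged;

    /* Corrupted rmap: removal of an spte that was never inserted. */
    bad += pte_list_remove(&victim, &rmap_v, 0xdead) != -1;
    bad += !victim.bugged || victim.bug_reports != 1;
    /* A second hit is silent (report once) but still fails closed. */
    bad += pte_list_remove(&victim, &rmap_v, 0xbeef) != -1;
    bad += victim.bug_reports != 1;

    /* The host (this process) is alive, the neighbour unaffected, and the
     * victim's list was left intact rather than half-modified. */
    bad += vm_can_run(&victim);
    bad += !vm_can_run(&neighbour);
    bad += rmap_v.count != 1;
    return bad;
}

int main(void)
{
    int failures = demo();

    printf("%s\n", failures ? "isolation broken" : "VM-only failure, host alive");
    return failures ? 1 : 0;
}
```

The point of the model is the return path: the caller of pte_list_remove() must check the result and stop touching that VM's MMU state, which is what makes "bugged VM, live host" a safe outcome rather than a silently corrupted one.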