From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Thomas Gleixner, Jiri Kosina, Josh Poimboeuf
Subject: [PATCH 4.18 48/79] x86/l1tf: Handle EPT disabled state proper
Date: Tue, 14 Aug 2018 19:17:07 +0200
Message-Id: <20180814171338.944469263@linuxfoundation.org>
In-Reply-To: <20180814171336.799314117@linuxfoundation.org>

4.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner

If Extended Page Tables (EPT) are disabled or not supported, no L1D flushing is required. The setup function can just avoid setting up the L1D flush for the EPT=n case.

Invoke it after the hardware setup has been done and enable_ept has the correct state and expose the EPT disabled state in the mitigation status as well.

Signed-off-by: Thomas Gleixner
Tested-by: Jiri Kosina
Reviewed-by: Greg Kroah-Hartman
Reviewed-by: Josh Poimboeuf
Link: https://lkml.kernel.org/r/20180713142322.612160168@linutronix.de
Signed-off-by: Greg Kroah-Hartman
--- arch/x86/include/asm/vmx.h | 1 arch/x86/kernel/cpu/bugs.c | 9 ++-- arch/x86/kvm/vmx.c | 89 ++++++++++++++++++++++++--------------------- 3 files changed, 54 insertions(+), 45 deletions(-) --- a/arch/x86/include/asm/vmx.h +++ b/arch/x86/include/asm/vmx.h @@ -581,6 +581,7 @@ enum vmx_l1d_flush_state { VMENTER_L1D_FLUSH_NEVER, VMENTER_L1D_FLUSH_COND, VMENTER_L1D_FLUSH_ALWAYS, + VMENTER_L1D_FLUSH_EPT_DISABLED, }; extern enum vmx_l1d_flush_state l1tf_vmx_mitigation; --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -676,10 +676,11 @@ static void __init l1tf_select_mitigatio #if IS_ENABLED(CONFIG_KVM_INTEL) static const char *l1tf_vmx_states[] = { - [VMENTER_L1D_FLUSH_AUTO] = "auto", - [VMENTER_L1D_FLUSH_NEVER] = "vulnerable", - [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes", - [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes", + [VMENTER_L1D_FLUSH_AUTO] = "auto", + [VMENTER_L1D_FLUSH_NEVER] = "vulnerable", + [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes", + [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes", + [VMENTER_L1D_FLUSH_EPT_DISABLED] = "EPT disabled", }; static ssize_t l1tf_show_state(char *buf) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c 
@@ -13292,6 +13292,11 @@ static int __init vmx_setup_l1d_flush(vo if (!boot_cpu_has_bug(X86_BUG_L1TF)) return 0; + if (!enable_ept) { + l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_EPT_DISABLED; + return 0; + } + l1tf_vmx_mitigation = vmentry_l1d_flush; if (vmentry_l1d_flush == VMENTER_L1D_FLUSH_NEVER) @@ -13318,6 +13323,41 @@ static void vmx_cleanup_l1d_flush(void) l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO; } +static void vmx_exit(void) +{ +#ifdef CONFIG_KEXEC_CORE + RCU_INIT_POINTER(crash_vmclear_loaded_vmcss, NULL); + synchronize_rcu(); +#endif + + kvm_exit(); + +#if IS_ENABLED(CONFIG_HYPERV) + if (static_branch_unlikely(&enable_evmcs)) { + int cpu; + struct hv_vp_assist_page *vp_ap; + /* + * Reset everything to support using non-enlightened VMCS + * access later (e.g. when we reload the module with + * enlightened_vmcs=0) + */ + for_each_online_cpu(cpu) { + vp_ap = hv_get_vp_assist_page(cpu); + + if (!vp_ap) + continue; + + vp_ap->current_nested_vmcs = 0; + vp_ap->enlighten_vmentry = 0; + } + + static_branch_disable(&enable_evmcs); + } +#endif + vmx_cleanup_l1d_flush(); +} +module_exit(vmx_exit); + static int __init vmx_init(void) { int r; @@ -13351,14 +13391,17 @@ static int __init vmx_init(void) } #endif - r = vmx_setup_l1d_flush(); + r = kvm_init(&vmx_x86_ops, sizeof(struct vcpu_vmx), + __alignof__(struct vcpu_vmx), THIS_MODULE); if (r) return r; - r = kvm_init(&vmx_x86_ops, sizeof(struct vcpu_vmx), - __alignof__(struct vcpu_vmx), THIS_MODULE); + /* + * Must be called after kvm_init() so enable_ept is properly set up + */ + r = vmx_setup_l1d_flush(); if (r) { - vmx_cleanup_l1d_flush(); + vmx_exit(); return r; } 
@@ -13370,40 +13413,4 @@ static int __init vmx_init(void) return 0; } - -static void __exit vmx_exit(void) -{ -#ifdef CONFIG_KEXEC_CORE - RCU_INIT_POINTER(crash_vmclear_loaded_vmcss, NULL); - synchronize_rcu(); -#endif - - kvm_exit(); - -#if IS_ENABLED(CONFIG_HYPERV) - if (static_branch_unlikely(&enable_evmcs)) { - int cpu; - struct hv_vp_assist_page *vp_ap; - /* - * Reset everything to support using non-enlightened VMCS - * access later (e.g. when we reload the module with - * enlightened_vmcs=0) - */ - for_each_online_cpu(cpu) { - vp_ap = hv_get_vp_assist_page(cpu); - - if (!vp_ap) - continue; - - vp_ap->current_nested_vmcs = 0; - vp_ap->enlighten_vmentry = 0; - } - - static_branch_disable(&enable_evmcs); - } -#endif - vmx_cleanup_l1d_flush(); -} - -module_init(vmx_init) -module_exit(vmx_exit) +module_init(vmx_init);
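
Review bot: In arch/x86/kernel/cpu/bugs.c, the new "EPT disabled" entry in l1tf_vmx_states[] becomes a value that l1tf_show_state() can report, but the patch touches no documentation, so anything that parses the mitigation status has no reference for the new string. Please document it alongside the existing "vulnerable", "conditional cache flushes" and "cache flushes" values. As a style point, the four existing entries are removed and re-added with the same text only to realign them, which makes the hunk harder to read than a one-line addition would be.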
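
Review bot: In vmx_setup_l1d_flush() (arch/x86/kvm/vmx.c, hunk at -13292), the new `if (!enable_ept)` early return sits above `l1tf_vmx_mitigation = vmentry_l1d_flush;`, so whatever vmentry_l1d_flush was set to is discarded without any message when EPT is off. The reasoning that no L1D flush is needed in that case lives only in the changelog. A short comment above the check stating that, and that the check is only valid once enable_ept has its final value, would keep the next reader from moving the call back in front of kvm_init().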
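
Review bot: In vmx_init() (hunk at -13351), the failure path for vmx_setup_l1d_flush() now calls vmx_exit() instead of vmx_cleanup_l1d_flush(), which is the reason vmx_exit() is moved above vmx_init() and loses its __exit annotation in the hunk at -13318, yet the changelog says nothing about either. Please add a sentence to the commit message so the move does not read as unrelated churn. It is also worth confirming that the full vmx_exit() is what is wanted on this path: besides kvm_exit() and vmx_cleanup_l1d_flush() it runs the CONFIG_KEXEC_CORE pointer reset with synchronize_rcu() and the enable_evmcs reset loop.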