Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1110513ybb; Fri, 20 Mar 2020 13:34:45 -0700 (PDT) X-Google-Smtp-Source: ADFU+vvJsALVM6cOStSKz9pyN7zUU26sN3AeYYEx5DscTYfjfaq/4XKtThK7F9VQJVeWeb8HcFVl X-Received: by 2002:aca:4d86:: with SMTP id a128mr8219685oib.96.1584736485548; Fri, 20 Mar 2020 13:34:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1584736485; cv=none; d=google.com; s=arc-20160816; b=B3tRvMmtvwO6ghwNQR0z2hJi7b5vP6Y1NdY49yCgS9yuYRBWlyeYC7wDjbqBK0Uxh1 eWdCAO3nK/Ilm0sOBk+Z8+oYFVC/pQcuoydhjcLn9RcXKY9aF8nH+6Dl/oPSCmItNf9b 8z6Q2UXJiQQB6EWkT5mU12NrHz5jesRA8FxLYD0F25/YknNGqJTLy7IGVikYX/O9Uq9N lpKoL1r4lpvdm2McCIv6hCp+qGRgGAxr6C7CU55Q82YiUnsxSYwHLuXkGnvWWTJ2oPyQ 57JuSVLja1wYZ6Xj7qyrwxBpNTiAkI6zvDeL8/j9l9MEkqo3o2mYykIYjDlzsM/AWm5Z W4GQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date:dkim-signature; bh=+N0bQ4JlxAy2jfmVhmfgL9o3zKHhJL+I15S0ny2lKgs=; b=EIpfBxSV/aDqTvX9ySS1V1lQQO6WBWJ/voFAm/Ibc49NPYknRVrIP9lmN4039AaOZC u7uZt7CoE63veZsmO6OYPj/nee94j8+CknS7zLZNzuZz89U876Ck6UAmMeBtw6mqpu9l pf4umYJcLbtJlrLDF9hVtLk/s5+r4bx1WXFJhJeShKMXSs1k19A+CSRicTdE3dxMLn3Z juYesQ3OQSaXd7jl4Hye6wahJiPneGfmHFZp64VEQo/duAaOBIlnKeDb6Ha/4/MPRTL4 h1568A1ppyBsIU4k0FGXlKR12AYEdUqJoffjasii4pGW4XNaJ+s0CiUsPt3MZVNjx+Yn DNqA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=RLsZNvbz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u7si3412071otq.29.2020.03.20.13.34.32; Fri, 20 Mar 2020 13:34:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=RLsZNvbz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726829AbgCTUeP (ORCPT + 99 others); Fri, 20 Mar 2020 16:34:15 -0400 Received: from mail-pg1-f194.google.com ([209.85.215.194]:38952 "EHLO mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726902AbgCTUeO (ORCPT ); Fri, 20 Mar 2020 16:34:14 -0400 Received: by mail-pg1-f194.google.com with SMTP id b22so3648866pgb.6 for ; Fri, 20 Mar 2020 13:34:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:in-reply-to:message-id:references :user-agent:mime-version; bh=+N0bQ4JlxAy2jfmVhmfgL9o3zKHhJL+I15S0ny2lKgs=; b=RLsZNvbzOdBVhWrbvFQr3CKCdKtnq0K+ohA8v7c0w2gc/e5LPRQ7JGoNHVRoeXa984 2z3VSPKSoz7GWala01EO5uP5GlkIL9GqUS1EeA4kAuhwaKOk9cWUv0Epbqx+W7fTHG26 F7GSf84Ed0e/vmNEPjG99lgw+qHi5S5N4O5Z7eWZI4tt13hwNTSs9RSZrckzBagL8Xec vB7KAdDqQ4/LDtPSw0rwyPF5jUdN/dbp0migODoWfLJveA8otGKFz4Vi4ZzssqyfKx7L Lq3fZqlYdRzjncLjUv324t9/cYxxu5IwiOO8MK7leI4eFF6Fp11guAennTNahV8u7/TW amlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:user-agent:mime-version; bh=+N0bQ4JlxAy2jfmVhmfgL9o3zKHhJL+I15S0ny2lKgs=; b=V91/f0ZTDYGKktJ7G072QKE6Difn48hGY42GOCYfzPg2boE+3itqFbEn0c0Ea3uy9R P0rCByuGsemT6+KW4DKdVvDi2I9gl9dgi2CtWr1njtAeCQgQkgosGXN9IvHaLG/aXprB NiPpUeEer95EitkB5NXPtZ/i5NlZars7GalKHRFuAqwh0a95eV6fB+0zw/1aIrtZj3sB TEGYhNp+88lAFSEJEXH0Bn7WFVZ4tw91cHwtiMyGMeUWeX0Q+hARC1IRcYEWafKB5BX7 iSW6C6w1u2DWvtDQs5qyx+Nx/YRwgFCUNdvEAT+ZylDxvVqTMuWOJeW04obbUd7U+xPS 1BmA== X-Gm-Message-State: ANhLgQ1ySYNIUGlGOFw8tQie6smgt29+1loHhneDj+njI0S7+fFU5mFI UhrgctJQ3ucmAKYq99wVriKOXA== X-Received: by 2002:a63:d351:: with SMTP id u17mr10257174pgi.396.1584736453455; Fri, 20 Mar 2020 13:34:13 -0700 (PDT) Received: from [2620:15c:17:3:3a5:23a7:5e32:4598] ([2620:15c:17:3:3a5:23a7:5e32:4598]) by smtp.gmail.com with ESMTPSA id 93sm5153147pjo.43.2020.03.20.13.34.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Mar 2020 13:34:12 -0700 (PDT) Date: Fri, 20 Mar 2020 13:34:12 -0700 (PDT) From: David Rientjes X-X-Sender: rientjes@chino.kir.corp.google.com To: Tom Lendacky cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Paolo Bonzini , Sean Christopherson , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , Brijesh Singh Subject: Re: [PATCH] KVM: SVM: Issue WBINVD after deactivating an SEV guest In-Reply-To: Message-ID: References: User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 20 Mar 2020, Tom Lendacky wrote: > Currently, CLFLUSH is used to flush SEV guest memory before the guest is > terminated (or a memory hotplug region is removed). However, CLFLUSH is > not enough to ensure that SEV guest tagged data is flushed from the cache. > > With 33af3a7ef9e6 ("KVM: SVM: Reduce WBINVD/DF_FLUSH invocations"), the > original WBINVD was removed. This then exposed crashes at random times > because of a cache flush race with a page that had both a hypervisor and > a guest tag in the cache. > > Restore the WBINVD when destroying an SEV guest and add a WBINVD to the > svm_unregister_enc_region() function to ensure hotplug memory is flushed > when removed. The DF_FLUSH can still be avoided at this point. > > Fixes: 33af3a7ef9e6 ("KVM: SVM: Reduce WBINVD/DF_FLUSH invocations") > Signed-off-by: Tom Lendacky Acked-by: David Rientjes Should this be marked for stable? Cc: stable@vger.kernel.org # 5.5+ > --- > arch/x86/kvm/svm.c | 22 ++++++++++++++-------- > 1 file changed, 14 insertions(+), 8 deletions(-) > > diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c > index 08568ae9f7a1..d54cdca9c140 100644 > --- a/arch/x86/kvm/svm.c > +++ b/arch/x86/kvm/svm.c > @@ -1980,14 +1980,6 @@ static void sev_clflush_pages(struct page *pages[], unsigned long npages) > static void __unregister_enc_region_locked(struct kvm *kvm, > struct enc_region *region) > { > - /* > - * The guest may change the memory encryption attribute from C=0 -> C=1 > - * or vice versa for this memory range. Lets make sure caches are > - * flushed to ensure that guest data gets written into memory with > - * correct C-bit. > - */ > - sev_clflush_pages(region->pages, region->npages); > - > sev_unpin_memory(kvm, region->pages, region->npages); > list_del(®ion->list); > kfree(region); > @@ -2004,6 +1996,13 @@ static void sev_vm_destroy(struct kvm *kvm) > > mutex_lock(&kvm->lock); > > + /* > + * Ensure that all guest tagged cache entries are flushed before > + * releasing the pages back to the system for use. CLFLUSH will > + * not do this, so issue a WBINVD. > + */ > + wbinvd_on_all_cpus(); > + > /* > * if userspace was terminated before unregistering the memory regions > * then lets unpin all the registered memory. > @@ -7247,6 +7246,13 @@ static int svm_unregister_enc_region(struct kvm *kvm, > goto failed; > } > > + /* > + * Ensure that all guest tagged cache entries are flushed before > + * releasing the pages back to the system for use. CLFLUSH will > + * not do this, so issue a WBINVD. > + */ > + wbinvd_on_all_cpus(); > + > __unregister_enc_region_locked(kvm, region); > > mutex_unlock(&kvm->lock); > -- > 2.17.1 > >