Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp447587iob; Wed, 18 May 2022 05:50:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz1yd85aY0pBH7wQn9Or9kAAvui5P1QLIppP3ZtSy+jtXxfizi3uCW5t9nua3o2EqNhFxPK X-Received: by 2002:a62:e819:0:b0:510:693e:b20c with SMTP id c25-20020a62e819000000b00510693eb20cmr27693082pfi.60.1652878234881; Wed, 18 May 2022 05:50:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652878234; cv=none; d=google.com; s=arc-20160816; b=ZSaviWhzbWu1T656YVI6sdflfBdqIM1ZxlkFc7Wj/RrdcD5X2J/EgW++yqROdiQm9z YfVWXF66bXvynXy0GCBOviEo7gDYkwGW95ybFvi4++Eg/n2V17eM+NbIvTChVuVbqzri tVv1wD3yjswjmG75qdWf417t7XTg360fj00uJ0oVkejibZxhtHCWwbpF9OwMAPxSKD5l fsiAMsPR522eZOJXQvGxniVuKS074ExnsVUckFbfZwXDdpGRTKr5/m0To/HSARwogvsA bvuhWQKaJbZR2ZffYG9Q0RqUQG+p2LTxQUe2lBEeb0jM75docZ6wqJI2/2V+wKPogjay 3Kqg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=ZnwAbpuf8out8csgmDT/1EJa0Dp/wEa0FwZfSMt3EgU=; b=kkLO0zeWCrHay/Re29HNvMU00J8HkePqobzROZWo+uJY81s0WTNyp13wFKIZDbm0Jl JHJSEWjXJQVH0xUcZI38Q6HeVsce0ilq3/uF4bhtjI54iORn8FXTN8jTskKWWZrO9rA0 5yHqDvH/HU5524CndWDtyh/iocriK+vS4jGMWDbX1KHMYuSYHuzsEyJtZL2ymirPdRxI VlulW6qkWFvrKwKhtT51OinGevZHWsvS9MUTNrlxwUjRpmCQ1/oDsLBEoheSHue6rMTK dYnK6LUy8PnramYBV1HNLbHTg/D4kw8US6NY2KZ6mx8HjiD4GTNU/lfk1DXkuLJ0AHYV qIFQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=GOBErIXs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id lp17-20020a17090b4a9100b001dc4e0e712asi7495463pjb.125.2022.05.18.05.50.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 May 2022 05:50:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=GOBErIXs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id CB8A01A6ADC; Wed, 18 May 2022 05:45:26 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237503AbiERMof (ORCPT + 99 others); Wed, 18 May 2022 08:44:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60826 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237066AbiERMoQ (ORCPT ); Wed, 18 May 2022 08:44:16 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 514311B1CF3 for ; Wed, 18 May 2022 05:39:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1652877419; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ZnwAbpuf8out8csgmDT/1EJa0Dp/wEa0FwZfSMt3EgU=; b=GOBErIXs3/zEA4CSTUtoeosDptFtxiIP/LJ77BE8owQzkfrBtCN/8aGV2sxglx5Q5wjQsj UgPoRlieYBs2p+1J0qvpvHolIT5MxW6mdpWHU3KeR8VgfqIxUkViEpVI9t8TPEJRzEaafs iShXf+Cz2JUFyvY1iDGB3PKg4nwX58g= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-382-rJch5im4PDmw0Q0Y98zPcg-1; Wed, 18 May 2022 08:36:52 -0400 X-MC-Unique: rJch5im4PDmw0Q0Y98zPcg-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id AC5BF398CA60; Wed, 18 May 2022 12:36:51 +0000 (UTC) Received: from starship (unknown [10.40.192.55]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0B23940CF8EE; Wed, 18 May 2022 12:36:45 +0000 (UTC) Message-ID: <670fdf36585b1bf7c367cff4ab0653f4c7de8808.camel@redhat.com> Subject: Re: [RFC PATCH v3 02/19] KVM: x86: inhibit APICv/AVIC when the guest and/or host changes apic id/base from the defaults. From: Maxim Levitsky To: Chao Gao Cc: kvm@vger.kernel.org, Wanpeng Li , Vitaly Kuznetsov , Jani Nikula , Paolo Bonzini , Tvrtko Ursulin , Rodrigo Vivi , Zhenyu Wang , Joonas Lahtinen , Tom Lendacky , Ingo Molnar , David Airlie , Thomas Gleixner , Dave Hansen , x86@kernel.org, intel-gfx@lists.freedesktop.org, Sean Christopherson , Daniel Vetter , Borislav Petkov , Joerg Roedel , linux-kernel@vger.kernel.org, Jim Mattson , Zhi Wang , Brijesh Singh , "H. Peter Anvin" , intel-gvt-dev@lists.freedesktop.org, dri-devel@lists.freedesktop.org Date: Wed, 18 May 2022 15:36:44 +0300 In-Reply-To: <20220518115056.GA18087@gao-cwp> References: <20220427200314.276673-1-mlevitsk@redhat.com> <20220427200314.276673-3-mlevitsk@redhat.com> <20220518082811.GA8765@gao-cwp> <8c78939bf01a98554696add10e17b07631d97a28.camel@redhat.com> <20220518115056.GA18087@gao-cwp> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.36.5 (3.36.5-2.fc32) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.84 on 10.11.54.1 X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2022-05-18 at 19:51 +0800, Chao Gao wrote: > On Wed, May 18, 2022 at 12:50:27PM +0300, Maxim Levitsky wrote: > > > > struct kvm_arch { > > > > @@ -1258,6 +1260,7 @@ struct kvm_arch { > > > > hpa_t hv_root_tdp; > > > > spinlock_t hv_root_tdp_lock; > > > > #endif > > > > + bool apic_id_changed; > > > > > > What's the value of this boolean? No one reads it. > > > > I use it in later patches to kill the guest during nested VM entry > > if it attempts to use nested AVIC after any vCPU changed APIC ID. > > > > I mentioned this boolean in the commit description. > > > > This boolean avoids the need to go over all vCPUs and checking > > if they still have the initial apic id. > > Do you want to kill the guest if APIC base got changed? If yes, > you can check if APICV_INHIBIT_REASON_RO_SETTINGS is set and save > the boolean. Yep, I thrown in the apic base just because I can. It doesn't matter to my nested AVIC logic at all, but since it is also something that guests don't change, I also don't care if this will lead to inhibit and killing the guest if it attempts to use nested AVIC. That boolean should have the same value as the APICV_INHIBIT_REASON_RO_SETTINGS inhibit, so yes I can instead check if the inhibit is active. I don't know if that is cleaner that this boolean though, individual inhibit value is currently not something that anybody uses in logic. Best regards, Maxim Levitsky > > > In the future maybe we can introduce a more generic 'taint' > > bitmap with various flags like that, indicating that the guest > > did something unexpected. > > > > BTW, the other option in regard to the nested AVIC is just to ignore this issue completely. > > The code itself always uses vcpu_id's, thus regardless of when/how often the guest changes > > its apic ids, my code would just use the initial APIC ID values consistently. > > > > In this case I won't need this boolean. > > > > > > }; > > > > > > > > struct kvm_vm_stat { > > > > diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c > > > > index 66b0eb0bda94e..8996675b3ef4c 100644 > > > > --- a/arch/x86/kvm/lapic.c > > > > +++ b/arch/x86/kvm/lapic.c > > > > @@ -2038,6 +2038,19 @@ static void apic_manage_nmi_watchdog(struct kvm_lapic *apic, u32 lvt0_val) > > > > } > > > > } > > > > > > > > +static void kvm_lapic_check_initial_apic_id(struct kvm_lapic *apic) > > > > +{ > > > > + if (kvm_apic_has_initial_apic_id(apic)) > > > > + return; > > > > + > > > > + pr_warn_once("APIC ID change is unsupported by KVM"); > > > > > > It is misleading because changing xAPIC ID is supported by KVM; it just > > > isn't compatible with APICv. Probably this pr_warn_once() should be > > > removed. > > > > Honestly since nobody uses this feature, I am not sure if to call this supported, > > I am sure that KVM has more bugs in regard of using non standard APIC ID. > > This warning might hopefuly make someone complain about it if this > > feature is actually used somewhere. > > Now I got you. It is fine to me. >