Date: Mon, 25 Jul 2022 16:16:02 -0700
From: David Matlack
To: Sean Christopherson
Cc: Paolo Bonzini, kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	Yosry Ahmed, Mingwei Zhang, Ben Gardon
Subject: Re: [PATCH v2 3/6] KVM: x86/mmu: Set disallowed_nx_huge_page in TDP MMU before setting SPTE
References: <20220723012325.1715714-1-seanjc@google.com>
 <20220723012325.1715714-4-seanjc@google.com>
In-Reply-To: <20220723012325.1715714-4-seanjc@google.com>
On Sat, Jul 23, 2022 at 01:23:22AM +0000, Sean Christopherson wrote:
> Set nx_huge_page_disallowed in TDP MMU shadow pages before making the SP
> visible to other readers, i.e. before setting its SPTE. This will allow
> KVM to query the flag when determining if a shadow page can be replaced
> by a NX huge page without violating the rules of the mitigation.

It took me a minute to figure out why the same change isn't needed in the
shadow MMU (it always holds the write-lock, so it's impossible for another
CPU to see an SP without a correct nx_huge_page_disallowed). If you send a
v3, can you add a short blurb to that effect here?

Otherwise,

Reviewed-by: David Matlack

>
> Signed-off-by: Sean Christopherson
> ---
>  arch/x86/kvm/mmu/mmu.c          | 12 +++++-------
>  arch/x86/kvm/mmu/mmu_internal.h |  5 ++---
>  arch/x86/kvm/mmu/tdp_mmu.c      | 30 +++++++++++++++++-------------
>  3 files changed, 24 insertions(+), 23 deletions(-)
>
> diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
> index 493cdf1c29ff..e9252e7cd5a2 100644
> --- a/arch/x86/kvm/mmu/mmu.c
> +++ b/arch/x86/kvm/mmu/mmu.c
> @@ -802,8 +802,7 @@ static void account_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
>  	kvm_flush_remote_tlbs_with_address(kvm, gfn, 1);
>  }
>
> -static void untrack_possible_nx_huge_page(struct kvm *kvm,
> -					  struct kvm_mmu_page *sp)
> +void untrack_possible_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp)
>  {
>  	if (list_empty(&sp->possible_nx_huge_page_link))
>  		return;
> @@ -812,15 +811,14 @@ static void untrack_possible_nx_huge_page(struct kvm *kvm,
>  	list_del_init(&sp->possible_nx_huge_page_link);
>  }
>
> -void unaccount_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp)
> +static void unaccount_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp)
>  {
>  	sp->nx_huge_page_disallowed = false;
>
>  	untrack_possible_nx_huge_page(kvm, sp);
>  }
>
> -static void track_possible_nx_huge_page(struct kvm *kvm,
> -					struct kvm_mmu_page *sp)
> +void track_possible_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp)
>  {
>  	if (!list_empty(&sp->possible_nx_huge_page_link))
>  		return;
> @@ -830,8 +828,8 @@ static void track_possible_nx_huge_page(struct kvm *kvm,
>  		      &kvm->arch.possible_nx_huge_pages);
>  }
>
> -void account_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp,
> -			  bool nx_huge_page_possible)
> +static void account_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp,
> +				 bool nx_huge_page_possible)
>  {
>  	sp->nx_huge_page_disallowed = true;
>
> diff --git a/arch/x86/kvm/mmu/mmu_internal.h b/arch/x86/kvm/mmu/mmu_internal.h
> index 83644a0167ab..2a887d08b722 100644
> --- a/arch/x86/kvm/mmu/mmu_internal.h
> +++ b/arch/x86/kvm/mmu/mmu_internal.h
> @@ -336,8 +336,7 @@ void disallowed_hugepage_adjust(struct kvm_page_fault *fault, u64 spte, int cur_
>
>  void *mmu_memory_cache_alloc(struct kvm_mmu_memory_cache *mc);
>
> -void account_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp,
> -			  bool nx_huge_page_possible);
> -void unaccount_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp);
> +void track_possible_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp);
> +void untrack_possible_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp);
>
>  #endif /* __KVM_X86_MMU_INTERNAL_H */
> diff --git a/arch/x86/kvm/mmu/tdp_mmu.c b/arch/x86/kvm/mmu/tdp_mmu.c
> index a30983947fee..626c40ec2af9 100644
> --- a/arch/x86/kvm/mmu/tdp_mmu.c
> +++ b/arch/x86/kvm/mmu/tdp_mmu.c
> @@ -392,8 +392,10 @@ static void tdp_mmu_unlink_sp(struct kvm *kvm, struct kvm_mmu_page *sp,
>  	lockdep_assert_held_write(&kvm->mmu_lock);
>
>  	list_del(&sp->link);
> -	if (sp->nx_huge_page_disallowed)
> -		unaccount_nx_huge_page(kvm, sp);
> +	if (sp->nx_huge_page_disallowed) {
> +		sp->nx_huge_page_disallowed = false;
> +		untrack_possible_nx_huge_page(kvm, sp);
> +	}
>
>  	if (shared)
>  		spin_unlock(&kvm->arch.tdp_mmu_pages_lock);
> @@ -1111,16 +1113,13 @@ static int tdp_mmu_map_handle_target_level(struct kvm_vcpu *vcpu,
>   * @kvm: kvm instance
>   * @iter: a tdp_iter instance currently on the SPTE that should be set
>   * @sp: The new TDP page table to install.
> - * @account_nx: True if this page table is being installed to split a
> - *		non-executable huge page.
>   * @shared: This operation is running under the MMU lock in read mode.
>   *
>   * Returns: 0 if the new page table was installed. Non-0 if the page table
>   *          could not be installed (e.g. the atomic compare-exchange failed).
>   */
>  static int tdp_mmu_link_sp(struct kvm *kvm, struct tdp_iter *iter,
> -			   struct kvm_mmu_page *sp, bool account_nx,
> -			   bool shared)
> +			   struct kvm_mmu_page *sp, bool shared)
>  {
>  	u64 spte = make_nonleaf_spte(sp->spt, !kvm_ad_enabled());
>  	int ret = 0;
> @@ -1135,8 +1134,6 @@ static int tdp_mmu_link_sp(struct kvm *kvm, struct tdp_iter *iter,
>
>  	spin_lock(&kvm->arch.tdp_mmu_pages_lock);
>  	list_add(&sp->link, &kvm->arch.tdp_mmu_pages);
> -	if (account_nx)
> -		account_nx_huge_page(kvm, sp, true);
>  	spin_unlock(&kvm->arch.tdp_mmu_pages_lock);
>
>  	return 0;
> @@ -1149,6 +1146,7 @@ static int tdp_mmu_link_sp(struct kvm *kvm, struct tdp_iter *iter,
>  int kvm_tdp_mmu_map(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
>  {
>  	struct kvm_mmu *mmu = vcpu->arch.mmu;
> +	struct kvm *kvm = vcpu->kvm;
>  	struct tdp_iter iter;
>  	struct kvm_mmu_page *sp;
>  	int ret;
> @@ -1185,9 +1183,6 @@ int kvm_tdp_mmu_map(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
>  	}
>
>  	if (!is_shadow_present_pte(iter.old_spte)) {
> -		bool account_nx = fault->huge_page_disallowed &&
> -				  fault->req_level >= iter.level;
> -
>  		/*
>  		 * If SPTE has been frozen by another thread, just
>  		 * give up and retry, avoiding unnecessary page table
> @@ -1199,10 +1194,19 @@ int kvm_tdp_mmu_map(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
>  		sp = tdp_mmu_alloc_sp(vcpu);
>  		tdp_mmu_init_child_sp(sp, &iter);
>
> -		if (tdp_mmu_link_sp(vcpu->kvm, &iter, sp, account_nx, true)) {
> +		sp->nx_huge_page_disallowed = fault->huge_page_disallowed;
> +
> +		if (tdp_mmu_link_sp(kvm, &iter, sp, true)) {
>  			tdp_mmu_free_sp(sp);
>  			break;
>  		}
> +
> +		if (fault->huge_page_disallowed &&
> +		    fault->req_level >= iter.level) {
> +			spin_lock(&kvm->arch.tdp_mmu_pages_lock);
> +			track_possible_nx_huge_page(kvm, sp);
> +			spin_unlock(&kvm->arch.tdp_mmu_pages_lock);
> +		}
>  	}
>  }
>
> @@ -1490,7 +1494,7 @@ static int tdp_mmu_split_huge_page(struct kvm *kvm, struct tdp_iter *iter,
>  	 * correctness standpoint since the translation will be the same either
>  	 * way.
>  	 */
> -	ret = tdp_mmu_link_sp(kvm, iter, sp, false, shared);
> +	ret = tdp_mmu_link_sp(kvm, iter, sp, shared);
>  	if (ret)
>  		goto out;
>
> --
> 2.37.1.359.gd136c6c3e2-goog
>
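As an aside, the publication ordering the patch relies on can be sketched in
isolation. This is a simplified stand-in, not the actual KVM code (struct sp,
link_sp() and spte_slot are all made-up names): installing the SPTE is what
makes the SP visible to lock-free readers, so nx_huge_page_disallowed must be
written before the release store that publishes the pointer, and readers need
a matching acquire load.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-in for struct kvm_mmu_page. */
struct sp {
	bool nx_huge_page_disallowed;
};

/* Stand-in for the page-table slot; a non-NULL pointer means "present". */
static _Atomic(struct sp *) spte_slot;

static struct sp example_sp;

/* Publisher: mirrors the order the patch enforces in kvm_tdp_mmu_map(). */
static void link_sp(struct sp *sp, bool disallowed)
{
	/* Set the flag BEFORE the SP becomes visible... */
	sp->nx_huge_page_disallowed = disallowed;
	/* ...then publish it with release semantics (the SPTE store). */
	atomic_store_explicit(&spte_slot, sp, memory_order_release);
}

/* Lock-free reader: may run concurrently under the read-lock. */
static bool reader_sees_disallowed(void)
{
	struct sp *sp = atomic_load_explicit(&spte_slot, memory_order_acquire);

	/* If the pointer is visible, the flag is guaranteed to be too. */
	return sp && sp->nx_huge_page_disallowed;
}
```

With this ordering, any reader that observes the published pointer is also
guaranteed to observe a correct nx_huge_page_disallowed, which is exactly why
the TDP MMU (read-lock) needs the flag set before tdp_mmu_link_sp() while the
shadow MMU (write-lock) does not.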