Re: [PATCH v3 03/37] KVM: nVMX: Invalidate all EPTP contexts when emulating INVEPT for L1

From: Vitaly Kuznetsov
Date: Mon Mar 23 2020 - 11:24:15 EST

Next message: Alan Stern: "Re: [PATCH v7 1/5] usb: hci: add hc_driver as argument for usb_hcd_pci_probe"
Previous message: Joel Fernandes: "Re: [PATCH] sched: Use RCU-sched in core-scheduling balancing logic"
In reply to: Sean Christopherson: "[PATCH v3 03/37] KVM: nVMX: Invalidate all EPTP contexts when emulating INVEPT for L1"
Next in thread: Sean Christopherson: "Re: [PATCH v3 03/37] KVM: nVMX: Invalidate all EPTP contexts when emulating INVEPT for L1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sean Christopherson <sean.j.christopherson@xxxxxxxxx> writes:

> Free all L2 (guest_mmu) roots when emulating INVEPT for L1. Outstanding
> changes to the EPT tables managed by L1 need to be recognized, and
> relying on KVM to always flush L2's EPTP context on nested VM-Enter is
> dangerous.
>
> Similar to handle_invpcid(), rely on kvm_mmu_free_roots() to do a remote
> TLB flush if necessary, e.g. if L1 has never entered L2 then there is
> nothing to be done.
>
> Nuking all L2 roots is overkill for the single-context variant, but it's
> the safe and easy bet. A more precise zap mechanism will be added in
> the future. Add a TODO to call out that KVM only needs to invalidate
> affected contexts.
>
> Fixes: b119019847fbc ("kvm: nVMX: Remove unnecessary sync_roots from handle_invept")
> Reported-by: Jim Mattson <jmattson@xxxxxxxxxx>
> Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
> ---
> arch/x86/kvm/vmx/nested.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index f3774cef4fd4..9624cea4ed9f 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -5160,12 +5160,12 @@ static int handle_invept(struct kvm_vcpu *vcpu)
> if (!nested_vmx_check_eptp(vcpu, operand.eptp))
> return nested_vmx_failValid(vcpu,
> VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
> +
> + /* TODO: sync only the target EPTP context. */
> fallthrough;
> case VMX_EPT_EXTENT_GLOBAL:
> - /*
> - * TODO: Sync the necessary shadow EPT roots here, rather than
> - * at the next emulated VM-entry.
> - */
> + kvm_mmu_free_roots(vcpu, &vcpu->arch.guest_mmu,
> + KVM_MMU_ROOTS_ALL);
> break;

An ignorant reader may wonder "and how do we know that L1 actaully uses
EPT" as he may find out that guest_mmu is not being used otherwise. The
answer to the question will likely be "if L1 doesn't use EPT for some of
its guests than there's nothing we should do here as we will be
resetting root_mmu when switching to/from them". Hope the ignorant
reviewer typing this is not very wrong :-)

> default:
> BUG_ON(1);

Reviewed-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>

--
Vitaly

Next message: Alan Stern: "Re: [PATCH v7 1/5] usb: hci: add hc_driver as argument for usb_hcd_pci_probe"
Previous message: Joel Fernandes: "Re: [PATCH] sched: Use RCU-sched in core-scheduling balancing logic"
In reply to: Sean Christopherson: "[PATCH v3 03/37] KVM: nVMX: Invalidate all EPTP contexts when emulating INVEPT for L1"
Next in thread: Sean Christopherson: "Re: [PATCH v3 03/37] KVM: nVMX: Invalidate all EPTP contexts when emulating INVEPT for L1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]