[MODERATED] [RFC PATCH 5/6] kvm: handle host mode irqs 5

From: Nicolai Stange <nstange@suse.de>
To: speck@linutronix.de
Subject: [MODERATED] [RFC PATCH 5/6] kvm: handle host mode irqs 5
Date: Sun, 22 Jul 2018 13:06:02 +0200	[thread overview]
Message-ID: <433a9d8f013ff5d2eb096ade984fbd307296c267.1532339695.git.nstange@suse.de> (raw)
In-Reply-To: <cover.1532339695.git.nstange@suse.de>

As part of its L1TF mitigation in conditional mode, the vmx code flushes
the L1d cache on VMENTRY if the preceeding VMEXIT was caused by an external
interrupt, for example.

This covers interrupts issued in the first part of a
VMENTER->VMEXIT->VMENTER cycle. However, those taken in the second part,
i.e. while in host mode, are not being handled yet.

Use the recently added kernel_mode_irq_gen generation counter to detect
those. Make it available by selecting X86_TRACK_KERNEL_MODE_IRQS from the
KVM_INTEL Kconfig option.

Introduce a new field, ->last_kernel_mode_irq_gen, to struct kvm_vcpu_arch.
Store a snapshot of kernel_mode_irq_gen to it right after VMEXIT when
interrupts are still disabled.

Let the VMENTER conditional flushing logic in vmx_l1d_flush() compare that
snapshot against the current value and cause a L1d flush if they don't
match. Note that interrupts are disabled again when vmx_l1d_flush() runs
and this extends up to the actual VM entry.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Nicolai Stange <nstange@suse.de>
---
 arch/x86/include/asm/kvm_host.h |  1 +
 arch/x86/kvm/Kconfig            |  1 +
 arch/x86/kvm/vmx.c              | 20 +++++++++++++++++++-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 57d418061c55..3831f0eada4b 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -716,6 +716,7 @@ struct kvm_vcpu_arch {
 
 	/* Flush the L1 Data cache for L1TF mitigation on VMENTER */
 	bool l1tf_flush_l1d;
+	unsigned int last_kernel_mode_irq_gen;
 };
 
 struct kvm_lpage_info {
diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
index 92fd433c50b9..78372b792927 100644
--- a/arch/x86/kvm/Kconfig
+++ b/arch/x86/kvm/Kconfig
@@ -64,6 +64,7 @@ config KVM_INTEL
 	depends on KVM
 	# for perf_guest_get_msrs():
 	depends on CPU_SUP_INTEL
+	select X86_TRACK_KERNEL_MODE_IRQS
 	---help---
 	  Provides support for KVM on Intel processors equipped with the VT
 	  extensions.
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index ec955b870756..3db17606c418 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9701,8 +9701,23 @@ static void vmx_l1d_flush(struct kvm_vcpu *vcpu)
 		 * handlers.
 		 */
 		vcpu->arch.l1tf_flush_l1d = false;
-		if (!flush_l1d)
+
+		/*
+		 * Flush the L1d if
+		 *  - an unsafe VMEXIT handler had been executed or
+		 *  - an interrupt handler had been run after the last
+		 *    VMEXIT, either directly or indirectly from
+		 *    vmx_handle_external_intr().
+		 *
+		 * Note that if we're on a different CPU than the one
+		 * where ->last_kernel_mode_irq_gen was taken, then
+		 * flush_l1d is set anyway.
+		 */
+		if (!flush_l1d &&
+		    (vcpu->arch.last_kernel_mode_irq_gen ==
+		     *this_cpu_ptr(&kernel_mode_irq_gen))) {
 			return;
+		}
 	}
 
 	vcpu->stat.l1d_flush++;
@@ -10435,6 +10450,9 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
 	vmx_complete_atomic_exit(vmx);
 	vmx_recover_nmi_blocking(vmx);
 	vmx_complete_interrupts(vmx);
+
+	vcpu->arch.last_kernel_mode_irq_gen =
+		*this_cpu_ptr(&kernel_mode_irq_gen);
 }
 STACK_FRAME_NON_STANDARD(vmx_vcpu_run);
 
-- 
2.13.7
