From: Sean Christopherson <seanjc@google.com>
To: David Matlack <dmatlack@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	Marc Zyngier <maz@kernel.org>,
	Huacai Chen <chenhuacai@kernel.org>,
	Aleksandar Markovic <aleksandar.qemu.devel@gmail.com>,
	Anup Patel <anup@brainfault.org>,
	Paul Walmsley <paul.walmsley@sifive.com>,
	Palmer Dabbelt <palmer@dabbelt.com>,
	Albert Ou <aou@eecs.berkeley.edu>,
	Andrew Jones <drjones@redhat.com>,
	Ben Gardon <bgardon@google.com>, Peter Xu <peterx@redhat.com>,
	maciej.szmigiero@oracle.com,
	"moderated list:KERNEL VIRTUAL MACHINE FOR ARM64 (KVM/arm64)" 
	<kvmarm@lists.cs.columbia.edu>,
	"open list:KERNEL VIRTUAL MACHINE FOR MIPS (KVM/mips)" 
	<linux-mips@vger.kernel.org>,
	"open list:KERNEL VIRTUAL MACHINE FOR MIPS (KVM/mips)" 
	<kvm@vger.kernel.org>,
	"open list:KERNEL VIRTUAL MACHINE FOR RISC-V (KVM/riscv)" 
	<kvm-riscv@lists.infradead.org>,
	Peter Feiner <pfeiner@google.com>
Subject: Re: [PATCH v4 15/20] KVM: x86/mmu: Cache the access bits of shadowed translations
Date: Fri, 6 May 2022 19:47:13 +0000	[thread overview]
Message-ID: <YnV7QUOkYVg+Ktnl@google.com> (raw)
In-Reply-To: <20220422210546.458943-16-dmatlack@google.com>

On Fri, Apr 22, 2022, David Matlack wrote:
> diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h
> index a8a755e1561d..97bf53b29b88 100644
> --- a/arch/x86/kvm/mmu/paging_tmpl.h
> +++ b/arch/x86/kvm/mmu/paging_tmpl.h
> @@ -978,7 +978,8 @@ static gpa_t FNAME(gva_to_gpa)(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
>  }
>  
>  /*
> - * Using the cached information from sp->gfns is safe because:
> + * Using the information in sp->shadowed_translation (kvm_mmu_page_get_gfn()
> + * and kvm_mmu_page_get_access()) is safe because:
>   * - The spte has a reference to the struct page, so the pfn for a given gfn
>   *   can't change unless all sptes pointing to it are nuked first.
>   *
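Review bot: the rewritten comment now names both kvm_mmu_page_get_gfn() and kvm_mmu_page_get_access(), but the justification that follows it (the spte holds a reference to the struct page, so the pfn for a given gfn cannot change) only argues why the cached gfn stays valid. Consider adding a bullet that states why the cached access bits can be trusted as well, e.g. that sync_page() refreshes them through kvm_mmu_page_set_access() whenever the guest PTE's permissions change, so the comment's safety argument covers everything stored in sp->shadowed_translation.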
> @@ -1052,12 +1053,15 @@ static int FNAME(sync_page)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
>  		if (sync_mmio_spte(vcpu, &sp->spt[i], gfn, pte_access))
>  			continue;
>  
> -		if (gfn != sp->gfns[i]) {
> +		if (gfn != kvm_mmu_page_get_gfn(sp, i)) {
>  			drop_spte(vcpu->kvm, &sp->spt[i]);
>  			flush = true;
>  			continue;
>  		}
>  
> +		if (pte_access != kvm_mmu_page_get_access(sp, i))
> +			kvm_mmu_page_set_access(sp, i, pte_access);

Very tangentially related, and more an FYI than anything else (I'll send a patch
separately)... Replying here because this got me wondering about the validity of
pte_access.

There's an existing bug for nEPT here, which I proved after 3 hours of fighting
with KUT's EPT tests (ugh).

  1. execute-only EPT entries are supported
  2. L1 creates an upper-level RW EPTE and a 4kb leaf RW EPTE
  3. L2 accesses the address; KVM installs a SPTE
  4. L1 modifies the leaf EPTE to be X-only, and does INVEPT
  5. ept_sync_page() creates a SPTE with pte_access=0 / RWX=0

The logic for pte_access (just above this code) is:

		pte_access = sp->role.access;
		pte_access &= FNAME(gpte_access)(gpte);

The parent guest EPTE is 'RW', and so sp->role.access is 'RW'.  When the new 'X'
EPTE is ANDed with the 'RW' parent protections, the result is a RWX=0 SPTE.  This
is only possible if execute-only is supported, because otherwise PTEs are always
readable, i.e. shadow_present_mask is non-zero.

I don't think anything bad happens per se, but it's odd to have a !PRESENT in
hardware, shadow-present SPTE.  I think the correct/easiest fix is:

diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h
index b025decf610d..f8ea881cfce6 100644
--- a/arch/x86/kvm/mmu/paging_tmpl.h
+++ b/arch/x86/kvm/mmu/paging_tmpl.h
@@ -1052,7 +1052,7 @@ static int FNAME(sync_page)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
                if (sync_mmio_spte(vcpu, &sp->spt[i], gfn, pte_access))
                        continue;

-               if (gfn != sp->gfns[i]) {
+               if ((!pte_access && !shadow_present_mask) || gfn != sp->gfns[i]) {
                        drop_spte(vcpu->kvm, &sp->spt[i]);
                        flush = true;
                        continue;
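Review bot: this hunk is written against `sp->gfns[i]`, which the patch under review replaces with `kvm_mmu_page_get_gfn(sp, i)`, so it will need a rebase onto the series (or to land ahead of it). On the condition itself, the `!shadow_present_mask` clause only changes the outcome in a state the reasoning above says is unreachable (pte_access can only be zero when execute-only is supported, i.e. when shadow_present_mask is already zero); keeping it as a defensive qualifier is fine, but a one-line comment saying that an empty RWX set is only reachable with execute-only EPT would make the drop self-explanatory to the next reader.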
diff --git a/arch/x86/kvm/mmu/spte.c b/arch/x86/kvm/mmu/spte.c
index 75c9e87d446a..9ad60662beac 100644
--- a/arch/x86/kvm/mmu/spte.c
+++ b/arch/x86/kvm/mmu/spte.c
@@ -101,6 +101,8 @@ bool make_spte(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
        u64 spte = SPTE_MMU_PRESENT_MASK;
        bool wrprot = false;

+       WARN_ON_ONCE(!pte_access && !shadow_present_mask);
+
        if (sp->role.ad_disabled)
                spte |= SPTE_TDP_AD_DISABLED_MASK;
        else if (kvm_mmu_page_ad_need_write_protect(sp))
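Review bot: since the paging_tmpl.h hunk only fixes the sync path, this WARN_ON_ONCE() is the sole guard for every other make_spte() caller, and after it fires the function simply continues and builds exactly the shadow-present, RWX=0 SPTE the message calls odd. A short comment above the WARN stating the invariant (pte_access == 0 is only possible with execute-only EPT, and sync_page() is expected to drop such entries before reaching here) would document why this is a bug to report rather than a legitimate input to tolerate.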


> +
>  		sptep = &sp->spt[i];
>  		spte = *sptep;
>  		host_writable = spte & shadow_host_writable_mask;
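Review bot: the new kvm_mmu_page_set_access() call caches whatever pte_access the guest PTE yields, including the pte_access == 0 case described in the reply for execute-only nEPT (an RW upper-level EPTE ANDed with an X-only leaf). If the proposed `(!pte_access && !shadow_present_mask)` drop is adopted, it belongs in the `gfn != kvm_mmu_page_get_gfn(sp, i)` check above so that its `continue` fires before a zero access value is written into sp->shadowed_translation; as the hunk stands, the cache could end up recording RWX=0 for a shadow-present SPTE.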
> -- 
> 2.36.0.rc2.479.g8af0fa9b8e-goog
> 
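The permission-combining logic Sean describes above (sp->role.access ANDed with the leaf gpte's access) and his proposed drop check, as an added, constructed C model written for this page; it is not KVM code and not from anyone in the thread. The ACC_* bits, the two PRESENT_MASK_* values and the functions ept_gpte_permitted(), combine_access(), access_is_empty(), model_spte_bits() and sync_decision_before()/sync_decision_after() are assumptions that mirror the names used in the message, not KVM identifiers. It shows why an RW upper level ANDed with an X-only leaf yields pte_access == 0, why that state is only reachable when execute-only EPT is supported (shadow_present_mask == 0), and how the original and fixed sync_page() decisions differ on it.

```c
/*
 * Constructed model of the pte_access derivation in FNAME(sync_page) and of
 * the proposed (!pte_access && !shadow_present_mask) check. Illustrative code
 * written for this page, not KVM source. EPT R/W/X are modelled as bits 0..2;
 * shadow_present_mask is modelled as 0 when execute-only EPT is supported.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ACC_R   0x1u
#define ACC_W   0x2u
#define ACC_X   0x4u
#define ACC_RW  (ACC_R | ACC_W)

/* Stand-in for shadow_present_mask when execute-only EPT is NOT supported. */
#define PRESENT_MASK_NO_XONLY  0x1ull
/* With execute-only EPT there is no bit KVM can force on, so the mask is 0. */
#define PRESENT_MASK_XONLY     0x0ull

enum sync_result { SYNC_KEEP, SYNC_DROP };

/*
 * Can L1 even create an EPTE with this permission set? Without execute-only
 * support an EPTE that is W or X but not R is an EPT misconfiguration, which
 * is why "PTEs are always readable" in that configuration.
 */
static bool ept_gpte_permitted(uint8_t access, bool exec_only_supported)
{
	if (access == 0)
		return true;		/* not-present is always legal */
	if (access & ACC_R)
		return true;
	return exec_only_supported && access == ACC_X;
}

/* pte_access = sp->role.access; pte_access &= FNAME(gpte_access)(gpte); */
static uint8_t combine_access(uint8_t parent_access, uint8_t leaf_access)
{
	return parent_access & leaf_access;
}

/* Predicate behind both the proposed sync_page() drop and the make_spte() WARN. */
static bool access_is_empty(uint8_t pte_access, uint64_t shadow_present_mask)
{
	return !pte_access && !shadow_present_mask;
}

/* Hardware-visible bits the model SPTE ends up with: present mask plus RWX. */
static uint64_t model_spte_bits(uint8_t pte_access, uint64_t shadow_present_mask)
{
	return shadow_present_mask | pte_access;
}

/* Original decision: only a changed gfn drops the SPTE. */
static enum sync_result sync_decision_before(uint64_t gfn, uint64_t cached_gfn,
					     uint8_t pte_access,
					     uint64_t shadow_present_mask)
{
	(void)pte_access;
	(void)shadow_present_mask;
	return gfn != cached_gfn ? SYNC_DROP : SYNC_KEEP;
}

/* Decision with the proposed fix: an empty RWX set is also dropped. */
static enum sync_result sync_decision_after(uint64_t gfn, uint64_t cached_gfn,
					    uint8_t pte_access,
					    uint64_t shadow_present_mask)
{
	if (access_is_empty(pte_access, shadow_present_mask) || gfn != cached_gfn)
		return SYNC_DROP;
	return SYNC_KEEP;
}

int main(void)
{
	/* Scenario from the message: RW upper level, leaf rewritten RW -> X-only,
	 * execute-only supported, gfn unchanged (constructed value). */
	const uint64_t gfn = 0x1234;
	uint8_t acc = combine_access(ACC_RW, ACC_X);

	printf("X-only leaf legal without exec-only support? %d\n",
	       ept_gpte_permitted(ACC_X, false));
	printf("pte_access = %#x\n", acc);
	printf("before fix: %s, spte bits %#llx\n",
	       sync_decision_before(gfn, gfn, acc, PRESENT_MASK_XONLY) == SYNC_DROP ? "drop" : "keep",
	       (unsigned long long)model_spte_bits(acc, PRESENT_MASK_XONLY));
	printf("after fix:  %s\n",
	       sync_decision_after(gfn, gfn, acc, PRESENT_MASK_XONLY) == SYNC_DROP ? "drop" : "keep");
	return 0;
}
```

The model keeps the two decisions side by side so the difference is visible on one input: before the fix the X-only scenario is kept and the resulting model SPTE has no hardware bits set at all, after the fix it is dropped and re-faulted. The ept_gpte_permitted() helper encodes the reason the extra `!shadow_present_mask` clause never changes the outcome outside execute-only mode.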

