[MODERATED] Re: [PATCH v2] NX mitigations=off fix

[Pawan Gupta <pawan.kumar.gupta@linux.intel.com>]

From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Wed, 30 Oct 2019 21:28:24 -0700
Subject: [PATCH] kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

Problem: The global mitigation knob mitigations=off does not turn off
X86_BUG_ITLB_MULTIHIT mitigation.

Fix: Turn off the mitigation when ITLB_MULTIHIT mitigation mode is
"auto" and mitigations are turned off globally via cmdline
mitigations=off.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
Rebased on taa-master bundle. I do not have access to Thomas's repo.
This needs to go on top of Tyler's fix.

 Documentation/admin-guide/kernel-parameters.txt |  6 ++++++
 arch/x86/kvm/mmu.c                              | 10 ++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index e8e0a140a632..555236b92289 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2654,6 +2654,12 @@
 					       l1tf=off [X86]
 					       mds=off [X86]
 					       tsx_async_abort=off [X86]
+					       kvm.nx_huge_pages=off [X86]
+
+				Exceptions:
+					       This does not have any effect on
+					       kvm.nx_huge_pages when
+					       kvm.nx_huge_pages=force.
 
 			auto (default)
 				Mitigate all CPU vulnerabilities, but leave SMT
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index e6a5748a12d5..529589a42afb 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -6250,6 +6250,12 @@ static void kvm_set_mmio_spte_mask(void)
 	kvm_mmu_set_mmio_spte_mask(mask, mask, ACC_WRITE_MASK | ACC_USER_MASK);
 }
 
+static bool get_nx_auto_mode(void)
+{
+	/* Return true when CPU has the bug, and mitigations are ON */
+	return boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT) && !cpu_mitigations_off();
+}
+
 static void __set_nx_huge_pages(bool val)
 {
 	nx_huge_pages = itlb_multihit_kvm_mitigation = val;
@@ -6266,7 +6272,7 @@ static int set_nx_huge_pages(const char *val, const struct kernel_param *kp)
 	else if (sysfs_streq(val, "force"))
 		new_val = 1;
 	else if (sysfs_streq(val, "auto"))
-		new_val = boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT);
+		new_val = get_nx_auto_mode();
 	else if (strtobool(val, &new_val) < 0)
 		return -EINVAL;
 
@@ -6296,7 +6302,7 @@ int kvm_mmu_module_init(void)
 	int ret = -ENOMEM;
 
 	if (nx_huge_pages == -1)
-		__set_nx_huge_pages(boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT));
+		__set_nx_huge_pages(get_nx_auto_mode());
 
 	/*
 	 * MMU roles use union aliasing which is, generally speaking, an
-- 
2.20.1