From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751670AbdGaUFq (ORCPT ); Mon, 31 Jul 2017 16:05:46 -0400 Received: from mx1.redhat.com ([209.132.183.28]:42634 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751612AbdGaUFo (ORCPT ); Mon, 31 Jul 2017 16:05:44 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 48066C1E5B1C Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=pbonzini@redhat.com Date: Mon, 31 Jul 2017 16:05:42 -0400 (EDT) From: Paolo Bonzini To: Brijesh Singh Cc: kvm@vger.kernel.org, thomas lendacky , rkrcmar@redhat.com, joro@8bytes.org, x86@kernel.org, linux-kernel@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, tglx@linutronix.de, bp@suse.de Message-ID: <98086274.371452.1501531542630.JavaMail.zimbra@redhat.com> In-Reply-To: References: <147992048887.27638.17559991037474542240.stgit@brijesh-build-machine> <147992049856.27638.17076562184960611399.stgit@brijesh-build-machine> <21b9f4db-f929-80f6-6ad2-6fa3b77f82c0@redhat.com> Subject: Re: [PATCH v2 1/3] kvm: svm: Add support for additional SVM NPF error codes MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Originating-IP: [94.39.192.75, 10.4.196.4, 10.4.195.22] Thread-Topic: Add support for additional SVM NPF error codes Thread-Index: BA/pH1Byf+GRxHrLyC6qSQcYvYFBKA== X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Mon, 31 Jul 2017 20:05:44 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > > There can be different cases where an L0->L2 shadow nested page table is > > marked read only, in particular when a page is read only in L1's nested > > page tables. If such a page is accessed by L2 while walking page tables > > it will cause a nested page fault (page table walks are write accesses). > > However, after kvm_mmu_unprotect_page you will get another page fault, > > and again in an endless stream. > > > > Instead, emulation would have caused a nested page fault vmexit, I think. > > If possible could you please give me some pointer on how to create this use > case so that we can get definitive answer. > > Looking at the code path is giving me indication that the new code > (the kvm_mmu_unprotect_page call) only happens if vcpu->arch.mmu_page_fault() > returns an indication that the instruction should be emulated. I would not > expect that to be the case scenario you described above since L1 making a page > read-only (this is a page table for L2) is an error and should result in #NPF > being injected into L1. The flow is: hardware walks page table; L2 page table points to read only memory -> pf_interception (code = -> kvm_handle_page_fault (need_unprotect = false) -> kvm_mmu_page_fault -> paging64_page_fault (for example) -> try_async_pf map_writable set to false -> paging64_fetch(write_fault = true, map_writable = false, prefault = false) -> mmu_set_spte(speculative = false, host_writable = false, write_fault = true) -> set_spte mmu_need_write_protect returns true return true write_fault == true -> set emulate = true return true return true return true emulate Without this patch, emulation would have called ..._gva_to_gpa_nested -> translate_nested_gpa -> paging64_gva_to_gpa -> paging64_walk_addr -> paging64_walk_addr_generic set fault (nested_page_fault=true) and then: kvm_propagate_fault -> nested_svm_inject_npf_exit > It's bit hard for me to visualize the code flow and > figure out exactly how that would happen, but I just tried booting nested > virtualization and it seem to be working okay. I don't expect the above to happen when booting a normal guest (usual L1 guests hardly have readonly mappings). > Is there a kvm-unit-test which I can run to trigger this scenario ? thanks No, there isn't. Paolo > -Brijesh >