[v3,05/18] x86/reboot: Disable virtualization during reboot iff callback is registered
Message ID | 20230512235026.808058-6-seanjc@google.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp5462576vqo; Fri, 12 May 2023 16:53:00 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7DOYsmzOO/y4lrAks0V8zwJW2JzNmQg7N4PbIH+k7Tlgrqse9ufWcvLoaZCJ8SdyqhjdrJ X-Received: by 2002:a17:90a:d193:b0:250:91f7:f66c with SMTP id fu19-20020a17090ad19300b0025091f7f66cmr17574863pjb.27.1683935579708; Fri, 12 May 2023 16:52:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683935579; cv=none; d=google.com; s=arc-20160816; b=xMrU0kLuYK9RVRN9bKqCa4YcSMyj4KrQwjh6J3j0vnZ2t4aA+hIkbrK0qtzWxECjGs UBLoYsJQBhNFL8d5Ytv5f1f5f6hZ2XNO/xI5VHFK2dEHF70XEdJqK6tH0qpiyXeEQ19N p+/8+/cTbgEthmpP2L1WW7ZODG5dKF7Aurx23mwwyLohkbJK6yXr1surTT00L9P2UaNK Iq9WaHqRzIg9ruByQ+zQhBvHF5Pj8OySwc05rRvofez1QXJrp1o1uP8PNRdDepH+NR8q MAhC2elVdcDvYm8Rv8aGgSifPO2INQwksTf4aUK4lse2eWTCgkRxxhiVoVRLJ4+NWCRC Z+HA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:reply-to:dkim-signature; bh=qe0nkbWmCyKJWkQTDDVLIYD5KqVMDGWynhMHlJu7zeU=; b=tpCIptU0XM7Ahedt8wKIQOX7C7/+j6sZtbMsrO04/48yULMFgycXh6kSkq7qNevFy7 herNppjZENBp+Ft4dKjkjWzflcxYYBoxuFDZnfklnvGX5KtWDcG4OP6BzyWF/NA+FJL4 6CHGOlFFo1XchGg/zXYO9Mv7xBabDr2aemskMbEaTx3ReJGwjd88kHTz4XmUShrlxc1G sm5THsIBWnAFCv1VCDkX6QQM7HhW33QoS5olW//u3RNo5LlTLZKKAHVgFbXRKNI6VDsI BRtMN1Q19W/XQIh3r63tcAkm8e4wuBGOy1DeoUuA+WsGzbHH14SGUwm4CHeAqKtyW64B QdEA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=kuAgRvu3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q63-20020a17090a1b4500b00233f3034302si23755185pjq.46.2023.05.12.16.52.47; Fri, 12 May 2023 16:52:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=kuAgRvu3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241131AbjELXu5 (ORCPT <rfc822;peekingduck44@gmail.com> + 99 others); Fri, 12 May 2023 19:50:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51112 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240898AbjELXus (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Fri, 12 May 2023 19:50:48 -0400 Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com [IPv6:2607:f8b0:4864:20::b4a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 339E935A6 for <linux-kernel@vger.kernel.org>; Fri, 12 May 2023 16:50:40 -0700 (PDT) Received: by mail-yb1-xb4a.google.com with SMTP id 3f1490d57ef6-ba71ed074ceso5953360276.0 for <linux-kernel@vger.kernel.org>; Fri, 12 May 2023 16:50:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1683935439; x=1686527439; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=qe0nkbWmCyKJWkQTDDVLIYD5KqVMDGWynhMHlJu7zeU=; b=kuAgRvu3zYo75pMBLrsRWnCeJ6ZWtulbQUnM7oeEwamoK+Zc5KgVon4oD78DPBbWJ/ paP5o3BlKZZai9QliuryvolqTkGnu7dwmvN5aXHU3vA0cBm836XGpDkcL6uzXYYSKsFE It71ivzWEZpyzTW73EHv5HbVEhM12XFcE6/pv4EugGd2+YoD4xnLzrjMAgYuXFTUuMsF lLfsSpC7gfP9BS+ss0xjTpZ9LEvne+rjriNsbVTIewGLvyChSUM7vy6aSV0AJnC/aFov qqUnJMNuqephjTPbZtNpuyzV2BJKXtsnUedsBl5q1DlogroDOv5wa4Xp09Eo2ab1Uzln WbRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683935439; x=1686527439; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qe0nkbWmCyKJWkQTDDVLIYD5KqVMDGWynhMHlJu7zeU=; b=BthjzqUdnjBTsbCg7cqRhRyQTMcqY+L+b4uk2jqUrDtPkt4mgQsLJBur5cCA3o3cuL ic9LGFrkjHnqUCoUelduZYBuQrxRsNomQIvKaMnEvTZWVQKBnR1PjADMY9Ud/NRsliyh PNFIPAAFdyVIj+L6JmSOF75vg1M3NG6PegOOhh8VVSxluxjENRu6DXCHxWHr1cHfVU6n 1mOflE3LUzfDStmxzs0UBFY8nC3Q8SbdMVwxMo80ml59JdCciIMVlBVswbgBeWg16Vas fb7vYopJWoVKe5qaeImSRYyY8bOB8XAsyfYOVkF3sk9IUyQjEWJ8SsJk6BSgg+5GbBEv YUow== X-Gm-Message-State: AC+VfDzVZSrnTgwoTAZmp69GF6elYD6wWlyk4qplXNiD/5QRb1QYGrIC mYwhnL8qjc/t0wFinZQo925LHOi2NJM= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a81:78ce:0:b0:55d:9e7c:72c0 with SMTP id t197-20020a8178ce000000b0055d9e7c72c0mr17732359ywc.0.1683935439368; Fri, 12 May 2023 16:50:39 -0700 (PDT) Reply-To: Sean Christopherson <seanjc@google.com> Date: Fri, 12 May 2023 16:50:13 -0700 In-Reply-To: <20230512235026.808058-1-seanjc@google.com> Mime-Version: 1.0 References: <20230512235026.808058-1-seanjc@google.com> X-Mailer: git-send-email 2.40.1.606.ga4b1b128d6-goog Message-ID: <20230512235026.808058-6-seanjc@google.com> Subject: [PATCH v3 05/18] x86/reboot: Disable virtualization during reboot iff callback is registered From: Sean Christopherson <seanjc@google.com> To: Sean Christopherson <seanjc@google.com>, Paolo Bonzini <pbonzini@redhat.com> Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Andrew Cooper <Andrew.Cooper3@citrix.com>, Kai Huang <kai.huang@intel.com>, Chao Gao <chao.gao@intel.com> Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1765734434700544468?= X-GMAIL-MSGID: =?utf-8?q?1765734434700544468?= |
Series |
x86/reboot: KVM: Clean up "emergency" virt code
|
|
Commit Message
Sean Christopherson
May 12, 2023, 11:50 p.m. UTC
Attempt to disable virtualization during an emergency reboot if and only
if there is a registered virt callback, i.e. iff a hypervisor (KVM) is
active. If there's no active hypervisor, then the CPU can't be operating
with VMX or SVM enabled (barring an egregious bug).
Note, IRQs are disabled, which prevents KVM from coming along and enabling
virtualization after the fact.
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
arch/x86/kernel/reboot.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
Comments
On Fri, 2023-05-12 at 16:50 -0700, Sean Christopherson wrote: > Attempt to disable virtualization during an emergency reboot if and only > if there is a registered virt callback, i.e. iff a hypervisor (KVM) is > active. If there's no active hypervisor, then the CPU can't be operating > with VMX or SVM enabled (barring an egregious bug). > > Note, IRQs are disabled, which prevents KVM from coming along and enabling > virtualization after the fact. > > Signed-off-by: Sean Christopherson <seanjc@google.com> > --- > arch/x86/kernel/reboot.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c > index 92b380e199a3..20f7bdabc52e 100644 > --- a/arch/x86/kernel/reboot.c > +++ b/arch/x86/kernel/reboot.c > @@ -22,7 +22,6 @@ > #include <asm/reboot_fixups.h> > #include <asm/reboot.h> > #include <asm/pci_x86.h> > -#include <asm/virtext.h> > #include <asm/cpu.h> > #include <asm/nmi.h> > #include <asm/smp.h> > @@ -545,7 +544,7 @@ static void emergency_reboot_disable_virtualization(void) > * Do the NMI shootdown even if virtualization is off on _this_ CPU, as > * other CPUs may have virtualization enabled. > */ > - if (cpu_has_vmx() || cpu_has_svm(NULL)) { > + if (rcu_access_pointer(cpu_emergency_virt_callback)) { > /* Safely force _this_ CPU out of VMX/SVM operation. */ > cpu_emergency_disable_virtualization(); IIUC, for cpu_emergency_disable_virtualization() itself, looks it's OK to not having the pointer check, since it internally will do rcu_dereference() inside RCU critical section anyway. But nmi_shootdown_cpus_on_restart() is called after cpu_emergency_disable_virtualization(), and having the pointer check here can avoid sending NMI to remote cpus if there's no active hypervisor. Am I missing something? If not, is it worth to call this out in changelog? > > -- > 2.40.1.606.ga4b1b128d6-goog >
On Mon, May 22, 2023, Kai Huang wrote: > On Fri, 2023-05-12 at 16:50 -0700, Sean Christopherson wrote: > > Attempt to disable virtualization during an emergency reboot if and only > > if there is a registered virt callback, i.e. iff a hypervisor (KVM) is > > active. If there's no active hypervisor, then the CPU can't be operating > > with VMX or SVM enabled (barring an egregious bug). > > > > Note, IRQs are disabled, which prevents KVM from coming along and enabling > > virtualization after the fact. > > > > Signed-off-by: Sean Christopherson <seanjc@google.com> > > --- > > arch/x86/kernel/reboot.c | 3 +-- > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c > > index 92b380e199a3..20f7bdabc52e 100644 > > --- a/arch/x86/kernel/reboot.c > > +++ b/arch/x86/kernel/reboot.c > > @@ -22,7 +22,6 @@ > > #include <asm/reboot_fixups.h> > > #include <asm/reboot.h> > > #include <asm/pci_x86.h> > > -#include <asm/virtext.h> > > #include <asm/cpu.h> > > #include <asm/nmi.h> > > #include <asm/smp.h> > > @@ -545,7 +544,7 @@ static void emergency_reboot_disable_virtualization(void) > > * Do the NMI shootdown even if virtualization is off on _this_ CPU, as > > * other CPUs may have virtualization enabled. > > */ > > - if (cpu_has_vmx() || cpu_has_svm(NULL)) { > > + if (rcu_access_pointer(cpu_emergency_virt_callback)) { > > /* Safely force _this_ CPU out of VMX/SVM operation. */ > > cpu_emergency_disable_virtualization(); > > > IIUC, for cpu_emergency_disable_virtualization() itself, looks it's OK to not > having the pointer check, since it internally will do rcu_dereference() inside > RCU critical section anyway. > > But nmi_shootdown_cpus_on_restart() is called after > cpu_emergency_disable_virtualization(), and having the pointer check here can > avoid sending NMI to remote cpus if there's no active hypervisor. > > Am I missing something? If not, is it worth to call this out in changelog? No, you're not missing anything. I agree it's worth a line in the changelog. Dropping the "spurious" NMI should be a-ok, but explicitly calling out the side effect could be helpful for debug if something is silently relying on the NMI.
On Mon, 2023-05-22 at 10:51 -0700, Sean Christopherson wrote: > On Mon, May 22, 2023, Kai Huang wrote: > > On Fri, 2023-05-12 at 16:50 -0700, Sean Christopherson wrote: > > > Attempt to disable virtualization during an emergency reboot if and only > > > if there is a registered virt callback, i.e. iff a hypervisor (KVM) is > > > active. If there's no active hypervisor, then the CPU can't be operating > > > with VMX or SVM enabled (barring an egregious bug). > > > > > > Note, IRQs are disabled, which prevents KVM from coming along and enabling > > > virtualization after the fact. > > > > > > Signed-off-by: Sean Christopherson <seanjc@google.com> > > > --- > > > arch/x86/kernel/reboot.c | 3 +-- > > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > > > diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c > > > index 92b380e199a3..20f7bdabc52e 100644 > > > --- a/arch/x86/kernel/reboot.c > > > +++ b/arch/x86/kernel/reboot.c > > > @@ -22,7 +22,6 @@ > > > #include <asm/reboot_fixups.h> > > > #include <asm/reboot.h> > > > #include <asm/pci_x86.h> > > > -#include <asm/virtext.h> > > > #include <asm/cpu.h> > > > #include <asm/nmi.h> > > > #include <asm/smp.h> > > > @@ -545,7 +544,7 @@ static void emergency_reboot_disable_virtualization(void) > > > * Do the NMI shootdown even if virtualization is off on _this_ CPU, as > > > * other CPUs may have virtualization enabled. > > > */ > > > - if (cpu_has_vmx() || cpu_has_svm(NULL)) { > > > + if (rcu_access_pointer(cpu_emergency_virt_callback)) { > > > /* Safely force _this_ CPU out of VMX/SVM operation. */ > > > cpu_emergency_disable_virtualization(); > > > > > > IIUC, for cpu_emergency_disable_virtualization() itself, looks it's OK to not > > having the pointer check, since it internally will do rcu_dereference() inside > > RCU critical section anyway. > > > > But nmi_shootdown_cpus_on_restart() is called after > > cpu_emergency_disable_virtualization(), and having the pointer check here can > > avoid sending NMI to remote cpus if there's no active hypervisor. > > > > Am I missing something? If not, is it worth to call this out in changelog? > > No, you're not missing anything. I agree it's worth a line in the changelog. > Dropping the "spurious" NMI should be a-ok, but explicitly calling out the side > effect could be helpful for debug if something is silently relying on the NMI. Yeah my thinking too. Thanks.
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c index 92b380e199a3..20f7bdabc52e 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -22,7 +22,6 @@ #include <asm/reboot_fixups.h> #include <asm/reboot.h> #include <asm/pci_x86.h> -#include <asm/virtext.h> #include <asm/cpu.h> #include <asm/nmi.h> #include <asm/smp.h> @@ -545,7 +544,7 @@ static void emergency_reboot_disable_virtualization(void) * Do the NMI shootdown even if virtualization is off on _this_ CPU, as * other CPUs may have virtualization enabled. */ - if (cpu_has_vmx() || cpu_has_svm(NULL)) { + if (rcu_access_pointer(cpu_emergency_virt_callback)) { /* Safely force _this_ CPU out of VMX/SVM operation. */ cpu_emergency_disable_virtualization();