[v3,05/18] x86/reboot: Disable virtualization during reboot iff callback is registered
| Message ID | 20230512235026.808058-6-seanjc@google.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp5462576vqo;
Fri, 12 May 2023 16:53:00 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ7DOYsmzOO/y4lrAks0V8zwJW2JzNmQg7N4PbIH+k7Tlgrqse9ufWcvLoaZCJ8SdyqhjdrJ
X-Received: by 2002:a17:90a:d193:b0:250:91f7:f66c with SMTP id
fu19-20020a17090ad19300b0025091f7f66cmr17574863pjb.27.1683935579708;
Fri, 12 May 2023 16:52:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1683935579; cv=none;
d=google.com; s=arc-20160816;
b=xMrU0kLuYK9RVRN9bKqCa4YcSMyj4KrQwjh6J3j0vnZ2t4aA+hIkbrK0qtzWxECjGs
UBLoYsJQBhNFL8d5Ytv5f1f5f6hZ2XNO/xI5VHFK2dEHF70XEdJqK6tH0qpiyXeEQ19N
p+/8+/cTbgEthmpP2L1WW7ZODG5dKF7Aurx23mwwyLohkbJK6yXr1surTT00L9P2UaNK
Iq9WaHqRzIg9ruByQ+zQhBvHF5Pj8OySwc05rRvofez1QXJrp1o1uP8PNRdDepH+NR8q
MAhC2elVdcDvYm8Rv8aGgSifPO2INQwksTf4aUK4lse2eWTCgkRxxhiVoVRLJ4+NWCRC
Z+HA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:cc:to:from:subject:message-id:references
:mime-version:in-reply-to:date:reply-to:dkim-signature;
bh=qe0nkbWmCyKJWkQTDDVLIYD5KqVMDGWynhMHlJu7zeU=;
b=tpCIptU0XM7Ahedt8wKIQOX7C7/+j6sZtbMsrO04/48yULMFgycXh6kSkq7qNevFy7
herNppjZENBp+Ft4dKjkjWzflcxYYBoxuFDZnfklnvGX5KtWDcG4OP6BzyWF/NA+FJL4
6CHGOlFFo1XchGg/zXYO9Mv7xBabDr2aemskMbEaTx3ReJGwjd88kHTz4XmUShrlxc1G
sm5THsIBWnAFCv1VCDkX6QQM7HhW33QoS5olW//u3RNo5LlTLZKKAHVgFbXRKNI6VDsI
BRtMN1Q19W/XQIh3r63tcAkm8e4wuBGOy1DeoUuA+WsGzbHH14SGUwm4CHeAqKtyW64B
QdEA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@google.com header.s=20221208 header.b=kuAgRvu3;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
q63-20020a17090a1b4500b00233f3034302si23755185pjq.46.2023.05.12.16.52.47;
Fri, 12 May 2023 16:52:59 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@google.com header.s=20221208 header.b=kuAgRvu3;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S241131AbjELXu5 (ORCPT <rfc822;peekingduck44@gmail.com>
+ 99 others); Fri, 12 May 2023 19:50:57 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51112 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S240898AbjELXus (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 12 May 2023 19:50:48 -0400
Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com
[IPv6:2607:f8b0:4864:20::b4a])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 339E935A6
for <linux-kernel@vger.kernel.org>;
Fri, 12 May 2023 16:50:40 -0700 (PDT)
Received: by mail-yb1-xb4a.google.com with SMTP id
3f1490d57ef6-ba71ed074ceso5953360276.0
for <linux-kernel@vger.kernel.org>;
Fri, 12 May 2023 16:50:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20221208; t=1683935439; x=1686527439;
h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
:date:reply-to:from:to:cc:subject:date:message-id:reply-to;
bh=qe0nkbWmCyKJWkQTDDVLIYD5KqVMDGWynhMHlJu7zeU=;
b=kuAgRvu3zYo75pMBLrsRWnCeJ6ZWtulbQUnM7oeEwamoK+Zc5KgVon4oD78DPBbWJ/
paP5o3BlKZZai9QliuryvolqTkGnu7dwmvN5aXHU3vA0cBm836XGpDkcL6uzXYYSKsFE
It71ivzWEZpyzTW73EHv5HbVEhM12XFcE6/pv4EugGd2+YoD4xnLzrjMAgYuXFTUuMsF
lLfsSpC7gfP9BS+ss0xjTpZ9LEvne+rjriNsbVTIewGLvyChSUM7vy6aSV0AJnC/aFov
qqUnJMNuqephjTPbZtNpuyzV2BJKXtsnUedsBl5q1DlogroDOv5wa4Xp09Eo2ab1Uzln
WbRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1683935439; x=1686527439;
h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
:date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=qe0nkbWmCyKJWkQTDDVLIYD5KqVMDGWynhMHlJu7zeU=;
b=BthjzqUdnjBTsbCg7cqRhRyQTMcqY+L+b4uk2jqUrDtPkt4mgQsLJBur5cCA3o3cuL
ic9LGFrkjHnqUCoUelduZYBuQrxRsNomQIvKaMnEvTZWVQKBnR1PjADMY9Ud/NRsliyh
PNFIPAAFdyVIj+L6JmSOF75vg1M3NG6PegOOhh8VVSxluxjENRu6DXCHxWHr1cHfVU6n
1mOflE3LUzfDStmxzs0UBFY8nC3Q8SbdMVwxMo80ml59JdCciIMVlBVswbgBeWg16Vas
fb7vYopJWoVKe5qaeImSRYyY8bOB8XAsyfYOVkF3sk9IUyQjEWJ8SsJk6BSgg+5GbBEv
YUow==
X-Gm-Message-State: AC+VfDzVZSrnTgwoTAZmp69GF6elYD6wWlyk4qplXNiD/5QRb1QYGrIC
mYwhnL8qjc/t0wFinZQo925LHOi2NJM=
X-Received: from zagreus.c.googlers.com
([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37])
(user=seanjc job=sendgmr) by 2002:a81:78ce:0:b0:55d:9e7c:72c0 with SMTP id
t197-20020a8178ce000000b0055d9e7c72c0mr17732359ywc.0.1683935439368; Fri, 12
May 2023 16:50:39 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Fri, 12 May 2023 16:50:13 -0700
In-Reply-To: <20230512235026.808058-1-seanjc@google.com>
Mime-Version: 1.0
References: <20230512235026.808058-1-seanjc@google.com>
X-Mailer: git-send-email 2.40.1.606.ga4b1b128d6-goog
Message-ID: <20230512235026.808058-6-seanjc@google.com>
Subject: [PATCH v3 05/18] x86/reboot: Disable virtualization during reboot iff
callback is registered
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Andrew Cooper <Andrew.Cooper3@citrix.com>,
Kai Huang <kai.huang@intel.com>, Chao Gao <chao.gao@intel.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1765734434700544468?=
X-GMAIL-MSGID: =?utf-8?q?1765734434700544468?=
|
| Series |
x86/reboot: KVM: Clean up "emergency" virt code
|
|
Commit Message
Sean Christopherson
May 12, 2023, 11:50 p.m. UTC
Attempt to disable virtualization during an emergency reboot if and only
if there is a registered virt callback, i.e. iff a hypervisor (KVM) is
active. If there's no active hypervisor, then the CPU can't be operating
with VMX or SVM enabled (barring an egregious bug).
Note, IRQs are disabled, which prevents KVM from coming along and enabling
virtualization after the fact.
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
arch/x86/kernel/reboot.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
Comments
On Fri, 2023-05-12 at 16:50 -0700, Sean Christopherson wrote: > Attempt to disable virtualization during an emergency reboot if and only > if there is a registered virt callback, i.e. iff a hypervisor (KVM) is > active. If there's no active hypervisor, then the CPU can't be operating > with VMX or SVM enabled (barring an egregious bug). > > Note, IRQs are disabled, which prevents KVM from coming along and enabling > virtualization after the fact. > > Signed-off-by: Sean Christopherson <seanjc@google.com> > --- > arch/x86/kernel/reboot.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c > index 92b380e199a3..20f7bdabc52e 100644 > --- a/arch/x86/kernel/reboot.c > +++ b/arch/x86/kernel/reboot.c > @@ -22,7 +22,6 @@ > #include <asm/reboot_fixups.h> > #include <asm/reboot.h> > #include <asm/pci_x86.h> > -#include <asm/virtext.h> > #include <asm/cpu.h> > #include <asm/nmi.h> > #include <asm/smp.h> > @@ -545,7 +544,7 @@ static void emergency_reboot_disable_virtualization(void) > * Do the NMI shootdown even if virtualization is off on _this_ CPU, as > * other CPUs may have virtualization enabled. > */ > - if (cpu_has_vmx() || cpu_has_svm(NULL)) { > + if (rcu_access_pointer(cpu_emergency_virt_callback)) { > /* Safely force _this_ CPU out of VMX/SVM operation. */ > cpu_emergency_disable_virtualization(); IIUC, for cpu_emergency_disable_virtualization() itself, looks it's OK to not having the pointer check, since it internally will do rcu_dereference() inside RCU critical section anyway. But nmi_shootdown_cpus_on_restart() is called after cpu_emergency_disable_virtualization(), and having the pointer check here can avoid sending NMI to remote cpus if there's no active hypervisor. Am I missing something? If not, is it worth to call this out in changelog? > > -- > 2.40.1.606.ga4b1b128d6-goog >
On Mon, May 22, 2023, Kai Huang wrote: > On Fri, 2023-05-12 at 16:50 -0700, Sean Christopherson wrote: > > Attempt to disable virtualization during an emergency reboot if and only > > if there is a registered virt callback, i.e. iff a hypervisor (KVM) is > > active. If there's no active hypervisor, then the CPU can't be operating > > with VMX or SVM enabled (barring an egregious bug). > > > > Note, IRQs are disabled, which prevents KVM from coming along and enabling > > virtualization after the fact. > > > > Signed-off-by: Sean Christopherson <seanjc@google.com> > > --- > > arch/x86/kernel/reboot.c | 3 +-- > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c > > index 92b380e199a3..20f7bdabc52e 100644 > > --- a/arch/x86/kernel/reboot.c > > +++ b/arch/x86/kernel/reboot.c > > @@ -22,7 +22,6 @@ > > #include <asm/reboot_fixups.h> > > #include <asm/reboot.h> > > #include <asm/pci_x86.h> > > -#include <asm/virtext.h> > > #include <asm/cpu.h> > > #include <asm/nmi.h> > > #include <asm/smp.h> > > @@ -545,7 +544,7 @@ static void emergency_reboot_disable_virtualization(void) > > * Do the NMI shootdown even if virtualization is off on _this_ CPU, as > > * other CPUs may have virtualization enabled. > > */ > > - if (cpu_has_vmx() || cpu_has_svm(NULL)) { > > + if (rcu_access_pointer(cpu_emergency_virt_callback)) { > > /* Safely force _this_ CPU out of VMX/SVM operation. */ > > cpu_emergency_disable_virtualization(); > > > IIUC, for cpu_emergency_disable_virtualization() itself, looks it's OK to not > having the pointer check, since it internally will do rcu_dereference() inside > RCU critical section anyway. > > But nmi_shootdown_cpus_on_restart() is called after > cpu_emergency_disable_virtualization(), and having the pointer check here can > avoid sending NMI to remote cpus if there's no active hypervisor. > > Am I missing something? If not, is it worth to call this out in changelog? No, you're not missing anything. I agree it's worth a line in the changelog. Dropping the "spurious" NMI should be a-ok, but explicitly calling out the side effect could be helpful for debug if something is silently relying on the NMI.
On Mon, 2023-05-22 at 10:51 -0700, Sean Christopherson wrote: > On Mon, May 22, 2023, Kai Huang wrote: > > On Fri, 2023-05-12 at 16:50 -0700, Sean Christopherson wrote: > > > Attempt to disable virtualization during an emergency reboot if and only > > > if there is a registered virt callback, i.e. iff a hypervisor (KVM) is > > > active. If there's no active hypervisor, then the CPU can't be operating > > > with VMX or SVM enabled (barring an egregious bug). > > > > > > Note, IRQs are disabled, which prevents KVM from coming along and enabling > > > virtualization after the fact. > > > > > > Signed-off-by: Sean Christopherson <seanjc@google.com> > > > --- > > > arch/x86/kernel/reboot.c | 3 +-- > > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > > > diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c > > > index 92b380e199a3..20f7bdabc52e 100644 > > > --- a/arch/x86/kernel/reboot.c > > > +++ b/arch/x86/kernel/reboot.c > > > @@ -22,7 +22,6 @@ > > > #include <asm/reboot_fixups.h> > > > #include <asm/reboot.h> > > > #include <asm/pci_x86.h> > > > -#include <asm/virtext.h> > > > #include <asm/cpu.h> > > > #include <asm/nmi.h> > > > #include <asm/smp.h> > > > @@ -545,7 +544,7 @@ static void emergency_reboot_disable_virtualization(void) > > > * Do the NMI shootdown even if virtualization is off on _this_ CPU, as > > > * other CPUs may have virtualization enabled. > > > */ > > > - if (cpu_has_vmx() || cpu_has_svm(NULL)) { > > > + if (rcu_access_pointer(cpu_emergency_virt_callback)) { > > > /* Safely force _this_ CPU out of VMX/SVM operation. */ > > > cpu_emergency_disable_virtualization(); > > > > > > IIUC, for cpu_emergency_disable_virtualization() itself, looks it's OK to not > > having the pointer check, since it internally will do rcu_dereference() inside > > RCU critical section anyway. > > > > But nmi_shootdown_cpus_on_restart() is called after > > cpu_emergency_disable_virtualization(), and having the pointer check here can > > avoid sending NMI to remote cpus if there's no active hypervisor. > > > > Am I missing something? If not, is it worth to call this out in changelog? > > No, you're not missing anything. I agree it's worth a line in the changelog. > Dropping the "spurious" NMI should be a-ok, but explicitly calling out the side > effect could be helpful for debug if something is silently relying on the NMI. Yeah my thinking too. Thanks.
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c index 92b380e199a3..20f7bdabc52e 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -22,7 +22,6 @@ #include <asm/reboot_fixups.h> #include <asm/reboot.h> #include <asm/pci_x86.h> -#include <asm/virtext.h> #include <asm/cpu.h> #include <asm/nmi.h> #include <asm/smp.h> @@ -545,7 +544,7 @@ static void emergency_reboot_disable_virtualization(void) * Do the NMI shootdown even if virtualization is off on _this_ CPU, as * other CPUs may have virtualization enabled. */ - if (cpu_has_vmx() || cpu_has_svm(NULL)) { + if (rcu_access_pointer(cpu_emergency_virt_callback)) { /* Safely force _this_ CPU out of VMX/SVM operation. */ cpu_emergency_disable_virtualization();