| Message ID | 20231016095217.37574-1-nsaenz@amazon.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:2908:b0:403:3b70:6f57 with SMTP id
ib8csp3346383vqb;
Mon, 16 Oct 2023 02:53:07 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IEgWVRiSowJe0birdvFZEInI4MOzaTgtWpnlaWGSavgBDFkVo4dawKyQSq6IdP8iqLLnyot
X-Received: by 2002:a05:6a20:3d04:b0:13d:d5bd:758f with SMTP id
y4-20020a056a203d0400b0013dd5bd758fmr41535482pzi.6.1697449986926;
Mon, 16 Oct 2023 02:53:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1697449986; cv=none;
d=google.com; s=arc-20160816;
b=pglvn0QcuFU+91oMDVHOfgPyesLhka/yBqqP8SUNQNV/Ryg2KUp1scUM9XrNu0H8vP
sgU+3y+OGCRvSD7wnioVzABEXXsRxuQxJfd7UMq0JNF6HqHsKKBUdQ+RGPmEamelWYl1
V67/3lx1tZf+NKI/kJR0dVbIcguVO62owAuYU4xR5Wo7CsMDd/eA+MgLSArR2XIshvNq
mhw7c7YYaqfoPMRqyaYG4m724G/xjD0Jxx3MR65XAlBgEJDqivDfYTbfdEPsHWd34F/Y
g/gT2RJMDj18j5ghz0t60JRwbYpw1aXQW5Xu6Vqde8zq/HrWhoJVkAA5yJRFrhw2zt1P
mD9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=ButIDiCErNxytD4vraOH8UFxC3RVH0U5V+UvXPw1a7g=;
fh=cbrnfej6n378P8uwLXfnJsTsOQkap1sIIK+NjSDLE94=;
b=SiKQvhT12jMY5MGb2S/K/gY89r+JNBJ8Xo02zXqIhvsYQrwRyy4XHSu4SiAN33Jrc4
HuJa/4ufjBtppnWZMfnHhXVE7+l79UHZC3+QQcpiHNfMlMS3TKja9L0CtaOcRx/i1xjk
G+Z+Tnc4TB4ARUMk29ozAB3qVp8kTrqK9HEVL+7yZR8CogRX6akkAQ+HvwKEh8T0Icir
szfqsB/Ud1gtValRdQrYp41zIxWc5bA/AdGUJv3nZ266wcj52vR0Ev57djU/pc4Wc7O5
oVGYSyVN033I59cOQdWXzAbjxtvKFrJi5jGp2z2CpQhzSek4GRZ+DCApoAWWUOiq3Zot
En/Q==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@amazon.com header.s=amazon201209
header.b="Ssiejja/";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:1 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com
Received: from morse.vger.email (morse.vger.email. [2620:137:e000::3:1])
by mx.google.com with ESMTPS id
y15-20020a17090322cf00b001bb993caaedsi9199810plg.173.2023.10.16.02.53.06
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 16 Oct 2023 02:53:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:1 as permitted sender)
client-ip=2620:137:e000::3:1;
Authentication-Results: mx.google.com;
dkim=pass header.i=@amazon.com header.s=amazon201209
header.b="Ssiejja/";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:1 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by morse.vger.email (Postfix) with ESMTP id CD57F80B908A;
Mon, 16 Oct 2023 02:53:03 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230219AbjJPJwy (ORCPT <rfc822;hjfbswb@gmail.com> + 18 others);
Mon, 16 Oct 2023 05:52:54 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54806 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231364AbjJPJww (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 16 Oct 2023 05:52:52 -0400
Received: from smtp-fw-6002.amazon.com (smtp-fw-6002.amazon.com [52.95.49.90])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6FB64EB;
Mon, 16 Oct 2023 02:52:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209;
t=1697449971; x=1728985971;
h=from:to:cc:subject:date:message-id:mime-version:
content-transfer-encoding;
bh=ButIDiCErNxytD4vraOH8UFxC3RVH0U5V+UvXPw1a7g=;
b=Ssiejja/hK38qWRE9SUEsp772LG8ICprq7eIsIphbjiqmYRc6eM7uGIg
fqcXkPLKHKOdm9hNoKOg1DfgKXEZG06Wj3Uz9+fbLsgnDU/IyW2uwHYf0
kw+tlTziA9nbb/bjX3sCs1bRdv1H51AsVYgVCoXDjvykENq2sQ6yRYovt
4=;
X-IronPort-AV: E=Sophos;i="6.03,229,1694736000";
d="scan'208";a="362070535"
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO
email-inbound-relay-iad-1e-m6i4x-529f0975.us-east-1.amazon.com) ([10.43.8.6])
by smtp-border-fw-6002.iad6.amazon.com with
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Oct 2023 09:52:37 +0000
Received: from EX19D004EUC001.ant.amazon.com
(iad55-ws-svc-p15-lb9-vlan2.iad.amazon.com [10.40.159.162])
by email-inbound-relay-iad-1e-m6i4x-529f0975.us-east-1.amazon.com
(Postfix) with ESMTPS id 0DFED487FA;
Mon, 16 Oct 2023 09:52:33 +0000 (UTC)
Received: from dev-dsk-nsaenz-1b-189b39ae.eu-west-1.amazon.com (10.13.235.138)
by EX19D004EUC001.ant.amazon.com (10.252.51.190) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.2.1118.37; Mon, 16 Oct 2023 09:52:29 +0000
From: Nicolas Saenz Julienne <nsaenz@amazon.com>
To: <kvm@vger.kernel.org>
CC: <vkuznets@redhat.com>, <seanjc@google.com>, <pbonzini@redhat.com>,
<tglx@linutronix.de>, <mingo@redhat.com>, <bp@alien8.de>,
<dave.hansen@linux.intel.com>, <x86@kernel.org>, <hpa@zytor.com>,
<graf@amazon.de>, <rkagan@amazon.de>,
<linux-kernel@vger.kernel.org>,
Nicolas Saenz Julienne <nsaenz@amazon.com>
Subject: [PATCH] KVM: x86: hyper-v: Don't auto-enable stimer during
deserialization
Date: Mon, 16 Oct 2023 09:52:17 +0000
Message-ID: <20231016095217.37574-1-nsaenz@amazon.com>
X-Mailer: git-send-email 2.40.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Originating-IP: [10.13.235.138]
X-ClientProxiedBy: EX19D037UWC003.ant.amazon.com (10.13.139.231) To
EX19D004EUC001.ant.amazon.com (10.252.51.190)
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]);
Mon, 16 Oct 2023 02:53:03 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1779905317498833042
X-GMAIL-MSGID: 1779905317498833042
|
| Series |
KVM: x86: hyper-v: Don't auto-enable stimer during deserialization
|
|
Commit Message
Nicolas Saenz Julienne
Oct. 16, 2023, 9:52 a.m. UTC
By not honoring the 'stimer->config.enable' state during stimer
deserialization we might introduce spurious timer interrupts. For
example through the following events:
- The stimer is configured in auto-enable mode.
- The stimer's count is set and the timer enabled.
- The stimer expires, an interrupt is injected.
- We live migrate the VM.
- The stimer config and count are deserialized, auto-enable is ON, the
stimer is re-enabled.
- The stimer expires right away, and injects an unwarranted interrupt.
So let's not change the stimer's enable state if the MSR write comes
from user-space.
Fixes: 1f4b34f825e8 ("kvm/x86: Hyper-V SynIC timers")
Signed-off-by: Nicolas Saenz Julienne <nsaenz@amazon.com>
---
arch/x86/kvm/hyperv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
Nicolas Saenz Julienne <nsaenz@amazon.com> writes: > By not honoring the 'stimer->config.enable' state during stimer > deserialization we might introduce spurious timer interrupts. For > example through the following events: > - The stimer is configured in auto-enable mode. > - The stimer's count is set and the timer enabled. > - The stimer expires, an interrupt is injected. > - We live migrate the VM. > - The stimer config and count are deserialized, auto-enable is ON, the > stimer is re-enabled. > - The stimer expires right away, and injects an unwarranted interrupt. > > So let's not change the stimer's enable state if the MSR write comes > from user-space. > > Fixes: 1f4b34f825e8 ("kvm/x86: Hyper-V SynIC timers") > Signed-off-by: Nicolas Saenz Julienne <nsaenz@amazon.com> > --- > arch/x86/kvm/hyperv.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c > index 7c2dac6824e2..9f1deb6aa131 100644 > --- a/arch/x86/kvm/hyperv.c > +++ b/arch/x86/kvm/hyperv.c > @@ -729,7 +729,7 @@ static int stimer_set_count(struct kvm_vcpu_hv_stimer *stimer, u64 count, > stimer->count = count; > if (stimer->count == 0) > stimer->config.enable = 0; Can this branch be problematic too? E.g. if STIMER[X]_CONFIG is deserialized after STIMER[X]_COUNT we may erroneously reset 'enable' to 0, right? In fact, when MSRs are ordered like this: #define HV_X64_MSR_STIMER0_CONFIG 0x400000B0 #define HV_X64_MSR_STIMER0_COUNT 0x400000B1 I would guess that we always de-serialize 'config' first. With auto-enable, the timer will get enabled when writing 'count' but what happens in other cases? Maybe the whole block needs to go under 'if (!host)' instead? > - else if (stimer->config.auto_enable) > + else if (stimer->config.auto_enable && !host) > stimer->config.enable = 1; > > if (stimer->config.enable)
Hi Vitaly, On Mon Oct 16, 2023 at 12:14 PM UTC, Vitaly Kuznetsov wrote: > Nicolas Saenz Julienne <nsaenz@amazon.com> writes: > > > By not honoring the 'stimer->config.enable' state during stimer > > deserialization we might introduce spurious timer interrupts. For > > example through the following events: > > - The stimer is configured in auto-enable mode. > > - The stimer's count is set and the timer enabled. > > - The stimer expires, an interrupt is injected. > > - We live migrate the VM. > > - The stimer config and count are deserialized, auto-enable is ON, the > > stimer is re-enabled. > > - The stimer expires right away, and injects an unwarranted interrupt. > > > > So let's not change the stimer's enable state if the MSR write comes > > from user-space. > > > > Fixes: 1f4b34f825e8 ("kvm/x86: Hyper-V SynIC timers") > > Signed-off-by: Nicolas Saenz Julienne <nsaenz@amazon.com> > > --- > > arch/x86/kvm/hyperv.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c > > index 7c2dac6824e2..9f1deb6aa131 100644 > > --- a/arch/x86/kvm/hyperv.c > > +++ b/arch/x86/kvm/hyperv.c > > @@ -729,7 +729,7 @@ static int stimer_set_count(struct kvm_vcpu_hv_stimer *stimer, u64 count, > > stimer->count = count; > > if (stimer->count == 0) > > stimer->config.enable = 0; > > Can this branch be problematic too? E.g. if STIMER[X]_CONFIG is > deserialized after STIMER[X]_COUNT we may erroneously reset 'enable' to > 0, right? In fact, when MSRs are ordered like this: > > #define HV_X64_MSR_STIMER0_CONFIG 0x400000B0 > #define HV_X64_MSR_STIMER0_COUNT 0x400000B1 > > I would guess that we always de-serialize 'config' first. With > auto-enable, the timer will get enabled when writing 'count' but what > happens in other cases? > > Maybe the whole block needs to go under 'if (!host)' instead? In either case, with 'enable == 1' && 'count == 0' we'll reset the timer in 'kvm_hv_process_stimers()'. So it's unlikely to cause any weirdness. That said, I think covering both cases is more correct. Will send a v2. Nicolas
I'd prefer the shortlog be more explicit about the write coming from userspace, e.g. KVM: x86: hyper-v: Don't auto-enable stimer on write from userspace A non-zero number of KVM's "deserialization" ioctls are used to stuff state without a paired "serialization". I doubt anyone is doing that with the Hyper-V ioctls, but keeping things consistent is helpful for readers. On Mon, Oct 16, 2023, Nicolas Saenz Julienne wrote: > Hi Vitaly, > > On Mon Oct 16, 2023 at 12:14 PM UTC, Vitaly Kuznetsov wrote: > > Nicolas Saenz Julienne <nsaenz@amazon.com> writes: > > > > > By not honoring the 'stimer->config.enable' state during stimer > > > deserialization we might introduce spurious timer interrupts. For Avoid pronouns please. > > > example through the following events: > > > - The stimer is configured in auto-enable mode. > > > - The stimer's count is set and the timer enabled. > > > - The stimer expires, an interrupt is injected. > > > - We live migrate the VM. Same here. "We" is already ambiguous, because the first usage is largely about KVM, and the second usage here is much more about userspace and/or the actual user. > > > - The stimer config and count are deserialized, auto-enable is ON, the > > > stimer is re-enabled. > > > - The stimer expires right away, and injects an unwarranted interrupt. > > > > > > So let's not change the stimer's enable state if the MSR write comes > > > from user-space. Don't hedge, firmly state what the patch does and why the change is necessary and correct. If it turns out the change is wrong, then the follow-up patch can explain the situation. But in the happy case where the change is correct, using language that isn't assertive can result in > > > Fixes: 1f4b34f825e8 ("kvm/x86: Hyper-V SynIC timers") Does this need a? Cc: stable@vger.kernel > > > Signed-off-by: Nicolas Saenz Julienne <nsaenz@amazon.com> > > > --- > > > arch/x86/kvm/hyperv.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c > > > index 7c2dac6824e2..9f1deb6aa131 100644 > > > --- a/arch/x86/kvm/hyperv.c > > > +++ b/arch/x86/kvm/hyperv.c > > > @@ -729,7 +729,7 @@ static int stimer_set_count(struct kvm_vcpu_hv_stimer *stimer, u64 count, > > > stimer->count = count; > > > if (stimer->count == 0) > > > stimer->config.enable = 0; > > > > Can this branch be problematic too? E.g. if STIMER[X]_CONFIG is > > deserialized after STIMER[X]_COUNT we may erroneously reset 'enable' to > > 0, right? In fact, when MSRs are ordered like this: > > > > #define HV_X64_MSR_STIMER0_CONFIG 0x400000B0 > > #define HV_X64_MSR_STIMER0_COUNT 0x400000B1 > > > > I would guess that we always de-serialize 'config' first. With > > auto-enable, the timer will get enabled when writing 'count' but what > > happens in other cases? > > > > Maybe the whole block needs to go under 'if (!host)' instead? > > In either case, with 'enable == 1' && 'count == 0' we'll reset the timer > in 'kvm_hv_process_stimers()'. So it's unlikely to cause any weirdness. > That said, I think covering both cases is more correct. Will send a v2. Agreed, I think it needs to be all or nothing, i.e. either process all side effects of writing the count, or don't process any.
Hi Sean, On Mon Oct 16, 2023 at 4:27 PM UTC, Sean Christopherson wrote: > I'd prefer the shortlog be more explicit about the write coming from userspace, e.g. > > KVM: x86: hyper-v: Don't auto-enable stimer on write from userspace > > A non-zero number of KVM's "deserialization" ioctls are used to stuff state > without a paired "serialization". I doubt anyone is doing that with the Hyper-V > ioctls, but keeping things consistent is helpful for readers. > > On Mon, Oct 16, 2023, Nicolas Saenz Julienne wrote: > > Hi Vitaly, > > > > On Mon Oct 16, 2023 at 12:14 PM UTC, Vitaly Kuznetsov wrote: > > > Nicolas Saenz Julienne <nsaenz@amazon.com> writes: > > > > > > > By not honoring the 'stimer->config.enable' state during stimer > > > > deserialization we might introduce spurious timer interrupts. For > > Avoid pronouns please. > > > > > example through the following events: > > > > - The stimer is configured in auto-enable mode. > > > > - The stimer's count is set and the timer enabled. > > > > - The stimer expires, an interrupt is injected. > > > > - We live migrate the VM. > > Same here. "We" is already ambiguous, because the first usage is largely about > KVM, and the second usage here is much more about userspace and/or the actual > user. > > > > > - The stimer config and count are deserialized, auto-enable is ON, the > > > > stimer is re-enabled. > > > > - The stimer expires right away, and injects an unwarranted interrupt. > > > > > > > > So let's not change the stimer's enable state if the MSR write comes > > > > from user-space. > > Don't hedge, firmly state what the patch does and why the change is necessary > and correct. If it turns out the change is wrong, then the follow-up patch can > explain the situation. But in the happy case where the change is correct, using > language that isn't assertive can result in > > > > > Fixes: 1f4b34f825e8 ("kvm/x86: Hyper-V SynIC timers") > > Does this need a? > > Cc: stable@vger.kernel Your reply raced with my v2. I'll rework the commit message, and send a third revision. Nicolas
diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c index 7c2dac6824e2..9f1deb6aa131 100644 --- a/arch/x86/kvm/hyperv.c +++ b/arch/x86/kvm/hyperv.c @@ -729,7 +729,7 @@ static int stimer_set_count(struct kvm_vcpu_hv_stimer *stimer, u64 count, stimer->count = count; if (stimer->count == 0) stimer->config.enable = 0; - else if (stimer->config.auto_enable) + else if (stimer->config.auto_enable && !host) stimer->config.enable = 1; if (stimer->config.enable)