Re: [PATCH] KVM: x86: hyper-v: Don't auto-enable stimer during deserialization

[Sean Christopherson <seanjc@google.com>]

I'd prefer the shortlog be more explicit about the write coming from userspace, e.g.

  KVM: x86: hyper-v: Don't auto-enable stimer on write from userspace

A non-zero number of KVM's "deserialization" ioctls are used to stuff state
without a paired "serialization".  I doubt anyone is doing that with the Hyper-V
ioctls, but keeping things consistent is helpful for readers.

On Mon, Oct 16, 2023, Nicolas Saenz Julienne wrote:
> Hi Vitaly,
> 
> On Mon Oct 16, 2023 at 12:14 PM UTC, Vitaly Kuznetsov wrote:
> > Nicolas Saenz Julienne <nsaenz@amazon.com> writes:
> >
> > > By not honoring the 'stimer->config.enable' state during stimer
> > > deserialization we might introduce spurious timer interrupts. For

Avoid pronouns please.

> > > example through the following events:
> > >  - The stimer is configured in auto-enable mode.
> > >  - The stimer's count is set and the timer enabled.
> > >  - The stimer expires, an interrupt is injected.
> > >  - We live migrate the VM.

Same here.  "We" is already ambiguous, because the first usage is largely about
KVM, and the second usage here is much more about userspace and/or the actual
user.

> > >  - The stimer config and count are deserialized, auto-enable is ON, the
> > >    stimer is re-enabled.
> > >  - The stimer expires right away, and injects an unwarranted interrupt.
> > >
> > > So let's not change the stimer's enable state if the MSR write comes
> > > from user-space.

Don't hedge, firmly state what the patch does and why the change is necessary
and correct.  If it turns out the change is wrong, then the follow-up patch can
explain the situation.  But in the happy case where the change is correct, using
language that isn't assertive can result in 

> > > Fixes: 1f4b34f825e8 ("kvm/x86: Hyper-V SynIC timers")

Does this need a?

  Cc: stable@vger.kernel

> > > Signed-off-by: Nicolas Saenz Julienne <nsaenz@amazon.com>
> > > ---
> > >  arch/x86/kvm/hyperv.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
> > > index 7c2dac6824e2..9f1deb6aa131 100644
> > > --- a/arch/x86/kvm/hyperv.c
> > > +++ b/arch/x86/kvm/hyperv.c
> > > @@ -729,7 +729,7 @@ static int stimer_set_count(struct kvm_vcpu_hv_stimer *stimer, u64 count,
> > >       stimer->count = count;
> > >       if (stimer->count == 0)
> > >               stimer->config.enable = 0;
> >
> > Can this branch be problematic too? E.g. if STIMER[X]_CONFIG is
> > deserialized after STIMER[X]_COUNT we may erroneously reset 'enable' to
> > 0, right? In fact, when MSRs are ordered like this:
> >
> > #define HV_X64_MSR_STIMER0_CONFIG               0x400000B0
> > #define HV_X64_MSR_STIMER0_COUNT                0x400000B1
> >
> > I would guess that we always de-serialize 'config' first. With
> > auto-enable, the timer will get enabled when writing 'count' but what
> > happens in other cases?
> >
> > Maybe the whole block needs to go under 'if (!host)' instead?
> 
> In either case, with 'enable == 1' && 'count == 0' we'll reset the timer
> in 'kvm_hv_process_stimers()'. So it's unlikely to cause any weirdness.
> That said, I think covering both cases is more correct. Will send a v2.

Agreed, I think it needs to be all or nothing, i.e. either process all side effects
of writing the count, or don't process any.