From: Chao Gao <chao.gao@intel.com>
To: Sean Christopherson <seanjc@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>, <kvm@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, Like Xu <like.xu.linux@gmail.com>
Subject: Re: [PATCH] KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled
Date: Mon, 4 Nov 2024 10:47:18 +0800 [thread overview]
Message-ID: <Zyg1tkDxNR6N16Ga@intel.com> (raw)
In-Reply-To: <20241031202011.1580522-1-seanjc@google.com>
On Thu, Oct 31, 2024 at 01:20:11PM -0700, Sean Christopherson wrote:
>When getting the current VPID, e.g. to emulate a guest TLB flush, return
>vpid01 if L2 is running but with VPID disabled, i.e. if VPID is disabled
>in vmcs12. Architecturally, if VPID is disabled, then the guest and host
>effectively share VPID=0. KVM emulates this behavior by using vpid01 when
>running an L2 with VPID disabled (see prepare_vmcs02_early_rare()), and so
>KVM must also treat vpid01 as the current VPID while L2 is active.
>
>Unconditionally treating vpid02 as the current VPID when L2 is active
>causes KVM to flush TLB entries for vpid02 instead of vpid01, which
>results in TLB entries from L1 being incorrectly preserved across nested
>VM-Enter to L2 (L2=>L1 isn't problematic, because the TLB flush after
>nested VM-Exit flushes vpid01).
>
>The bug manifests as failures in the vmx_apicv_test KVM-Unit-Test, as KVM
>incorrectly retains TLB entries for the APIC-access page across a nested
>VM-Enter.
>
>Opportunistically add comments at various touchpoints to explain the
>architectural requirements, and also why KVM uses vpid01 instead of vpid02.
>
>All credit goes to Chao, who root caused the issue and identified the fix.
>
>Link: https://lore.kernel.org/all/ZwzczkIlYGX+QXJz@intel.com
>Fixes: 2b4a5a5d5688 ("KVM: nVMX: Flush current VPID (L1 vs. L2) for KVM_REQ_TLB_FLUSH_GUEST")
>Cc: stable@vger.kernel.org
>Cc: Like Xu <like.xu.linux@gmail.com>
>Debugged-by: Chao Gao <chao.gao@intel.com>
>Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Chao Gao <chao.gao@intel.com>
I also ran the vmx_apicv_test KVM-Unit-Test. All failures are gone with this
patch applied. So,
Tested-by: Chao Gao <chao.gao@intel.com>
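A toy C model of the VPID selection this patch corrects, added here as an example and not code from the kernel or from either poster; the tag values, the struct and function names, and the tiny tagged-TLB array are assumptions. It shows that flushing vpid02 while L2 runs with VPID disabled leaves L1's vpid01 entries in place, while the fixed selection flushes them.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed tags: vpid01 is what KVM uses for L1 (and for an L2 whose vmcs12
 * leaves VPID disabled); vpid02 is used only for an L2 with VPID enabled. */
#define VPID01 1
#define VPID02 2
#define MAX_TLB 8
struct vcpu { bool l2_active; bool vmcs12_vpid_enabled; };
struct tlb_entry { uint16_t vpid; uint64_t gva; };
struct tlb { struct tlb_entry e[MAX_TLB]; int n; };
/* Before the fix: vpid02 is "current" whenever L2 is active. */
static uint16_t current_vpid_buggy(const struct vcpu *v) {
	return v->l2_active ? VPID02 : VPID01;
}
/* After the fix: vpid02 only when L2 is active AND vmcs12 enables VPID; with
 * VPID disabled, L1 and L2 architecturally share one tag, so it is vpid01. */
static uint16_t current_vpid_fixed(const struct vcpu *v) {
	return (v->l2_active && v->vmcs12_vpid_enabled) ? VPID02 : VPID01;
}
static void tlb_insert(struct tlb *t, uint16_t vpid, uint64_t gva) {
	if (t->n < MAX_TLB)
		t->e[t->n++] = (struct tlb_entry){ vpid, gva };
}
/* Drop every cached translation tagged with @vpid. */
static void tlb_flush_vpid(struct tlb *t, uint16_t vpid) {
	int kept = 0;
	for (int i = 0; i < t->n; i++)
		if (t->e[i].vpid != vpid) t->e[kept++] = t->e[i];
	t->n = kept;
}
static bool tlb_has(const struct tlb *t, uint16_t vpid, uint64_t gva) {
	for (int i = 0; i < t->n; i++)
		if (t->e[i].vpid == vpid && t->e[i].gva == gva) return true;
	return false;
}
/* L1 caches a translation under vpid01, then nested VM-Enter to an L2 with
 * VPID disabled in vmcs12; KVM flushes the "current" VPID. Returns true if
 * L1's entry survives into L2, which also runs tagged vpid01 (the bug). */
static bool stale_l1_entry_survives(uint16_t (*current_vpid)(const struct vcpu *)) {
	struct tlb t = { .n = 0 };
	struct vcpu v = { .l2_active = false, .vmcs12_vpid_enabled = false };
	uint64_t gva = 0x7f0000001000ULL;       /* constructed sample address */
	tlb_insert(&t, current_vpid(&v), gva);  /* L1 running: tagged vpid01 */
	v.l2_active = true;                     /* nested VM-Enter, VPID off */
	tlb_flush_vpid(&t, current_vpid(&v));   /* KVM_REQ_TLB_FLUSH_GUEST */
	return tlb_has(&t, VPID01, gva);
}
```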