From: Alexey Kardashevskiy <aik@amd.com>
To: <kvm@vger.kernel.org>
Cc: <x86@kernel.org>, <linux-kernel@vger.kernel.org>,
Tom Lendacky <thomas.lendacky@amd.com>,
Sean Christopherson <seanjc@google.com>,
"Alexey Kardashevskiy" <aik@amd.com>
Subject: [PATCH kernel 8/9] KVM: SVM: Don't defer NMI unblocking until next exit for SEV-ES guests
Date: Thu, 15 Jun 2023 16:37:56 +1000 [thread overview]
Message-ID: <20230615063757.3039121-9-aik@amd.com> (raw)
In-Reply-To: <20230615063757.3039121-1-aik@amd.com>
From: Sean Christopherson <seanjc@google.com>
Immediately mark NMIs as unmasked in response to #VMGEXIT(NMI complete)
instead of setting awaiting_iret_completion and waiting until the *next*
VM-Exit to unmask NMIs. The whole point of "NMI complete" is that the
guest is responsible for telling the hypervisor when it's safe to inject
an NMI, i.e. there's no need to wait. And because there's no IRET to
single-step, the next VM-Exit could be a long time coming, i.e. KVM could
incorrectly hold an NMI pending for far longer than what is required and
expected.
Opportunistically fix a stale reference to HF_IRET_MASK.
Fixes: 916b54a7688b ("KVM: x86: Move HF_NMI_MASK and HF_IRET_MASK into "struct vcpu_svm"")
Fixes: 4444dfe4050b ("KVM: SVM: Add NMI support for an SEV-ES guest")
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
May be 916b54a7688b is not really necessary to mention to avoid triggering
the stable kernel backporting bot?
---
Changes:
v6:
* new to the series
---
arch/x86/kvm/svm/sev.c | 5 ++++-
arch/x86/kvm/svm/svm.c | 10 +++++-----
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 9c43cbdab022..4a426feab1b8 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2897,7 +2897,10 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu)
svm->sev_es.ghcb_sa);
break;
case SVM_VMGEXIT_NMI_COMPLETE:
- ret = svm_invoke_exit_handler(vcpu, SVM_EXIT_IRET);
+ ++vcpu->stat.nmi_window_exits;
+ svm->nmi_masked = false;
+ kvm_make_request(KVM_REQ_EVENT, vcpu);
+ ret = 1;
break;
case SVM_VMGEXIT_AP_HLT_LOOP:
ret = kvm_emulate_ap_reset_hold(vcpu);
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 1df99e9f8655..52f1d88e82a0 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2548,12 +2548,13 @@ static int iret_interception(struct kvm_vcpu *vcpu)
{
struct vcpu_svm *svm = to_svm(vcpu);
+ WARN_ON_ONCE(sev_es_guest(vcpu->kvm));
+
++vcpu->stat.nmi_window_exits;
svm->awaiting_iret_completion = true;
svm_clr_iret_intercept(svm);
- if (!sev_es_guest(vcpu->kvm))
- svm->nmi_iret_rip = kvm_rip_read(vcpu);
+ svm->nmi_iret_rip = kvm_rip_read(vcpu);
kvm_make_request(KVM_REQ_EVENT, vcpu);
return 1;
@@ -3972,12 +3973,11 @@ static void svm_complete_interrupts(struct kvm_vcpu *vcpu)
svm->soft_int_injected = false;
/*
- * If we've made progress since setting HF_IRET_MASK, we've
+ * If we've made progress since setting awaiting_iret_completion, we've
* executed an IRET and can allow NMI injection.
*/
if (svm->awaiting_iret_completion &&
- (sev_es_guest(vcpu->kvm) ||
- kvm_rip_read(vcpu) != svm->nmi_iret_rip)) {
+ kvm_rip_read(vcpu) != svm->nmi_iret_rip) {
svm->awaiting_iret_completion = false;
svm->nmi_masked = false;
kvm_make_request(KVM_REQ_EVENT, vcpu);
--
2.40.1
next prev parent reply other threads:[~2023-06-15 6:47 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-15 6:37 [PATCH kernel 0/9] KVM: SEV: Enable AMD SEV-ES DebugSwap Alexey Kardashevskiy
2023-06-15 6:37 ` [PATCH kernel 1/9] KVM: SEV: move set_dr_intercepts/clr_dr_intercepts from the header Alexey Kardashevskiy
2023-06-15 6:37 ` [PATCH kernel 2/9] KVM: SEV: Move SEV's GP_VECTOR intercept setup to SEV Alexey Kardashevskiy
2023-06-15 6:37 ` [PATCH kernel 3/9] KVM: SVM: Rewrite sev_es_prepare_switch_to_guest()'s comment about swap types Alexey Kardashevskiy
2023-06-15 6:37 ` [PATCH kernel 4/9] KVM: SEV-ES: explicitly disable debug Alexey Kardashevskiy
2023-06-15 6:37 ` [PATCH kernel 5/9] KVM: SVM/SEV/SEV-ES: Rework intercepts Alexey Kardashevskiy
2023-06-30 21:49 ` Sean Christopherson
2023-07-03 2:01 ` Alexey Kardashevskiy
2023-06-15 6:37 ` [PATCH kernel 6/9] KVM: SEV: Enable data breakpoints in SEV-ES Alexey Kardashevskiy
2023-06-15 6:37 ` [PATCH kernel 7/9] KVM: SEV-ES: Eliminate #DB intercept when DebugSwap enabled Alexey Kardashevskiy
2023-06-15 6:37 ` Alexey Kardashevskiy [this message]
2023-06-15 6:37 ` [PATCH kernel 9/9] KVM: SVM: Don't try to pointlessly single-step SEV-ES guests for NMI window Alexey Kardashevskiy
2023-06-15 7:13 ` [PATCH kernel 0/9 v6] KVM: SEV: Enable AMD SEV-ES DebugSwap Alexey Kardashevskiy
2023-06-23 1:35 ` Alexey Kardashevskiy
2023-06-23 14:19 ` Sean Christopherson
2023-06-30 2:08 ` Alexey Kardashevskiy
2023-06-30 21:52 ` Sean Christopherson
2023-07-20 19:01 ` Alexey Kardashevskiy
2023-07-28 23:49 ` [PATCH kernel 0/9] " Sean Christopherson
2023-07-29 1:57 ` Alexey Kardashevskiy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230615063757.3039121-9-aik@amd.com \
--to=aik@amd.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=seanjc@google.com \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox