Re: [RFC PATCH v2 12/23] KVM: x86/mmu: Introduce kvm_split_cross_boundary_leafs()

["Huang, Kai" <kai.huang@intel.com>]

On Fri, 2025-11-14 at 14:09 +0800, Yan Zhao wrote:
> On Thu, Nov 13, 2025 at 07:02:59PM +0800, Huang, Kai wrote:
> > On Thu, 2025-11-13 at 16:54 +0800, Yan Zhao wrote:
> > > On Tue, Nov 11, 2025 at 06:42:55PM +0800, Huang, Kai wrote:
> > > > On Thu, 2025-08-07 at 17:43 +0800, Yan Zhao wrote:
> > > > >  static int tdp_mmu_split_huge_pages_root(struct kvm *kvm,
> > > > >  					 struct kvm_mmu_page *root,
> > > > >  					 gfn_t start, gfn_t end,
> > > > > -					 int target_level, bool shared)
> > > > > +					 int target_level, bool shared,
> > > > > +					 bool only_cross_bounday, bool *flush)
> > > > >  {
> > > > >  	struct kvm_mmu_page *sp = NULL;
> > > > >  	struct tdp_iter iter;
> > > > > @@ -1589,6 +1596,13 @@ static int tdp_mmu_split_huge_pages_root(struct kvm *kvm,
> > > > >  	 * level into one lower level. For example, if we encounter a 1GB page
> > > > >  	 * we split it into 512 2MB pages.
> > > > >  	 *
> > > > > +	 * When only_cross_bounday is true, just split huge pages above the
> > > > > +	 * target level into one lower level if the huge pages cross the start
> > > > > +	 * or end boundary.
> > > > > +	 *
> > > > > +	 * No need to update @flush for !only_cross_bounday cases, which rely
> > > > > +	 * on the callers to do the TLB flush in the end.
> > > > > +	 *
> > > > 
> > > > s/only_cross_bounday/only_cross_boundary
> > > > 
> > > > From tdp_mmu_split_huge_pages_root()'s perspective, it's quite odd to only
> > > > update 'flush' when 'only_cross_bounday' is true, because
> > > > 'only_cross_bounday' can only results in less splitting.
> > > I have to say it's a reasonable point.
> > > 
> > > > I understand this is because splitting S-EPT mapping needs flush (at least
> > > > before non-block DEMOTE is implemented?).  Would it better to also let the
> > > Actually the flush is only required for !TDX cases.
> > > 
> > > For TDX, either the flush has been performed internally within
> > > tdx_sept_split_private_spt() 
> > > 
> > 
> > AFAICT tdx_sept_split_private_spt() only does tdh_mem_track(), so KVM should
> > still kick all vCPUs out of guest mode so other vCPUs can actually flush the
> > TLB?
> tdx_sept_split_private_spt() actually invokes tdx_track(), which performs the
> kicking off all vCPUs by invoking
> "kvm_make_all_cpus_request(kvm, KVM_REQ_OUTSIDE_GUEST_MODE)".

Oh thanks for the reminder.

Then I am kinda confused why do you need to return @flush, especially when
'only_cross_boundary' is true which is for TDX case?

So step back to where why this 'flush' is needed to be returned:

- For TDX ('only_cross_boundary == true'):

The caller doesn't need to flush TLB because it has already been done when huge
page is actually split.

- For non-TDX case ('only_cross_boundary == false'):

AFAICT the only user of tdp_mmu_split_huge_pages_root() is "eager hugepage
splitting" during log-dirty.  And per per the current implementation there are
two callers of tdp_mmu_split_huge_pages_root():

  kvm_mmu_try_split_huge_pages()
  kvm_mmu_slot_try_split_huge_pages()

But they are both void functions which neither return whether flush TLB is
needed, nor do TLB flush internally.

So I am kinda confused.

Perhaps you mean for "shared memory of TDX guest", the caller will also pass
'only_cross_boundary == true' and the caller needs to perform TLB flush?

[...]

> > 
> > Something like below:
> > 
> > @@ -1558,7 +1558,9 @@ static int tdp_mmu_split_huge_page(struct kvm *kvm, struct
> > tdp_iter *iter,
> >  static int tdp_mmu_split_huge_pages_root(struct kvm *kvm,
> >                                          struct kvm_mmu_page *root,
> >                                          gfn_t start, gfn_t end,
> > -                                        int target_level, bool shared)
> > +                                        int target_level, bool shared,
> > +                                        bool only_cross_boundary,
> > +                                        bool *split)
> >  {
> >         struct kvm_mmu_page *sp = NULL;
> >         struct tdp_iter iter;
> > @@ -1584,6 +1586,9 @@ static int tdp_mmu_split_huge_pages_root(struct kvm *kvm,
> >                 if (!is_shadow_present_pte(iter.old_spte) ||
> > !is_large_pte(iter.old_spte))
> >                         continue;
> >  
> > +               if (only_cross_boundary && !iter_cross_boundary(&iter, start,
> > end))
> > +                       continue;
> > +
> >                 if (!sp) {
> >                         rcu_read_unlock();
> >  
> > @@ -1618,6 +1623,7 @@ static int tdp_mmu_split_huge_pages_root(struct kvm *kvm,
> >                         goto retry;
> >  
> >                 sp = NULL;
> > +               *split = true;
> >         }
> >  
> >         rcu_read_unlock();
> This looks more reasonable for tdp_mmu_split_huge_pages_root();
> 
> Given that splitting only adds a new page to the paging structure (unlike page
> merging), I currently can't think of any current use cases that would be broken
> by the lack of TLB flush before tdp_mmu_iter_cond_resched() releases the
> mmu_lock.
> 
> This is because:
> 1) if the split is triggered in a fault path, the hardware shouldn't have cached
>    the old huge translation.
> 2) if the split is triggered in a zap or convert path,
>    - there shouldn't be concurrent faults on the range due to the protection of
>      mmu_invalidate_range*.
>    - for concurrent splits on the same range, though the other vCPUs may
>      temporally see stale huge TLB entries after they believe they have
>      performed a split, they will be kicked off to flush the cache soon after
>      tdp_mmu_split_huge_pages_root() returns in the first vCPU/host thread.
>      This should be acceptable since I don't see any special guest needs that
>      rely on pure splits.

Perhaps we should just go straight to the point:

  What does "hugepage split" do, and what's the consequence of not flushing TLB.

Per make_small_spte(), the new child PTEs will carry all bits of hugepage PTE
except they clear the 'hugepage bit (obviously)', and set the 'X' bit for NX
hugepage thing.

That means if we leave the stale hugepage TLB, the CPU is still able to find the
correct PFN and AFAICT there shouldn't be any other problem here.  For any fault
due to the stale hugepage TLB missing the 'X' permission, AFAICT KVM will just
treat this as a spurious fault, which isn't nice but should have no harm.

> 
> So I tend to agree with your suggestion though the implementation in this patch
> is safer.

I am perhaps still missing something, as I am still trying to precisely
understand in what cases you want to flush TLB when splitting hugepage.

I kinda tend to think you eventually want to flush TLB because eventually you
want to _ZAP_.  But needing to flush due to zap and needing to flush due to
split is kinda different I think.