From: Sean Christopherson <seanjc@google.com>
To: Marc Zyngier <maz@kernel.org>,
Oliver Upton <oliver.upton@linux.dev>,
Tianrui Zhao <zhaotianrui@loongson.cn>,
Bibo Mao <maobibo@loongson.cn>,
Huacai Chen <chenhuacai@kernel.org>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Anup Patel <anup@brainfault.org>, Paul Walmsley <pjw@kernel.org>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Janosch Frank <frankja@linux.ibm.com>,
Claudio Imbrenda <imbrenda@linux.ibm.com>,
Sean Christopherson <seanjc@google.com>,
Paolo Bonzini <pbonzini@redhat.com>,
"Kirill A. Shutemov" <kas@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
kvm@vger.kernel.org, loongarch@lists.linux.dev,
linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
kvm-riscv@lists.infradead.org, linux-riscv@lists.infradead.org,
x86@kernel.org, linux-coco@lists.linux.dev,
linux-kernel@vger.kernel.org, Ira Weiny <ira.weiny@intel.com>,
Kai Huang <kai.huang@intel.com>,
Binbin Wu <binbin.wu@linux.intel.com>,
Michael Roth <michael.roth@amd.com>,
Yan Zhao <yan.y.zhao@intel.com>,
Vishal Annapurve <vannapurve@google.com>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Ackerley Tng <ackerleytng@google.com>
Subject: [PATCH v4 00/28] KVM: x86/mmu: TDX post-populate cleanups
Date: Thu, 30 Oct 2025 13:09:23 -0700 [thread overview]
Message-ID: <20251030200951.3402865-1-seanjc@google.com> (raw)
Non-x86 folks, as with v3, patches 1 and 2 are likely the only thing of
interest here. They make kvm_arch_vcpu_async_ioctl() mandatory and then
rename it to kvm_arch_vcpu_unlocked_ioctl().
As for the x86 side...
Clean up the TDX post-populate paths (and many tangentially related paths) to
address locking issues between gmem and TDX's post-populate hook[*], and
within KVM itself (KVM doesn't ensure full mutual exclusivity between paths
that for all intents and purposes the TDX-Module requires to be serialized).
I apologize if I missed any trailers or feedback, I think I got everything...
[*] http://lore.kernel.org/all/aG_pLUlHdYIZ2luh@google.com
v4:
- Collect reviews/acks.
- Add a lockdep assertion in kvm_tdp_mmu_map_private_pfn(). [Yan]
- Wrap kvm_tdp_mmu_map_private_pfn() with CONFIG_KVM_GUEST_MEMFD=y. [test bot]
- Improve (or add) comments. [Kai, and probably others]
- s/spte/mirror_spte to make it clear what's being passed in
- Update set_external_spte() to take @mirror_spte as well. [Yan]
- Move the KVM_BUG_ON() on tdh_mr_extend() failure to the end. [Rick]
- Take "all" the locks in tdx_vm_ioctl(). [Kai]
- WARN if KVM attempts to map SPTEs into an invalid root. [Yan]
- Use tdx_flush_vp_on_cpu() instead of tdx_disassociate_vp() when freeing
a vCPU in VCPU_TD_STATE_UNINITIALIZED state. [Yan]
v3:
- https://lore.kernel.org/all/20251017003244.186495-1-seanjc@google.com
- Collect more reviews.
- Add the async_ioctl() => unlocked_ioctl() patches, and use the "unlocked"
variant in the TDX vCPU sub-ioctls so they can take kvm->lock outside of
vcpu->mutex.
- Add a patch to document that vcpu->mutex is taken *outside* kvm->slots_lock.
- Add the tdx_vm_state_guard CLASS() to take kvm->lock, all vcpu->mutex locks,
and kvm->slots_lock, in order to make tdx_td_init(), tdx_td_finalize(),
tdx_vcpu_init_mem_region(), and tdx_vcpu_init() mutually exclusive with
each other, and mutually exclusvie with basically anything that can result
in contending one of the TDX-Module locks (can't remember which one).
- Refine the changelog for the "Drop PROVE_MMU=y" patch. [Binbin]
v2:
- Collect a few reviews (and ignore some because the patches went away).
[Rick, Kai, Ira]
- Move TDH_MEM_PAGE_ADD under mmu_lock and drop nr_premapped. [Yan, Rick]
- Force max_level = PG_LEVEL_4K straightaway. [Yan]
- s/kvm_tdp_prefault_page/kvm_tdp_page_prefault. [Rick]
- Use Yan's version of "Say no to pinning!". [Yan, Rick]
- Tidy up helpers and macros to reduce boilerplate and copy+pate code, and
to eliminate redundant/dead code (e.g. KVM_BUG_ON() the same error
multiple times).
- KVM_BUG_ON() if TDH_MR_EXTEND fails (I convinced myself it can't).
v1: https://lore.kernel.org/all/20250827000522.4022426-1-seanjc@google.com
Sean Christopherson (26):
KVM: Make support for kvm_arch_vcpu_async_ioctl() mandatory
KVM: Rename kvm_arch_vcpu_async_ioctl() to
kvm_arch_vcpu_unlocked_ioctl()
KVM: TDX: Drop PROVE_MMU=y sanity check on to-be-populated mappings
KVM: x86/mmu: Add dedicated API to map guest_memfd pfn into TDP MMU
KVM: x86/mmu: WARN if KVM attempts to map into an invalid TDP MMU root
Revert "KVM: x86/tdp_mmu: Add a helper function to walk down the TDP
MMU"
KVM: x86/mmu: Rename kvm_tdp_map_page() to kvm_tdp_page_prefault()
KVM: TDX: Return -EIO, not -EINVAL, on a KVM_BUG_ON() condition
KVM: TDX: Fold tdx_sept_drop_private_spte() into
tdx_sept_remove_private_spte()
KVM: x86/mmu: Drop the return code from
kvm_x86_ops.remove_external_spte()
KVM: TDX: WARN if mirror SPTE doesn't have full RWX when creating
S-EPT mapping
KVM: TDX: Avoid a double-KVM_BUG_ON() in tdx_sept_zap_private_spte()
KVM: TDX: Use atomic64_dec_return() instead of a poor equivalent
KVM: TDX: Fold tdx_mem_page_record_premap_cnt() into its sole caller
KVM: TDX: ADD pages to the TD image while populating mirror EPT
entries
KVM: TDX: Fold tdx_sept_zap_private_spte() into
tdx_sept_remove_private_spte()
KVM: TDX: Combine KVM_BUG_ON + pr_tdx_error() into TDX_BUG_ON()
KVM: TDX: Derive error argument names from the local variable names
KVM: TDX: Assert that mmu_lock is held for write when removing S-EPT
entries
KVM: TDX: Add macro to retry SEAMCALLs when forcing vCPUs out of guest
KVM: TDX: Add tdx_get_cmd() helper to get and validate sub-ioctl
command
KVM: TDX: Convert INIT_MEM_REGION and INIT_VCPU to "unlocked" vCPU
ioctl
KVM: TDX: Use guard() to acquire kvm->lock in tdx_vm_ioctl()
KVM: TDX: Don't copy "cmd" back to userspace for KVM_TDX_CAPABILITIES
KVM: TDX: Guard VM state transitions with "all" the locks
KVM: TDX: Bug the VM if extending the initial measurement fails
Yan Zhao (2):
KVM: TDX: Drop superfluous page pinning in S-EPT management
KVM: TDX: Fix list_add corruption during vcpu_load()
arch/arm64/kvm/arm.c | 6 +
arch/loongarch/kvm/Kconfig | 1 -
arch/loongarch/kvm/vcpu.c | 4 +-
arch/mips/kvm/Kconfig | 1 -
arch/mips/kvm/mips.c | 4 +-
arch/powerpc/kvm/Kconfig | 1 -
arch/powerpc/kvm/powerpc.c | 4 +-
arch/riscv/kvm/Kconfig | 1 -
arch/riscv/kvm/vcpu.c | 4 +-
arch/s390/kvm/Kconfig | 1 -
arch/s390/kvm/kvm-s390.c | 4 +-
arch/x86/include/asm/kvm-x86-ops.h | 1 +
arch/x86/include/asm/kvm_host.h | 7 +-
arch/x86/kvm/mmu.h | 3 +-
arch/x86/kvm/mmu/mmu.c | 87 +++-
arch/x86/kvm/mmu/tdp_mmu.c | 50 +--
arch/x86/kvm/vmx/main.c | 9 +
arch/x86/kvm/vmx/tdx.c | 659 ++++++++++++++---------------
arch/x86/kvm/vmx/tdx.h | 8 +-
arch/x86/kvm/vmx/x86_ops.h | 1 +
arch/x86/kvm/x86.c | 13 +
include/linux/kvm_host.h | 14 +-
virt/kvm/Kconfig | 3 -
virt/kvm/kvm_main.c | 6 +-
24 files changed, 468 insertions(+), 424 deletions(-)
base-commit: 4cc167c50eb19d44ac7e204938724e685e3d8057
--
2.51.1.930.gacf6e81ea2-goog
next reply other threads:[~2025-10-30 20:09 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-30 20:09 Sean Christopherson [this message]
2025-10-30 20:09 ` [PATCH v4 01/28] KVM: Make support for kvm_arch_vcpu_async_ioctl() mandatory Sean Christopherson
2025-10-30 20:09 ` [PATCH v4 02/28] KVM: Rename kvm_arch_vcpu_async_ioctl() to kvm_arch_vcpu_unlocked_ioctl() Sean Christopherson
2025-10-30 20:09 ` [PATCH v4 03/28] KVM: TDX: Drop PROVE_MMU=y sanity check on to-be-populated mappings Sean Christopherson
2025-10-30 20:09 ` [PATCH v4 04/28] KVM: x86/mmu: Add dedicated API to map guest_memfd pfn into TDP MMU Sean Christopherson
2025-10-31 7:58 ` Binbin Wu
2025-10-30 20:09 ` [PATCH v4 05/28] KVM: x86/mmu: WARN if KVM attempts to map into an invalid TDP MMU root Sean Christopherson
2025-10-30 22:17 ` Huang, Kai
2025-10-30 20:09 ` [PATCH v4 06/28] Revert "KVM: x86/tdp_mmu: Add a helper function to walk down the TDP MMU" Sean Christopherson
2025-10-30 20:09 ` [PATCH v4 07/28] KVM: x86/mmu: Rename kvm_tdp_map_page() to kvm_tdp_page_prefault() Sean Christopherson
2025-10-30 20:09 ` [PATCH v4 08/28] KVM: TDX: Drop superfluous page pinning in S-EPT management Sean Christopherson
2025-10-31 8:29 ` Yan Zhao
2025-10-31 17:12 ` Sean Christopherson
2025-10-30 20:09 ` [PATCH v4 09/28] KVM: TDX: Return -EIO, not -EINVAL, on a KVM_BUG_ON() condition Sean Christopherson
2025-10-30 22:20 ` Huang, Kai
2025-10-30 20:09 ` [PATCH v4 10/28] KVM: TDX: Fold tdx_sept_drop_private_spte() into tdx_sept_remove_private_spte() Sean Christopherson
2025-10-31 8:23 ` Yan Zhao
2025-10-30 20:09 ` [PATCH v4 11/28] KVM: x86/mmu: Drop the return code from kvm_x86_ops.remove_external_spte() Sean Christopherson
2025-10-30 22:26 ` Huang, Kai
2025-10-30 20:09 ` [PATCH v4 12/28] KVM: TDX: WARN if mirror SPTE doesn't have full RWX when creating S-EPT mapping Sean Christopherson
2025-10-30 22:59 ` Huang, Kai
2025-10-30 23:40 ` Sean Christopherson
2025-10-30 23:59 ` Huang, Kai
2025-10-31 8:19 ` Binbin Wu
2025-10-30 20:09 ` [PATCH v4 13/28] KVM: TDX: Avoid a double-KVM_BUG_ON() in tdx_sept_zap_private_spte() Sean Christopherson
2025-10-30 20:09 ` [PATCH v4 14/28] KVM: TDX: Use atomic64_dec_return() instead of a poor equivalent Sean Christopherson
2025-10-30 20:09 ` [PATCH v4 15/28] KVM: TDX: Fold tdx_mem_page_record_premap_cnt() into its sole caller Sean Christopherson
2025-10-30 20:09 ` [PATCH v4 16/28] KVM: TDX: ADD pages to the TD image while populating mirror EPT entries Sean Christopherson
2025-10-31 8:54 ` Binbin Wu
2025-10-30 20:09 ` [PATCH v4 17/28] KVM: TDX: Fold tdx_sept_zap_private_spte() into tdx_sept_remove_private_spte() Sean Christopherson
2025-10-31 8:56 ` Binbin Wu
2025-10-30 20:09 ` [PATCH v4 18/28] KVM: TDX: Combine KVM_BUG_ON + pr_tdx_error() into TDX_BUG_ON() Sean Christopherson
2025-10-30 23:20 ` Huang, Kai
2025-10-31 8:58 ` Binbin Wu
2025-10-30 20:09 ` [PATCH v4 19/28] KVM: TDX: Derive error argument names from the local variable names Sean Christopherson
2025-10-31 9:00 ` Binbin Wu
2025-10-30 20:09 ` [PATCH v4 20/28] KVM: TDX: Assert that mmu_lock is held for write when removing S-EPT entries Sean Christopherson
2025-10-30 23:03 ` Huang, Kai
2025-10-31 9:05 ` Binbin Wu
2025-10-30 20:09 ` [PATCH v4 21/28] KVM: TDX: Add macro to retry SEAMCALLs when forcing vCPUs out of guest Sean Christopherson
2025-10-30 23:05 ` Huang, Kai
2025-10-31 9:08 ` Binbin Wu
2025-10-30 20:09 ` [PATCH v4 22/28] KVM: TDX: Add tdx_get_cmd() helper to get and validate sub-ioctl command Sean Christopherson
2025-10-31 9:11 ` Binbin Wu
2025-10-30 20:09 ` [PATCH v4 23/28] KVM: TDX: Convert INIT_MEM_REGION and INIT_VCPU to "unlocked" vCPU ioctl Sean Christopherson
2025-10-31 9:15 ` Binbin Wu
2025-10-30 20:09 ` [PATCH v4 24/28] KVM: TDX: Use guard() to acquire kvm->lock in tdx_vm_ioctl() Sean Christopherson
2025-10-31 9:17 ` Binbin Wu
2025-10-30 20:09 ` [PATCH v4 25/28] KVM: TDX: Don't copy "cmd" back to userspace for KVM_TDX_CAPABILITIES Sean Christopherson
2025-10-30 23:06 ` Huang, Kai
2025-10-30 20:09 ` [PATCH v4 26/28] KVM: TDX: Guard VM state transitions with "all" the locks Sean Christopherson
2025-10-30 23:08 ` Huang, Kai
2025-10-31 8:26 ` Yan Zhao
2025-10-31 17:34 ` Sean Christopherson
2025-11-03 1:36 ` Yan Zhao
2025-10-30 20:09 ` [PATCH v4 27/28] KVM: TDX: Bug the VM if extending the initial measurement fails Sean Christopherson
2025-10-30 23:09 ` Huang, Kai
2025-11-04 6:16 ` Binbin Wu
2025-11-04 18:02 ` Sean Christopherson
2025-10-30 20:09 ` [PATCH v4 28/28] KVM: TDX: Fix list_add corruption during vcpu_load() Sean Christopherson
2025-10-30 23:12 ` Huang, Kai
2025-10-30 23:19 ` [PATCH v4 00/28] KVM: x86/mmu: TDX post-populate cleanups Huang, Kai
2025-10-31 8:54 ` Yan Zhao
2025-10-31 17:28 ` Edgecombe, Rick P
2025-11-04 17:58 ` Sean Christopherson
2025-11-10 15:37 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251030200951.3402865-1-seanjc@google.com \
--to=seanjc@google.com \
--cc=ackerleytng@google.com \
--cc=anup@brainfault.org \
--cc=aou@eecs.berkeley.edu \
--cc=binbin.wu@linux.intel.com \
--cc=borntraeger@linux.ibm.com \
--cc=chenhuacai@kernel.org \
--cc=frankja@linux.ibm.com \
--cc=imbrenda@linux.ibm.com \
--cc=ira.weiny@intel.com \
--cc=kai.huang@intel.com \
--cc=kas@kernel.org \
--cc=kvm-riscv@lists.infradead.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=loongarch@lists.linux.dev \
--cc=maddy@linux.ibm.com \
--cc=maobibo@loongson.cn \
--cc=maz@kernel.org \
--cc=michael.roth@amd.com \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=pbonzini@redhat.com \
--cc=pjw@kernel.org \
--cc=rick.p.edgecombe@intel.com \
--cc=vannapurve@google.com \
--cc=x86@kernel.org \
--cc=yan.y.zhao@intel.com \
--cc=zhaotianrui@loongson.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).