From: Sean Christopherson <seanjc@google.com>
To: Xu Yilun <yilun.xu@linux.intel.com>
Cc: Chao Gao <chao.gao@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, Kiryl Shutsemau <kas@kernel.org>,
Paolo Bonzini <pbonzini@redhat.com>,
linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev,
kvm@vger.kernel.org, Dan Williams <dan.j.williams@intel.com>
Subject: Re: [PATCH v2 2/7] KVM: x86: Extract VMXON and EFER.SVME enablement to kernel
Date: Fri, 19 Dec 2025 07:40:11 -0800 [thread overview]
Message-ID: <aUVx20ZRjOzKgKqy@google.com> (raw)
In-Reply-To: <aUS06wE6IvFti8Le@yilunxu-OptiPlex-7050>
On Fri, Dec 19, 2025, Xu Yilun wrote:
> On Wed, Dec 17, 2025 at 11:01:59AM -0800, Sean Christopherson wrote:
> > On Wed, Dec 17, 2025, Xu Yilun wrote:
> > > Is it better we explicitly assert the preemption for x86_virt_get_cpu()
> > > rather than embed the check in __this_cpu_inc_return()? We are not just
> > > protecting the racing for the reference counter. We should ensure the
> > > "counter increase + x86_virt_call(get_cpu)" can't be preempted.
> >
> > I don't have a strong preference. Using __this_cpu_inc_return() without any
> > nearby preemption_{enable,disable}() calls makes it quite clears that preemption
> > is expected to be disabled by the caller. But I'm also ok being explicit.
>
> Looking into __this_cpu_inc_return(), it finally calls
> check_preemption_disabled() which doesn't strictly requires preemption.
> It only ensures the context doesn't switch to another CPU. If the caller
> is in cpuhp context, preemption is possible.
Hmm, right, the cpuhp thread is is_percpu_thread(), and KVM's hooks aren't
considered atomic and so run with IRQs enabled. In practice, it's "fine", because
TDX also exclusively does x86_virt_get_cpu() from cpuhp, i.e. the two users are
mutually exclusive, but relying on that behavior is gross.
> But in this x86_virt_get_cpu(), we need to ensure preemption disabled,
> otherwise caller A increases counter but hasn't do actual VMXON yet and
> get preempted. Caller B opts in and get the wrong info that VMX is
> already on, and fails on following vmx operations.
>
> On a second thought, maybe we disable preemption inside
> x86_virt_get_cpu() to protect the counter-vmxon racing, this is pure
> internal thing for this kAPI.
Ya, that'd be my preference.
Kai, question for you (or anyone else that might know):
Is there any **need** for tdx_cpu_enable() and try_init_module_global() to run
with IRQs disabled? AFAICT, the lockdep_assert_irqs_disabled() checks added by
commit 6162b310bc21 ("x86/virt/tdx: Add skeleton to enable TDX on demand") were
purely because, _when the code was written_, KVM enabled virtualization via IPI
function calls.
But by the time the KVM code landed upstream in commit fcdbdf63431c ("KVM: VMX:
Initialize TDX during KVM module load"), that was no longer true, thanks to
commit 9a798b1337af ("KVM: Register cpuhp and syscore callbacks when enabling
hardware") setting the stage for doing everything from task context.
However, rather than update the kernel side, e.g. to drop the lockdep assertions
and related comments, commit 9a798b1337af instead did this:
local_irq_save(flags);
r = tdx_cpu_enable();
local_irq_restore(flags);
Somewhat frustratingly, I poked at this when the reworked code was first posted
(https://lore.kernel.org/all/ZyJOiPQnBz31qLZ7@google.com), but it just got swept
under the rug :-(
: > > + /* tdx_cpu_enable() must be called with IRQ disabled */
: >
: > I don't find this comment helpfu. If it explained _why_ tdx_cpu_enable() requires
: > IRQs to be disabled, then I'd feel differently, but as is, IMO it doesn't add value.
:
: I'll remove the comment.
:
: >
: > > + local_irq_save(flags);
: > > + r = tdx_cpu_enable();
: > > + local_irq_restore(flags);
Unless TDX _needs_ IRQs to be disabled, I would strongly prefer to drop that code
in prep patches so that it doesn't become even harder to disentagle the history
to figure out why tdx_online_cpu() disables IRQs:
static int tdx_online_cpu(unsigned int cpu)
{
int ret;
guard(irqsave)(); <=============== why is this here!?!?!
ret = x86_virt_get_cpu(X86_FEATURE_VMX);
if (ret)
return ret;
ret = tdx_cpu_enable();
if (ret)
x86_virt_put_cpu(X86_FEATURE_VMX);
return ret;
}
Side topic, KVM's change in behavior also means this comment is stale (though I
think it's worth keeping the assertion, but with a comment saying it's hardening
and paranoia, not a strick requirement).
/*
* IRQs must be disabled as virtualization is enabled in hardware via
* function call IPIs, i.e. IRQs need to be disabled to guarantee
* virtualization stays disabled.
*/
lockdep_assert_irqs_disabled();
next prev parent reply other threads:[~2025-12-19 15:40 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-06 1:10 [PATCH v2 0/7] KVM: x86/tdx: Have TDX handle VMXON during bringup Sean Christopherson
2025-12-06 1:10 ` [PATCH v2 1/7] KVM: x86: Move kvm_rebooting to x86 Sean Christopherson
2025-12-09 7:46 ` Chao Gao
2026-01-05 17:48 ` Dave Hansen
2025-12-06 1:10 ` [PATCH v2 2/7] KVM: x86: Extract VMXON and EFER.SVME enablement to kernel Sean Christopherson
2025-12-07 7:22 ` dan.j.williams
2025-12-09 20:01 ` Sean Christopherson
2025-12-10 7:41 ` dan.j.williams
2025-12-10 14:20 ` Sean Christopherson
2025-12-24 11:07 ` Xu Yilun
2025-12-30 22:59 ` Sean Christopherson
2025-12-09 5:48 ` Chao Gao
2025-12-17 6:57 ` Xu Yilun
2025-12-17 19:01 ` Sean Christopherson
2025-12-19 2:14 ` Xu Yilun
2025-12-19 15:40 ` Sean Christopherson [this message]
2025-12-19 17:30 ` Dave Hansen
2025-12-19 21:12 ` Huang, Kai
2026-01-27 2:46 ` Binbin Wu
2025-12-19 17:45 ` Dave Hansen
2025-12-19 18:35 ` Sean Christopherson
2025-12-19 18:48 ` Dave Hansen
2025-12-06 1:10 ` [PATCH v2 3/7] KVM: x86/tdx: Do VMXON and TDX-Module initialization during subsys init Sean Christopherson
2025-12-07 7:25 ` dan.j.williams
2025-12-08 23:17 ` Sean Christopherson
2025-12-09 1:34 ` dan.j.williams
2025-12-09 7:06 ` Chao Gao
2025-12-12 18:56 ` Sean Christopherson
2025-12-06 1:10 ` [PATCH v2 4/7] x86/virt/tdx: Tag a pile of functions as __init, and globals as __ro_after_init Sean Christopherson
2025-12-09 4:17 ` dan.j.williams
2025-12-09 7:26 ` Chao Gao
2025-12-06 1:10 ` [PATCH v2 5/7] x86/virt/tdx: KVM: Consolidate TDX CPU hotplug handling Sean Christopherson
2025-12-09 4:19 ` dan.j.williams
2025-12-06 1:10 ` [PATCH v2 6/7] x86/virt/tdx: Use ida_is_empty() to detect if any TDs may be running Sean Christopherson
2025-12-09 4:19 ` dan.j.williams
2025-12-09 7:33 ` Chao Gao
2025-12-06 1:10 ` [PATCH v2 7/7] KVM: Bury kvm_{en,dis}able_virtualization() in kvm_main.c once more Sean Christopherson
2025-12-09 4:20 ` dan.j.williams
2025-12-09 7:37 ` Chao Gao
2025-12-08 2:49 ` [PATCH v2 0/7] KVM: x86/tdx: Have TDX handle VMXON during bringup Chao Gao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aUVx20ZRjOzKgKqy@google.com \
--to=seanjc@google.com \
--cc=bp@alien8.de \
--cc=chao.gao@intel.com \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=kas@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yilun.xu@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox