1. 18 Nov, 2021 17 commits
    • Randy Dunlap's avatar
      riscv: kvm: fix non-kernel-doc comment block · 0e2e6419
      Randy Dunlap authored
      Don't use "/**" to begin a comment block for a non-kernel-doc comment.
      
      Prevents this docs build warning:
      
      vcpu_sbi.c:3: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
       * Copyright (c) 2019 Western Digital Corporation or its affiliates.
      
      Fixes: dea8ee31 ("RISC-V: KVM: Add SBI v0.1 support")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Cc: Atish Patra <atish.patra@wdc.com>
      Cc: Anup Patel <anup.patel@wdc.com>
      Cc: kvm@vger.kernel.org
      Cc: kvm-riscv@lists.infradead.org
      Cc: linux-riscv@lists.infradead.org
      Cc: Paul Walmsley <paul.walmsley@sifive.com>
      Cc: Palmer Dabbelt <palmer@dabbelt.com>
      Cc: Albert Ou <aou@eecs.berkeley.edu>
      Message-Id: <20211107034706.30672-1-rdunlap@infradead.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      0e2e6419
    • Paolo Bonzini's avatar
      Merge branch 'kvm-5.16-fixes' into kvm-master · 817506df
      Paolo Bonzini authored
      * Fixes for Xen emulation
      
      * Kill kvm_map_gfn() / kvm_unmap_gfn() and broken gfn_to_pfn_cache
      
      * Fixes for migration of 32-bit nested guests on 64-bit hypervisor
      
      * Compilation fixes
      
      * More SEV cleanups
      817506df
    • Sean Christopherson's avatar
      KVM: SEV: Fix typo in and tweak name of cmd_allowed_from_miror() · 8e38e96a
      Sean Christopherson authored
      Rename cmd_allowed_from_miror() to is_cmd_allowed_from_mirror(), fixing
      a typo and making it obvious that the result is a boolean where
      false means "not allowed".
      
      No functional change intended.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20211109215101.2211373-7-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      8e38e96a
    • Sean Christopherson's avatar
      KVM: SEV: Drop a redundant setting of sev->asid during initialization · ea410ef4
      Sean Christopherson authored
      Remove a fully redundant write to sev->asid during SEV/SEV-ES guest
      initialization.  The ASID is set a few lines earlier prior to the call to
      sev_platform_init(), which doesn't take "sev" as a param, i.e. can't
      muck with the ASID barring some truly magical behind-the-scenes code.
      
      No functional change intended.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20211109215101.2211373-6-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      ea410ef4
    • Sean Christopherson's avatar
      KVM: SEV: WARN if SEV-ES is marked active but SEV is not · 1bd00a42
      Sean Christopherson authored
      WARN if the VM is tagged as SEV-ES but not SEV.  KVM relies on SEV and
      SEV-ES being set atomically, and guards common flows with "is SEV", i.e.
      observing SEV-ES without SEV means KVM has a fatal bug.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20211109215101.2211373-5-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      1bd00a42
    • Sean Christopherson's avatar
      KVM: SEV: Set sev_info.active after initial checks in sev_guest_init() · a41fb26e
      Sean Christopherson authored
      Set sev_info.active during SEV/SEV-ES activation before calling any code
      that can potentially consume sev_info.es_active, e.g. set "active" and
      "es_active" as a pair immediately after the initial sanity checks.  KVM
      generally expects that es_active can be true if and only if active is
      true, e.g. sev_asid_new() deliberately avoids sev_es_guest() so that it
      doesn't get a false negative.  This will allow WARNing in sev_es_guest()
      if the VM is tagged as SEV-ES but not SEV.
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20211109215101.2211373-4-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      a41fb26e
    • Sean Christopherson's avatar
      KVM: SEV: Disallow COPY_ENC_CONTEXT_FROM if target has created vCPUs · 79b11142
      Sean Christopherson authored
      Reject COPY_ENC_CONTEXT_FROM if the destination VM has created vCPUs.
      KVM relies on SEV activation to occur before vCPUs are created, e.g. to
      set VMCB flags and intercepts correctly.
      
      Fixes: 54526d1f ("KVM: x86: Support KVM VMs sharing SEV context")
      Cc: stable@vger.kernel.org
      Cc: Peter Gonda <pgonda@google.com>
      Cc: Marc Orr <marcorr@google.com>
      Cc: Sean Christopherson <seanjc@google.com>
      Cc: Nathan Tempelman <natet@google.com>
      Cc: Brijesh Singh <brijesh.singh@amd.com>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20211109215101.2211373-2-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      79b11142
    • David Woodhouse's avatar
      KVM: Kill kvm_map_gfn() / kvm_unmap_gfn() and gfn_to_pfn_cache · 357a18ad
      David Woodhouse authored
      In commit 7e2175eb ("KVM: x86: Fix recording of guest steal time /
      preempted status") I removed the only user of these functions because
      it was basically impossible to use them safely.
      
      There are two stages to the GFN->PFN mapping; first through the KVM
      memslots to a userspace HVA and then through the page tables to
      translate that HVA to an underlying PFN. Invalidations of the former
      were being handled correctly, but no attempt was made to use the MMU
      notifiers to invalidate the cache when the HVA->GFN mapping changed.
      
      As a prelude to reinventing the gfn_to_pfn_cache with more usable
      semantics, rip it out entirely and untangle the implementation of
      the unsafe kvm_vcpu_map()/kvm_vcpu_unmap() functions from it.
      
      All current users of kvm_vcpu_map() also look broken right now, and
      will be dealt with separately. They broadly fall into two classes:
      
      * Those which map, access the data and immediately unmap. This is
        mostly gratuitous and could just as well use the existing user
        HVA, and could probably benefit from a gfn_to_hva_cache as they
        do so.
      
      * Those which keep the mapping around for a longer time, perhaps
        even using the PFN directly from the guest. These will need to
        be converted to the new gfn_to_pfn_cache and then kvm_vcpu_map()
        can be removed too.
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Message-Id: <20211115165030.7422-8-dwmw2@infradead.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      357a18ad
    • David Woodhouse's avatar
      KVM: nVMX: Use a gfn_to_hva_cache for vmptrld · cee66664
      David Woodhouse authored
      And thus another call to kvm_vcpu_map() can die.
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Message-Id: <20211115165030.7422-7-dwmw2@infradead.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      cee66664
    • David Woodhouse's avatar
      KVM: nVMX: Use kvm_read_guest_offset_cached() for nested VMCS check · 7d0172b3
      David Woodhouse authored
      Kill another mostly gratuitous kvm_vcpu_map() which could just use the
      userspace HVA for it.
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Message-Id: <20211115165030.7422-6-dwmw2@infradead.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      7d0172b3
    • David Woodhouse's avatar
      KVM: x86/xen: Use sizeof_field() instead of open-coding it · 6a834754
      David Woodhouse authored
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Message-Id: <20211115165030.7422-4-dwmw2@infradead.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      6a834754
    • David Woodhouse's avatar
      KVM: nVMX: Use kvm_{read,write}_guest_cached() for shadow_vmcs12 · 297d597a
      David Woodhouse authored
      Using kvm_vcpu_map() for reading from the guest is entirely gratuitous,
      when all we do is a single memcpy and unmap it again. Fix it up to use
      kvm_read_guest()... but in fact I couldn't bring myself to do that
      without also making it use a gfn_to_hva_cache for both that *and* the
      copy in the other direction.
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Message-Id: <20211115165030.7422-5-dwmw2@infradead.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      297d597a
    • David Woodhouse's avatar
      KVM: x86/xen: Fix get_attr of KVM_XEN_ATTR_TYPE_SHARED_INFO · 4e843647
      David Woodhouse authored
      In commit 319afe68 ("KVM: xen: do not use struct gfn_to_hva_cache") we
      stopped storing this in-kernel as a GPA, and started storing it as a GFN.
      Which means we probably should have stopped calling gpa_to_gfn() on it
      when userspace asks for it back.
      
      Cc: stable@vger.kernel.org
      Fixes: 319afe68 ("KVM: xen: do not use struct gfn_to_hva_cache")
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Message-Id: <20211115165030.7422-2-dwmw2@infradead.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      4e843647
    • Maxim Levitsky's avatar
      KVM: x86/mmu: include EFER.LMA in extended mmu role · b8453cdc
      Maxim Levitsky authored
      Incorporate EFER.LMA into kvm_mmu_extended_role, as it used to compute the
      guest root level and is not reflected in kvm_mmu_page_role.level when TDP
      is in use.  When simply running the guest, it is impossible for EFER.LMA
      and kvm_mmu.root_level to get out of sync, as the guest cannot transition
      from PAE paging to 64-bit paging without toggling CR0.PG, i.e. without
      first bouncing through a different MMU context.  And stuffing guest state
      via KVM_SET_SREGS{,2} also ensures a full MMU context reset.
      
      However, if KVM_SET_SREGS{,2} is followed by KVM_SET_NESTED_STATE, e.g. to
      set guest state when migrating the VM while L2 is active, the vCPU state
      will reflect L2, not L1.  If L1 is using TDP for L2, then root_mmu will
      have been configured using L2's state, despite not being used for L2.  If
      L2.EFER.LMA != L1.EFER.LMA, and L2 is using PAE paging, then root_mmu will
      be configured for guest PAE paging, but will match the mmu_role for 64-bit
      paging and cause KVM to not reconfigure root_mmu on the next nested VM-Exit.
      
      Alternatively, the root_mmu's role could be invalidated after a successful
      KVM_SET_NESTED_STATE that yields vcpu->arch.mmu != vcpu->arch.root_mmu,
      i.e. that switches the active mmu to guest_mmu, but doing so is unnecessarily
      tricky, and not even needed if L1 and L2 do have the same role (e.g., they
      are both 64-bit guests and run with the same CR4).
      Suggested-by: default avatarSean Christopherson <seanjc@google.com>
      Signed-off-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
      Message-Id: <20211115131837.195527-3-mlevitsk@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      b8453cdc
    • Maxim Levitsky's avatar
      KVM: nVMX: don't use vcpu->arch.efer when checking host state on nested state load · af957eeb
      Maxim Levitsky authored
      When loading nested state, don't use check vcpu->arch.efer to get the
      L1 host's 64-bit vs. 32-bit state and don't check it for consistency
      with respect to VM_EXIT_HOST_ADDR_SPACE_SIZE, as register state in vCPU
      may be stale when KVM_SET_NESTED_STATE is called---and architecturally
      does not exist.  When restoring L2 state in KVM, the CPU is placed in
      non-root where nested VMX code has no snapshot of L1 host state: VMX
      (conditionally) loads host state fields loaded on VM-exit, but they need
      not correspond to the state before entry.  A simple case occurs in KVM
      itself, where the host RIP field points to vmx_vmexit rather than the
      instruction following vmlaunch/vmresume.
      
      However, for the particular case of L1 being in 32- or 64-bit mode
      on entry, the exit controls can be treated instead as the source of
      truth regarding the state of L1 on entry, and can be used to check
      that vmcs12.VM_EXIT_HOST_ADDR_SPACE_SIZE matches vmcs12.HOST_EFER if
      vmcs12.VM_EXIT_LOAD_IA32_EFER is set.  The consistency check on CPU
      EFER vs. vmcs12.VM_EXIT_HOST_ADDR_SPACE_SIZE, instead, happens only
      on VM-Enter.  That's because, again, there's conceptually no "current"
      L1 EFER to check on KVM_SET_NESTED_STATE.
      Suggested-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
      Message-Id: <20211115131837.195527-2-mlevitsk@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      af957eeb
    • David Woodhouse's avatar
      KVM: Fix steal time asm constraints · 964b7aa0
      David Woodhouse authored
      In 64-bit mode, x86 instruction encoding allows us to use the low 8 bits
      of any GPR as an 8-bit operand. In 32-bit mode, however, we can only use
      the [abcd] registers. For which, GCC has the "q" constraint instead of
      the less restrictive "r".
      
      Also fix st->preempted, which is an input/output operand rather than an
      input.
      
      Fixes: 7e2175eb ("KVM: x86: Fix recording of guest steal time / preempted status")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Message-Id: <89bf72db1b859990355f9c40713a34e0d2d86c98.camel@infradead.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      964b7aa0
    • Paul Durrant's avatar
      cpuid: kvm_find_kvm_cpuid_features() should be declared 'static' · dc23a511
      Paul Durrant authored
      The lack a static declaration currently results in:
      
      arch/x86/kvm/cpuid.c:128:26: warning: no previous prototype for function 'kvm_find_kvm_cpuid_features'
      
      when compiling with "W=1".
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Fixes: 760849b1 ("KVM: x86: Make sure KVM_CPUID_FEATURES really are KVM_CPUID_FEATURES")
      Signed-off-by: default avatarPaul Durrant <pdurrant@amazon.com>
      Message-Id: <20211115144131.5943-1-pdurrant@amazon.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      dc23a511
  2. 16 Nov, 2021 19 commits
  3. 12 Nov, 2021 3 commits
  4. 11 Nov, 2021 1 commit
    • Paolo Bonzini's avatar
      Merge branch 'kvm-5.16-fixes' into kvm-master · f5396f2d
      Paolo Bonzini authored
      * Fix misuse of gfn-to-pfn cache when recording guest steal time / preempted status
      
      * Fix selftests on APICv machines
      
      * Fix sparse warnings
      
      * Fix detection of KVM features in CPUID
      
      * Cleanups for bogus writes to MSR_KVM_PV_EOI_EN
      
      * Fixes and cleanups for MSR bitmap handling
      
      * Cleanups for INVPCID
      
      * Make x86 KVM_SOFT_MAX_VCPUS consistent with other architectures
      f5396f2d