From patchwork Mon Feb 24 23:55:35 2025
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 13989128
Date: Mon, 24 Feb 2025 15:55:35 -0800
Message-ID: <20250224235542.2562848-1-seanjc@google.com>
Subject: [PATCH 0/7] KVM: x86: nVMX IRQ fix and VM teardown cleanups
From: Sean Christopherson
To: Marc Zyngier, Oliver Upton, Tianrui Zhao, Bibo Mao, Huacai Chen, Madhavan Srinivasan, Anup Patel, Paul Walmsley, Palmer Dabbelt, Albert Ou, Christian Borntraeger, Janosch Frank, Claudio Imbrenda, Sean Christopherson, Paolo Bonzini
Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, kvm@vger.kernel.org, loongarch@lists.linux.dev, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, kvm-riscv@lists.infradead.org, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, Aaron Lewis, Jim Mattson, Yan Zhao, Rick P Edgecombe, Kai Huang, Isaku Yamahata

This was _supposed_ to be a tiny one-off patch to fix a nVMX bug where KVM fails to detect that, after nested VM-Exit, L1 has a pending IRQ (or NMI). But because x86's nested teardown flows are garbage (KVM simply forces a nested VM-Exit to put the vCPU back into L1), that simple fix snowballed.

The immediate issue is that checking for a pending interrupt accesses the legacy PIC, and x86's kvm_arch_destroy_vm() currently frees the PIC before destroying vCPUs, i.e. checking for IRQs during the forced nested VM-Exit results in a NULL pointer deref (or use-after-free if KVM didn't nullify the PIC pointer). That's patch 1.
Patch 2 is the original nVMX fix.

The remaining patches attempt to bring a bit of sanity to x86's VM teardown code, which has accumulated a lot of cruft over the years. E.g. KVM currently unloads each vCPU's MMUs in a separate operation from destroying vCPUs, all because when guest SMP support was added, KVM had a kludgy MMU teardown flow that broke when a VM had more than one vCPU. And that oddity lived on, for 18 years...

Sean Christopherson (7):
  KVM: x86: Free vCPUs before freeing VM state
  KVM: nVMX: Process events on nested VM-Exit if injectable IRQ or NMI is pending
  KVM: Assert that a destroyed/freed vCPU is no longer visible
  KVM: x86: Don't load/put vCPU when unloading its MMU during teardown
  KVM: x86: Unload MMUs during vCPU destruction, not before
  KVM: x86: Fold guts of kvm_arch_sync_events() into kvm_arch_pre_destroy_vm()
  KVM: Drop kvm_arch_sync_events() now that all implementations are nops

 arch/arm64/include/asm/kvm_host.h     |  2 --
 arch/loongarch/include/asm/kvm_host.h |  1 -
 arch/mips/include/asm/kvm_host.h      |  1 -
 arch/powerpc/include/asm/kvm_host.h   |  1 -
 arch/riscv/include/asm/kvm_host.h     |  2 --
 arch/s390/include/asm/kvm_host.h      |  1 -
 arch/x86/kvm/vmx/nested.c             | 11 +++++++
 arch/x86/kvm/x86.c                    | 42 ++++++++++-----------------
 include/linux/kvm_host.h              |  1 -
 virt/kvm/kvm_main.c                   |  9 +++++-
 10 files changed, 34 insertions(+), 37 deletions(-)

base-commit: fed48e2967f402f561d80075a20c5c9e16866e53
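As an added illustration, not code from this series or from KVM, the toy C program below models the ordering problem patch 1 addresses: a VM-wide object (the legacy PIC) is freed before the vCPUs that still consult it during their forced nested VM-Exit. Every struct and function name here (toy_pic, toy_vcpu, toy_vm, teardown_report and the rest) is hypothetical. A freed PIC is represented by a NULL pointer that the vCPU path detects and counts rather than dereferences, so the pre-fix order (PIC first) and the fixed order (vCPUs first) can be compared without the process crashing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the teardown-ordering bug from the cover letter; every name is
 * hypothetical, not KVM's code. A freed PIC is modelled as a NULL pointer that
 * the vCPU path detects and counts, since the real outcome is a crash (NULL
 * deref or use-after-free) rather than something a test can observe. */

struct toy_pic {
	bool irq_pending;		/* an interrupt is raised for L1 */
};

struct toy_vcpu {
	bool in_nested_mode;		/* vCPU is running L2 when the VM is torn down */
};

struct toy_vm {
	struct toy_pic *pic;		/* VM-wide state shared by every vCPU */
	struct toy_vcpu *vcpus[4];
	int nr_vcpus;
};

/* What happened during one teardown, so the two orderings can be compared. */
struct teardown_report {
	int vcpus_destroyed;
	int pic_uses_after_free;	/* a vCPU consulted the PIC after it was freed */
};

static int toy_pic_irq_pending(const struct toy_pic *pic, struct teardown_report *r)
{
	if (!pic) {
		/* The buggy order lands here: the VM's PIC is already gone. */
		r->pic_uses_after_free++;
		return 0;
	}
	return pic->irq_pending ? 1 : 0;
}

/* Destroying a vCPU in nested mode forces a nested VM-Exit back to L1; with the
 * nVMX fix, that exit checks whether L1 has an injectable IRQ, which on x86
 * means consulting the legacy PIC owned by the VM. */
static void toy_vcpu_destroy(struct toy_vcpu *vcpu, const struct toy_pic *pic, struct teardown_report *r)
{
	if (vcpu->in_nested_mode) {
		vcpu->in_nested_mode = false;
		(void)toy_pic_irq_pending(pic, r);
	}
	r->vcpus_destroyed++;
	free(vcpu);
}

struct toy_vm *toy_vm_create(int nr_vcpus, bool nested)
{
	struct toy_vm *vm = calloc(1, sizeof(*vm));

	if (!vm || nr_vcpus > 4)
		abort();
	vm->pic = calloc(1, sizeof(*vm->pic));
	vm->pic->irq_pending = true;
	for (int i = 0; i < nr_vcpus; i++) {
		vm->vcpus[i] = calloc(1, sizeof(*vm->vcpus[i]));
		vm->vcpus[i]->in_nested_mode = nested;
	}
	vm->nr_vcpus = nr_vcpus;
	return vm;
}

/* Pre-fix order as the cover letter describes it: VM-wide state freed first. */
struct teardown_report toy_vm_destroy_pic_first(struct toy_vm *vm)
{
	struct teardown_report r = {0};

	free(vm->pic);
	vm->pic = NULL;		/* nullified, so the bug is a NULL deref rather than a UAF */
	for (int i = 0; i < vm->nr_vcpus; i++)
		toy_vcpu_destroy(vm->vcpus[i], vm->pic, &r);
	free(vm);
	return r;
}

/* Order after patch 1: every vCPU is gone before the state it depends on. */
struct teardown_report toy_vm_destroy_vcpus_first(struct toy_vm *vm)
{
	struct teardown_report r = {0};

	for (int i = 0; i < vm->nr_vcpus; i++)
		toy_vcpu_destroy(vm->vcpus[i], vm->pic, &r);
	free(vm->pic);
	free(vm);
	return r;
}

int main(void)
{
	struct teardown_report bad = toy_vm_destroy_pic_first(toy_vm_create(2, true));
	struct teardown_report good = toy_vm_destroy_vcpus_first(toy_vm_create(2, true));

	printf("freed-PIC uses: %d (PIC first), %d (vCPUs first)\n",
	       bad.pic_uses_after_free, good.pic_uses_after_free);
	return 0;
}
```

Both orders destroy every vCPU, so nothing looks wrong from the outside; only the order in which the shared object and its users go away differs, and only vCPUs that happen to be in nested mode at teardown trigger the access. That is the shape of bug that survives for years in a real code base, and it is why the fixed order states the dependency explicitly: destroy the objects that hold references before the object they reference. In this toy the counter stands in for the crash; patch 3 of the series adds an assertion in the real code for the analogous property that a destroyed vCPU is no longer visible.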