[PATCH v3 0/5] kvm: fix latent guest entry/exit bugs

Mark Rutland posted 5 patches 4 years, 4 months ago
arch/arm64/kvm/arm.c     |  51 +++++++++++-------
arch/mips/kvm/mips.c     |  50 +++++++++++++++--
arch/riscv/kvm/vcpu.c    |  44 +++++++++------
arch/x86/kvm/svm/svm.c   |   4 +-
arch/x86/kvm/vmx/vmx.c   |   4 +-
arch/x86/kvm/x86.c       |   4 +-
arch/x86/kvm/x86.h       |  45 ----------------
include/linux/kvm_host.h | 112 +++++++++++++++++++++++++++++++++++++--
8 files changed, 222 insertions(+), 92 deletions(-)
[PATCH v3 0/5] kvm: fix latent guest entry/exit bugs
Posted by Mark Rutland 4 years, 4 months ago
Several architectures have latent bugs around guest entry/exit,
including:

1) Enabling interrupts during an RCU EQS, allowing interrupt handlers to
   run without RCU watching.

2) Using (potentially) instrumented code between guest_enter() and
   guest_exit(), allowing instrumentation handlers to run without RCU
   watching.

3) Not informing lockdep and tracing about interrupt masking, or
   informing in an incorrect order (e.g. relative to entering/exiting an
   RCU EQS).

4) Unbalanced entry/exit accounting in some cases (which may or may not
   result in functional problems).

Overall, the architectures affected are:

  arm64, mips, powerpc, riscv, s390, x86

This series reworks the common code to make handling these issues
easier, and for the following architectures fixes those issues by
conversion to new helper functions:

  arm64, mips, riscv, x86

The core, arm64, and x86 patches have reviews from the relevant
maintainers, and I think those are good-to-go. I have not yet had
acks/reviews for the mips and riscv patches. I'm fairly certain the
riscv patch is correct by virtue of it being so simple, and I'm
relatively confident that the mips patch is correct (though I may have
missed additional issues), but I have no way of testing either so I've
placed them at the end of the series where they can easily be dropped if
necessary.

This series does NOT fix the following architectures, which will need
more substantial changes to architecture-specific entry logic and/or
sequencing:

  powerpc, s390

... and I assume it would be preferable to fix the common code and
simple cases now, such that those can be addressed in subsequent
follow-ups.

Since v1 [1]:
* Add arch_in_rcu_eqs()
* Convert s390
* Rename exit_to_guest_mode() -> guest_state_enter_irqoff()
* Rename enter_from_guest_mode() -> guest_state_exit_irqoff()
* Various commit message cleanups

Since v2 [2]:
* Rebase to v5.17-rc2
* Fixup mips exit handling
* Drop arch_in_rcu_eqs() & s390 patches

I've pushed the series (based on v5.17-rc2) to my kvm/entry-rework branch:

  https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=kvm/entry-rework
  git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git kvm/entry-rework

This version of the series is tagged as kvm-entry-rework-20220201.

[1] https://lore.kernel.org/r/20220111153539.2532246-1-mark.rutland@arm.com/
[2] https://lore.kernel.org/r/20220119105854.3160683-1-mark.rutland@arm.com/

Thanks,


Mark Rutland (5):
  kvm: add guest_state_{enter,exit}_irqoff()
  kvm/arm64: rework guest entry logic
  kvm/x86: rework guest entry logic
  kvm/riscv: rework guest entry logic
  kvm/mips: rework guest entry logic

 arch/arm64/kvm/arm.c     |  51 +++++++++++-------
 arch/mips/kvm/mips.c     |  50 +++++++++++++++--
 arch/riscv/kvm/vcpu.c    |  44 +++++++++------
 arch/x86/kvm/svm/svm.c   |   4 +-
 arch/x86/kvm/vmx/vmx.c   |   4 +-
 arch/x86/kvm/x86.c       |   4 +-
 arch/x86/kvm/x86.h       |  45 ----------------
 include/linux/kvm_host.h | 112 +++++++++++++++++++++++++++++++++++++--
 8 files changed, 222 insertions(+), 92 deletions(-)

-- 
2.30.2
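The four bug classes listed in the cover letter are all ordering constraints on a single entry/exit sequence, so they can be checked mechanically. The following is an added example, not code from the posted series or from the kernel: a small user-space C model in which entry/exit is a list of events and a state machine reports which of the four classes a given ordering violates. The event names, the `check_sequence` checker and both sample sequences are constructed for illustration; `fixed_seq` shows an ordering that satisfies the constraints as stated in the cover letter, not the exact body of `guest_state_enter_irqoff()`/`guest_state_exit_irqoff()` from patch 1.

```c
/* Added example, not code from the posted series or the kernel: a user-space
 * model of the four guest entry/exit ordering constraints from the cover
 * letter. Event names, the checker and both sample sequences are constructed. */
#include <stdio.h>
#include <stdbool.h>

/* Bug classes from the cover letter, as a bitmask. */
#define BUG_IRQS_ON_IN_EQS        (1u << 0) /* 1) interrupts enabled during an RCU EQS */
#define BUG_INSTR_IN_EQS          (1u << 1) /* 2) instrumented code while RCU is not watching */
#define BUG_LOCKDEP_IN_EQS        (1u << 2) /* 3) lockdep/tracing informed at the wrong point */
#define BUG_UNBALANCED_ACCOUNTING (1u << 3) /* 4) guest_enter/guest_exit not paired */

enum ev {
    IRQ_OFF, IRQ_ON,                    /* hardware interrupt mask */
    LOCKDEP_IRQS_OFF, LOCKDEP_IRQS_ON,  /* lockdep/tracing notification (instrumentable) */
    EQS_ENTER, EQS_EXIT,                /* RCU extended quiescent state: RCU stops/resumes watching */
    GUEST_ENTER, GUEST_EXIT,            /* context-tracking / vtime accounting */
    INSTRUMENTED,                       /* call into code that may carry instrumentation */
    RUN_GUEST,                          /* the actual hardware guest run */
};

struct state {
    bool in_eqs;
    int guest_depth;   /* GUEST_ENTER minus GUEST_EXIT */
    unsigned bugs;     /* accumulated bitmask of bug classes seen */
};

/* Apply one event to the model and record any constraint it violates. */
static void step(struct state *s, enum ev e)
{
    switch (e) {
    case IRQ_ON:
        if (s->in_eqs)                  /* an IRQ handler could now run without RCU watching */
            s->bugs |= BUG_IRQS_ON_IN_EQS;
        break;
    case IRQ_OFF:
        break;
    case LOCKDEP_IRQS_OFF:
    case LOCKDEP_IRQS_ON:
        if (s->in_eqs)                  /* these notifications may use RCU themselves */
            s->bugs |= BUG_LOCKDEP_IN_EQS;
        break;
    case EQS_ENTER:
        s->in_eqs = true;
        break;
    case EQS_EXIT:
        s->in_eqs = false;
        break;
    case GUEST_ENTER:
        s->guest_depth++;
        break;
    case GUEST_EXIT:
        if (s->guest_depth == 0)        /* exit without a matching enter */
            s->bugs |= BUG_UNBALANCED_ACCOUNTING;
        else
            s->guest_depth--;
        break;
    case INSTRUMENTED:
        if (s->in_eqs)                  /* instrumentation handler would run with RCU not watching */
            s->bugs |= BUG_INSTR_IN_EQS;
        break;
    case RUN_GUEST:
        break;
    }
}

/* Run a whole sequence and return the bitmask of bug classes observed;
 * 0 means the ordering satisfies every constraint in this model. */
static unsigned check_sequence(const enum ev *seq, int n)
{
    struct state s = { 0 };
    for (int i = 0; i < n; i++)
        step(&s, seq[i]);
    if (s.guest_depth != 0)             /* enter without a matching exit */
        s.bugs |= BUG_UNBALANCED_ACCOUNTING;
    return s.bugs;
}

/* Constructed "before" sequence: each of the four latent bug classes occurs once. */
static const enum ev buggy_seq[] = {
    IRQ_OFF, GUEST_ENTER, EQS_ENTER,
    LOCKDEP_IRQS_OFF,   /* informed too late: RCU is already not watching */
    IRQ_ON,             /* interrupts enabled inside the EQS */
    INSTRUMENTED,       /* tracepoint-style call inside the EQS */
    RUN_GUEST, IRQ_OFF, EQS_EXIT,
    IRQ_ON,             /* exit path returns early and GUEST_EXIT never runs */
};

/* Constructed "after" sequence: instrumentable notifications run while RCU
 * watches, nothing interrupt-enabling or instrumented happens inside the EQS,
 * and accounting is balanced. */
static const enum ev fixed_seq[] = {
    IRQ_OFF, LOCKDEP_IRQS_OFF, GUEST_ENTER, EQS_ENTER,
    RUN_GUEST,
    EQS_EXIT, GUEST_EXIT, LOCKDEP_IRQS_ON, INSTRUMENTED, IRQ_ON,
};

#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

unsigned check_buggy(void) { return check_sequence(buggy_seq, LEN(buggy_seq)); }
unsigned check_fixed(void) { return check_sequence(fixed_seq, LEN(fixed_seq)); }

int main(void)
{
    printf("buggy sequence: bug mask 0x%x\n", check_buggy());   /* 0xf: all four classes */
    printf("fixed sequence: bug mask 0x%x\n", check_fixed());   /* 0x0 */
    return 0;
}
```

The model deliberately tracks only what the cover letter's four points need (whether RCU is watching, and the enter/exit balance); it says nothing about the per-architecture details the series changes, and a real sequence would have to be extracted from the architecture's vcpu run loop rather than written by hand.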

Re: [PATCH v3 0/5] kvm: fix latent guest entry/exit bugs
Posted by Christian Borntraeger 4 years, 4 months ago

On 01.02.22 at 14:29, Mark Rutland wrote:
> Several architectures have latent bugs around guest entry/exit,
> including:

Thanks for looking into this.

> 
> 1) Enabling interrupts during an RCU EQS, allowing interrupt handlers to
>     run without RCU watching.
> 
> 2) Using (potentially) instrumented code between guest_enter() and
>     guest_exit(), allowing instrumentation handlers to run without RCU
>     watching.
> 
> 3) Not informing lockdep and tracing about interrupt masking, or
>     informing in an incorrect order (e.g. relative to entering/exiting an
>     RCU EQS).
> 
> 4) Unbalanced entry/exit accounting in some cases (which may or may not
>     result in functional problems).
> 
> Overall, the architectures affected are:
> 
>    arm64, mips, powerpc, riscv, s390, x86
> 
> This series reworks the common code to make handling these issues
> easier, and for the following architectures fixes those issues by
> conversion to new helper functions:
> 
>    arm64, mips, riscv, x86
> 
> The core, arm64, and x86 patches have reviews from the relevant
> maintainers, and I think those are good-to-go. I have not yet had
> acks/reviews for the mips and riscv patches. I'm fairly certain the
> riscv patch is correct by virtue of it being so simple, and I'm
> relatively confident that the mips patch is correct (though I may have
> missed additional issues), but I have no way of testing either so I've
> placed them at the end of the series where they can easily be dropped if
> necessary.
> 
> This series does NOT fix the following architectures, which will need
> more substantial changes to architecture-specific entry logic and/or
> sequencing:
> 
>    powerpc, s390

Right, s390 is more complicated as we need to modify the page fault handling.
For the time being we should be as bad/good as before with the deprecated old
guest_enter/exit_irqoff. I will test this to be sure.


> 
> ... and I assume it would be preferable to fix the common code and
> simple cases now, such that those can be addressed in subsequent
> follow-ups.
> 
> Since v1 [1]:
> * Add arch_in_rcu_eqs()
> * Convert s390
> * Rename exit_to_guest_mode() -> guest_state_enter_irqoff()
> * Rename enter_from_guest_mode() -> guest_state_exit_irqoff()
> * Various commit message cleanups
> 
> Since v2 [2]:
> * Rebase to v5.17-rc2
> * Fixup mips exit handling
> * Drop arch_in_rcu_eqs() & s390 patches
> 
> I've pushed the series (based on v5.17-rc2) to my kvm/entry-rework branch:
> 
>    https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=kvm/entry-rework
>    git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git kvm/entry-rework
> 
> This version of the series is tagged as kvm-entry-rework-20220201.
> 
> [1] https://lore.kernel.org/r/20220111153539.2532246-1-mark.rutland@arm.com/
> [2] https://lore.kernel.org/r/20220119105854.3160683-1-mark.rutland@arm.com/
> 
> Thanks,
> 
> 
> Mark Rutland (5):
>    kvm: add guest_state_{enter,exit}_irqoff()
>    kvm/arm64: rework guest entry logic
>    kvm/x86: rework guest entry logic
>    kvm/riscv: rework guest entry logic
>    kvm/mips: rework guest entry logic
> 
>   arch/arm64/kvm/arm.c     |  51 +++++++++++-------
>   arch/mips/kvm/mips.c     |  50 +++++++++++++++--
>   arch/riscv/kvm/vcpu.c    |  44 +++++++++------
>   arch/x86/kvm/svm/svm.c   |   4 +-
>   arch/x86/kvm/vmx/vmx.c   |   4 +-
>   arch/x86/kvm/x86.c       |   4 +-
>   arch/x86/kvm/x86.h       |  45 ----------------
>   include/linux/kvm_host.h | 112 +++++++++++++++++++++++++++++++++++++--
>   8 files changed, 222 insertions(+), 92 deletions(-)
> 
Re: [PATCH v3 0/5] kvm: fix latent guest entry/exit bugs
Posted by Paolo Bonzini 4 years, 4 months ago
On 2/1/22 14:29, Mark Rutland wrote:
> I've pushed the series (based on v5.17-rc2) to my kvm/entry-rework branch:
> 
>    https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=kvm/entry-rework
>    git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git kvm/entry-rework

Thanks!  I cherry-picked the basic, x86 and mips patches to kvm.git's 
master branch (I did not use your branch in order to leave arm64 and 
riscv to the respective maintainers).

Paolo

> This version of the series is tagged as kvm-entry-rework-20220201.
> 
> [1] https://lore.kernel.org/r/20220111153539.2532246-1-mark.rutland@arm.com/
> [2] https://lore.kernel.org/r/20220119105854.3160683-1-mark.rutland@arm.com/
> 
> Thanks,
> 
> 
> Mark Rutland (5):
>    kvm: add guest_state_{enter,exit}_irqoff()
>    kvm/arm64: rework guest entry logic
>    kvm/x86: rework guest entry logic
>    kvm/riscv: rework guest entry logic
>    kvm/mips: rework guest entry logic
> 
>   arch/arm64/kvm/arm.c     |  51 +++++++++++-------
>   arch/mips/kvm/mips.c     |  50 +++++++++++++++--
>   arch/riscv/kvm/vcpu.c    |  44 +++++++++------
>   arch/x86/kvm/svm/svm.c   |   4 +-
>   arch/x86/kvm/vmx/vmx.c   |   4 +-
>   arch/x86/kvm/x86.c       |   4 +-
>   arch/x86/kvm/x86.h       |  45 ----------------
>   include/linux/kvm_host.h | 112 +++++++++++++++++++++++++++++++++++++--
>   8 files changed, 222 insertions(+), 92 deletions(-)
> 

Re: [PATCH v3 0/5] kvm: fix latent guest entry/exit bugs
Posted by Marc Zyngier 4 years, 4 months ago
On Tue, 01 Feb 2022 15:59:47 +0000,
Paolo Bonzini <pbonzini@redhat.com> wrote:
> 
> On 2/1/22 14:29, Mark Rutland wrote:
> > I've pushed the series (based on v5.17-rc2) to my kvm/entry-rework branch:
> > 
> >    https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=kvm/entry-rework
> >    git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git kvm/entry-rework
> 
> Thanks!  I cherry-picked the basic, x86 and mips patches to kvm.git's
> master branch (I did not use your branch in order to leave arm64 and
> riscv to the respective maintainers).

How do you want to play this one? I was expecting a stable base
(containing only the initial patch) on top of a common tag (like
-rc1).

Or do you expect arm64 and riscv to have their own copy of patch #1?

	M.

-- 
Without deviation from the norm, progress is not possible.
Re: [PATCH v3 0/5] kvm: fix latent guest entry/exit bugs
Posted by Mark Rutland 4 years, 4 months ago
On Tue, Feb 01, 2022 at 04:59:47PM +0100, Paolo Bonzini wrote:
> On 2/1/22 14:29, Mark Rutland wrote:
> > I've pushed the series (based on v5.17-rc2) to my kvm/entry-rework branch:
> > 
> >    https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=kvm/entry-rework
> >    git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git kvm/entry-rework
> 
> Thanks!  I cherry-picked the basic, x86 and mips patches to kvm.git's master
> branch (I did not use your branch in order to leave arm64 and riscv to the
> respective maintainers).

Since everything's dependent upon that core patch, IIUC that's going to make it
a pain for them to queue things.

How are you expecting the arm64 and riscv maintainers to queue things? Queue
their own copies of that core patch?

Thanks,
Mark.

> Paolo
> 
> > This version of the series is tagged as kvm-entry-rework-20220201.
> > 
> > [1] https://lore.kernel.org/r/20220111153539.2532246-1-mark.rutland@arm.com/
> > [2] https://lore.kernel.org/r/20220119105854.3160683-1-mark.rutland@arm.com/
> > 
> > Thanks,
> > 
> > 
> > Mark Rutland (5):
> >    kvm: add guest_state_{enter,exit}_irqoff()
> >    kvm/arm64: rework guest entry logic
> >    kvm/x86: rework guest entry logic
> >    kvm/riscv: rework guest entry logic
> >    kvm/mips: rework guest entry logic
> > 
> >   arch/arm64/kvm/arm.c     |  51 +++++++++++-------
> >   arch/mips/kvm/mips.c     |  50 +++++++++++++++--
> >   arch/riscv/kvm/vcpu.c    |  44 +++++++++------
> >   arch/x86/kvm/svm/svm.c   |   4 +-
> >   arch/x86/kvm/vmx/vmx.c   |   4 +-
> >   arch/x86/kvm/x86.c       |   4 +-
> >   arch/x86/kvm/x86.h       |  45 ----------------
> >   include/linux/kvm_host.h | 112 +++++++++++++++++++++++++++++++++++++--
> >   8 files changed, 222 insertions(+), 92 deletions(-)
> > 
> 
Re: [PATCH v3 0/5] kvm: fix latent guest entry/exit bugs
Posted by Paolo Bonzini 4 years, 4 months ago
On 2/1/22 17:22, Mark Rutland wrote:
> On Tue, Feb 01, 2022 at 04:59:47PM +0100, Paolo Bonzini wrote:
>> On 2/1/22 14:29, Mark Rutland wrote:
>>> I've pushed the series (based on v5.17-rc2) to my kvm/entry-rework branch:
>>>
>>>     https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=kvm/entry-rework
>>>     git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git kvm/entry-rework
>>
>> Thanks!  I cherry-picked the basic, x86 and mips patches to kvm.git's master
>> branch (I did not use your branch in order to leave arm64 and riscv to the
>> respective maintainers).
> 
> Since everything's dependent upon that core patch, IIUC that's going to make it
> a pain for them to queue things.
> 
> How are you expecting the arm64 and riscv maintainers to queue things? Queue
> their own copies of that core patch?

The kvm.git master branch has a stable commit id, so the KVM/ARM and 
KVM/RISCV maintainers can just base their pull request to me on it. 
Alternatively, if they prefer it that way, I can get it quickly to Linus.

Paolo

Re: [PATCH v3 0/5] kvm: fix latent guest entry/exit bugs
Posted by Marc Zyngier 4 years, 4 months ago
On Tue, 01 Feb 2022 17:10:35 +0000,
Paolo Bonzini <pbonzini@redhat.com> wrote:
> 
> On 2/1/22 17:22, Mark Rutland wrote:
> > On Tue, Feb 01, 2022 at 04:59:47PM +0100, Paolo Bonzini wrote:
> >> On 2/1/22 14:29, Mark Rutland wrote:
> >>> I've pushed the series (based on v5.17-rc2) to my kvm/entry-rework branch:
> >>> 
> >>>     https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=kvm/entry-rework
> >>>     git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git kvm/entry-rework
> >> 
> >> Thanks!  I cherry-picked the basic, x86 and mips patches to kvm.git's master
> >> branch (I did not use your branch in order to leave arm64 and riscv to the
> >> respective maintainers).
> > 
> > Since everything's dependent upon that core patch, IIUC that's going to make it
> > a pain for them to queue things.
> > 
> > How are you expecting the arm64 and riscv maintainers to queue things? Queue
> > their own copies of that core patch?
> 
> The kvm.git master branch has a stable commit id, so the KVM/ARM and
> KVM/RISCV maintainers can just base their pull request to me on
> it. Alternatively, if they prefer it that way, I can get it quickly to
> Linus.

In which case, please add the arm64 patch to the mix. I'm not rebasing
my current queue.

	M.

-- 
Without deviation from the norm, progress is not possible.