Reply-To: Sean Christopherson
Date: Fri, 2 May 2025 15:34:56 -0700
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
X-Mailer: git-send-email 2.49.0.906.g1f30a19c02-goog
Message-ID: <20250502223456.887618-1-seanjc@google.com>
Subject: [PATCH] KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Michael Larabel, Borislav Petkov
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Set the magic BP_SPEC_REDUCE bit to mitigate SRSO when running VMs if and
only if KVM has at least one active VM. Leaving the bit set at all times
unfortunately degrades performance by a wee bit more than expected.

Use a dedicated spinlock and counter instead of hooking virtualization
enablement, as changing the behavior of kvm.enable_virt_at_load based on
SRSO_BP_SPEC_REDUCE is painful, and has its own drawbacks, e.g. could
result in performance issues for flows that are sensitive to VM creation
latency.

Similarly, don't bother optimizing the 1=>N and N=>1 transitions, e.g. by
using atomic_inc_return() to avoid taking the spinlock, as ensuring that
BP_SPEC_REDUCE is guaranteed to be set before KVM_RUN is non-trivial. KVM
already serializes VM creation against kvm_lock (to add the VM to vm_list),
and the spinlock will only be held for a handful of cycles for the 1<=>N
cases. I.e. the complexity needed to ensure correctness outweighs the
marginal benefits of eliding the lock. See the Link for details.

Link: https://lore.kernel.org/all/aBOnzNCngyS_pQIW@google.com
Fixes: 8442df2b49ed ("x86/bugs: KVM: Add support for SRSO_MSR_FIX")
Reported-by: Michael Larabel
Closes: https://www.phoronix.com/review/linux-615-amd-regression
Cc: Borislav Petkov
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/svm.c | 43 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index cc1c721ba067..364959fd1040 100644
--- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -607,9 +607,6 @@ static void svm_disable_virtualization_cpu(void) kvm_cpu_svm_disable(); =20 amd_pmu_disable_virt(); - - if (cpu_feature_enabled(X86_FEATURE_SRSO_BP_SPEC_REDUCE)) - msr_clear_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT); } =20 static int svm_enable_virtualization_cpu(void) @@ -687,9 +684,6 @@ static int svm_enable_virtualization_cpu(void) rdmsr(MSR_TSC_AUX, sev_es_host_save_area(sd)->tsc_aux, msr_hi); } =20 - if (cpu_feature_enabled(X86_FEATURE_SRSO_BP_SPEC_REDUCE)) - msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT); - return 0; } =20 @@ -5032,10 +5026,46 @@ static void svm_vcpu_deliver_sipi_vector(struct kvm= _vcpu *vcpu, u8 vector) sev_vcpu_deliver_sipi_vector(vcpu, vector); } =20 +#ifdef CONFIG_CPU_MITIGATIONS +static DEFINE_SPINLOCK(srso_lock); +static int srso_nr_vms; + +static void svm_toggle_srso_spec_reduce(void *set) +{ + if (set) + msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT); + else + msr_clear_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT); +} + +static void svm_srso_add_remove_vm(int count) +{ + bool set; + + if (!cpu_feature_enabled(X86_FEATURE_SRSO_BP_SPEC_REDUCE)) + return; + + guard(spinlock)(&srso_lock); + + set =3D !srso_nr_vms; + srso_nr_vms +=3D count; + + WARN_ON_ONCE(srso_nr_vms < 0); + if (!set && srso_nr_vms) + return; + + on_each_cpu(svm_toggle_srso_spec_reduce, (void *)set, 1); +} +#else +static void svm_srso_add_remove_vm(int count) { } +#endif + static void svm_vm_destroy(struct kvm *kvm) { avic_vm_destroy(kvm); sev_vm_destroy(kvm); + + svm_srso_add_remove_vm(-1); } =20 static int svm_vm_init(struct kvm *kvm) @@ -5061,6 +5091,7 @@ static int svm_vm_init(struct kvm *kvm) return ret; } =20 + svm_srso_add_remove_vm(1); return 0; } =20 base-commit: 45eb29140e68ffe8e93a5471006858a018480a45 --=20 2.49.0.906.g1f30a19c02-goog
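
Review bot: in the second hunk (svm_enable_virtualization_cpu), removing the msr_set_bit() call leaves the on_each_cpu() in svm_srso_add_remove_vm() as the only writer of BP_SPEC_REDUCE, and that call runs once, at the 0=>1 transition, on the CPUs that are online at that moment. Nothing in the lines shown sets the bit on a CPU that goes through svm_enable_virtualization_cpu() later while srso_nr_vms is non-zero, so a vCPU scheduled there could run without the mitigation. Consider keeping a set in the per-CPU enable path that is conditional on srso_nr_vms, or explain in the changelog why that case cannot occur.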
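
Review bot: in the third hunk, svm_srso_add_remove_vm() has no comment explaining that `set = !srso_nr_vms;` is sampled before `srso_nr_vms += count;`, which is what makes `if (!set && srso_nr_vms) return;` skip every transition except 0=>1 and 1=>0. The logic is correct as written for count of +1 or -1, but it is easy to break by reordering, so a short comment above the early return naming the two transitions that fall through to on_each_cpu() would help. Separately, `(void *)set` casts a bool straight to a pointer; going through an integer type of pointer width, e.g. `(void *)(unsigned long)set`, or using two small callbacks with a NULL argument, would make the intent explicit.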
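
Review bot: in the last hunk, svm_srso_add_remove_vm(1) sits after the early `return ret;` in svm_vm_init(), while svm_vm_destroy() calls svm_srso_add_remove_vm(-1) unconditionally. The count stays balanced only if svm_vm_destroy() is never reached for a VM whose svm_vm_init() returned an error; if it is, srso_nr_vms goes negative and the only reaction is the WARN_ON_ONCE(). Please state that invariant in a comment next to the increment, or do the increment before any failure point and undo it on the error path.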