From nobody Sun Dec 14 19:21:37 2025 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 865CA2AEF5 for ; Thu, 22 May 2025 00:56:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747875370; cv=none; b=SzDMs8v521xedNl9iTqJ59XdkTQfDq3Z6lR6TYAYHxZPj5NXFkX+YFHqfG0ORnOJiJ/t1G2MUGKZCwLllCzzUMCygSXptbnLidhkePUJv0XAZY/n4qqXJWHx2CfyIAzvboe10tdNOw3z8h8Dylmemm/OTsZ0USEQ4cSdSpmSvUQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747875370; c=relaxed/simple; bh=WHJHFBiweDND1oa0JY9d43uNzZ923uYqP5l9sffMTRs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ICGsaobyxewy6n6zF2wMjl2fttAYXkq36NfPev1MXAZIfeK7ygOB+BMGx8wgFaWe4xQIRGmnwArQVyuK10dK/wuHhsHqjz22y7SgMdLs/XBsFCLdM5nEw4vDAqOyj2lWGvA2m72m9BARIxqr6MNUqBcwvzbQw+9fslqEFNpN21E= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=TsPrqeSN; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="TsPrqeSN" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1747875366; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=7iucTWsl9+it5oDIMq892Zuh83YvGMwat/qKMt6J/ZI=; b=TsPrqeSNyUvyw3S1o49f1P4gij7g9FtLnbvx4AWJV+M8SmH/Tomh7meEEtlA8xgXBiaZif vPY7k+GY7Ku6OWKZvSFjAV0cR+lQPdB9dVQghxx+axFQIRymqTXa7kYOdVhjN5o407QgUs 40HL1cPvIGFCR9Grhm3GaA0zvPuALuc= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-43--9gH1T-0OOCIRQUOnD75oQ-1; Wed, 21 May 2025 20:56:03 -0400 X-MC-Unique: -9gH1T-0OOCIRQUOnD75oQ-1 X-Mimecast-MFC-AGG-ID: -9gH1T-0OOCIRQUOnD75oQ_1747875361 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 7AA8918004A7; Thu, 22 May 2025 00:56:01 +0000 (UTC) Received: from intellaptop.lan (unknown [10.22.80.5]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 745B81956066; Thu, 22 May 2025 00:55:59 +0000 (UTC) From: Maxim Levitsky To: kvm@vger.kernel.org Cc: "H. Peter Anvin" , Thomas Gleixner , Sean Christopherson , Dave Hansen , Borislav Petkov , Ingo Molnar , linux-kernel@vger.kernel.org, x86@kernel.org, Paolo Bonzini , Maxim Levitsky Subject: [PATCH v5 1/5] KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap Date: Wed, 21 May 2025 20:55:51 -0400 Message-ID: <20250522005555.55705-2-mlevitsk@redhat.com> In-Reply-To: <20250522005555.55705-1-mlevitsk@redhat.com> References: <20250522005555.55705-1-mlevitsk@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 Content-Type: text/plain; charset="utf-8" From: Sean Christopherson Signed-off-by: Sean Christopherson --- arch/x86/include/asm/kvm_host.h | 6 +++++- arch/x86/kvm/svm/svm.c | 4 ++-- arch/x86/kvm/vmx/main.c | 6 +++--- arch/x86/kvm/vmx/tdx.c | 3 ++- arch/x86/kvm/vmx/vmx.c | 3 ++- arch/x86/kvm/vmx/x86_ops.h | 4 ++-- arch/x86/kvm/x86.c | 11 ++++++++--- 7 files changed, 24 insertions(+), 13 deletions(-) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_hos= t.h index 6c06f3d6e081..72e7bb48e7ac 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1671,6 +1671,10 @@ static inline u16 kvm_lapic_irq_dest_mode(bool dest_= mode_logical) return dest_mode_logical ? APIC_DEST_LOGICAL : APIC_DEST_PHYSICAL; } =20 +enum kvm_x86_run_flags { + KVM_RUN_FORCE_IMMEDIATE_EXIT =3D BIT(0), +}; + struct kvm_x86_ops { const char *name; =20 @@ -1752,7 +1756,7 @@ struct kvm_x86_ops { =20 int (*vcpu_pre_run)(struct kvm_vcpu *vcpu); enum exit_fastpath_completion (*vcpu_run)(struct kvm_vcpu *vcpu, - bool force_immediate_exit); + u64 run_flags); int (*handle_exit)(struct kvm_vcpu *vcpu, enum exit_fastpath_completion exit_fastpath); int (*skip_emulated_instruction)(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index cc1c721ba067..c8b8a9947057 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -4259,9 +4259,9 @@ static noinstr void svm_vcpu_enter_exit(struct kvm_vc= pu *vcpu, bool spec_ctrl_in guest_state_exit_irqoff(); } =20 -static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, - bool force_immediate_exit) +static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, u64 run_f= lags) { + bool force_immediate_exit =3D run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT; struct vcpu_svm *svm =3D to_svm(vcpu); bool spec_ctrl_intercepted =3D msr_write_intercepted(vcpu, MSR_IA32_SPEC_= CTRL); =20 diff --git a/arch/x86/kvm/vmx/main.c b/arch/x86/kvm/vmx/main.c index 94d5d907d37b..a8e80d66e77a 100644 --- a/arch/x86/kvm/vmx/main.c +++ b/arch/x86/kvm/vmx/main.c @@ -176,12 +176,12 @@ static int vt_vcpu_pre_run(struct kvm_vcpu *vcpu) return vmx_vcpu_pre_run(vcpu); } =20 -static fastpath_t vt_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_= exit) +static fastpath_t vt_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) { if (is_td_vcpu(vcpu)) - return tdx_vcpu_run(vcpu, force_immediate_exit); + return tdx_vcpu_run(vcpu, run_flags); =20 - return vmx_vcpu_run(vcpu, force_immediate_exit); + return vmx_vcpu_run(vcpu, run_flags); } =20 static int vt_handle_exit(struct kvm_vcpu *vcpu, diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c index b952bc673271..7dbfad28debc 100644 --- a/arch/x86/kvm/vmx/tdx.c +++ b/arch/x86/kvm/vmx/tdx.c @@ -1020,8 +1020,9 @@ static void tdx_load_host_xsave_state(struct kvm_vcpu= *vcpu) DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI | \ DEBUGCTLMSR_FREEZE_IN_SMM) =20 -fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) +fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) { + bool force_immediate_exit =3D run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT; struct vcpu_tdx *tdx =3D to_tdx(vcpu); struct vcpu_vt *vt =3D to_vt(vcpu); =20 diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index ef2d7208dd20..609563da270c 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -7324,8 +7324,9 @@ static noinstr void vmx_vcpu_enter_exit(struct kvm_vc= pu *vcpu, guest_state_exit_irqoff(); } =20 -fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) +fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) { + bool force_immediate_exit =3D run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT; struct vcpu_vmx *vmx =3D to_vmx(vcpu); unsigned long cr3, cr4; =20 diff --git a/arch/x86/kvm/vmx/x86_ops.h b/arch/x86/kvm/vmx/x86_ops.h index 6bf8be570b2e..e1dfacd6b41f 100644 --- a/arch/x86/kvm/vmx/x86_ops.h +++ b/arch/x86/kvm/vmx/x86_ops.h @@ -21,7 +21,7 @@ void vmx_vm_destroy(struct kvm *kvm); int vmx_vcpu_precreate(struct kvm *kvm); int vmx_vcpu_create(struct kvm_vcpu *vcpu); int vmx_vcpu_pre_run(struct kvm_vcpu *vcpu); -fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit); +fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags); void vmx_vcpu_free(struct kvm_vcpu *vcpu); void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event); void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu); @@ -132,7 +132,7 @@ void tdx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_ev= ent); void tdx_vcpu_free(struct kvm_vcpu *vcpu); void tdx_vcpu_load(struct kvm_vcpu *vcpu, int cpu); int tdx_vcpu_pre_run(struct kvm_vcpu *vcpu); -fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit); +fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags); void tdx_prepare_switch_to_guest(struct kvm_vcpu *vcpu); void tdx_vcpu_put(struct kvm_vcpu *vcpu); bool tdx_protected_apic_has_interrupt(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index f6ce044b090a..45e8a9eb438a 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -10752,6 +10752,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) dm_request_for_irq_injection(vcpu) && kvm_cpu_accept_dm_intr(vcpu); fastpath_t exit_fastpath; + u64 run_flags; =20 bool req_immediate_exit =3D false; =20 @@ -10996,8 +10997,11 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) goto cancel_injection; } =20 - if (req_immediate_exit) + run_flags =3D 0; + if (req_immediate_exit) { + run_flags |=3D KVM_RUN_FORCE_IMMEDIATE_EXIT; kvm_make_request(KVM_REQ_EVENT, vcpu); + } =20 fpregs_assert_state_consistent(); if (test_thread_flag(TIF_NEED_FPU_LOAD)) @@ -11034,8 +11038,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) WARN_ON_ONCE((kvm_vcpu_apicv_activated(vcpu) !=3D kvm_vcpu_apicv_active(= vcpu)) && (kvm_get_apic_mode(vcpu) !=3D LAPIC_MODE_DISABLED)); =20 - exit_fastpath =3D kvm_x86_call(vcpu_run)(vcpu, - req_immediate_exit); + exit_fastpath =3D kvm_x86_call(vcpu_run)(vcpu, run_flags); if (likely(exit_fastpath !=3D EXIT_FASTPATH_REENTER_GUEST)) break; =20 @@ -11047,6 +11050,8 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) break; } =20 + run_flags =3D 0; + /* Note, VM-Exits that go down the "slow" path are accounted below. */ ++vcpu->stat.exits; } --=20 2.46.0 From nobody Sun Dec 14 19:21:37 2025 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 85B2813774D for ; Thu, 22 May 2025 00:56:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747875372; cv=none; b=aZgWp8Q6ZdMoiyB/DlyKmtroHp9XT0lk+9q78XAtc8sBcbusbw5pl/npdzyDmVJsB3B3OKU4vUK9P6zWATuo3vNi0ZRMuERb5bZy2ujTrZ5lFipq3reEMMGhc1ADMI9v8grwB2Yty2Dv/XmsBCGtDithSU0kLwfdLE8cDUIHxSc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747875372; c=relaxed/simple; bh=fGNP6SsyTt8OPgAbSjlCTnWQeNrQ/ijnj/9DTo/rvAQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=oq8EOwmYOauDWu6UFMq/irPAm851toYjAAUsDviZ//L0hKsx2XYZOeIe2+jzlqnl++EbwT/uKAW/MXrlGGFVl2CUWcQvaEuab08FCdPHcv2nNe0RDktrDcCCMv0kCdQ4HOgl640GIFcdCb22MEmIAeOupyQJFKQHdqV6jQ4gG+U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=M6F7b/gb; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="M6F7b/gb" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1747875369; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PDNmaVDcWXodOwzMrApEksITYRc+Beiuyl2aSYUu6vk=; b=M6F7b/gblTKY/yLR8yeoUUMGZlgE2Sg14iZxSc73EuyfjCtlSgOc68GUh+zqzKGXloWbFA iVf+ZdXfEE0IA89XVkbnunF/FmknFbbrWa+WE6box7bZG0j8FdEDyfBBInTfzrt59rh/2W 55qkLG18cv6gvQOH/b84yazBILX83os= Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-682-gihpJDTIMmqmlJtti2DKPw-1; Wed, 21 May 2025 20:56:05 -0400 X-MC-Unique: gihpJDTIMmqmlJtti2DKPw-1 X-Mimecast-MFC-AGG-ID: gihpJDTIMmqmlJtti2DKPw_1747875364 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 321A81955DAB; Thu, 22 May 2025 00:56:04 +0000 (UTC) Received: from intellaptop.lan (unknown [10.22.80.5]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id C188A1956066; Thu, 22 May 2025 00:56:01 +0000 (UTC) From: Maxim Levitsky To: kvm@vger.kernel.org Cc: "H. Peter Anvin" , Thomas Gleixner , Sean Christopherson , Dave Hansen , Borislav Petkov , Ingo Molnar , linux-kernel@vger.kernel.org, x86@kernel.org, Paolo Bonzini , Maxim Levitsky Subject: [PATCH v5 2/5] KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag Date: Wed, 21 May 2025 20:55:52 -0400 Message-ID: <20250522005555.55705-3-mlevitsk@redhat.com> In-Reply-To: <20250522005555.55705-1-mlevitsk@redhat.com> References: <20250522005555.55705-1-mlevitsk@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 Content-Type: text/plain; charset="utf-8" From: Sean Christopherson Instruct vendor code to load the guest's DR6 into hardware via a new KVM_RUN flag, and remove kvm_x86_ops.set_dr6(), whose sole purpose was to load vcpu->arch.dr6 into hardware when DR6 can be read/written directly by the guest. Signed-off-by: Sean Christopherson --- arch/x86/include/asm/kvm-x86-ops.h | 1 - arch/x86/include/asm/kvm_host.h | 2 +- arch/x86/kvm/svm/svm.c | 10 ++++++---- arch/x86/kvm/vmx/main.c | 9 --------- arch/x86/kvm/vmx/vmx.c | 9 +++------ arch/x86/kvm/x86.c | 2 +- 6 files changed, 11 insertions(+), 22 deletions(-) diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-= x86-ops.h index 79406bf07a1c..a2248817470c 100644 --- a/arch/x86/include/asm/kvm-x86-ops.h +++ b/arch/x86/include/asm/kvm-x86-ops.h @@ -49,7 +49,6 @@ KVM_X86_OP(set_idt) KVM_X86_OP(get_gdt) KVM_X86_OP(set_gdt) KVM_X86_OP(sync_dirty_debug_regs) -KVM_X86_OP(set_dr6) KVM_X86_OP(set_dr7) KVM_X86_OP(cache_reg) KVM_X86_OP(get_rflags) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_hos= t.h index 72e7bb48e7ac..32ed568babcf 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1673,6 +1673,7 @@ static inline u16 kvm_lapic_irq_dest_mode(bool dest_m= ode_logical) =20 enum kvm_x86_run_flags { KVM_RUN_FORCE_IMMEDIATE_EXIT =3D BIT(0), + KVM_RUN_LOAD_GUEST_DR6 =3D BIT(1), }; =20 struct kvm_x86_ops { @@ -1725,7 +1726,6 @@ struct kvm_x86_ops { void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*sync_dirty_debug_regs)(struct kvm_vcpu *vcpu); - void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value); void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value); void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg); unsigned long (*get_rflags)(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index c8b8a9947057..026b28051fff 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -4308,10 +4308,13 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kv= m_vcpu *vcpu, u64 run_flags) svm_hv_update_vp_id(svm->vmcb, vcpu); =20 /* - * Run with all-zero DR6 unless needed, so that we can get the exact cause - * of a #DB. + * Run with all-zero DR6 unless the guest can write DR6 freely, so that + * KVM can get the exact cause of a #DB. Note, loading guest DR6 from + * KVM's snapshot is only necessary when DR accesses won't exit. */ - if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))) + if (unlikely(run_flags & KVM_RUN_LOAD_GUEST_DR6)) + svm_set_dr6(vcpu, vcpu->arch.dr6); + else if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))) svm_set_dr6(vcpu, DR6_ACTIVE_LOW); =20 clgi(); @@ -5119,7 +5122,6 @@ static struct kvm_x86_ops svm_x86_ops __initdata =3D { .set_idt =3D svm_set_idt, .get_gdt =3D svm_get_gdt, .set_gdt =3D svm_set_gdt, - .set_dr6 =3D svm_set_dr6, .set_dr7 =3D svm_set_dr7, .sync_dirty_debug_regs =3D svm_sync_dirty_debug_regs, .cache_reg =3D svm_cache_reg, diff --git a/arch/x86/kvm/vmx/main.c b/arch/x86/kvm/vmx/main.c index a8e80d66e77a..28f854055e2c 100644 --- a/arch/x86/kvm/vmx/main.c +++ b/arch/x86/kvm/vmx/main.c @@ -498,14 +498,6 @@ static void vt_set_gdt(struct kvm_vcpu *vcpu, struct d= esc_ptr *dt) vmx_set_gdt(vcpu, dt); } =20 -static void vt_set_dr6(struct kvm_vcpu *vcpu, unsigned long val) -{ - if (is_td_vcpu(vcpu)) - return; - - vmx_set_dr6(vcpu, val); -} - static void vt_set_dr7(struct kvm_vcpu *vcpu, unsigned long val) { if (is_td_vcpu(vcpu)) @@ -945,7 +937,6 @@ struct kvm_x86_ops vt_x86_ops __initdata =3D { .set_idt =3D vt_set_idt, .get_gdt =3D vt_get_gdt, .set_gdt =3D vt_set_gdt, - .set_dr6 =3D vt_set_dr6, .set_dr7 =3D vt_set_dr7, .sync_dirty_debug_regs =3D vt_sync_dirty_debug_regs, .cache_reg =3D vt_cache_reg, diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 609563da270c..9953de0cb32a 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -5611,12 +5611,6 @@ void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu) set_debugreg(DR6_RESERVED, 6); } =20 -void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val) -{ - lockdep_assert_irqs_disabled(); - set_debugreg(vcpu->arch.dr6, 6); -} - void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val) { vmcs_writel(GUEST_DR7, val); @@ -7371,6 +7365,9 @@ fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 ru= n_flags) vmcs_writel(GUEST_RIP, vcpu->arch.regs[VCPU_REGS_RIP]); vcpu->arch.regs_dirty =3D 0; =20 + if (run_flags & KVM_RUN_LOAD_GUEST_DR6) + set_debugreg(vcpu->arch.dr6, 6); + /* * Refresh vmcs.HOST_CR3 if necessary. This must be done immediately * prior to VM-Enter, as the kernel may load a new ASID (PCID) any time diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 45e8a9eb438a..38875a38be52 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -11019,7 +11019,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) set_debugreg(vcpu->arch.eff_db[3], 3); /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - kvm_x86_call(set_dr6)(vcpu, vcpu->arch.dr6); + run_flags |=3D KVM_RUN_LOAD_GUEST_DR6; } else if (unlikely(hw_breakpoint_active())) { set_debugreg(0, 7); } --=20 2.46.0 From nobody Sun Dec 14 19:21:37 2025 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 012D6155A4D for ; Thu, 22 May 2025 00:56:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747875376; cv=none; b=aNK04ADgrZrL8KKDqgVCl2Jp8+1xG/GrjyqMGMq6agRIg8Cxk7ro+3RV/2QoMiw1C0cFdDq0Bb7mS7XA14+AlSqqZkd3F+wb+ToKz4qWGafhgEAcYGxRChgZ9Visb9FEKtjjdncJo9eeiwaUA728XuGwFEJrbayHV+/4p7tn/4I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747875376; c=relaxed/simple; bh=SBcTFOWblvTRZV0ciy3LajIn+btKaXHcFRkSjK2ep3Y=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=CcLvcWtpjAXvz0e4g3/N6FxS+uE6/DVCwIc/r93cpB35rhcOKbzEJXBrk8IqCddW7V88Wj7uo8RZGc0kennTNDuy/6uZ6C4sV+6lvp9oSLd6T6jvJhi1yqiPrxC4b+tjsf/RhcY4f10j/dXKLNXOTEiqcLi+uud3TCk/T8koGLQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=PDZMj1DJ; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="PDZMj1DJ" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1747875374; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RSF3Pw04XxAwlf8ujRRM/pIVlPZ9S+nu3dIi3wffJjI=; b=PDZMj1DJhXWPKSHIMK5X67jLFRjvbvm7QUK5D0K7WH052CtARkOjOjDWpYdv1+khw7w1Dp ghpfB8kb+qxFFe9ruq4mN5D8GwD9gyYcRc9DZuEfMR05sNn6jLkU+rYbc4z02nPVLu/RNK glc3cgBzTapW4FZVZSCfCMb/Za6SRBc= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-396-YvDoV24LNX-atWdyhcQ15g-1; Wed, 21 May 2025 20:56:08 -0400 X-MC-Unique: YvDoV24LNX-atWdyhcQ15g-1 X-Mimecast-MFC-AGG-ID: YvDoV24LNX-atWdyhcQ15g_1747875367 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 9E30C180098C; Thu, 22 May 2025 00:56:06 +0000 (UTC) Received: from intellaptop.lan (unknown [10.22.80.5]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 765DA19560B7; Thu, 22 May 2025 00:56:04 +0000 (UTC) From: Maxim Levitsky To: kvm@vger.kernel.org Cc: "H. Peter Anvin" , Thomas Gleixner , Sean Christopherson , Dave Hansen , Borislav Petkov , Ingo Molnar , linux-kernel@vger.kernel.org, x86@kernel.org, Paolo Bonzini , Maxim Levitsky , Chao Gao Subject: [PATCH v5 3/5] KVM: nVMX: check vmcs12->guest_ia32_debugctl value given by L2 Date: Wed, 21 May 2025 20:55:53 -0400 Message-ID: <20250522005555.55705-4-mlevitsk@redhat.com> In-Reply-To: <20250522005555.55705-1-mlevitsk@redhat.com> References: <20250522005555.55705-1-mlevitsk@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 Content-Type: text/plain; charset="utf-8" Check the vmcs12 guest_ia32_debugctl value before loading it, to avoid L2 being able to load arbitrary values to hardware IA32_DEBUGCTL. Reviewed-by: Chao Gao Signed-off-by: Maxim Levitsky --- arch/x86/kvm/vmx/nested.c | 3 ++- arch/x86/kvm/vmx/vmx.c | 2 +- arch/x86/kvm/vmx/vmx.h | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index e073e3008b16..00f2b762710c 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -3146,7 +3146,8 @@ static int nested_vmx_check_guest_state(struct kvm_vc= pu *vcpu, return -EINVAL; =20 if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) && - CC(!kvm_dr7_valid(vmcs12->guest_dr7))) + (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) || + CC(vmcs12->guest_ia32_debugctl & ~vmx_get_supported_debugctl(vcpu, f= alse)))) return -EINVAL; =20 if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) && diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 9953de0cb32a..9046ee2e9a04 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2179,7 +2179,7 @@ static u64 nested_vmx_truncate_sysenter_addr(struct k= vm_vcpu *vcpu, return (unsigned long)data; } =20 -static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_ini= tiated) +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated) { u64 debugctl =3D 0; =20 diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 6d1e40ecc024..eb924c2acfd0 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -414,6 +414,7 @@ static inline void vmx_set_intercept_for_msr(struct kvm= _vcpu *vcpu, u32 msr, } =20 void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); =20 /* * Note, early Intel manuals have the write-low and read-high bitmap offse= ts --=20 2.46.0 From nobody Sun Dec 14 19:21:37 2025 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E8867155342 for ; Thu, 22 May 2025 00:56:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747875377; cv=none; b=L33pEmouCplCR0zjqafnHiX2X5jnH9wt3JfJ4rqTukB3pIL+WY+NX1esOVc90D3u+Wm8fmuN/LXdRF9oHqirJTrHApHXWQbMpL8ytMmZxJrEVRzLbeqK0BPwrrap90F0Z7LyndfEslNkwjxz932rB0guC+hpkezq9aUIhvbcweU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747875377; c=relaxed/simple; bh=Zp1RHEXT2hWrz/iBxuTQFP+sktEBXlp7S0w6GkPVWuQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=O9FwMwO28MmcKeesnJR5ezreVteETvC1cZCFn7YgvIPDUicYyxIqeS8NnMcxv1piIAuKbMB1azD6vi5Xm0FLjn7+RHldQhiZ3ffWJsi3HewOLDNwrKYpc6xIxiBGukfjj2CU5TlxPJx7lqmDsMt2Yh1AyLIzbizgrak7xXj5U4Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=R1V4z5k5; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="R1V4z5k5" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1747875374; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=egiQaKlG882xHvnXxJOJohJhG2/tS80sDRkBw5n8Lpc=; b=R1V4z5k5Zw5yGdzGVqibDrynPQoof954ucvrr+UveyFfxcdEhfrLVqP4Jff5PHXUcSdsIM ypnqINMx3atQAPwE8oMYf7lHeGuXkIs3J/02Uc+I1mpp7edj2dsB3kx6ptfR6OB4PW6S+X JVxLAw+2dFXMEpcfr76OIFt7IIr98OE= Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-77-Yp-XUYY1PC-KWUK0HyPfWQ-1; Wed, 21 May 2025 20:56:10 -0400 X-MC-Unique: Yp-XUYY1PC-KWUK0HyPfWQ-1 X-Mimecast-MFC-AGG-ID: Yp-XUYY1PC-KWUK0HyPfWQ_1747875369 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 1DF4519560AA; Thu, 22 May 2025 00:56:09 +0000 (UTC) Received: from intellaptop.lan (unknown [10.22.80.5]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id E10AF1956066; Thu, 22 May 2025 00:56:06 +0000 (UTC) From: Maxim Levitsky To: kvm@vger.kernel.org Cc: "H. Peter Anvin" , Thomas Gleixner , Sean Christopherson , Dave Hansen , Borislav Petkov , Ingo Molnar , linux-kernel@vger.kernel.org, x86@kernel.org, Paolo Bonzini , Maxim Levitsky Subject: [PATCH v5 4/5] KVM: VMX: wrap guest access to IA32_DEBUGCTL with wrappers Date: Wed, 21 May 2025 20:55:54 -0400 Message-ID: <20250522005555.55705-5-mlevitsk@redhat.com> In-Reply-To: <20250522005555.55705-1-mlevitsk@redhat.com> References: <20250522005555.55705-1-mlevitsk@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 Content-Type: text/plain; charset="utf-8" Introduce two wrappers vmx_guest_debugctl_read and vmx_guest_debugctl_write which read/write the GUEST_IA32_DEBUGCTL vmcs field. In the next patch these wrappers will be used to hide the DEBUGCTLMSR_FREEZE_IN_SMM bit from the guest. Signed-off-by: Maxim Levitsky --- arch/x86/kvm/vmx/nested.c | 4 ++-- arch/x86/kvm/vmx/pmu_intel.c | 8 ++++---- arch/x86/kvm/vmx/vmx.c | 18 +++++++++++++++--- arch/x86/kvm/vmx/vmx.h | 2 ++ 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 00f2b762710c..b505f3f7e9ab 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2653,7 +2653,7 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, stru= ct vmcs12 *vmcs12, if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) { kvm_set_dr(vcpu, 7, vmcs12->guest_dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl); + vmx_guest_debugctl_write(vcpu, vmcs12->guest_ia32_debugctl); } else { kvm_set_dr(vcpu, 7, vcpu->arch.dr7); vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl); @@ -4789,7 +4789,7 @@ static void load_vmcs12_host_state(struct kvm_vcpu *v= cpu, __vmx_set_segment(vcpu, &seg, VCPU_SREG_LDTR); =20 kvm_set_dr(vcpu, 7, 0x400); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + vmx_guest_debugctl_write(vcpu, 0); =20 if (nested_vmx_load_msr(vcpu, vmcs12->vm_exit_msr_load_addr, vmcs12->vm_exit_msr_load_count)) diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c index 8a94b52c5731..578b4ef58260 100644 --- a/arch/x86/kvm/vmx/pmu_intel.c +++ b/arch/x86/kvm/vmx/pmu_intel.c @@ -652,11 +652,11 @@ static void intel_pmu_reset(struct kvm_vcpu *vcpu) */ static void intel_pmu_legacy_freezing_lbrs_on_pmi(struct kvm_vcpu *vcpu) { - u64 data =3D vmcs_read64(GUEST_IA32_DEBUGCTL); + u64 data =3D vmx_guest_debugctl_read(); =20 if (data & DEBUGCTLMSR_FREEZE_LBRS_ON_PMI) { data &=3D ~DEBUGCTLMSR_LBR; - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); } } =20 @@ -729,7 +729,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) =20 if (!lbr_desc->event) { vmx_disable_lbr_msrs_passthrough(vcpu); - if (vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR) + if (vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR) goto warn; if (test_bit(INTEL_PMC_IDX_FIXED_VLBR, pmu->pmc_in_use)) goto warn; @@ -751,7 +751,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) =20 static void intel_pmu_cleanup(struct kvm_vcpu *vcpu) { - if (!(vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR)) + if (!(vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR)) intel_pmu_release_guest_lbr_event(vcpu); } =20 diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 9046ee2e9a04..cfab76b40780 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2154,7 +2154,7 @@ int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_dat= a *msr_info) msr_info->data =3D vmx->pt_desc.guest.addr_a[index / 2]; break; case MSR_IA32_DEBUGCTLMSR: - msr_info->data =3D vmcs_read64(GUEST_IA32_DEBUGCTL); + msr_info->data =3D vmx_guest_debugctl_read(); break; default: find_uret_msr: @@ -2194,6 +2194,16 @@ u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu= , bool host_initiated) return debugctl; } =20 +void vmx_guest_debugctl_write(struct kvm_vcpu *vcpu, u64 val) +{ + vmcs_write64(GUEST_IA32_DEBUGCTL, val); +} + +u64 vmx_guest_debugctl_read(void) +{ + return vmcs_read64(GUEST_IA32_DEBUGCTL); +} + /* * Writes msr value into the appropriate "register". * Returns 0 on success, non-0 otherwise. @@ -2279,7 +2289,8 @@ int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_dat= a *msr_info) VM_EXIT_SAVE_DEBUG_CONTROLS) get_vmcs12(vcpu)->guest_ia32_debugctl =3D data; =20 - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); + if (intel_pmu_lbr_is_enabled(vcpu) && !to_vmx(vcpu)->lbr_desc.event && (data & DEBUGCTLMSR_LBR)) intel_pmu_create_guest_lbr_event(vcpu); @@ -4795,7 +4806,8 @@ static void init_vmcs(struct vcpu_vmx *vmx) vmcs_write32(GUEST_SYSENTER_CS, 0); vmcs_writel(GUEST_SYSENTER_ESP, 0); vmcs_writel(GUEST_SYSENTER_EIP, 0); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + + vmx_guest_debugctl_write(&vmx->vcpu, 0); =20 if (cpu_has_vmx_tpr_shadow()) { vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, 0); diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index eb924c2acfd0..dffc0e18e5f7 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -415,6 +415,8 @@ static inline void vmx_set_intercept_for_msr(struct kvm= _vcpu *vcpu, u32 msr, =20 void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); +void vmx_guest_debugctl_write(struct kvm_vcpu *vcpu, u64 val); +u64 vmx_guest_debugctl_read(void); =20 /* * Note, early Intel manuals have the write-low and read-high bitmap offse= ts --=20 2.46.0 From nobody Sun Dec 14 19:21:37 2025 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 13EE417A2E1 for ; Thu, 22 May 2025 00:56:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747875378; cv=none; b=ZeXRVAUO7Q8JMSH3zlEx5bLTtQoz0K2nq+8/Qp6T1qlAI5VhZ84BYi/y6Us6Yl1xICfsgy7s34N+urdZTuQl/aH+Ed1pfrlYM/JEZL6RYTB56yS6wgptSPeAiX4Hi64Nno/xXFaLScyRumxdDTB+4ay5cE7hUPjwfvOC7lbo3kk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747875378; c=relaxed/simple; bh=qVt1iIPPogfcBBlIDh5BDoYfefDZoeCnXCt+00WLO7c=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=J/Fr7Hl5z/wcXHYKen7UdxkHAOSoziFQJT0yClgzVcjAl27UqUPKGy0pSzmPYDko5+pBNpY1Ws+URzHrBsgqNvGs81o7p4rsb7Hh7bPf0cTpjIzQEnWsQ0bdibloMd8Klx1Fu0cgoK68ZAuWYcfN94kd1X1SqMtzQeeNc5mYZl4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=Stq/0XO0; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="Stq/0XO0" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1747875374; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nr3LJuaZ3sTnYMRa12I7e2LfVKiux5OI0/JCWBFGFhM=; b=Stq/0XO0kU16Pcj9gn6x2tMeEU5AtFPPhdIU3NTMFOHxYGV1O0WhbjNmY2CRYvwrDNwjcG luELLxGahcLo6CwIo0QyJ/r3Jl5e55rGWfB7YfR5CX4p7dSQk2A8JgIAn1f3Dh93hyHtCz wx3z8VuC6oFkN/52SExQdPGdxWOUY2w= Received: from mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-466-pO8D-c7QPqOhPzjgjpMNpg-1; Wed, 21 May 2025 20:56:13 -0400 X-MC-Unique: pO8D-c7QPqOhPzjgjpMNpg-1 X-Mimecast-MFC-AGG-ID: pO8D-c7QPqOhPzjgjpMNpg_1747875371 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 891CE1956089; Thu, 22 May 2025 00:56:11 +0000 (UTC) Received: from intellaptop.lan (unknown [10.22.80.5]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 63AC419560B7; Thu, 22 May 2025 00:56:09 +0000 (UTC) From: Maxim Levitsky To: kvm@vger.kernel.org Cc: "H. Peter Anvin" , Thomas Gleixner , Sean Christopherson , Dave Hansen , Borislav Petkov , Ingo Molnar , linux-kernel@vger.kernel.org, x86@kernel.org, Paolo Bonzini , Maxim Levitsky Subject: [PATCH v5 5/5] KVM: VMX: preserve DEBUGCTLMSR_FREEZE_IN_SMM Date: Wed, 21 May 2025 20:55:55 -0400 Message-ID: <20250522005555.55705-6-mlevitsk@redhat.com> In-Reply-To: <20250522005555.55705-1-mlevitsk@redhat.com> References: <20250522005555.55705-1-mlevitsk@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 Content-Type: text/plain; charset="utf-8" Pass through the host's DEBUGCTL.DEBUGCTLMSR_FREEZE_IN_SMM to the guest GUEST_IA32_DEBUGCTL without the guest seeing this value. Since the value of the host DEBUGCTL can in theory change between VM runs, check if has changed, and if yes, then reload the GUEST_IA32_DEBUGCTL with the new value. Signed-off-by: Maxim Levitsky --- arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/vmx/vmx.c | 6 +++++- arch/x86/kvm/x86.c | 7 +++++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_hos= t.h index 32ed568babcf..6bbde18a5783 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1674,6 +1674,7 @@ static inline u16 kvm_lapic_irq_dest_mode(bool dest_m= ode_logical) enum kvm_x86_run_flags { KVM_RUN_FORCE_IMMEDIATE_EXIT =3D BIT(0), KVM_RUN_LOAD_GUEST_DR6 =3D BIT(1), + KVM_RUN_LOAD_DEBUGCTL =3D BIT(2), }; =20 struct kvm_x86_ops { diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index cfab76b40780..c70fe7cbede6 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2196,12 +2196,13 @@ u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcp= u, bool host_initiated) =20 void vmx_guest_debugctl_write(struct kvm_vcpu *vcpu, u64 val) { + val |=3D vcpu->arch.host_debugctl & DEBUGCTLMSR_FREEZE_IN_SMM; vmcs_write64(GUEST_IA32_DEBUGCTL, val); } =20 u64 vmx_guest_debugctl_read(void) { - return vmcs_read64(GUEST_IA32_DEBUGCTL); + return vmcs_read64(GUEST_IA32_DEBUGCTL) & ~DEBUGCTLMSR_FREEZE_IN_SMM; } =20 /* @@ -7380,6 +7381,9 @@ fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 ru= n_flags) if (run_flags & KVM_RUN_LOAD_GUEST_DR6) set_debugreg(vcpu->arch.dr6, 6); =20 + if (run_flags & KVM_RUN_LOAD_DEBUGCTL) + vmx_guest_debugctl_write(vcpu, vmx_guest_debugctl_read()); + /* * Refresh vmcs.HOST_CR3 if necessary. This must be done immediately * prior to VM-Enter, as the kernel may load a new ASID (PCID) any time diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 38875a38be52..3663cd6721ae 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -10752,7 +10752,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) dm_request_for_irq_injection(vcpu) && kvm_cpu_accept_dm_intr(vcpu); fastpath_t exit_fastpath; - u64 run_flags; + u64 run_flags, debug_ctl; =20 bool req_immediate_exit =3D false; =20 @@ -11024,7 +11024,10 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) set_debugreg(0, 7); } =20 - vcpu->arch.host_debugctl =3D get_debugctlmsr(); + debug_ctl =3D get_debugctlmsr(); + if (!vcpu->arch.guest_state_protected && (debug_ctl !=3D vcpu->arch.host_= debugctl)) + run_flags |=3D KVM_RUN_LOAD_DEBUGCTL; + vcpu->arch.host_debugctl =3D debug_ctl; =20 guest_timing_enter_irqoff(); =20 --=20 2.46.0