From: Maxim Levitsky
To: kvm@vger.kernel.org
Cc: Sean Christopherson, Dave Hansen, "H. Peter Anvin", Ingo Molnar, Thomas Gleixner, Paolo Bonzini, x86@kernel.org, Borislav Petkov, linux-kernel@vger.kernel.org, Maxim Levitsky
Subject: [PATCH 1/3] KVM: x86: Warn if KVM tries to deliver an #APF completion when APF is not enabled
Date: Wed, 13 Aug 2025 15:23:11 -0400
Message-ID: <20250813192313.132431-2-mlevitsk@redhat.com>
In-Reply-To: <20250813192313.132431-1-mlevitsk@redhat.com>
References: <20250813192313.132431-1-mlevitsk@redhat.com>

KVM flushes the APF queue completely when the asynchronous pagefault is disabled; therefore this case should not occur.

Signed-off-by: Maxim Levitsky
---
 arch/x86/kvm/x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index a1c49bc681c4..9018d56b4b0a 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -13466,7 +13466,7 @@ void kvm_arch_async_page_present_queued(struct kvm_= vcpu *vcpu) =20 bool kvm_arch_can_dequeue_async_page_present(struct kvm_vcpu *vcpu) { - if (!kvm_pv_async_pf_enabled(vcpu)) + if (WARN_ON_ONCE(!kvm_pv_async_pf_enabled(vcpu))) return true; else return kvm_lapic_enabled(vcpu) && apf_pageready_slot_free(vcpu); --=20 2.49.0
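Review bot: the WARN_ON_ONCE() added in kvm_arch_can_dequeue_async_page_present() is only justified if the "KVM flushes the APF queue completely when the asynchronous pagefault is disabled" claim holds against a completion that is in flight at the moment the guest clears the enable bit; a WARN that a guest can reach by toggling its APF MSR while a fault is outstanding is a guest-triggerable host splat (and a crash under panic_on_warn). Please name the flush path in the commit message and state why no completion can be queued after it has run. It is also worth saying explicitly that behaviour after the warning is unchanged: the function still returns true, so the caller dequeues the completion exactly as before and the WARN is diagnostic only.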
From: Maxim Levitsky
To: kvm@vger.kernel.org
Cc: Sean Christopherson, Dave Hansen, "H. Peter Anvin", Ingo Molnar, Thomas Gleixner, Paolo Bonzini, x86@kernel.org, Borislav Petkov, linux-kernel@vger.kernel.org, Maxim Levitsky
Subject: [PATCH 2/3] KVM: x86: Fix a semi theoretical bug in kvm_arch_async_page_present_queued
Date: Wed, 13 Aug 2025 15:23:12 -0400
Message-ID: <20250813192313.132431-3-mlevitsk@redhat.com>
In-Reply-To: <20250813192313.132431-1-mlevitsk@redhat.com>
References: <20250813192313.132431-1-mlevitsk@redhat.com>

Fix a semi-theoretical race condition in the reading of page_ready_pending in kvm_arch_async_page_present_queued.

Only trust the value of page_ready_pending if the guest is about to enter guest mode (vcpu->mode).

To achieve this, read vcpu->mode using smp_load_acquire, which is paired with smp_store_release in vcpu_enter_guest. Then, only if vcpu_mode is IN_GUEST_MODE, trust the value of page_ready_pending, because it was written before and therefore its correct value is visible.

Also, if the above-mentioned check is true, avoid raising the request on the target vCPU.

Signed-off-by: Maxim Levitsky
---
 arch/x86/kvm/x86.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 9018d56b4b0a..3d45a4cd08a4 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -13459,9 +13459,14 @@ void kvm_arch_async_page_present(struct kvm_vcpu *= vcpu, =20 void kvm_arch_async_page_present_queued(struct kvm_vcpu *vcpu) { - kvm_make_request(KVM_REQ_APF_READY, vcpu); - if (!vcpu->arch.apf.pageready_pending) + /* Pairs with smp_store_release in vcpu_enter_guest. */ + bool in_guest_mode =3D (smp_load_acquire(&vcpu->mode) =3D=3D IN_GUEST_MOD= E); + bool page_ready_pending =3D READ_ONCE(vcpu->arch.apf.pageready_pending); + + if (!in_guest_mode || !page_ready_pending) { + kvm_make_request(KVM_REQ_APF_READY, vcpu); kvm_vcpu_kick(vcpu); + } } =20 bool kvm_arch_can_dequeue_async_page_present(struct kvm_vcpu *vcpu) --=20 2.49.0
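Review bot: the hunk skips both the KVM_REQ_APF_READY request and the kick when vcpu->mode is IN_GUEST_MODE and pageready_pending is set, but nothing next to the code says why that is safe; the invariant the change relies on (that the guest's acknowledgement of the already pending page-ready interrupt will re-examine the completion queue) belongs in a comment beside the "if (!in_guest_mode || !page_ready_pending)" test, not only in the commit message. The "Pairs with smp_store_release in vcpu_enter_guest." comment should also say that the READ_ONCE() of pageready_pending must stay after the smp_load_acquire(), since that ordering is what makes the flag trustworthy. Two smaller points: the commit message says "about to enter guest mode" while the code requires the vCPU to already be IN_GUEST_MODE, which is the right condition for the release/acquire pairing, so the text should match the code; and the local is spelled page_ready_pending while the field is pageready_pending, which hurts grepping.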
From: Maxim Levitsky
To: kvm@vger.kernel.org
Cc: Sean Christopherson, Dave Hansen, "H. Peter Anvin", Ingo Molnar, Thomas Gleixner, Paolo Bonzini, x86@kernel.org, Borislav Petkov, linux-kernel@vger.kernel.org, Maxim Levitsky
Subject: [PATCH 3/3] KVM: x86: Fix the interaction between SMM and the asynchronous pagefault
Date: Wed, 13 Aug 2025 15:23:13 -0400
Message-ID: <20250813192313.132431-4-mlevitsk@redhat.com>
In-Reply-To: <20250813192313.132431-1-mlevitsk@redhat.com>
References: <20250813192313.132431-1-mlevitsk@redhat.com>

Currently a #SMI can cause KVM to drop an #APF ready event and subsequently cause the guest to never resume the task that is waiting for it. This can result in tasks becoming permanently stuck within the guest.

This happens because KVM flushes the APF queue without notifying the guest of completed APF requests when the guest exits to real mode, and the SMM exit code calls kvm_set_cr0 with CR0.PE == 0, which triggers this code.

It must be noted that while this flush is reasonable to do for the actual real mode entry, it actually achieves nothing because it is too late to flush this queue on SMM exit.

To fix this, avoid doing this flush altogether, and handle the real mode entry/exits in the same way KVM already handles the APIC enable/disable events: APF completion events are not injected while the APIC is disabled, and once the APIC is re-enabled, KVM raises the KVM_REQ_APF_READY request, which causes the first pending #APF ready event to be injected prior to entry to guest mode.
This change also has the side benefit of preserving #APF events if the guest temporarily enters real mode - for example, to call firmware - although such usage should be extremely rare in modern operating systems.

Signed-off-by: Maxim Levitsky
---
 arch/x86/kvm/x86.c | 11 +++++++----
 arch/x86/kvm/x86.h | 1 +
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3d45a4cd08a4..5dfe166025bf 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1118,15 +1118,18 @@ void kvm_post_set_cr0(struct kvm_vcpu *vcpu, unsign= ed long old_cr0, unsigned lon } =20 if ((cr0 ^ old_cr0) & X86_CR0_PG) { - kvm_clear_async_pf_completion_queue(vcpu); - kvm_async_pf_hash_reset(vcpu); - /* * Clearing CR0.PG is defined to flush the TLB from the guest's * perspective. */ if (!(cr0 & X86_CR0_PG)) kvm_make_request(KVM_REQ_TLB_FLUSH_GUEST, vcpu); + + /* + * Re-check APF completion events, when the guest re-enables paging. + */ + if ((cr0 & X86_CR0_PG) && kvm_pv_async_pf_enabled(vcpu)) + kvm_make_request(KVM_REQ_APF_READY, vcpu); } =20 if ((cr0 ^ old_cr0) & KVM_MMU_CR0_ROLE_BITS)
@@ -3547,7 +3550,7 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, struct = msr_data *msr_info) return 0; } =20 -static inline bool kvm_pv_async_pf_enabled(struct kvm_vcpu *vcpu) +bool kvm_pv_async_pf_enabled(struct kvm_vcpu *vcpu) { u64 mask =3D KVM_ASYNC_PF_ENABLED | KVM_ASYNC_PF_DELIVERY_AS_INT; =20
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index bcfd9b719ada..3949c938a88d 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -698,5 +698,6 @@ int ____kvm_emulate_hypercall(struct kvm_vcpu *vcpu, in= t cpl, }) =20 int kvm_emulate_hypercall(struct kvm_vcpu *vcpu); +bool kvm_pv_async_pf_enabled(struct kvm_vcpu *vcpu); =20 #endif
--=20
2.49.0
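Review bot: the kvm_post_set_cr0() hunk removes kvm_async_pf_hash_reset() together with the completion-queue flush, but the commit message only argues for keeping the completions; the hash tracks faults that are still outstanding, so please state why entries left over across a CR0.PG toggle (SMM entry/exit, or a transient real-mode excursion) are harmless, or keep the reset if they are not. The new comment also has a stray comma ("Re-check APF completion events, when the guest re-enables paging."). Finally, if the KVM_REQ_APF_READY handler reaches kvm_arch_can_dequeue_async_page_present(), the kvm_pv_async_pf_enabled() guard on the new request is what keeps the WARN_ON_ONCE() from patch 1 from firing, so a comment saying the guard is required rather than an optimisation would stop someone from removing it later.

Review bot: the x86.c and x86.h hunks turn kvm_pv_async_pf_enabled() from a static inline into a symbol visible to all of x86 KVM, yet the only new caller in this series, kvm_post_set_cr0(), lives in the same x86.c a couple of thousand lines above the definition; a forward declaration, or moving the helper above its first use, keeps the symbol's visibility unchanged. If vmx/svm callers are planned, say so in the commit message so the wider export is justified.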