Message ID | 20230207002156.521736-3-seanjc@google.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | KVM: SVM: Fix GATag bug for >256 vCPUs | expand |
On Tue, 7 Feb 2023 00:21:55 +0000 Sean Christopherson <seanjc@google.com> wrote: > From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> > > Define AVIC_VCPU_ID_MASK based on AVIC_PHYSICAL_MAX_INDEX, i.e. the mask > that effectively controls the largest guest physical APIC ID supported by > x2AVIC, instead of hardcoding the number of bits to 8 (and the number of > VM bits to 24). Is there any particular reason not to tie it to max supported by KVM KVM_MAX_VCPU_IDS? Another question: will guest fail to start when configured with more than 512 vCPUs or it will start broken? > > The AVIC GATag is programmed into the AMD IOMMU IRTE to provide a > reference back to KVM in case the IOMMU cannot inject an interrupt into a > non-running vCPU. In such a case, the IOMMU notifies software by creating > a GALog entry with the corresponded GATag, and KVM then uses the GATag to > find the correct VM+vCPU to kick. Dropping bit 8 from the GATag results > in kicking the wrong vCPU when targeting vCPUs with x2APIC ID > 255. > > Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode") > Cc: stable@vger.kernel.org > Reported-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com> > Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> > Co-developed-by: Sean Christopherson <seanjc@google.com> > Signed-off-by: Sean Christopherson <seanjc@google.com> > --- > arch/x86/kvm/svm/avic.c | 26 ++++++++++++++++++-------- > 1 file changed, 18 insertions(+), 8 deletions(-) > > diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c > index ca684979e90d..326341a22153 100644 > --- a/arch/x86/kvm/svm/avic.c > +++ b/arch/x86/kvm/svm/avic.c > @@ -27,19 +27,29 @@ > #include "irq.h" > #include "svm.h" > > -/* AVIC GATAG is encoded using VM and VCPU IDs */ > -#define AVIC_VCPU_ID_BITS 8 > -#define AVIC_VCPU_ID_MASK ((1 << AVIC_VCPU_ID_BITS) - 1) > +/* > + * Encode the arbitrary VM ID and the vCPU's default APIC ID, i.e the vCPU ID, > + * into the GATag so that KVM can retrieve the correct vCPU from a GALog entry > + * if an interrupt can't be delivered, e.g. because the vCPU isn't running. > + * > + * For the vCPU ID, use however many bits are currently allowed for the max > + * guest physical APIC ID (limited by the size of the physical ID table), and > + * use whatever bits remain to assign arbitrary AVIC IDs to VMs. Note, the > + * size of the GATag is defined by hardware (32 bits), but is an opaque value > + * as far as hardware is concerned. > + */ > +#define AVIC_VCPU_ID_MASK AVIC_PHYSICAL_MAX_INDEX_MASK > > -#define AVIC_VM_ID_BITS 24 > -#define AVIC_VM_ID_NR (1 << AVIC_VM_ID_BITS) > -#define AVIC_VM_ID_MASK ((1 << AVIC_VM_ID_BITS) - 1) > +#define AVIC_VM_ID_SHIFT HWEIGHT32(AVIC_PHYSICAL_MAX_INDEX_MASK) > +#define AVIC_VM_ID_MASK (GENMASK(31, AVIC_VM_ID_SHIFT) >> AVIC_VM_ID_SHIFT) > > -#define AVIC_GATAG(x, y) (((x & AVIC_VM_ID_MASK) << AVIC_VCPU_ID_BITS) | \ > +#define AVIC_GATAG(x, y) (((x & AVIC_VM_ID_MASK) << AVIC_VM_ID_SHIFT) | \ > (y & AVIC_VCPU_ID_MASK)) > -#define AVIC_GATAG_TO_VMID(x) ((x >> AVIC_VCPU_ID_BITS) & AVIC_VM_ID_MASK) > +#define AVIC_GATAG_TO_VMID(x) ((x >> AVIC_VM_ID_SHIFT) & AVIC_VM_ID_MASK) > #define AVIC_GATAG_TO_VCPUID(x) (x & AVIC_VCPU_ID_MASK) > > +static_assert(AVIC_GATAG(AVIC_VM_ID_MASK, AVIC_VCPU_ID_MASK) == -1u); > + > static bool force_avic; > module_param_unsafe(force_avic, bool, 0444); >
On 07/02/2023 08:33, Igor Mammedov wrote: > On Tue, 7 Feb 2023 00:21:55 +0000 > Sean Christopherson <seanjc@google.com> wrote: > >> From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> >> >> Define AVIC_VCPU_ID_MASK based on AVIC_PHYSICAL_MAX_INDEX, i.e. the mask >> that effectively controls the largest guest physical APIC ID supported by >> x2AVIC, instead of hardcoding the number of bits to 8 (and the number of >> VM bits to 24). > > Is there any particular reason not to tie it to max supported by KVM > KVM_MAX_VCPU_IDS? > > Another question: > will guest fail to start when configured with more than 512 vCPUs > or it will start broken? > I think the problem is not so much the GATag (which can really be anything at the resolution you want). It's more of an SVM limit AIUI. Provided you can't have GATAgs if you don't have guest-mode/AVIC active, then makes sense have the same limit on both. SVM seems to be limited to 256 vcpus in xAPIC mode or 512 vcpus in x2APIC mode[0]. IIUC You actually won't be able to create guests with more than 512vcpus as KVM bound checks those max limits very early in the vCPU init (see avic_init_vcpu()). I guess the alternative would an AVIC inhibit if vCPU count goes beyond those limits -- probably a must have once avic flips to 1 by default like Intel. [0] in APM Volume 2 15.29.4.3 Physical Address Pointer Restrictions, * All the addresses point to 4-Kbyte aligned data structures. Bits 11:0 are reserved (except for offset 0F8h) and should be set to zero. The lower 8 bits of offset 0F8h are used for the field AVIC_PHYSICAL_MAX_INDEX. VMRUN fails with #VMEXIT(VMEXIT_INVALID) if AVIC_PHYSICAL_MAX_INDEX is greater than 255 in xAVIC mode or greater than 511 in x2AVIC mode.
On Tue, Feb 07, 2023, Joao Martins wrote: > On 07/02/2023 08:33, Igor Mammedov wrote: > > On Tue, 7 Feb 2023 00:21:55 +0000 > > Sean Christopherson <seanjc@google.com> wrote: > > > >> From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> > >> > >> Define AVIC_VCPU_ID_MASK based on AVIC_PHYSICAL_MAX_INDEX, i.e. the mask > >> that effectively controls the largest guest physical APIC ID supported by > >> x2AVIC, instead of hardcoding the number of bits to 8 (and the number of > >> VM bits to 24). > > > > Is there any particular reason not to tie it to max supported by KVM > > KVM_MAX_VCPU_IDS? > > > > Another question: > > will guest fail to start when configured with more than 512 vCPUs > > or it will start broken? > > > > I think the problem is not so much the GATag (which can really be anything at > the resolution you want). It's more of an SVM limit AIUI. Provided you can't > have GATAgs if you don't have guest-mode/AVIC active, then makes sense have the > same limit on both. Yep. The physical ID table, which is needed to achieve full AVIC benefits for a vCPU, is a single 4KiB page that holds 512 64-bit entries. AIUI, the GATag is used if and only if the interrupt target is in the physical ID table, so using more GATag bits for vCPU ID is pointless. > SVM seems to be limited to 256 vcpus in xAPIC mode or 512 vcpus in x2APIC > mode[0]. IIUC You actually won't be able to create guests with more than > 512vcpus as KVM bound checks those max limits very early in the vCPU init (see > avic_init_vcpu()). I guess the alternative would an AVIC inhibit if vCPU count > goes beyond those limits -- probably a must have once avic flips to 1 by default > like Intel. I don't _think_ KVM would have to explicitly inhibit AVIC. I believe the fallout would be that vCPUs >= 512 would simply not be eligible for virtual interrupt delivery, e.g. KVM would get a "Invalid Target in IPI" exit. I haven't dug into the IOMMU side of things though, so it's possible something in that world would necessitate disabling (x2)AVIC. > [0] in APM Volume 2 15.29.4.3 Physical Address Pointer Restrictions, > > * All the addresses point to 4-Kbyte aligned data structures. Bits 11:0 are > reserved (except for offset 0F8h) and should be set to zero. The lower 8 bits of > offset 0F8h are used for the field AVIC_PHYSICAL_MAX_INDEX. VMRUN fails with > #VMEXIT(VMEXIT_INVALID) if AVIC_PHYSICAL_MAX_INDEX is greater than 255 in xAVIC > mode or greater than 511 in x2AVIC mode.
On 2/7/2023 7:21 AM, Sean Christopherson wrote: > From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> > > Define AVIC_VCPU_ID_MASK based on AVIC_PHYSICAL_MAX_INDEX, i.e. the mask > that effectively controls the largest guest physical APIC ID supported by > x2AVIC, instead of hardcoding the number of bits to 8 (and the number of > VM bits to 24). > > The AVIC GATag is programmed into the AMD IOMMU IRTE to provide a > reference back to KVM in case the IOMMU cannot inject an interrupt into a > non-running vCPU. In such a case, the IOMMU notifies software by creating > a GALog entry with the corresponded GATag, and KVM then uses the GATag to > find the correct VM+vCPU to kick. Dropping bit 8 from the GATag results > in kicking the wrong vCPU when targeting vCPUs with x2APIC ID > 255. > > Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode") > Cc: stable@vger.kernel.org > Reported-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com> > Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> > Co-developed-by: Sean Christopherson <seanjc@google.com> > Signed-off-by: Sean Christopherson <seanjc@google.com> > --- > arch/x86/kvm/svm/avic.c | 26 ++++++++++++++++++-------- > 1 file changed, 18 insertions(+), 8 deletions(-) > > diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c > index ca684979e90d..326341a22153 100644 > --- a/arch/x86/kvm/svm/avic.c > +++ b/arch/x86/kvm/svm/avic.c > @@ -27,19 +27,29 @@ > #include "irq.h" > #include "svm.h" > > -/* AVIC GATAG is encoded using VM and VCPU IDs */ > -#define AVIC_VCPU_ID_BITS 8 > -#define AVIC_VCPU_ID_MASK ((1 << AVIC_VCPU_ID_BITS) - 1) > +/* > + * Encode the arbitrary VM ID and the vCPU's default APIC ID, i.e the vCPU ID, > + * into the GATag so that KVM can retrieve the correct vCPU from a GALog entry > + * if an interrupt can't be delivered, e.g. because the vCPU isn't running. > + * > + * For the vCPU ID, use however many bits are currently allowed for the max > + * guest physical APIC ID (limited by the size of the physical ID table), and > + * use whatever bits remain to assign arbitrary AVIC IDs to VMs. Note, the > + * size of the GATag is defined by hardware (32 bits), but is an opaque value > + * as far as hardware is concerned. > + */ > +#define AVIC_VCPU_ID_MASK AVIC_PHYSICAL_MAX_INDEX_MASK > > -#define AVIC_VM_ID_BITS 24 > -#define AVIC_VM_ID_NR (1 << AVIC_VM_ID_BITS) > -#define AVIC_VM_ID_MASK ((1 << AVIC_VM_ID_BITS) - 1) > +#define AVIC_VM_ID_SHIFT HWEIGHT32(AVIC_PHYSICAL_MAX_INDEX_MASK) > +#define AVIC_VM_ID_MASK (GENMASK(31, AVIC_VM_ID_SHIFT) >> AVIC_VM_ID_SHIFT) > > -#define AVIC_GATAG(x, y) (((x & AVIC_VM_ID_MASK) << AVIC_VCPU_ID_BITS) | \ > +#define AVIC_GATAG(x, y) (((x & AVIC_VM_ID_MASK) << AVIC_VM_ID_SHIFT) | \ > (y & AVIC_VCPU_ID_MASK)) > -#define AVIC_GATAG_TO_VMID(x) ((x >> AVIC_VCPU_ID_BITS) & AVIC_VM_ID_MASK) > +#define AVIC_GATAG_TO_VMID(x) ((x >> AVIC_VM_ID_SHIFT) & AVIC_VM_ID_MASK) > #define AVIC_GATAG_TO_VCPUID(x) (x & AVIC_VCPU_ID_MASK) > > +static_assert(AVIC_GATAG(AVIC_VM_ID_MASK, AVIC_VCPU_ID_MASK) == -1u); > + > static bool force_avic; > module_param_unsafe(force_avic, bool, 0444); > Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> Thanks, Suravee
On 2/7/2023 11:38 PM, Sean Christopherson wrote: > On Tue, Feb 07, 2023, Joao Martins wrote: >> On 07/02/2023 08:33, Igor Mammedov wrote: >>> On Tue, 7 Feb 2023 00:21:55 +0000 >>> Sean Christopherson <seanjc@google.com> wrote: >>> >>>> From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> >>>> >>>> Define AVIC_VCPU_ID_MASK based on AVIC_PHYSICAL_MAX_INDEX, i.e. the mask >>>> that effectively controls the largest guest physical APIC ID supported by >>>> x2AVIC, instead of hardcoding the number of bits to 8 (and the number of >>>> VM bits to 24). >>> >>> Is there any particular reason not to tie it to max supported by KVM >>> KVM_MAX_VCPU_IDS? >>> >>> Another question: >>> will guest fail to start when configured with more than 512 vCPUs >>> or it will start broken? >>> >> >> I think the problem is not so much the GATag (which can really be anything at >> the resolution you want). It's more of an SVM limit AIUI. Provided you can't >> have GATAgs if you don't have guest-mode/AVIC active, then makes sense have the >> same limit on both. Correct. > Yep. The physical ID table, which is needed to achieve full AVIC benefits for a > vCPU, is a single 4KiB page that holds 512 64-bit entries. AIUI, the GATag is > used if and only if the interrupt target is in the physical ID table, so using > more GATag bits for vCPU ID is pointless. Correct. >> SVM seems to be limited to 256 vcpus in xAPIC mode or 512 vcpus in x2APIC >> mode[0]. IIUC You actually won't be able to create guests with more than >> 512vcpus as KVM bound checks those max limits very early in the vCPU init (see >> avic_init_vcpu()). I guess the alternative would an AVIC inhibit if vCPU count >> goes beyond those limits -- probably a must have once avic flips to 1 by default >> like Intel. > > I don't _think_ KVM would have to explicitly inhibit AVIC. I believe the fallout > would be that vCPUs >= 512 would simply not be eligible for virtual interrupt > delivery, e.g. KVM would get a "Invalid Target in IPI" exit. I haven't dug into > the IOMMU side of things though, so it's possible something in that world would > necessitate disabling (x2)AVIC. SVM-AVIC is independent of the IOMMU-AVIC. We can enable SVM-AVIC, and use the legacy IOMMU interrupt remapping mode IRTE[GuestMode]=0. However, I have not explored the case of combining of the two modes. I can look into it and experiment with this case. Thanks, Suravee >> [0] in APM Volume 2 15.29.4.3 Physical Address Pointer Restrictions, >> >> * All the addresses point to 4-Kbyte aligned data structures. Bits 11:0 are >> reserved (except for offset 0F8h) and should be set to zero. The lower 8 bits of >> offset 0F8h are used for the field AVIC_PHYSICAL_MAX_INDEX. VMRUN fails with >> #VMEXIT(VMEXIT_INVALID) if AVIC_PHYSICAL_MAX_INDEX is greater than 255 in xAVIC >> mode or greater than 511 in x2AVIC mode.
diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c index ca684979e90d..326341a22153 100644 --- a/arch/x86/kvm/svm/avic.c +++ b/arch/x86/kvm/svm/avic.c @@ -27,19 +27,29 @@ #include "irq.h" #include "svm.h" -/* AVIC GATAG is encoded using VM and VCPU IDs */ -#define AVIC_VCPU_ID_BITS 8 -#define AVIC_VCPU_ID_MASK ((1 << AVIC_VCPU_ID_BITS) - 1) +/* + * Encode the arbitrary VM ID and the vCPU's default APIC ID, i.e the vCPU ID, + * into the GATag so that KVM can retrieve the correct vCPU from a GALog entry + * if an interrupt can't be delivered, e.g. because the vCPU isn't running. + * + * For the vCPU ID, use however many bits are currently allowed for the max + * guest physical APIC ID (limited by the size of the physical ID table), and + * use whatever bits remain to assign arbitrary AVIC IDs to VMs. Note, the + * size of the GATag is defined by hardware (32 bits), but is an opaque value + * as far as hardware is concerned. + */ +#define AVIC_VCPU_ID_MASK AVIC_PHYSICAL_MAX_INDEX_MASK -#define AVIC_VM_ID_BITS 24 -#define AVIC_VM_ID_NR (1 << AVIC_VM_ID_BITS) -#define AVIC_VM_ID_MASK ((1 << AVIC_VM_ID_BITS) - 1) +#define AVIC_VM_ID_SHIFT HWEIGHT32(AVIC_PHYSICAL_MAX_INDEX_MASK) +#define AVIC_VM_ID_MASK (GENMASK(31, AVIC_VM_ID_SHIFT) >> AVIC_VM_ID_SHIFT) -#define AVIC_GATAG(x, y) (((x & AVIC_VM_ID_MASK) << AVIC_VCPU_ID_BITS) | \ +#define AVIC_GATAG(x, y) (((x & AVIC_VM_ID_MASK) << AVIC_VM_ID_SHIFT) | \ (y & AVIC_VCPU_ID_MASK)) -#define AVIC_GATAG_TO_VMID(x) ((x >> AVIC_VCPU_ID_BITS) & AVIC_VM_ID_MASK) +#define AVIC_GATAG_TO_VMID(x) ((x >> AVIC_VM_ID_SHIFT) & AVIC_VM_ID_MASK) #define AVIC_GATAG_TO_VCPUID(x) (x & AVIC_VCPU_ID_MASK) +static_assert(AVIC_GATAG(AVIC_VM_ID_MASK, AVIC_VCPU_ID_MASK) == -1u); + static bool force_avic; module_param_unsafe(force_avic, bool, 0444);