6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 28 Apr 2025 11:50:53 +0000 (13:50 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 28 Apr 2025 11:50:53 +0000 (13:50 +0200)
added patches:
kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch
netfilter-fib-avoid-lookup-if-socket-is-available.patch

queue-6.12/kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch [new file with mode: 0644]
queue-6.12/netfilter-fib-avoid-lookup-if-socket-is-available.patch [new file with mode: 0644]
queue-6.12/series

diff --git a/queue-6.12/kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch b/queue-6.12/kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch
new file mode 100644 (file)
index 0000000..c27e8fa
--- /dev/null
@@ -0,0 +1,82 @@
+From d81cadbe164265337f149cf31c9462d7217c1eed Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Date: Mon, 4 Nov 2024 07:58:45 +0000
+Subject: KVM: SVM: Disable AVIC on SNP-enabled system without HvInUseWrAllowed feature
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+
+commit d81cadbe164265337f149cf31c9462d7217c1eed upstream.
+
+On SNP-enabled system, VMRUN marks AVIC Backing Page as in-use while
+the guest is running for both secure and non-secure guest. Any hypervisor
+write to the in-use vCPU's AVIC backing page (e.g. to inject an interrupt)
+will generate unexpected #PF in the host.
+
+Currently, attempt to run AVIC guest would result in the following error:
+
+    BUG: unable to handle page fault for address: ff3a442e549cc270
+    #PF: supervisor write access in kernel mode
+    #PF: error_code(0x80000003) - RMP violation
+    PGD b6ee01067 P4D b6ee02067 PUD 10096d063 PMD 11c540063 PTE 80000001149cc163
+    SEV-SNP: PFN 0x1149cc unassigned, dumping non-zero entries in 2M PFN region: [0x114800 - 0x114a00]
+    ...
+
+Newer AMD system is enhanced to allow hypervisor to modify the backing page
+for non-secure guest on SNP-enabled system. This enhancement is available
+when the CPUID Fn8000_001F_EAX bit 30 is set (HvInUseWrAllowed).
+
+This table describes AVIC support matrix w.r.t. SNP enablement:
+
+               | Non-SNP system |     SNP system
+-----------------------------------------------------
+ Non-SNP guest |  AVIC Activate | AVIC Activate iff
+               |                | HvInuseWrAllowed=1
+-----------------------------------------------------
+     SNP guest |      N/A       |    Secure AVIC
+
+Therefore, check and disable AVIC in kvm_amd driver when the feature is not
+available on SNP-enabled system.
+
+See the AMD64 Architecture Programmer’s Manual (APM) Volume 2 for detail.
+(https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/
+programmer-references/40332.pdf)
+
+Fixes: 216d106c7ff7 ("x86/sev: Add SEV-SNP host initialization support")
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Link: https://lore.kernel.org/r/20241104075845.7583-1-suravee.suthikulpanit@amd.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Cc: Naveen N Rao <naveen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/cpufeatures.h |    1 +
+ arch/x86/kvm/svm/avic.c            |    6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -449,6 +449,7 @@
+ #define X86_FEATURE_SME_COHERENT      (19*32+10) /* AMD hardware-enforced cache coherency */
+ #define X86_FEATURE_DEBUG_SWAP                (19*32+14) /* "debug_swap" AMD SEV-ES full debug state swap support */
+ #define X86_FEATURE_SVSM              (19*32+28) /* "svsm" SVSM present */
++#define X86_FEATURE_HV_INUSE_WR_ALLOWED       (19*32+30) /* Allow Write to in-use hypervisor-owned pages */
+ /* AMD-defined Extended Feature 2 EAX, CPUID level 0x80000021 (EAX), word 20 */
+ #define X86_FEATURE_NO_NESTED_DATA_BP (20*32+ 0) /* No Nested Data Breakpoints */
+--- a/arch/x86/kvm/svm/avic.c
++++ b/arch/x86/kvm/svm/avic.c
+@@ -1199,6 +1199,12 @@ bool avic_hardware_setup(void)
+               return false;
+       }
++      if (cc_platform_has(CC_ATTR_HOST_SEV_SNP) &&
++          !boot_cpu_has(X86_FEATURE_HV_INUSE_WR_ALLOWED)) {
++              pr_warn("AVIC disabled: missing HvInUseWrAllowed on SNP-enabled system\n");
++              return false;
++      }
++
+       if (boot_cpu_has(X86_FEATURE_AVIC)) {
+               pr_info("AVIC enabled\n");
+       } else if (force_avic) {
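Review bot: The new guard in avic_hardware_setup (whose start lies outside this hunk) carries no comment, so the reason AVIC is refused — and the fact that the check sits before the force_avic branch below it and therefore cannot be overridden by force_avic — is only recoverable from the commit message. I'd add above the cc_platform_has() check: `/* On SNP hosts VMRUN marks the AVIC backing page in-use and a hypervisor write to it (e.g. interrupt injection) is an RMP violation unless HvInUseWrAllowed (CPUID Fn8000_001F_EAX[30]) is set; checked before force_avic so it cannot be forced on. */`. Note also that the new cpufeatures.h entry has no quoted name in its comment, unlike its neighbours, which following the file's convention presumably keeps the flag out of /proc/cpuinfo; if that is intended, the pr_warn is the only place an administrator learns why AVIC is off, so that message should stay as specific as it is here.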
diff --git a/queue-6.12/netfilter-fib-avoid-lookup-if-socket-is-available.patch b/queue-6.12/netfilter-fib-avoid-lookup-if-socket-is-available.patch
new file mode 100644 (file)
index 0000000..139512d
--- /dev/null
@@ -0,0 +1,136 @@
+From eaaff9b6702e99be5d79135f2afa9fc48a0d59e0 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 20 Feb 2025 14:07:01 +0100
+Subject: netfilter: fib: avoid lookup if socket is available
+
+From: Florian Westphal <fw@strlen.de>
+
+commit eaaff9b6702e99be5d79135f2afa9fc48a0d59e0 upstream.
+
+In case the fib match is used from the input hook we can avoid the fib
+lookup if early demux assigned a socket for us: check that the input
+interface matches sk-cached one.
+
+Rework the existing 'lo bypass' logic to first check sk, then
+for loopback interface type to elide the fib lookup.
+
+This speeds up fib matching a little, before:
+93.08 GBit/s (no rules at all)
+75.1  GBit/s ("fib saddr . iif oif missing drop" in prerouting)
+75.62 GBit/s ("fib saddr . iif oif missing drop" in input)
+
+After:
+92.48 GBit/s (no rules at all)
+75.62 GBit/s (fib rule in prerouting)
+90.37 GBit/s (fib rule in input).
+
+Numbers for the 'no rules' and 'prerouting' are expected to
+closely match in-between runs, the 3rd/input test case exercises the
+the 'avoid lookup if cached ifindex in sk matches' case.
+
+Test used iperf3 via veth interface, lo can't be used due to existing
+loopback test.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netfilter/nft_fib.h   |   21 +++++++++++++++++++++
+ net/ipv4/netfilter/nft_fib_ipv4.c |   11 +++++------
+ net/ipv6/netfilter/nft_fib_ipv6.c |   19 ++++++++++---------
+ 3 files changed, 36 insertions(+), 15 deletions(-)
+
+--- a/include/net/netfilter/nft_fib.h
++++ b/include/net/netfilter/nft_fib.h
+@@ -18,6 +18,27 @@ nft_fib_is_loopback(const struct sk_buff
+       return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK;
+ }
++static inline bool nft_fib_can_skip(const struct nft_pktinfo *pkt)
++{
++      const struct net_device *indev = nft_in(pkt);
++      const struct sock *sk;
++
++      switch (nft_hook(pkt)) {
++      case NF_INET_PRE_ROUTING:
++      case NF_INET_INGRESS:
++      case NF_INET_LOCAL_IN:
++              break;
++      default:
++              return false;
++      }
++
++      sk = pkt->skb->sk;
++      if (sk && sk_fullsock(sk))
++             return sk->sk_rx_dst_ifindex == indev->ifindex;
++
++      return nft_fib_is_loopback(pkt->skb, indev);
++}
++
+ int nft_fib_dump(struct sk_buff *skb, const struct nft_expr *expr, bool reset);
+ int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                const struct nlattr * const tb[]);
+--- a/net/ipv4/netfilter/nft_fib_ipv4.c
++++ b/net/ipv4/netfilter/nft_fib_ipv4.c
+@@ -70,6 +70,11 @@ void nft_fib4_eval(const struct nft_expr
+       const struct net_device *oif;
+       const struct net_device *found;
++      if (nft_fib_can_skip(pkt)) {
++              nft_fib_store_result(dest, priv, nft_in(pkt));
++              return;
++      }
++
+       /*
+        * Do not set flowi4_oif, it restricts results (for example, asking
+        * for oif 3 will get RTN_UNICAST result even if the daddr exits
+@@ -84,12 +89,6 @@ void nft_fib4_eval(const struct nft_expr
+       else
+               oif = NULL;
+-      if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
+-          nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
+-              nft_fib_store_result(dest, priv, nft_in(pkt));
+-              return;
+-      }
+-
+       iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);
+       if (!iph) {
+               regs->verdict.code = NFT_BREAK;
+--- a/net/ipv6/netfilter/nft_fib_ipv6.c
++++ b/net/ipv6/netfilter/nft_fib_ipv6.c
+@@ -170,6 +170,11 @@ void nft_fib6_eval(const struct nft_expr
+       struct rt6_info *rt;
+       int lookup_flags;
++      if (nft_fib_can_skip(pkt)) {
++              nft_fib_store_result(dest, priv, nft_in(pkt));
++              return;
++      }
++
+       if (priv->flags & NFTA_FIB_F_IIF)
+               oif = nft_in(pkt);
+       else if (priv->flags & NFTA_FIB_F_OIF)
+@@ -181,17 +186,13 @@ void nft_fib6_eval(const struct nft_expr
+               return;
+       }
+-      lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph);
+-
+-      if (nft_hook(pkt) == NF_INET_PRE_ROUTING ||
+-          nft_hook(pkt) == NF_INET_INGRESS) {
+-              if (nft_fib_is_loopback(pkt->skb, nft_in(pkt)) ||
+-                  nft_fib_v6_skip_icmpv6(pkt->skb, pkt->tprot, iph)) {
+-                      nft_fib_store_result(dest, priv, nft_in(pkt));
+-                      return;
+-              }
++      if (nft_fib_v6_skip_icmpv6(pkt->skb, pkt->tprot, iph)) {
++              nft_fib_store_result(dest, priv, nft_in(pkt));
++              return;
+       }
++      lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph);
++
+       *dest = 0;
+       rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, pkt->skb,
+                                     lookup_flags);
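Review bot: nft_fib_can_skip trusts an ifindex cached on the socket (`return sk->sk_rx_dst_ifindex == indev->ifindex;`) without revalidating it against the current FIB — there is no dst_check() or route-generation test in the new helper — so for a reverse-path rule such as `fib saddr . iif oif missing drop` in input, a routing change made after the socket cached its rx interface is not observed until that cache is refreshed, which happens outside this hunk and I cannot see how promptly. That is presumably the accepted trade-off for the input-hook speedup, but the helper has no comment stating it; I'd add above it: `/* Elide the FIB lookup on the input path when early demux attached a full socket whose cached rx ifindex matches the ingress device. The cached index is not revalidated here, so a route change is only honoured once the socket's rx dst is refreshed; otherwise fall back to the loopback test. */`. Separately, in nft_fib6_eval the nft_fib_v6_skip_icmpv6() check that previously ran only under PRE_ROUTING/INGRESS now runs unconditionally on every hook; that widening is not mentioned in the description and deserves at least a sentence there or a comment at the call site.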
index 24914e35375063a07d52640812af6d2d1fb7c1f6..1579742b0e84e92b4f58dd976c401a524eef71bb 100644 (file)
@@ -89,3 +89,5 @@ perf-x86-fix-non-sampling-counting-events-on-certain.patch
 loongarch-select-arch_use_memtest.patch
 loongarch-make-regs_irqs_disabled-more-clear.patch
 loongarch-make-do_xyz-exception-handlers-more-robust.patch
+kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch
+netfilter-fib-avoid-lookup-if-socket-is-available.patch