On 29/07/2025 22:33, Sean Christopherson wrote:
> +static int tdx_terminate_vm(struct kvm *kvm)
> +{
> +	if (kvm_trylock_all_vcpus(kvm))
> +		return -EBUSY;
> +
> +	kvm_vm_dead(kvm);
> +	to_kvm_tdx(kvm)->vm_terminated = true;
> +
> +	kvm_unlock_all_vcpus(kvm);
> +
> +	tdx_mmu_release_hkid(kvm);
> +
> +	return 0;
> +}

As I think I mentioned when removing vm_dead first came up, I think we need more checks.

I spent some time going through the code and came up with what is below:

First, we need to prevent TDX VCPU sub-IOCTLs from racing with tdx_mmu_release_hkid(). But having any TDX sub-IOCTL run after KVM_TDX_TERMINATE_VM raises questions of what might happen, so it is much simpler to understand if that is not possible. There are 3 options:

1. Require that KVM_TDX_TERMINATE_VM is valid only if kvm_tdx->state == TD_STATE_RUNNABLE. Since currently all the TDX sub-IOCTLs are for initialization, that would block the opportunity for any to run after KVM_TDX_TERMINATE_VM.

2. Check vm_terminated in tdx_vm_ioctl() and tdx_vcpu_ioctl()

3. Test KVM_REQ_VM_DEAD in tdx_vm_ioctl() and tdx_vcpu_ioctl()

[ Note: cannot check is_hkid_assigned() because that is racy ]

Secondly, I suggest we avoid SEAMCALLs that will fail and result in KVM_BUG_ON() if the HKID has been released. There are 2 groups of those: MMU-related and TDVPS_ACCESSORS.

For the MMU-related, the following 2 functions should return an error immediately if vm_terminated:

	tdx_sept_link_private_spt()
	tdx_sept_set_private_spte()

For that not to be racy, extra synchronization is needed so that vm_terminated can be reliably checked when holding the mmu lock, i.e.

static int tdx_terminate_vm(struct kvm *kvm)
{
	if (kvm_trylock_all_vcpus(kvm))
		return -EBUSY;

	kvm_vm_dead(kvm);
+
+	write_lock(&kvm->mmu_lock);
	to_kvm_tdx(kvm)->vm_terminated = true;
+	write_unlock(&kvm->mmu_lock);

	kvm_unlock_all_vcpus(kvm);

	tdx_mmu_release_hkid(kvm);

	return 0;
}

Finally, there are 2 TDVPS_ACCESSORS that need avoiding:

	tdx_load_mmu_pgd()
		skip td_vmcs_write64() if vm_terminated

	tdx_protected_apic_has_interrupt()
		skip td_state_non_arch_read64() if vm_terminated
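Review bot: the store `to_kvm_tdx(kvm)->vm_terminated = true;` in tdx_terminate_vm() is done with only the vCPU locks held, so an MMU path that checks vm_terminated under mmu_lock has no ordering against it and can still reach a SEAMCALL after tdx_mmu_release_hkid() has run, which is exactly the KVM_BUG_ON() case the reply describes; wrap the store in `write_lock(&kvm->mmu_lock);` / `write_unlock(&kvm->mmu_lock);` as suggested above and have tdx_sept_link_private_spt() and tdx_sept_set_private_spte() bail out when the flag is set. Relatedly, nothing in this hunk stops tdx_vm_ioctl() or tdx_vcpu_ioctl() from running after the VM is marked dead, so one of the three gating options listed above (state check, vm_terminated check, or KVM_REQ_VM_DEAD check) should land in the same series rather than later.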