~kamalmostafa/ubuntu/+source/linux/+git/bionic:lp1885184-kvm-flush

Last commit made on 2020-06-25
Get this branch:
git clone -b lp1885184-kvm-flush https://git.launchpad.net/~kamalmostafa/ubuntu/+source/linux/+git/bionic

Branch information

Name:
lp1885184-kvm-flush
Repository:
lp:~kamalmostafa/ubuntu/+source/linux/+git/bionic

Recent commits

5fe0780... by Boris Ostrovsky

x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed

BugLink: https://bugs.launchpad.net/bugs/1885184

commit b043138246a41064527cf019a3d51d9f015e9796 upstream.

There is a potential race in record_steal_time() between setting
host-local vcpu->arch.st.steal.preempted to zero (i.e. clearing
KVM_VCPU_PREEMPTED) and propagating this value to the guest with
kvm_write_guest_cached(). Between those two events the guest may
still see KVM_VCPU_PREEMPTED in its copy of kvm_steal_time, set
KVM_VCPU_FLUSH_TLB and assume that hypervisor will do the right
thing. Which it won't.

Instead of copying, we should map kvm_steal_time and that will
guarantee atomicity of accesses to @preempted.

This is part of CVE-2019-3016.

Signed-off-by: Boris Ostrovsky <email address hidden>
Reviewed-by: Joao Martins <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
[bwh: Backported to 4.19: No tracepoint in record_steal_time().]
Signed-off-by: Ben Hutchings <email address hidden>
Signed-off-by: Sasha Levin <email address hidden>
Signed-off-by: Kamal Mostafa <email address hidden>
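
The lost-flush window this commit message describes can be replayed deterministically. The following is an added example, not code from the commit or the kernel tree: a single-threaded user-space model in which the function names, the `shared`/`local` variables and the plain store standing in for kvm_write_guest_cached() are assumptions; only the two flag names come from the page.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KVM_VCPU_PREEMPTED (1 << 0)
#define KVM_VCPU_FLUSH_TLB (1 << 1)

/* Guest: if the target vCPU still looks preempted, set FLUSH_TLB and skip
 * the IPI. Returns true when the guest now relies on the host to flush. */
static bool guest_request_flush(_Atomic uint8_t *preempted)
{
    uint8_t state = atomic_load(preempted);
    if (!(state & KVM_VCPU_PREEMPTED))
        return false;
    return atomic_compare_exchange_strong(preempted, &state,
                                          (uint8_t)(state | KVM_VCPU_FLUSH_TLB));
}

/* Copy-based host path (model). guest_in_window places the guest between
 * the local clear and the write-back. Returns true if a flush is lost. */
static bool copy_based_loses_flush(bool guest_in_window)
{
    _Atomic uint8_t shared = KVM_VCPU_PREEMPTED;   /* guest-visible field */
    uint8_t local = atomic_load(&shared);          /* host-local copy */
    bool flushed = (local & KVM_VCPU_FLUSH_TLB) != 0;
    local = 0;                                     /* cleared locally only */
    bool skipped_ipi = guest_in_window && guest_request_flush(&shared);
    atomic_store(&shared, local);                  /* write-back drops the flag */
    return skipped_ipi && !flushed;
}

/* Mapped host path (model): one atomic exchange on the shared field. */
static bool mapped_loses_flush(bool guest_first)
{
    _Atomic uint8_t shared = KVM_VCPU_PREEMPTED;
    bool skipped_ipi = guest_first && guest_request_flush(&shared);
    bool flushed = (atomic_exchange(&shared, 0) & KVM_VCPU_FLUSH_TLB) != 0;
    bool late = guest_request_flush(&shared);      /* sees 0, must send an IPI */
    return (skipped_ipi && !flushed) || late;
}

int main(void)
{
    printf("copy-based, guest in window: lost=%d\n", copy_based_loses_flush(true));
    printf("mapped, guest before xchg:   lost=%d\n", mapped_loses_flush(true));
    return 0;
}
```
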

a786889... by Wanpeng Li <email address hidden>

KVM: X86: use paravirtualized TLB Shootdown

BugLink: https://bugs.launchpad.net/bugs/1885184

Remote TLB flush does a busy wait which is fine in bare-metal
scenario. But within the guest, the vcpus might have been pre-empted or
blocked. In this scenario, the initiator vcpu would end up busy-waiting
for a long amount of time; it also consumes CPU unnecessarily to wake
up the target of the shootdown.

This patch set adds support for KVM's new paravirtualized TLB flush;
remote TLB flush does not wait for vcpus that are sleeping, instead
KVM will flush the TLB as soon as the vCPU starts running again.

The improvement is clearly visible when the host is overcommitted; in this
case, the PV TLB flush (in addition to avoiding the wait on the main CPU)
prevents preempted vCPUs from stealing precious execution time from the
running ones.

Testing on a Xeon Gold 6142 2.6GHz 2 sockets, 32 cores, 64 threads,
so 64 pCPUs, and each VM is 64 vCPUs.

ebizzy -M
        vanilla    optimized    boost
1VM      46799      48670         4%
2VM      23962      42691        78%
3VM      16152      37539       132%

Cc: Paolo Bonzini <email address hidden>
Cc: Radim Krčmář <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Signed-off-by: Wanpeng Li <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
Signed-off-by: Radim Krčmář <email address hidden>
(backported from commit 858a43aae23672d46fe802a41f4748f322965182)
Signed-off-by: Kamal Mostafa <email address hidden>

f3539c7... by Wanpeng Li <email address hidden>

KVM: X86: Add KVM_VCPU_PREEMPTED

BugLink: https://bugs.launchpad.net/bugs/1885184

The next patch will add another bit to the preempted field in
kvm_steal_time. Define a constant for bit 0 (the only one that is
currently used).

Cc: Paolo Bonzini <email address hidden>
Cc: Radim Krčmář <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Signed-off-by: Wanpeng Li <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
Signed-off-by: Radim Krčmář <email address hidden>
(backported from commit fa55eedd6328d3072e82218a2346b8752253af2d)
Signed-off-by: Kamal Mostafa <email address hidden>

d6af5c9... by Wanpeng Li <email address hidden>

KVM: X86: support paravirtualized help for TLB shootdowns

BugLink: https://bugs.launchpad.net/bugs/1885184

When running on a virtual machine, IPIs are expensive when the target
CPU is sleeping. Thus, it is nice to be able to avoid them for TLB
shootdowns. KVM can just do the flush via INVVPID on the guest's behalf
the next time the CPU is scheduled.

Cc: Paolo Bonzini <email address hidden>
Cc: Radim Krčmář <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Signed-off-by: Wanpeng Li <email address hidden>
[Use "&" to test the bit instead of "==". - Paolo]
Signed-off-by: Paolo Bonzini <email address hidden>
Signed-off-by: Radim Krčmář <email address hidden>
(backported from commit f38a7b75267f1fb240a8178cbcb16d66dd37aac8)
Signed-off-by: Kamal Mostafa <email address hidden>

e34279b... by Thadeu Lima de Souza Cascardo

UBUNTU: Ubuntu-4.15.0-109.110

Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

fdd974f... by Thadeu Lima de Souza Cascardo

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

18c34ae... by Thadeu Lima de Souza Cascardo

UBUNTU: update dkms package versions

BugLink: https://bugs.launchpad.net/bugs/1786013
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

9cce5bf... by Kleber Sacilotto de Souza

UBUNTU: [Packaging]: ignore wireguard modules when wireguard is disabled

When the build of wireguard modules is disabled, its modules should be
ignored, just like when zfs is disabled.

Ignore: yes
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

49ad88c... by Andy Whitcroft

UBUNTU: [Config] wireguard -- enable on all architectures

Signed-off-by: Andy Whitcroft <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

c01749e... by Andy Whitcroft

UBUNTU: [Packaging] wireguard -- add support for building signed .ko

Add support for building, signing, and shipping the wireguard.ko from
the wireguard-dkms package. Drop this into the linux-modules package.

BugLink: https://bugs.launchpad.net/bugs/1861284
Signed-off-by: Andy Whitcroft <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>