KVM: x86/mmu: Retry page fault if root is invalidated by memslot update

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Bail from the page fault handler if the root shadow page was obsoleted by
a memslot update. Do the check _after_ acuiring mmu_lock, as the TDP MMU
doesn't rely on the memslot/MMU generation, and instead relies on the
root being explicit marked invalid by kvm_mmu_zap_all_fast(), which takes
mmu_lock for write.

For the TDP MMU, inserting a SPTE into an obsolete root can leak a SP if
kvm_tdp_mmu_zap_invalidated_roots() has already zapped the SP, i.e. has
moved past the gfn associated with the SP.

For other MMUs, the resulting behavior is far more convoluted, though
unlikely to be truly problematic. Installing SPs/SPTEs into the obsolete
root isn't directly problematic, as the obsolete root will be unloaded
and dropped before the vCPU re-enters the guest. But because the legacy
MMU tracks shadow pages by their role, any SP created by the fault can
can be reused in the new post-reload root. Again, that _shouldn't_ be
problematic as any leaf child SPTEs will be created for the current/valid
memslot generation, and kvm_mmu_get_page() will not reuse child SPs from
the old generation as they will be flagged as obsolete. But, given that
continuing with the fault is pointess (the root will be unloaded), apply
the check to all MMUs.

Fixes: b7cccd397f31 ("KVM: x86/mmu: Fast invalidation for TDP MMU")
Cc: stable@vger.kernel.org
Cc: Ben Gardon <bgardon@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20211120045046.3940942-5-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

authored by

Sean Christopherson and committed by

Paolo Bonzini 4 years ago a955cad8 bfbb307c

+23 -3

2 changed files

expand all

arch

x86

kvm

mmu

mmu.c

paging_tmpl.h

+21 -2

arch/x86/kvm/mmu/mmu.c

··· 1936 1936 1937 1937 static bool is_obsolete_sp(struct kvm *kvm, struct kvm_mmu_page *sp) 1938 1938 { 1939 - return sp->role.invalid || 1939 + if (sp->role.invalid) 1940 + return true; 1941 + 1942 + /* TDP MMU pages due not use the MMU generation. */ 1943 + return !sp->tdp_mmu_page && 1940 1944 unlikely(sp->mmu_valid_gen != kvm->arch.mmu_valid_gen); 1941 1945 } 1942 1946 ··· 3980 3976 return true; 3981 3977 } 3982 3978 3979 + /* 3980 + * Returns true if the page fault is stale and needs to be retried, i.e. if the 3981 + * root was invalidated by a memslot update or a relevant mmu_notifier fired. 3982 + */ 3983 + static bool is_page_fault_stale(struct kvm_vcpu *vcpu, 3984 + struct kvm_page_fault *fault, int mmu_seq) 3985 + { 3986 + if (is_obsolete_sp(vcpu->kvm, to_shadow_page(vcpu->arch.mmu->root_hpa))) 3987 + return true; 3988 + 3989 + return fault->slot && 3990 + mmu_notifier_retry_hva(vcpu->kvm, mmu_seq, fault->hva); 3991 + } 3992 + 3983 3993 static int direct_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault) 3984 3994 { 3985 3995 bool is_tdp_mmu_fault = is_tdp_mmu(vcpu->arch.mmu); ··· 4031 4013 else 4032 4014 write_lock(&vcpu->kvm->mmu_lock); 4033 4015 4034 - if (fault->slot && mmu_notifier_retry_hva(vcpu->kvm, mmu_seq, fault->hva)) 4016 + if (is_page_fault_stale(vcpu, fault, mmu_seq)) 4035 4017 goto out_unlock; 4018 + 4036 4019 r = make_mmu_pages_available(vcpu); 4037 4020 if (r) 4038 4021 goto out_unlock;

+2 -1

arch/x86/kvm/mmu/paging_tmpl.h

··· 911 911 912 912 r = RET_PF_RETRY; 913 913 write_lock(&vcpu->kvm->mmu_lock); 914 - if (fault->slot && mmu_notifier_retry_hva(vcpu->kvm, mmu_seq, fault->hva)) 914 + 915 + if (is_page_fault_stale(vcpu, fault, mmu_seq)) 915 916 goto out_unlock; 916 917 917 918 kvm_mmu_audit(vcpu, AUDIT_PRE_PAGE_FAULT);

Configure Feed

Configure Feed