From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Paul Mackerras, Sasha Levin
Subject: [PATCH 4.19 064/190] KVM: PPC: Book3S HV: Fix race between kvm_unmap_hva_range and MMU mode switch
Date: Fri, 13 Sep 2019 14:05:19 +0100
Message-Id: <20190913130604.871833303@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20190913130559.669563815@linuxfoundation.org>
References: <20190913130559.669563815@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit 234ff0b729ad882d20f7996591a964965647addf ]

Testing has revealed an occasional crash which appears to be caused by a race between kvmppc_switch_mmu_to_hpt and kvm_unmap_hva_range_hv. The symptom is a NULL pointer dereference in __find_linux_pte() called from kvm_unmap_radix() with kvm->arch.pgtable == NULL.

Looking at kvmppc_switch_mmu_to_hpt(), it does indeed clear kvm->arch.pgtable (via kvmppc_free_radix()) before setting kvm->arch.radix to NULL, and there is nothing to prevent kvm_unmap_hva_range_hv() or the other MMU callback functions from being called concurrently with kvmppc_switch_mmu_to_hpt() or kvmppc_switch_mmu_to_radix().

This patch therefore adds calls to spin_lock/unlock on the kvm->mmu_lock around the assignments to kvm->arch.radix, and makes sure that the partition-scoped radix tree or HPT is only freed after changing kvm->arch.radix.

This also takes the kvm->mmu_lock in kvmppc_rmap_reset() to make sure that the clearing of each rmap array (one per memslot) doesn't happen concurrently with use of the array in the kvm_unmap_hva_range_hv() or the other MMU callbacks.

Fixes: 18c3640cefc7 ("KVM: PPC: Book3S HV: Add infrastructure for running HPT guests on radix host")
Cc: stable@vger.kernel.org # v4.15+
Signed-off-by: Paul Mackerras Signed-off-by: Sasha Levin --- arch/powerpc/kvm/book3s_64_mmu_hv.c | 3 +++ arch/powerpc/kvm/book3s_hv.c | 15 +++++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c b/arch/powerpc/kvm/book3s_64_mmu_hv.c index 68e14afecac85..a488c105b9234 100644 --- a/arch/powerpc/kvm/book3s_64_mmu_hv.c +++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c @@ -744,12 +744,15 @@ void kvmppc_rmap_reset(struct kvm *kvm) srcu_idx = srcu_read_lock(&kvm->srcu); slots = kvm_memslots(kvm); kvm_for_each_memslot(memslot, slots) { + /* Mutual exclusion with kvm_unmap_hva_range etc. */ + spin_lock(&kvm->mmu_lock); /* * This assumes it is acceptable to lose reference and * change bits across a reset. */ memset(memslot->arch.rmap, 0, memslot->npages * sizeof(*memslot->arch.rmap)); + spin_unlock(&kvm->mmu_lock); } srcu_read_unlock(&kvm->srcu, srcu_idx); } diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c index 083dcedba11ce..9595db30e6b87 100644 --- a/arch/powerpc/kvm/book3s_hv.c +++ b/arch/powerpc/kvm/book3s_hv.c @@ -3813,12 +3813,15 @@ static int kvmppc_hv_setup_htab_rma(struct kvm_vcpu *vcpu) /* Must be called with kvm->lock held and mmu_ready = 0 and no vcpus running */ int kvmppc_switch_mmu_to_hpt(struct kvm *kvm) { + kvmppc_rmap_reset(kvm); + kvm->arch.process_table = 0; + /* Mutual exclusion with kvm_unmap_hva_range etc. */ + spin_lock(&kvm->mmu_lock); + kvm->arch.radix = 0; + spin_unlock(&kvm->mmu_lock); kvmppc_free_radix(kvm); kvmppc_update_lpcr(kvm, LPCR_VPM1, LPCR_VPM1 | LPCR_UPRT | LPCR_GTSE | LPCR_HR); - kvmppc_rmap_reset(kvm); - kvm->arch.radix = 0; - kvm->arch.process_table = 0; return 0; } 
@@ -3831,10 +3834,14 @@ int kvmppc_switch_mmu_to_radix(struct kvm *kvm) if (err) return err; + kvmppc_rmap_reset(kvm); + /* Mutual exclusion with kvm_unmap_hva_range etc. */ + spin_lock(&kvm->mmu_lock); + kvm->arch.radix = 1; + spin_unlock(&kvm->mmu_lock); kvmppc_free_hpt(&kvm->arch.hpt); kvmppc_update_lpcr(kvm, LPCR_UPRT | LPCR_GTSE | LPCR_HR, LPCR_VPM1 | LPCR_UPRT | LPCR_GTSE | LPCR_HR); - kvm->arch.radix = 1; return 0; } -- 2.20.1
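Review bot: in the kvmppc_rmap_reset() hunk (book3s_64_mmu_hv.c), spin_lock(&kvm->mmu_lock) is now held across a memset of memslot->npages * sizeof(*memslot->arch.rmap) bytes for each memslot, so for a large memslot the MMU notifier callbacks this is meant to exclude will spin for the whole clear. Given that both callers require no vcpus running, that is probably acceptable, but the existing comment above the memset only says that losing reference and change bits is fine; consider extending it to note that the lock is taken and dropped per memslot and that a long hold time is expected here, so a later reader does not try to shrink the critical section without understanding why it is this wide.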
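Review bot: in the kvmppc_switch_mmu_to_hpt() hunk, kvm->arch.process_table = 0 is moved ahead of the locked region and written without kvm->mmu_lock, while kvm->arch.radix = 0 is written under it. If process_table is never consulted by the MMU callbacks this is fine, but the hunk gives no hint why the two fields get different treatment; a one-line comment at the assignment would settle that for the next reviewer. The function's header comment ("Must be called with kvm->lock held and mmu_ready = 0 and no vcpus running") is also the natural place to record the invariant the hunk relies on: kvm->arch.radix changes only under kvm->mmu_lock, and kvmppc_free_radix() runs only after that change, so a reader that tests kvm->arch.radix under the same lock cannot go on to use a freed radix tree.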
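Review bot: in the kvmppc_switch_mmu_to_radix() hunk, kvmppc_rmap_reset(kvm) is newly introduced rather than moved (the only removed line here is kvm->arch.radix = 1;), whereas in the hpt hunk the call is only reordered. The commit message explains the locking inside kvmppc_rmap_reset() but not why the rmap arrays now need clearing on the switch to radix as well, so either the commit message or a comment at the call site should say whether this is required for correctness or added for symmetry. Otherwise the shape matches the hpt hunk: kvm->arch.radix = 1 is set under kvm->mmu_lock before kvmppc_free_hpt(&kvm->arch.hpt), so a callback that checks kvm->arch.radix under the lock will see radix == 1 and stay off the HPT by the time it can be freed.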