From: Sean Christopherson
To: Paolo Bonzini
Cc: Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] KVM: x86/mmu: Don't put invalid SPs back on the list of active pages
Date: Mon, 22 Jun 2020 12:18:50 -0700
Message-Id: <20200622191850.8529-1-sean.j.christopherson@intel.com>

Delete a shadow page from the invalidation list instead of throwing it back on the list of active pages when it's a root shadow page with active users. Invalid active root pages will be explicitly freed by mmu_free_root_page() when the root_count hits zero, i.e. they don't need to be put on the active list to avoid leakage.

Use sp->role.invalid to detect that a shadow page has already been zapped, i.e. is not on a list. WARN if an invalid page is encountered when zapping pages, as it should now be impossible.

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/mmu/mmu.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index fdd05c233308..fa5bd3f987dd 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -2757,10 +2757,13 @@ static bool __kvm_mmu_prepare_zap_page(struct kvm *kvm, if (!sp->root_count) { /* Count self */ (*nr_zapped)++; - list_move(&sp->link, invalid_list); + if (sp->role.invalid) + list_add(&sp->link, invalid_list); + else + list_move(&sp->link, invalid_list); kvm_mod_used_mmu_pages(kvm, -1); } else { - list_move(&sp->link, &kvm->arch.active_mmu_pages); + list_del(&sp->link); /* * Obsolete pages cannot be used on any vCPUs, see the comment 
@@ -5732,12 +5735,11 @@ static void kvm_zap_obsolete_pages(struct kvm *kvm) break; /* - * Skip invalid pages with a non-zero root count, zapping pages - * with a non-zero root count will never succeed, i.e. the page - * will get thrown back on active_mmu_pages and we'll get stuck - * in an infinite loop. + * Invalid pages should never land back on the list of active + * pages. Skip the bogus page, otherwise we'll get stuck in an + * infinite loop if the page gets put back on the list (again). */ - if (sp->role.invalid && sp->root_count) + if (WARN_ON(sp->role.invalid)) continue; /* @@ -6015,7 +6017,7 @@ void kvm_mmu_zap_all(struct kvm *kvm) spin_lock(&kvm->mmu_lock); restart: list_for_each_entry_safe(sp, node, &kvm->arch.active_mmu_pages, link) { - if (sp->role.invalid && sp->root_count) + if (WARN_ON(sp->role.invalid)) continue; if (__kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list, &ign)) goto restart; -- 2.26.0
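Review bot: in the first hunk (__kvm_mmu_prepare_zap_page) the `else` branch now calls `list_del(&sp->link)` unconditionally, while the `!sp->root_count` branch guards its list operation on `sp->role.invalid`. The commit message says an invalid page is, by definition, no longer on any list, so if a root page that is already invalid can reach the non-zero root_count path a second time, `list_del` would run on an unlinked entry. If that cannot happen, a `WARN_ON(sp->role.invalid)` or a one-line comment above `list_del` would document the invariant that the asymmetry between the two branches relies on.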
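Review bot: the rewritten comment in the kvm_zap_obsolete_pages hunk says invalid pages "should never land back on the list" but not why, which the old comment at least hinted at. Since this hunk is the one a reader will hit when the WARN fires, it would help to state the new rule in one sentence: zero-root_count pages go straight to `invalid_list` and pages with users are simply unlinked, so any invalid page still on `active_mmu_pages` is a list-handling bug rather than an expected transient state.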
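Review bot: in the kvm_mmu_zap_all hunk the loop does `goto restart` after every successful `__kvm_mmu_prepare_zap_page`, so a single invalid page that did slip onto `active_mmu_pages` would be revisited, and `WARN_ON(sp->role.invalid)` re-fired, on every restart until the list is drained; `WARN_ON_ONCE` keeps the diagnostic without flooding the log, and the same applies to the matching check in kvm_zap_obsolete_pages. A short comment that `continue` deliberately leaves such a page unzapped would also help, given that the function's name promises to zap everything.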