Reply-To: Sean Christopherson
Date: Tue, 22 Jun 2021 10:56:56 -0700
In-Reply-To: <20210622175739.3610207-1-seanjc@google.com>
Message-Id: <20210622175739.3610207-12-seanjc@google.com>
References: <20210622175739.3610207-1-seanjc@google.com>
Subject: [PATCH 11/54] KVM: x86/mmu: WARN and zap SP when sync'ing if MMU role mismatches
From: Sean Christopherson
To: Paolo Bonzini
Cc: Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yu Zhang, Maxim Levitsky
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

When synchronizing a shadow page, WARN and zap the page if its mmu role isn't compatible with the current MMU context, where "compatible" is an exact match sans the bits that have no meaning in the overall MMU context or will be explicitly overwritten during the sync. Many of the helpers used by sync_page() are specific to the current context, updating an SMM vs. non-SMM shadow page would use the wrong memslots, updating L1 vs. L2 PTEs might work but would be extremely bizarre, and so on and so forth.

Drop the guard with respect to 8-byte vs. 4-byte PTEs in __kvm_sync_page(), it was made useless when kvm_mmu_get_page() stopped trying to sync shadow pages irrespective of the current MMU context.

Signed-off-by: Sean Christopherson
--- arch/x86/kvm/mmu/mmu.c | 5 +---- arch/x86/kvm/mmu/paging_tmpl.h | 27 +++++++++++++++++++++++++-- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index 9f277c5bab76..2e2d66319325 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -1784,10 +1784,7 @@ static void kvm_mmu_commit_zap_page(struct kvm *kvm, static bool __kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp, struct list_head *invalid_list) { - union kvm_mmu_page_role mmu_role = vcpu->arch.mmu->mmu_role.base; - - if (sp->role.gpte_is_8_bytes != mmu_role.gpte_is_8_bytes || - vcpu->arch.mmu->sync_page(vcpu, sp) == 0) { + if (vcpu->arch.mmu->sync_page(vcpu, sp) == 0) { kvm_mmu_prepare_zap_page(vcpu->kvm, sp, invalid_list); return false; } diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h index 52fffd68b522..b632606a87d6 100644
--- a/arch/x86/kvm/mmu/paging_tmpl.h +++ b/arch/x86/kvm/mmu/paging_tmpl.h @@ -1030,13 +1030,36 @@ static gpa_t FNAME(gva_to_gpa_nested)(struct kvm_vcpu *vcpu, gpa_t vaddr, */ static int FNAME(sync_page)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp) { + union kvm_mmu_page_role mmu_role = vcpu->arch.mmu->mmu_role.base; int i, nr_present = 0; bool host_writable; gpa_t first_pte_gpa; int set_spte_ret = 0; - /* direct kvm_mmu_page can not be unsync. */ - BUG_ON(sp->role.direct); + /* + * Ignore various flags when verifying that it's safe to sync a shadow + * page using the current MMU context. + * + * - level: not part of the overall MMU role and will never match as the MMU's + * level tracks the root level + * - access: updated based on the new guest PTE + * - quadrant: not part of the overall MMU role (similar to level) + */ + const union kvm_mmu_page_role sync_role_ign = { + .level = 0xf, + .access = 0x7, + .quadrant = 0x3, + }; + + /* + * Direct pages can never be unsync, and KVM should never attempt to + * sync a shadow page for a different MMU context, e.g. if the role + * differs then the memslot lookup (SMM vs. non-SMM) will be bogus, the + * reserved bits checks will be wrong, etc... + */ + if (WARN_ON_ONCE(sp->role.direct || + (sp->role.word ^ mmu_role.word) & ~sync_role_ign.word)) + return 0; first_pte_gpa = FNAME(get_level1_sp_gpa)(sp); -- 2.32.0.288.g62a8d224e6-goog
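Review bot: for the mmu.c hunk, dropping the `sp->role.gpte_is_8_bytes != mmu_role.gpte_is_8_bytes` comparison from __kvm_sync_page() is only safe because the new check in FNAME(sync_page) compares the whole role word and gpte_is_8_bytes is not part of sync_role_ign, so a 4-byte vs. 8-byte mismatch still ends in `return 0` and a zap via kvm_mmu_prepare_zap_page(); the commit message says the guard was "made useless" but does not say the check has effectively moved, so consider stating that the role comparison in sync_page() now subsumes it. With the `mmu_role` local removed here, the function is reduced to the single `if (vcpu->arch.mmu->sync_page(vcpu, sp) == 0)` test, which reads fine.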
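Review bot: for the paging_tmpl.h hunk, replacing `BUG_ON(sp->role.direct)` with `WARN_ON_ONCE(sp->role.direct || ...)` followed by `return 0` turns a direct-page sync from a kernel BUG into a one-time warning plus a zap of the page; that downgrade is a behaviour change separate from the new role check and should be called out in the commit message. The ignore mask also hard-codes `.level = 0xf`, `.access = 0x7`, `.quadrant = 0x3`, which only clears the whole field if those are exactly the bitfield widths in union kvm_mmu_page_role; a comment tying the values to the field widths (or a BUILD_BUG_ON on the widths) would keep the mask from silently shrinking if a field is widened later.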
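The compatibility test the commit message describes, as an added C example that is not KVM code: it models the page role as a constructed, simplified bitfield union (field set and widths are assumptions, not the real kvm_mmu_page_role) and shows which role differences the XOR-and-mask check tolerates and which make sync_page() bail.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed, simplified model of KVM's union kvm_mmu_page_role (NOT the
 * real struct). The patch relies on every role field being a bitfield
 * aliased by an integer "word": roles are compared with one XOR, and the
 * fields allowed to differ are masked off with a role whose ignored
 * fields are set to all-ones.
 */
union model_page_role {
    uint32_t word;
    struct {
        unsigned level:4;
        unsigned gpte_is_8_bytes:1;
        unsigned quadrant:2;
        unsigned direct:1;
        unsigned access:3;
        unsigned smm:1;
    };
};

/* Fields that may differ between shadow page and current MMU (the patch's
 * sync_role_ign: level, access, quadrant). */
static const union model_page_role sync_role_ign = {
    .level = 0xf, .access = 0x7, .quadrant = 0x3,
};

/* Build a role from a zeroed word so no stray bits survive. */
union model_page_role make_role(unsigned level, unsigned gpte8, unsigned quadrant,
                                unsigned direct, unsigned access, unsigned smm)
{
    union model_page_role r;
    r.word = 0;
    r.level = level; r.gpte_is_8_bytes = gpte8; r.quadrant = quadrant;
    r.direct = direct; r.access = access; r.smm = smm;
    return r;
}

/* 1 if a page with role sp may be synced under MMU role mmu; 0 is the case
 * the patch WARNs on, making sync_page() return 0 so the page is zapped. */
int sync_role_compatible(union model_page_role sp, union model_page_role mmu)
{
    if (sp.direct)
        return 0;  /* direct pages are never unsync, nothing to sync */
    return ((sp.word ^ mmu.word) & ~sync_role_ign.word) == 0;
}
```

Roles that differ only in level, quadrant or access are compatible; an SMM, PTE-size or direct-page difference is rejected.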