Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp74587pxb;
        Fri, 15 Oct 2021 00:36:14 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy/OOOapmXiLJGR2H/gOuOZaUAi/kxoFXZtrcoTmp2DptSTTEQLrFY9d4AVS1XGXawmRZfM
X-Received: by 2002:a17:902:d887:b0:13e:e77:7a21 with SMTP id b7-20020a170902d88700b0013e0e777a21mr9579880plz.66.1634283374263;
        Fri, 15 Oct 2021 00:36:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1634283374; cv=none;
        d=google.com; s=arc-20160816;
        b=X3+wFyNgTaRzr/3ghHjzlLuF8NiA6cu8B9pqPt8Wu4b/cVIz8ofn/O57n9seTwz8JH
         B/k4anG2V3PVjpeP1ykOK1jP48OjxDQVhrOOPNBOoQ4MwE8J0//96EDh36bBUkcHnNkg
         ow/44NM6GEUMcySHpPYFxT+5so9KF+rmnSDj+jh7zKbMvVYukDgxMGQ/Vk9GUQ+iK+1x
         vvmxE4RJHp0spEpQ/asp7VvKaQ2lpgD05q4qzs+1/cqTTkWulYAjlD3waASUicxPVuZv
         dndTITJLQ7LAr1V6L7dT3NZaMbPw67BfGAKbQkwebMu7pwoME9k78lf/MlQqPJXQlnLM
         ypLg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=KKAviLRUKqVjp43nqMLg6bveGxLDROIz4blReEr8Bmo=;
        b=xsWsFsv/m4vlFQkKS6hs1CbS8/rFKJAonwQH9/P8efEQEjtHSaeuzvUxzuYm9uGi4d
         UJ9m2NY7zgmX0tzpt/5fnOCY1++tpPSNXwiidT6Nr8JToiempdeGVlmk2dfDhvTzx2ug
         GWEm4SbwhVed2fYr7Ey6IOQ4c+ZniuVuifzI9fFYEJyrLjMT5na6k3dpi/ycKxoopYrW
         qdjMAsFhXw3iMRlrnAXCaFZSshLPZoNmRAdWuTvRSWeHVFjhy935y861J3XeW87LX/Zw
         ttCYwY8rSU2TTUKH5+cQbTfnhG6N5OXcSvMmXDis/kJq47TV7LpzbzSqIJ14WsljYKqS
         Fd1w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=ZBD68KtE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id 10si6146080pfl.261.2021.10.15.00.35.46;
        Fri, 15 Oct 2021 00:36:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=ZBD68KtE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234447AbhJOAMd (ORCPT <rfc822;scott.kim901@gmail.com>
        + 99 others); Thu, 14 Oct 2021 20:12:33 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58728 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233322AbhJOAMc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 14 Oct 2021 20:12:32 -0400
Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EE2AEC061570
        for <linux-kernel@vger.kernel.org>; Thu, 14 Oct 2021 17:10:26 -0700 (PDT)
Received: by mail-pj1-x1034.google.com with SMTP id ls18so5971772pjb.3
        for <linux-kernel@vger.kernel.org>; Thu, 14 Oct 2021 17:10:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=KKAviLRUKqVjp43nqMLg6bveGxLDROIz4blReEr8Bmo=;
        b=ZBD68KtEuRuJ2LXGX2e4Bq5AGfrbJB7Ct4q5cPqaOIdkz8JGahpzAsLGlpbmGa0qj2
         HgTKgCzwXvVzOP6SUz7KzzNlWNh+tnwRWS20rjnszlEGubea5dq2zvlTU/CQg4R9ZITI
         vTcpu8c93VKGxm1TuBo1hNUo+LC6eRQtOQjqY691/6F3GL1EYIyoux9G8Bq37r68yUiq
         1ZSH61AKIqVtSF6z4dNYil5nXb3BlP+PgpmV3xO0JqjLA7b/44qUnrZ2OQbfX+CaMyoL
         4iGPd7aT4gg3DBpMvmh7xmVj5NW7ai9ibGHXGw1bGDe29In+oJwcG/GHgWpgXr73ZraR
         hP+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=KKAviLRUKqVjp43nqMLg6bveGxLDROIz4blReEr8Bmo=;
        b=ArDO9r+S4xXkCxTm4hryJzmnBel9XRvp4NrRPmCzqG4wPc8zyowzYRV3/f4sh8RlCZ
         W7Jv876EGs7BFdxmQgW6h93WwYcV/DarlLhoMSBpbsDI5Ia8PiYbYkWVhGKcElHyD8L7
         lKYhep3Aix6NiJNqcP8O3iLB6Hc4+93YkbysFiBvHIfajtbM58Qh8JqysgJF9Zyfb0UV
         s2gUgGwfWpVpLl0jRRv1cTZf9MCQ97R8Q6CMX0YYHdttHyYQw9ll0c7nN3L2QR6IJe23
         pXTf4BYuR0eVxLNSQZKMw7vwacWjwce9V2xeltm0nucfqjzlnGwV0dAG7vPtszJzzzez
         GR7g==
X-Gm-Message-State: AOAM530t45/ezqxGfYBOJU8z6olfoUvKCnyJlS8+Fwex0UtRCuxXt2z1
        8+5mT5vom6hSajF3XD6oRCmOhw==
X-Received: by 2002:a17:902:d2c6:b0:13f:1ecb:aefd with SMTP id n6-20020a170902d2c600b0013f1ecbaefdmr7991685plc.50.1634256626178;
        Thu, 14 Oct 2021 17:10:26 -0700 (PDT)
Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157])
        by smtp.gmail.com with ESMTPSA id x13sm3197813pge.37.2021.10.14.17.10.25
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 14 Oct 2021 17:10:25 -0700 (PDT)
Date:   Fri, 15 Oct 2021 00:10:21 +0000
From:   Sean Christopherson <seanjc@google.com>
To:     David Stevens <stevensd@chromium.org>
Cc:     Marc Zyngier <maz@kernel.org>, Paolo Bonzini <pbonzini@redhat.com>,
        James Morse <james.morse@arm.com>,
        Alexandru Elisei <alexandru.elisei@arm.com>,
        Suzuki K Poulose <suzuki.poulose@arm.com>,
        Will Deacon <will@kernel.org>,
        Wanpeng Li <wanpengli@tencent.com>,
        Jim Mattson <jmattson@google.com>,
        Joerg Roedel <joro@8bytes.org>,
        linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu,
        open list <linux-kernel@vger.kernel.org>, kvm@vger.kernel.org
Subject: Re: [PATCH v4 4/4] KVM: mmu: remove over-aggressive warnings
Message-ID: <YWjG7XJ9rx5qLzm7@google.com>
References: <20210929042908.1313874-1-stevensd@google.com>
 <20210929042908.1313874-5-stevensd@google.com>
 <YWYiJy1Z7VZ0SxAd@google.com>
 <CAD=HUj5HCdBBU2z=yJCCiAhTj0ARj-8XpLqdVbam7Kt9af+SSA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAD=HUj5HCdBBU2z=yJCCiAhTj0ARj-8XpLqdVbam7Kt9af+SSA@mail.gmail.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 13, 2021, David Stevens wrote:
> On Wed, Oct 13, 2021 at 9:02 AM Sean Christopherson <seanjc@google.com> wrote:
> >
> > On Wed, Sep 29, 2021, David Stevens wrote:
> > > From: David Stevens <stevensd@chromium.org>
> > >
> > > Remove two warnings that require ref counts for pages to be non-zero, as
> > > mapped pfns from follow_pfn may not have an initialized ref count.
> > >
> > > Signed-off-by: David Stevens <stevensd@chromium.org>
> > > ---
> > >  arch/x86/kvm/mmu/mmu.c | 7 -------
> > >  virt/kvm/kvm_main.c    | 2 +-
> > >  2 files changed, 1 insertion(+), 8 deletions(-)
> > >
> > > diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
> > > index 5a1adcc9cfbc..3b469df63bcf 100644
> > > --- a/arch/x86/kvm/mmu/mmu.c
> > > +++ b/arch/x86/kvm/mmu/mmu.c
> > > @@ -617,13 +617,6 @@ static int mmu_spte_clear_track_bits(struct kvm *kvm, u64 *sptep)
> > >
> > >       pfn = spte_to_pfn(old_spte);
> > >
> > > -     /*
> > > -      * KVM does not hold the refcount of the page used by
> > > -      * kvm mmu, before reclaiming the page, we should
> > > -      * unmap it from mmu first.
> > > -      */
> > > -     WARN_ON(!kvm_is_reserved_pfn(pfn) && !page_count(pfn_to_page(pfn)));
> >
> > Have you actually observed false positives with this WARN?  I would expect anything
> > without a struct page to get filtered out by !kvm_is_reserved_pfn(pfn).
> 
> Those are the type of pfns that were responsible for CVE-2021-22543
> [1]. One specific example is that amdgpu uses ttm_pool, which makes
> higher order, non-compound allocation. Without the head/tail metadata,
> only the first base page in such an allocation has non-zero
> page_count.

Huh.  I hadn't actually read the CVE, or obviously thought critically about the
problem. :-)

> [1] https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584
> 
> > If you have observed false positives, I would strongly prefer we find a way to
> > keep the page_count() sanity check, it has proven very helpful in the past in
> > finding/debugging bugs during MMU development.
> 
> When we see a refcount of zero, I think we can look up spte->(gfn,
> slot)->hva->vma and determine whether or not the zero refcount is
> okay, based on vm_flags. That's kind of heavy for a debug check,
> although at least we'd only pay the cost for unusual mappings. But it
> still might make sense to switch to a MMU_WARN_ON, in that case. Or we
> could just ignore the cost, since at least from a superficial reading
> and some basic tests, tdp_mmu doesn't seem to execute this code path.
> 
> Thoughts? I'd lean towards MMU_WARN_ON, but I'd like to know what the
> maintainers' preferences are before sending an updated patch series.

MMU_WARN_ON is a poor choice, but only because no one turns it on.  I think we've
discussed turning it into a proper Kconfig (and killing off mmu_audit.c) multiple
times, but no one has actually followed through.

The TDP MMU indeed doesn't hit this path.  So I'd say just keep this patch as is
and punt the whole MMU_WARN_ON / audit cleanup to the future.  I bet if we spend
any time at all, we can think of a big pile of MMU sanity checks we could add to
KVM, i.e. this can be but one of many checks that applies to all flavors of MMUs.