Date: Fri, 8 Mar 2024 12:54:16 +0800
From: Xu Yilun
To: Sean Christopherson
Cc: Paolo Bonzini, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yan Zhao, Isaku Yamahata, Michael Roth, Yu Zhang, Chao Peng, Fuad Tabba, David Matlack
Subject: Re: [PATCH 09/16] KVM: x86/mmu: Move private vs. shared check above slot validity checks
References: <20240228024147.41573-1-seanjc@google.com> <20240228024147.41573-10-seanjc@google.com>
In-Reply-To: <20240228024147.41573-10-seanjc@google.com>

On Tue, Feb 27, 2024 at 06:41:40PM -0800, Sean Christopherson wrote:
> Prioritize private vs. shared gfn attribute checks above slot validity
> checks to ensure a consistent userspace ABI. E.g. as is, KVM will exit to
> userspace if there is no memslot, but emulate accesses to the APIC access
> page even if the attributes mismatch.
>
> Fixes: 8dd2eee9d526 ("KVM: x86/mmu: Handle page fault for private memory")
> Cc: Yu Zhang
> Cc: Chao Peng
> Cc: Fuad Tabba
> Cc: Michael Roth
> Cc: Isaku Yamahata
> Signed-off-by: Sean Christopherson
> ---
> arch/x86/kvm/mmu/mmu.c | 15 ++++++++++-----
> 1 file changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c > index 9206cfa58feb..58c5ae8be66c 100644 > --- a/arch/x86/kvm/mmu/mmu.c 
> +++ b/arch/x86/kvm/mmu/mmu.c > @@ -4365,11 +4365,6 @@ static int __kvm_faultin_pfn(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault > return RET_PF_EMULATE; > } > > - if (fault->is_private != kvm_mem_is_private(vcpu->kvm, fault->gfn)) { > - kvm_mmu_prepare_memory_fault_exit(vcpu, fault); > - return -EFAULT; > - } > - > if (fault->is_private) > return kvm_faultin_pfn_private(vcpu, fault); > > @@ -4410,6 +4405,16 @@ static int kvm_faultin_pfn(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault, > fault->mmu_seq = vcpu->kvm->mmu_invalidate_seq; > smp_rmb(); > > + /* > + * Check for a private vs. shared mismatch *after* taking a snapshot of > + * mmu_invalidate_seq, as changes to gfn attributes are guarded by the > + * invalidation notifier. I didn't see how mmu_invalidate_seq influences gfn attribute judgement. And there is no synchronization between the below check and kvm_vm_set_mem_attributes(), the gfn attribute could still be changing after the snapshot. So why this comment? Thanks, Yilun > + */ > + if (fault->is_private != kvm_mem_is_private(vcpu->kvm, fault->gfn)) { > + kvm_mmu_prepare_memory_fault_exit(vcpu, fault); > + return -EFAULT; > + } > + > /* > * Check for a relevant mmu_notifier invalidation event before getting > * the pfn from the primary MMU, and before acquiring mmu_lock. > -- > 2.44.0.278.ge034bb2e1d-goog > >
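
Review bot: in the first hunk, once the mismatch check is removed from __kvm_faultin_pfn(), the remaining "if (fault->is_private) return kvm_faultin_pfn_private(vcpu, fault);" acts on fault->is_private without comparing it against kvm_mem_is_private() anywhere in that function. That gives __kvm_faultin_pfn() an unstated precondition that its caller has already made the comparison. A one-line comment above the is_private branch saying that the private vs. shared check is done in kvm_faultin_pfn() would keep a later caller or refactor from silently skipping it.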
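
Review bot: in the second hunk, the new comment in kvm_faultin_pfn() gives the ordering requirement (check after the mmu_invalidate_seq snapshot and smp_rmb()) but not what that ordering achieves. Nothing in the visible lines serializes the kvm_mem_is_private() read against a concurrent attribute change, so a reader cannot tell why an attribute that flips right after the check is harmless. Suggest extending the comment to name the later step that compares against fault->mmu_seq and forces a retry, so that the dependency on the snapshot is spelled out next to the check that relies on it.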