From patchwork Mon Sep 6 12:25:46 2021
X-Patchwork-Submitter: Lai Jiangshan
X-Patchwork-Id: 12476903
From: Lai Jiangshan
To: linux-kernel@vger.kernel.org
Cc: Sean Christopherson, Lai Jiangshan, Paolo Bonzini, Vitaly Kuznetsov,
    Wanpeng Li, Jim Mattson, Joerg Roedel, Thomas Gleixner, Ingo Molnar,
    Borislav Petkov, x86@kernel.org, "H. Peter Anvin", kvm@vger.kernel.org
Subject: [PATCH V3 1/2] KVM: x86/mmu: Verify shadow walk doesn't terminate early in page faults
Date: Mon, 6 Sep 2021 20:25:46 +0800
Message-Id: <20210906122547.263316-1-jiangshanlai@gmail.com>
X-Mailer: git-send-email 2.19.1.6.gb485710b
List-ID: kvm@vger.kernel.org

From: Sean Christopherson

WARN and bail if the shadow walk for faulting in a SPTE terminates early,
i.e. doesn't reach the expected level because the walk encountered a
terminal SPTE.  The shadow walks for page faults are subtle in that they
install non-leaf SPTEs (zapping leaf SPTEs if necessary!) in the loop
body, and consume the newly created non-leaf SPTE in the loop control,
e.g. __shadow_walk_next().  In other words, the walks are guaranteed to
stop if and only if the target level is reached, because non-leaf SPTEs
are installed along the way precisely to keep the walk valid.

Opportunistically use fault->goal_level instead of it.level in
FNAME(fetch) to further clarify that KVM always installs the leaf SPTE
at the target level.

Reviewed-by: Lai Jiangshan
Signed-off-by: Sean Christopherson
Signed-off-by: Lai Jiangshan
---
 arch/x86/kvm/mmu/mmu.c         | 3 +++
 arch/x86/kvm/mmu/paging_tmpl.h | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 4853c033e6ce..538be037549d 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -3006,6 +3006,9 @@ static int __direct_map(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
 		account_huge_nx_page(vcpu->kvm, sp);
 	}
 
+	if (WARN_ON_ONCE(it.level != fault->goal_level))
+		return -EFAULT;
+
 	ret = mmu_set_spte(vcpu, it.sptep, ACC_ALL, fault->write,
 			   fault->goal_level, base_gfn, fault->pfn,
 			   fault->prefault, fault->map_writable);
diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h
index 50ade6450ace..4d559d2d4d66 100644
--- a/arch/x86/kvm/mmu/paging_tmpl.h
+++ b/arch/x86/kvm/mmu/paging_tmpl.h
@@ -749,9 +749,12 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault,
 		}
 	}
 
+	if (WARN_ON_ONCE(it.level != fault->goal_level))
+		return -EFAULT;
+
 	ret = mmu_set_spte(vcpu, it.sptep, gw->pte_access, fault->write,
-			   it.level, base_gfn, fault->pfn, fault->prefault,
-			   fault->map_writable);
+			   fault->goal_level, base_gfn, fault->pfn,
+			   fault->prefault, fault->map_writable);
 	if (ret == RET_PF_SPURIOUS)
 		return ret;
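
[Editorial note for context, not part of the original mail: the
__direct_map() walk being hardened above has roughly the following
shape.  This is a simplified sketch of the same-era code, reconstructed
from memory with the NX hugepage adjustment and page accounting elided;
it is not a verbatim quote of the kernel source.]

	/*
	 * Simplified sketch, not verbatim kernel code.  The loop body
	 * installs a present non-leaf SPTE at every level above
	 * fault->goal_level, and the loop control (__shadow_walk_next()
	 * inside for_each_shadow_entry()) consumes that SPTE to descend,
	 * so the walk is expected to stop exactly at fault->goal_level.
	 * The new WARN_ON_ONCE() turns a violation of that invariant
	 * into -EFAULT instead of installing a leaf SPTE at the wrong
	 * level.
	 */
	for_each_shadow_entry(vcpu, fault->addr, it) {
		base_gfn = fault->gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
		if (it.level == fault->goal_level)
			break;		/* the leaf SPTE is installed below */

		drop_large_spte(vcpu, it.sptep);	/* zap a leaf SPTE if necessary */
		if (is_shadow_present_pte(*it.sptep))
			continue;	/* a usable non-leaf SPTE already exists */

		/* Install a present non-leaf SPTE for the next lower level. */
		sp = kvm_mmu_get_page(vcpu, base_gfn, fault->addr,
				      it.level - 1, true, ACC_ALL);
		link_shadow_page(vcpu, it.sptep, sp);
	}

	if (WARN_ON_ONCE(it.level != fault->goal_level))
		return -EFAULT;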
From patchwork Mon Sep 6 12:25:47 2021
X-Patchwork-Submitter: Lai Jiangshan
X-Patchwork-Id: 12476905
From: Lai Jiangshan
To: linux-kernel@vger.kernel.org
Cc: Lai Jiangshan, Paolo Bonzini, Sean Christopherson, Vitaly Kuznetsov,
    Wanpeng Li, Jim Mattson, Joerg Roedel, Thomas Gleixner, Ingo Molnar,
    Borislav Petkov, x86@kernel.org, "H. Peter Anvin", kvm@vger.kernel.org
Subject: [PATCH V3 2/2] KVM: X86: Move PTE present check from loop body to __shadow_walk_next()
Date: Mon, 6 Sep 2021 20:25:47 +0800
Message-Id: <20210906122547.263316-2-jiangshanlai@gmail.com>
X-Mailer: git-send-email 2.19.1.6.gb485710b
In-Reply-To: <20210906122547.263316-1-jiangshanlai@gmail.com>
References: <20210906122547.263316-1-jiangshanlai@gmail.com>
List-ID: kvm@vger.kernel.org

From: Lai Jiangshan

So far, the loop bodies already ensure the PTE is present before calling
__shadow_walk_next(): some loop bodies simply exit on a !PRESENT SPTE,
while others, i.e. FNAME(fetch) and __direct_map(), do not currently
terminate their walks on a !PRESENT SPTE, but get away with it because
they install present non-leaf SPTEs in the loop itself.
Checking for a present PTE in __shadow_walk_next() is a more prudent way
of programming: the loop bodies then never need to perform the check
themselves, which allows the now-unneeded is_shadow_present_pte() calls
to be removed from the loop bodies.

Terminating on !is_shadow_present_pte() is 100% the correct behavior, as
walking past a !PRESENT SPTE would lead to attempting to read the
next-level SPTE from a garbage iter->shadow_addr.  Even the paths that
do _not_ currently have a !is_shadow_present_pte() check in the loop
body are OK, since they install present non-leaf SPTEs and the
additional present check is just a NOP for them.

The result of the check in __shadow_walk_next() propagates to
shadow_walk_okay(), so it takes effect in every for(;;) walk loop built
on these helpers.

Reviewed-by: Sean Christopherson
Signed-off-by: Lai Jiangshan
---
Changed from V2:
	Fix typo in the changelog reported by Sean
	Add Reviewed-by from Sean

Changed from V1:
	Merge the two patches
	Update changelog
	Remove !is_shadow_present_pte() in FNAME(invlpg)

 arch/x86/kvm/mmu/mmu.c         | 13 ++-----------
 arch/x86/kvm/mmu/paging_tmpl.h |  2 +-
 2 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 538be037549d..26f6bd238a77 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -2223,7 +2223,7 @@ static bool shadow_walk_okay(struct kvm_shadow_walk_iterator *iterator)
 static void __shadow_walk_next(struct kvm_shadow_walk_iterator *iterator,
 			       u64 spte)
 {
-	if (is_last_spte(spte, iterator->level)) {
+	if (!is_shadow_present_pte(spte) || is_last_spte(spte, iterator->level)) {
 		iterator->level = 0;
 		return;
 	}
@@ -3159,9 +3159,6 @@ static u64 *fast_pf_get_last_sptep(struct kvm_vcpu *vcpu, gpa_t gpa, u64 *spte)
 	for_each_shadow_entry_lockless(vcpu, gpa, iterator, old_spte) {
 		sptep = iterator.sptep;
 		*spte = old_spte;
-
-		if (!is_shadow_present_pte(old_spte))
-			break;
 	}
 
 	return sptep;
@@ -3721,9 +3718,6 @@ static int get_walk(struct kvm_vcpu *vcpu, u64 addr, u64 *sptes, int *root_level)
 		spte = mmu_spte_get_lockless(iterator.sptep);
 
 		sptes[leaf] = spte;
-
-		if (!is_shadow_present_pte(spte))
-			break;
 	}
 
 	return leaf;
@@ -3838,11 +3832,8 @@ static void shadow_page_table_clear_flood(struct kvm_vcpu *vcpu, gva_t addr)
 	u64 spte;
 
 	walk_shadow_page_lockless_begin(vcpu);
-	for_each_shadow_entry_lockless(vcpu, addr, iterator, spte) {
+	for_each_shadow_entry_lockless(vcpu, addr, iterator, spte)
 		clear_sp_write_flooding_count(iterator.sptep);
-		if (!is_shadow_present_pte(spte))
-			break;
-	}
 	walk_shadow_page_lockless_end(vcpu);
 }
diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h
index 4d559d2d4d66..72f358613786 100644
--- a/arch/x86/kvm/mmu/paging_tmpl.h
+++ b/arch/x86/kvm/mmu/paging_tmpl.h
@@ -982,7 +982,7 @@ static void FNAME(invlpg)(struct kvm_vcpu *vcpu, gva_t gva, hpa_t root_hpa)
 			FNAME(update_pte)(vcpu, sp, sptep, &gpte);
 		}
 
-		if (!is_shadow_present_pte(*sptep) || !sp->unsync_children)
+		if (!sp->unsync_children)
 			break;
 	}
 	write_unlock(&vcpu->kvm->mmu_lock);
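
[Editorial note for context, not part of the original mail: the
changelog's claim that the check "propagates to shadow_walk_okay()"
follows from the shape of the lockless walk macro in mmu.c.  The
expansion below is reproduced from memory of the same-era source, so
treat it as an approximation rather than a verbatim quote.]

	/*
	 * Approximate shape of the lockless walk macro (from memory,
	 * not a verbatim quote).  __shadow_walk_next() is the loop
	 * step and shadow_walk_okay() is the loop condition;
	 * shadow_walk_okay() fails once __shadow_walk_next() has set
	 * iterator->level to 0, so a !PRESENT SPTE now terminates the
	 * for(;;) loop itself, with no per-loop-body break needed.
	 */
	#define for_each_shadow_entry_lockless(_vcpu, _addr, _walker, spte)	\
		for (shadow_walk_init(&(_walker), _vcpu, _addr);		\
		     shadow_walk_okay(&(_walker)) &&				\
			({ spte = mmu_spte_get_lockless(_walker.sptep); 1; });	\
		     __shadow_walk_next(&(_walker), spte))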