All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Paolo Bonzini" <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH 21/24] KVM: x86/mmu: Obsolete all roots if memattr contains gPTEs
Date: Thu, 16 Jul 2026 18:40:09 +0000	[thread overview]
Message-ID: <20260716184010.1412D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260716181456.402786-22-pbonzini@redhat.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Unbounded iteration over a potentially massive guest-controlled GFN range while holding `mmu_lock` for write causes host soft lockups.
- [High] Invalidated TDP MMU roots are never zapped, leading to a massive permanent memory leak of page tables and root references.
- [Medium] A `trace_printk()` call was left in the production code path, creating an information leak and triggering a prominent boot warning.
--

--- Patch [21]: [PATCH 21/24] KVM: x86/mmu: Obsolete all roots if memattr contains gPTEs ---
commit 6d375c0ae74e01be130495175a78c166ea5a1aac
Author: Nicolas Saenz Julienne <nsaenz@amazon.com>

KVM: x86/mmu: Obsolete all roots if memattr contains gPTEs

This commit introduces a mechanism to zap obsolete pages and all mmu roots
when applying memory protection attributes against a GPTE page.

> diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
> index 8e85f672a08d5..676bc6b61f032 100644
> --- a/arch/x86/kvm/mmu/mmu.c
> +++ b/arch/x86/kvm/mmu/mmu.c

[ ... ]

> @@ -8281,6 +8297,33 @@ bool kvm_arch_post_set_memory_attributes(struct kvm *kvm,
>  				hugepage_set_mixed(slot, gfn, level);
>  		}
>  	}
> +
> +	/*
> +	 * There are special considerations when applying an memory protection
> +	 * attibute against a GPTE page. If set read-only, access/dirty bits
> +	 * within that page shouldn't be updated. If set non-accesible,
> +	 * accessing a virtual address that requires traversing that GPTE page
> +	 * should fault.
> +	 *
> +	 * On TDP enabled guests, the CPU faults on the GPTE address upon
> +	 * detecting such a situation.
> +	 *
> +	 * On non-TDP, upon detecting this situation, and based on the fact it
> +	 * should be a rare occasion, invalidate all the mmu roots.
> +	 */
> +	for (gfn_t gfn = range->start; gfn < range->end; gfn++) {

[Severity: High]
Does this unbounded loop over a guest-controlled range cause host soft
lockups? It iterates over every 4K page from range->start to range->end
while kvm->mmu_lock is held for write, disabling preemption. If a massive
range is passed (e.g., hundreds of gigabytes), iterating millions of pages
without yielding could stall the host CPU.

> +		for_each_gfn_valid_sp_with_gptes(kvm, sp, gfn) {
> +			gen_update = true;
> +			trace_printk("needs gen update! %llx\n", gfn);

[Severity: Medium]
Is this trace_printk() intended for production? Using it unconditionally
allocates tracing ring buffers globally and emits a prominent warning to
dmesg at boot, which is generally avoided in upstream code.

> +			goto exit_loop;
> +		}
> +	}
> +exit_loop:
> +	if (gen_update)
> +		__kvm_mmu_zap_all_fast(kvm);
> +
> +	// todo: what to do with kvm_tdp_mmu_zap_invalidated_roots()?

[Severity: High]
Does this sequence leak KVM MMU page tables and root structures?

When tdp_mmu_enabled is true, __kvm_mmu_zap_all_fast() marks TDP roots as
invalid and takes a reference to them via kvm_tdp_mmu_invalidate_roots().

The caller must subsequently invoke kvm_tdp_mmu_zap_invalidated_roots()
to consume these scheduled roots and put the gifted references. Since this
cleanup step is skipped here, the roots appear to be leaked permanently.

> +	// add kvm_arch_post_set_memory_attributes_unlocked?
> +	return false;
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260716181456.402786-1-pbonzini@redhat.com?part=21

  reply	other threads:[~2026-07-16 18:40 UTC|newest]

Thread overview: 44+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-16 18:14 [RFC PATCH 00/24] KVM: x86: Introduce memory protection attributes Paolo Bonzini
2026-07-16 18:14 ` [PATCH 01/24] KVM: selftests: Take into account mixed memory fault flags Paolo Bonzini
2026-07-16 18:14 ` [PATCH 02/24] KVM: Define and communicate KVM_EXIT_MEMORY_FAULT RWX flags to userspace Paolo Bonzini
2026-07-16 18:34   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 03/24] KVM: x86: hyperv: Introduce memory fault on hcalls with bad ingpas Paolo Bonzini
2026-07-16 18:34   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 04/24] KVM: x86/mmu: intersect writability from __kvm_faultin_pfn with fault->map_writable Paolo Bonzini
2026-07-16 18:14 ` [PATCH 05/24] KVM: x86/mmu: Extend map_writable to a full ACC_* mask Paolo Bonzini
2026-07-16 18:39   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 06/24] KVM: x86: Avoid warning when installing non-private memory attributes Paolo Bonzini
2026-07-16 18:42   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 07/24] KVM: x86/mmu: Init memslot hugepage information for non-private_mem VMs too Paolo Bonzini
2026-07-16 18:14 ` [PATCH 08/24] KVM: pass kvm == NULL case to kvm_arch_has_private_mem Paolo Bonzini
2026-07-16 18:14 ` [PATCH 09/24] KVM: Introduce NR/NW/NX memory attributes Paolo Bonzini
2026-07-16 18:39   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 10/24] KVM: Include memory protections in result of gfn->hva conversion Paolo Bonzini
2026-07-16 18:29   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 11/24] KVM: Take memory protections into account in kvm_read/write_guest() Paolo Bonzini
2026-07-16 18:36   ` sashiko-bot
2026-07-16 19:17   ` Edgecombe, Rick P
2026-07-16 18:14 ` [PATCH 12/24] KVM: Encapsulate memattrs array into anonymous struct Paolo Bonzini
2026-07-16 18:14 ` [PATCH 13/24] KVM: Introduce kvm_check_gen()/kvm_memslots_check_gen() Paolo Bonzini
2026-07-16 18:26   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 14/24] KVM: Introduce a generation number for memory attributes Paolo Bonzini
2026-07-16 18:36   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 15/24] KVM: Take memory protections into account for accesses with cached gfn->hva Paolo Bonzini
2026-07-16 18:46   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 16/24] KVM: pfncache: Fail to refresh if it contains memory protections Paolo Bonzini
2026-07-16 18:14 ` [PATCH 17/24] KVM: x86/mmu: Take memory protection attributes into account during faults Paolo Bonzini
2026-07-16 19:13   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 18/24] KVM: x86/mmu: Issue memory fault exit if walk failed due to memory attribute Paolo Bonzini
2026-07-16 18:47   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 19/24] KVM: x86/mmu: Do not update accessed/dirty if guest PTE is read-only Paolo Bonzini
2026-07-16 18:40   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 20/24] KVM: x86/mmu: Do not prefetch sptes on gfns backed by memory attributes Paolo Bonzini
2026-07-16 18:35   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 21/24] KVM: x86/mmu: Obsolete all roots if memattr contains gPTEs Paolo Bonzini
2026-07-16 18:40   ` sashiko-bot [this message]
2026-07-16 18:14 ` [PATCH 22/24] KVM: x86: selftests: Introduce memory attributes test Paolo Bonzini
2026-07-16 18:42   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 23/24] KVM: x86: selftests: Introduce memory attributes PTE test Paolo Bonzini
2026-07-16 18:49   ` sashiko-bot
2026-07-16 18:14 ` [PATCH 24/24] KVM: x86: selftests: Introduce memory attributes side-channel tests Paolo Bonzini
2026-07-16 18:54   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260716184010.1412D1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=kvm@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.