Re: [PATCH 0/4] KVM: x86/mmu: Zap invalid TDP MMU roots when unmapping

[Sean Christopherson <seanjc@google.com>]

On Wed, Dec 15, 2021, Paolo Bonzini wrote:
> On 12/15/21 02:15, Sean Christopherson wrote:
> > Patches 01-03 implement a bug fix by ensuring KVM zaps both valid and
> > invalid roots when unmapping a gfn range (including the magic "all" range).
> > Failure to zap invalid roots means KVM doesn't honor the mmu_notifier's
> > requirement that all references are dropped.
> > 
> > set_nx_huge_pages() is the most blatant offender, as it doesn't elevate
> > mm_users and so a VM's entire mm can be released, but the same underlying
> > bug exists for any "unmap" command from the mmu_notifier in combination
> > with a memslot update.  E.g. if KVM is deleting a memslot, and a
> > mmu_notifier hook acquires mmu_lock while it's dropped by
> > kvm_mmu_zap_all_fast(), the mmu_notifier hook will see the to-be-deleted
> > memslot but won't zap entries from the invalid roots.
> > 
> > Patch 04 is cleanup to reuse the common iterator for walking _only_
> > invalid roots.
> > 
> > Sean Christopherson (4):
> >    KVM: x86/mmu: Use common TDP MMU zap helper for MMU notifier unmap
> >      hook
> >    KVM: x86/mmu: Move "invalid" check out of kvm_tdp_mmu_get_root()
> >    KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU
> >    KVM: x86/mmu: Use common iterator for walking invalid TDP MMU roots
> > 
> >   arch/x86/kvm/mmu/tdp_mmu.c | 116 +++++++++++++++++--------------------
> >   arch/x86/kvm/mmu/tdp_mmu.h |   3 -
> >   2 files changed, 53 insertions(+), 66 deletions(-)
> > 
> 
> Queued 1-3 for 5.16 and 4 for 5.17.

Actually, can you please unqueue patch 4?  I think we can actually kill off
kvm_tdp_mmu_zap_invalidated_roots() entirely.  I don't know if that code will be
ready for 5.17, but if it is then this patch is unnecesary.  And if not, it
shouldn't be difficult to re-queue this a bit later.

Thanks!