From: Marc Zyngier
To: Quentin Perret
Cc: James Morse, Alexandru Elisei, Suzuki K Poulose, Catalin Marinas, Will Deacon, Fuad Tabba, David Brazdil, linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, kernel-team@android.com
Subject: Re: [PATCH 1/2] KVM: arm64: Fix host stage-2 PGD refcount
Date: Mon, 04 Oct 2021 10:55:13 +0100
Message-ID: <87bl45ru66.wl-maz@kernel.org>
In-Reply-To: <20211004090328.540941-2-qperret@google.com>
References: <20211004090328.540941-1-qperret@google.com> <20211004090328.540941-2-qperret@google.com>

Hi Quentin,

On Mon, 04 Oct 2021 10:03:13 +0100, Quentin Perret wrote:
>
> The KVM page-table library refcounts the pages of concatenated stage-2
> PGDs individually. However, the host's stage-2 PGD is currently managed
> by EL2 as a single high-order compound page, which can cause the
> refcount of the tail pages to reach 0 when they really shouldn't, hence
> corrupting the page-table.

nit: this comment only applies to the protected mode, right? As far as
I can tell, 'classic' KVM is just fine.

> Fix this by introducing a new hyp_split_page() helper in the EL2 page
> allocator (matching EL1's split_page() function), and make use of it

uber nit: split_page() is not an EL1 function. More of a standard
kernel function.

> from host_s2_zalloc_page().
>
> Fixes: 1025c8c0c6ac ("KVM: arm64: Wrap the host with a stage 2")
> Suggested-by: Will Deacon
> Signed-off-by: Quentin Perret
> ---
> arch/arm64/kvm/hyp/include/nvhe/gfp.h | 1 +
> arch/arm64/kvm/hyp/nvhe/mem_protect.c | 6 +++++-
> arch/arm64/kvm/hyp/nvhe/page_alloc.c | 14 ++++++++++++++
> 3 files changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/kvm/hyp/include/nvhe/gfp.h b/arch/arm64/kvm/hyp/include/nvhe/gfp.h > index fb0f523d1492..0a048dc06a7d 100644 > --- a/arch/arm64/kvm/hyp/include/nvhe/gfp.h > +++ b/arch/arm64/kvm/hyp/include/nvhe/gfp.h > @@ -24,6 +24,7 @@ struct hyp_pool { > > /* Allocation */ > void *hyp_alloc_pages(struct hyp_pool *pool, unsigned short order); > +void hyp_split_page(struct hyp_page *page); > void hyp_get_page(struct hyp_pool *pool, void *addr); > void hyp_put_page(struct hyp_pool *pool, void *addr); > > diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c > index bacd493a4eac..93a79736c283 100644 > --- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c > +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> @@ -35,7 +35,11 @@ const u8 pkvm_hyp_id = 1; > > static void *host_s2_zalloc_pages_exact(size_t size) > { > - return hyp_alloc_pages(&host_s2_pool, get_order(size)); > + void *addr = hyp_alloc_pages(&host_s2_pool, get_order(size)); > + > + hyp_split_page(hyp_virt_to_page(addr));

The only reason this doesn't lead to a subsequent memory leak is that
concatenated page tables are always a power of two, right? If so, that
deserves a comment, because I don't think this works in the general
case unless you actively free the pages that are between size and
(1 << order).

> + > + return addr; > } > > static void *host_s2_zalloc_page(void *pool) > diff --git a/arch/arm64/kvm/hyp/nvhe/page_alloc.c b/arch/arm64/kvm/hyp/nvhe/page_alloc.c > index 41fc25bdfb34..a6e874e61a40 100644 > --- a/arch/arm64/kvm/hyp/nvhe/page_alloc.c > +++ b/arch/arm64/kvm/hyp/nvhe/page_alloc.c > @@ -193,6 +193,20 @@ void hyp_get_page(struct hyp_pool *pool, void *addr) > hyp_spin_unlock(&pool->lock); > } > > +void hyp_split_page(struct hyp_page *p) > +{ > + unsigned short order = p->order; > + unsigned int i; > + > + p->order = 0; > + for (i = 1; i < (1 << order); i++) { > + struct hyp_page *tail = p + i; > + > + tail->order = 0; > + hyp_set_page_refcounted(tail); > + } > +} > + > void *hyp_alloc_pages(struct hyp_pool *pool, unsigned short order) > { > unsigned short i = order;

Thanks,

M.

-- 
Without deviation from the norm, progress is not possible.
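Review bot: the new declaration in the gfp.h hunk, `void hyp_split_page(struct hyp_page *page);`, carries no comment, and unlike its neighbours hyp_get_page() and hyp_put_page() it takes a struct hyp_page rather than a (pool, addr) pair, so the header gives a caller no hint of the contract. Suggest a short comment on the prototype stating that the argument must be the head page of a block just returned by hyp_alloc_pages(), and that after the call each of the 1 << order pages is a separately refcounted order-0 page that has to be released on its own.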
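Review bot: in the mem_protect.c hunk, `hyp_split_page(hyp_virt_to_page(addr));` runs before anything checks addr. The removed line returned the hyp_alloc_pages() result straight to the caller, so a NULL from an exhausted pool used to reach the caller untouched; now it is converted to a page pointer and written through inside hyp_split_page() first. If hyp_alloc_pages() can fail, add `if (!addr) return NULL;` between the allocation and the split. The split also only makes the allocation "exact", as the function name promises, when size equals PAGE_SIZE << get_order(size); a comment, or a WARN_ON on that equality, would record the assumption.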
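Review bot: in the page_alloc.c hunk, hyp_split_page() rewrites p->order and every tail's order and refcount without taking pool->lock, while the hyp_get_page() context directly above it ends with hyp_spin_unlock(&pool->lock). That is only safe because the block has just come out of hyp_alloc_pages() and nobody else can see it yet, so state that precondition in a comment above the function (which also explains why it takes no pool argument). The loop bound `i < (1 << order)` likewise relies on p being the head page whose order is the allocation order; the same comment should say the argument must be a head page.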
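To put numbers on the two effects discussed in this thread, here is an added C model. It is not kernel code and is not part of the patch, Quentin's or Marc's material. It builds a toy buddy-style pool whose allocations refcount only the head page and mark the tail pages with a no-order value, mirrors the hyp_split_page() hunk in a split_block() helper, and then tears a "concatenated PGD" down one put per page, the way the commit message says the page-table library does. pool_alloc(), pool_put(), split_block(), order_for(), run_pgd() and the page layout are all hypothetical. The model also goes one step beyond the patch by taking a non-power-of-two request, the leak case Marc raises, and showing what freeing the surplus pages changes.

```c
/*
 * Added model, not kernel code. pool_alloc() refcounts only the head page and
 * tags tails NO_ORDER, like hyp_alloc_pages(); split_block() does what the
 * hyp_split_page() hunk does; run_pgd() puts every PGD page individually.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

#define MODEL_PAGE_SIZE 4096u
#define NR_PAGES 16u
#define NO_ORDER 0xff			/* tail page of a larger block */

struct page {
	unsigned char order;		/* head: block order; tail: NO_ORDER */
	unsigned short refcount;
	bool free;
};
struct result { unsigned underflows, in_use; };

static struct page pages[NR_PAGES];

static void pool_init(void)
{
	for (unsigned i = 0; i < NR_PAGES; i++)
		pages[i] = (struct page){ .free = true };
}

/* Model of get_order(): smallest order whose block covers @size bytes. */
static unsigned order_for(size_t size)
{
	unsigned order = 0;
	while (((size_t)MODEL_PAGE_SIZE << order) < size)
		order++;
	return order;
}

/* Hand out 1 << order contiguous free pages; only the head holds a reference. */
static struct page *pool_alloc(unsigned order)
{
	unsigned n = 1u << order;
	for (unsigned i = 0; i + n <= NR_PAGES; i += n) {
		unsigned j = 0;
		while (j < n && pages[i + j].free)
			j++;
		if (j < n)
			continue;
		for (j = 0; j < n; j++)
			pages[i + j] = (struct page){ j ? NO_ORDER : order, j ? 0 : 1, false };
		return &pages[i];
	}
	return NULL;
}

/* Drop a reference; false means the refcount was already 0 (the bug). */
static bool pool_put(struct page *p)
{
	if (p->refcount == 0)
		return false;
	if (--p->refcount == 0) {
		unsigned n = p->order == NO_ORDER ? 1 : 1u << p->order;
		for (unsigned j = 0; j < n; j++)
			p[j] = (struct page){ .free = true };
	}
	return true;
}

/* Same as hyp_split_page(): 1 << order refcounted order-0 pages. */
static void split_block(struct page *p)
{
	unsigned order = p->order;
	p->order = 0;
	for (unsigned i = 1; i < (1u << order); i++) {
		p[i].order = 0;
		assert(p[i].refcount == 0);	/* hyp_set_page_refcounted() would BUG */
		p[i].refcount = 1;
	}
}

/*
 * Allocate @npages via the covering power-of-two block, optionally split it
 * and put back the surplus pages (which the host_s2_zalloc_pages_exact() hunk
 * does not do), then put the @npages one by one as the page-table library
 * does. Reports refcount underflows and pages still marked in use (a leak).
 */
static struct result run_pgd(unsigned npages, bool split, bool free_surplus)
{
	struct result r = { 0, 0 };
	unsigned order = order_for((size_t)npages * MODEL_PAGE_SIZE);
	pool_init();
	struct page *head = pool_alloc(order);
	assert(head);
	if (split)
		split_block(head);
	if (free_surplus)
		for (unsigned i = npages; i < (1u << order); i++)
			r.underflows += !pool_put(&head[i]);
	for (unsigned i = 0; i < npages; i++)
		r.underflows += !pool_put(&head[i]);
	for (unsigned i = 0; i < NR_PAGES; i++)
		r.in_use += !pages[i].free;
	return r;
}
```

run_pgd(4, false, false) is the bug the patch describes: the put on the head frees the whole compound block and the three tail puts then find a refcount of 0. run_pgd(4, true, false) is the patched behaviour, with no underflow and nothing left in use. run_pgd(3, true, false) is Marc's leak case: the request rounds up to a four-page block, and after the three user pages are released one page is still marked in use. run_pgd(3, true, true) is the "actively free the pages between size and (1 << order)" alternative, which leaves nothing behind.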