From: Paolo Bonzini
To: Paolo Bonzini , Marc Zyngier , Oliver Upton , Huacai Chen , Michael Ellerman , Anup Patel , Paul Walmsley , Palmer Dabbelt , Albert Ou , Sean Christopherson , Alexander Viro , Christian Brauner , "Matthew Wilcox (Oracle)" , Andrew Morton
Cc: kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, kvm-riscv@lists.infradead.org, linux-riscv@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Xiaoyao Li , Xu Yilun , Chao Peng , Fuad Tabba , Jarkko Sakkinen , Anish Moorthy , David Matlack , Yu Zhang , Isaku Yamahata , Mickaël Salaün , Vlastimil Babka , Vishal Annapurve , Ackerley Tng , Maciej Szmigiero , David Hildenbrand , Quentin Perret , Michael Roth , Wang , Liam Merwick , Isaku Yamahata , "Kirill A. Shutemov"
Subject: [PATCH 02/34] KVM: Assert that mmu_invalidate_in_progress *never* goes negative
Date: Sun, 5 Nov 2023 17:30:05 +0100
Message-ID: <20231105163040.14904-3-pbonzini@redhat.com>
In-Reply-To: <20231105163040.14904-1-pbonzini@redhat.com>
References: <20231105163040.14904-1-pbonzini@redhat.com>

From: Sean Christopherson

Move the assertion on the in-progress invalidation count from the primary MMU's notifier path to KVM's common notification path, i.e. assert that the count doesn't go negative even when the invalidation is coming from KVM itself.

Opportunistically convert the assertion to a KVM_BUG_ON(), i.e. kill only the affected VM, not the entire kernel. A corrupted count is fatal to the VM, e.g. the non-zero (negative) count will cause mmu_invalidate_retry() to block any and all attempts to install new mappings. But it's far from guaranteed that an end() without a start() is fatal or even problematic to anything other than the target VM, e.g. the underlying bug could simply be a duplicate call to end(). And it's much more likely that a missed invalidation, i.e. a potential use-after-free, would manifest as no notification whatsoever, not an end() without a start().

Signed-off-by: Sean Christopherson
Reviewed-by: Paolo Bonzini
Reviewed-by: Fuad Tabba
Tested-by: Fuad Tabba
Message-Id: <20231027182217.3615211-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini

--- virt/kvm/kvm_main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 0524933856d4..5a97e6c7d9c2 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -833,6 +833,7 @@ void kvm_mmu_invalidate_end(struct kvm *kvm, unsigned long start, * in conjunction with the smp_rmb in mmu_invalidate_retry(). */ kvm->mmu_invalidate_in_progress--; + KVM_BUG_ON(kvm->mmu_invalidate_in_progress < 0, kvm); } static void kvm_mmu_notifier_invalidate_range_end(struct mmu_notifier *mn, @@ -863,8 +864,6 @@ static void kvm_mmu_notifier_invalidate_range_end(struct mmu_notifier *mn, */ if (wake) rcuwait_wake_up(&kvm->mn_memslots_update_rcuwait); - - BUG_ON(kvm->mmu_invalidate_in_progress < 0); } static int kvm_mmu_notifier_clear_flush_young(struct mmu_notifier *mn, -- 2.39.1
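
Review bot: The new KVM_BUG_ON() in the kvm_mmu_invalidate_end() hunk carries no comment, so the reason it is a per-VM assertion rather than the BUG_ON() removed from kvm_mmu_notifier_invalidate_range_end() lives only in the commit message. The check sits directly under a comment block that is about the smp_rmb pairing with mmu_invalidate_retry(), which a reader could mistake for its explanation. A short comment above the added line, saying that a negative count means an end() without a matching start() and that only the affected VM is killed because the resulting mmu_invalidate_retry() stall is confined to it, would keep that rationale with the code. The check also runs after `kvm->mmu_invalidate_in_progress--`, so the count stays negative once it fires; that matches the "fatal to the VM" reasoning in the commit message, but it is worth saying in the comment that no attempt is made to restore the count.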