| Message ID | 20221213033030.83345-5-seanjc@google.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp2610519wrr;
Mon, 12 Dec 2022 19:34:13 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf5KUEX23aKA7StLE3s+71nkeUUCd7dCQVajngjCZroDu+pxBs13perq9mF0u/qtu3jEMf9M
X-Received: by 2002:a05:6402:1f08:b0:462:330a:ce35 with SMTP id
b8-20020a0564021f0800b00462330ace35mr20279686edb.11.1670902453806;
Mon, 12 Dec 2022 19:34:13 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1670902453; cv=none;
d=google.com; s=arc-20160816;
b=XxlOvHXWPpoFDP9lsyrwsgwv/rBmb+APZc4E7L9I//KMaeoma4tWWGdCmqbMntTvdu
L1kF8tv4uGngJdIP0MNcZENWZrQIHlx8YdnzBiZ5qKN4CwuW5YtFea6T1ZPjv38hssYF
X14J7ouDe/K9QC2VKC6PDBtmvtxsZhQC4oTcyUVNWkvpDR+lV1etEdVhj/vQJ6QPG2nE
ok9jIMwO1KOqtwV1kvIP+ESu2rUIdt+NS6qg6BPddaDAPpWiy8ciuJ5RniHM9jbx+rkF
AtMOB4XQN+U1yekRedMZ4YCuo9nWoX+3v2hB3hK5Dz9zhziZvh7nsN/fgjeBR7ZXoX+f
Wyfw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:cc:to:from:subject:message-id:references
:mime-version:in-reply-to:date:reply-to:dkim-signature;
bh=IBv/w73Qp92ge1mM27QBzL+EeWNcmNZL8sCukn+Lbm4=;
b=xoBU9b+CAgHXoM1isa8wQXFm0ILcXNSlRQf9ar+vi12RhOhgaC2XCHhT3UYJ87Ext0
6mEDku0ole4Uylma4umeYUvq+SNsLtGAgwD1SjOABljuSnBfBZFhypfdpab/uyG+3TY/
DDzOsMW1FgOFOEXTCrba/W6DrZnhmevGwcmZ1AYgyJzooZf5vb6/TiLS2I5KKakZzVjr
p+JA3qLUm9U0m42vFy7ZvYJfDCkOjbuIu5tYp1UWEDZOQj0T5D3oKPfygpHX4sqwQZYa
0sTI2wWCMABN8Hn1gvLEbOM/XyoJ2tFitLdXqIVKjV6k6cDo0xSQWLo2/Ust3GanZ+jx
6s6g==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@google.com header.s=20210112 header.b=j1dAHXAb;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
bf8-20020a0564021a4800b0046bf4a2db94si7762422edb.491.2022.12.12.19.33.50;
Mon, 12 Dec 2022 19:34:13 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@google.com header.s=20210112 header.b=j1dAHXAb;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S234230AbiLMDa4 (ORCPT <rfc822;jeantsuru.cumc.mandola@gmail.com>
+ 99 others); Mon, 12 Dec 2022 22:30:56 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40172 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S234220AbiLMDal (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 12 Dec 2022 22:30:41 -0500
Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com
[IPv6:2607:f8b0:4864:20::1149])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1214D1B9DA
for <linux-kernel@vger.kernel.org>;
Mon, 12 Dec 2022 19:30:41 -0800 (PST)
Received: by mail-yw1-x1149.google.com with SMTP id
00721157ae682-3b0af5bcbd3so153978907b3.0
for <linux-kernel@vger.kernel.org>;
Mon, 12 Dec 2022 19:30:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20210112;
h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
:date:reply-to:from:to:cc:subject:date:message-id:reply-to;
bh=IBv/w73Qp92ge1mM27QBzL+EeWNcmNZL8sCukn+Lbm4=;
b=j1dAHXAbK+4Msudj/HHnf6xN0DoV2u8oMGpZ7vBKKgYi2Blq6OUUjTqN9ZP0SwhFiP
NQ5nh8QW3M8k0o+0tds9o810RMiKNAyZXYos+Zgt9GsKrx6AwXoFgKvt+uDGbyohj6aO
auwrDD8vpnKfBwKdT/fcl7YtQOVSzTrniF9OWjE55wXZSDTezwRVQE3nBi4XxDtA4UpE
H2UlZRwSsEN51GK39gm/fvQ6BX/fje/UalOmmkNzCZjMRDl3+PRCWS/nY7yrrm2Cg3CM
yNdSmGflIo0wl6geay22FSuESwbPUhMAcSiKVh7iQ/HzVoC2AVPD1K25cUarEl2vKnGT
jXJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
:date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=IBv/w73Qp92ge1mM27QBzL+EeWNcmNZL8sCukn+Lbm4=;
b=EuibIVIlk50MKspUnFD2qnPgLTTUkahxrlxnCEDjk9Rlsh6m0TmjnaqJF6yimpP+mF
C5953iVbO3olrSzoIH1L9hp6jUjPz0hADn5HbNE9LEmkoUpEV/iSkI89G6LgQDsKKb3z
Apssogy5wUXoDh0gg8NtD+MNLsSXK/732hEA2r1Kfc37/9USFIy0/7x2oJ4RUeHfptPj
SO9npQQ6gn20ON1SQwXkgfONpo3P/KBCxMAN2Mp8tniH5NEMmfCYoV1NVy5zCy7l9pqV
QdP/9NSQU+XQ2bqu8/3yFK8t9xSVYxeLp8x8aUIJuMuO+BgOKIZsD2cTcFvoXj1MVvH0
R5jA==
X-Gm-Message-State: ANoB5plnWqLrvYmOZBaL/dQflOZQAcXoWJED9Z3N1biwFZkl5ZvD9E16
i5hvzZz92UAcTcWfTTLWeQKoYWbvrE0=
X-Received: from zagreus.c.googlers.com
([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37])
(user=seanjc job=sendgmr) by 2002:a81:57c3:0:b0:3c4:bb7a:9443 with SMTP id
l186-20020a8157c3000000b003c4bb7a9443mr723618ywb.138.1670902240356; Mon, 12
Dec 2022 19:30:40 -0800 (PST)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Tue, 13 Dec 2022 03:30:29 +0000
In-Reply-To: <20221213033030.83345-1-seanjc@google.com>
Mime-Version: 1.0
References: <20221213033030.83345-1-seanjc@google.com>
X-Mailer: git-send-email 2.39.0.rc1.256.g54fd8350bd-goog
Message-ID: <20221213033030.83345-5-seanjc@google.com>
Subject: [PATCH 4/5] KVM: x86/mmu: Don't install TDP MMU SPTE if SP has
unexpected level
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Robert Hoo <robert.hu@linux.intel.com>,
Greg Thelen <gthelen@google.com>,
David Matlack <dmatlack@google.com>,
Ben Gardon <bgardon@google.com>,
Mingwei Zhang <mizhang@google.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1752068211408682841?=
X-GMAIL-MSGID: =?utf-8?q?1752068211408682841?=
|
| Series |
KVM: x86/mmu: TDP MMU fixes for 6.2
|
|
Commit Message
Sean Christopherson
Dec. 13, 2022, 3:30 a.m. UTC
Don't install a leaf TDP MMU SPTE if the parent page's level doesn't
match the target level of the fault, and instead have the vCPU retry the
faulting instruction after warning. Continuing on is completely
unnecessary as the absolute worst case scenario of retrying is DoSing
the vCPU, whereas continuing on all but guarantees bigger explosions, e.g.
------------[ cut here ]------------
kernel BUG at arch/x86/kvm/mmu/tdp_mmu.c:559!
invalid opcode: 0000 [#1] SMP
CPU: 1 PID: 1025 Comm: nx_huge_pages_t Tainted: G W 6.1.0-rc4+ #64
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:__handle_changed_spte.cold+0x95/0x9c
RSP: 0018:ffffc9000072faf8 EFLAGS: 00010246
RAX: 00000000000000c1 RBX: ffffc90000731000 RCX: 0000000000000027
RDX: 0000000000000000 RSI: 00000000ffffdfff RDI: ffff888277c5b4c8
RBP: 0600000112400bf3 R08: ffff888277c5b4c0 R09: ffffc9000072f9a0
R10: 0000000000000001 R11: 0000000000000001 R12: 06000001126009f3
R13: 0000000000000002 R14: 0000000012600901 R15: 0000000012400b01
FS: 00007fba9f853740(0000) GS:ffff888277c40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010aa7a003 CR4: 0000000000172ea0
Call Trace:
<TASK>
kvm_tdp_mmu_map+0x3b0/0x510
kvm_tdp_page_fault+0x10c/0x130
kvm_mmu_page_fault+0x103/0x680
vmx_handle_exit+0x132/0x5a0 [kvm_intel]
vcpu_enter_guest+0x60c/0x16f0
kvm_arch_vcpu_ioctl_run+0x1e2/0x9d0
kvm_vcpu_ioctl+0x271/0x660
__x64_sys_ioctl+0x80/0xb0
do_syscall_64+0x2b/0x50
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>
Modules linked in: kvm_intel
---[ end trace 0000000000000000 ]---
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
arch/x86/kvm/mmu/tdp_mmu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Comments
On Mon, Dec 12, 2022 at 7:30 PM Sean Christopherson <seanjc@google.com> wrote: > > Don't install a leaf TDP MMU SPTE if the parent page's level doesn't > match the target level of the fault, and instead have the vCPU retry the > faulting instruction after warning. Continuing on is completely > unnecessary as the absolute worst case scenario of retrying is DoSing > the vCPU, whereas continuing on all but guarantees bigger explosions, e.g. Would it make sense to kill the VM instead via KVM_BUG()?
On Tue, Dec 13, 2022, David Matlack wrote: > On Mon, Dec 12, 2022 at 7:30 PM Sean Christopherson <seanjc@google.com> wrote: > > > > Don't install a leaf TDP MMU SPTE if the parent page's level doesn't > > match the target level of the fault, and instead have the vCPU retry the > > faulting instruction after warning. Continuing on is completely > > unnecessary as the absolute worst case scenario of retrying is DoSing > > the vCPU, whereas continuing on all but guarantees bigger explosions, e.g. > > Would it make sense to kill the VM instead via KVM_BUG()? No, because if bug that hits this escapes to a release, odds are quite high that retrying will succeed. E.g. the fix earlier in this series is for a rare corner case that I was able to hit consistently only by hacking KVM to effectively synchronize the page fault and zap. Other than an extra page fault, no harm has been done to the guest, e.g. there's no need to kill the VM to protect it from data corruption.
On Tue, Dec 13, 2022 at 06:15:56PM +0000, Sean Christopherson wrote: > On Tue, Dec 13, 2022, David Matlack wrote: > > On Mon, Dec 12, 2022 at 7:30 PM Sean Christopherson <seanjc@google.com> wrote: > > > > > > Don't install a leaf TDP MMU SPTE if the parent page's level doesn't > > > match the target level of the fault, and instead have the vCPU retry the > > > faulting instruction after warning. Continuing on is completely > > > unnecessary as the absolute worst case scenario of retrying is DoSing > > > the vCPU, whereas continuing on all but guarantees bigger explosions, e.g. > > > > Would it make sense to kill the VM instead via KVM_BUG()? > > No, because if bug that hits this escapes to a release, odds are quite high that > retrying will succeed. E.g. the fix earlier in this series is for a rare corner > case that I was able to hit consistently only by hacking KVM to effectively > synchronize the page fault and zap. Other than an extra page fault, no harm has > been done to the guest, e.g. there's no need to kill the VM to protect it from > data corruption. Good points, agreed!
diff --git a/arch/x86/kvm/mmu/tdp_mmu.c b/arch/x86/kvm/mmu/tdp_mmu.c index fd4ae99790d7..cc1fb9a65620 100644 --- a/arch/x86/kvm/mmu/tdp_mmu.c +++ b/arch/x86/kvm/mmu/tdp_mmu.c @@ -1063,7 +1063,9 @@ static int tdp_mmu_map_handle_target_level(struct kvm_vcpu *vcpu, int ret = RET_PF_FIXED; bool wrprot = false; - WARN_ON(sp->role.level != fault->goal_level); + if (WARN_ON_ONCE(sp->role.level != fault->goal_level)) + return RET_PF_RETRY; + if (unlikely(!fault->slot)) new_spte = make_mmio_spte(vcpu, iter->gfn, ACC_ALL); else