    KVM: x86/mmu: Retry page fault if root is invalidated by memslot update · a955cad8
    Sean Christopherson authored
    Bail from the page fault handler if the root shadow page was obsoleted by
    a memslot update.  Do the check _after_ acquiring mmu_lock, as the TDP MMU
    doesn't rely on the memslot/MMU generation, and instead relies on the
    root being explicitly marked invalid by kvm_mmu_zap_all_fast(), which takes
    mmu_lock for write.
    
    For the TDP MMU, inserting a SPTE into an obsolete root can leak a SP if
    kvm_tdp_mmu_zap_invalidated_roots() has already zapped the SP, i.e. has
    moved past the gfn associated with the SP.
    
    For other MMUs, the resulting behavior is far more convoluted, though
    unlikely to be truly problematic.  Installing SPs/SPTEs into the obsolete
    root isn't directly problematic, as the obsolete root will be unloaded
    and dropped before the vCPU re-enters the guest.  But because the legacy
    MMU tracks shadow pages by their role, any SP created by the fault can
    be reused in the new post-reload root.  Again, that _shouldn't_ be
    problematic as any leaf child SPTEs will be created for the current/valid
    memslot generation, and kvm_mmu_get_page() will not reuse child SPs from
    the old generation as they will be flagged as obsolete.  But, given that
    continuing with the fault is pointless (the root will be unloaded), apply
    the check to all MMUs.
    
    Fixes: b7cccd39 ("KVM: x86/mmu: Fast invalidation for TDP MMU")
    Cc: stable@vger.kernel.org
    Cc: Ben Gardon <bgardon@google.com>
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Message-Id: <20211120045046.3940942-5-seanjc@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>