| Message ID | 20240831001538.336683-1-seanjc@google.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | KVM: x86: Fix multiple #PF RO infinite loop bugs | expand |
On Fri, 30 Aug 2024 17:15:15 -0700, Sean Christopherson wrote: > Fix an amusing number of minor bugs that can lead to KVM putting the guest into > an infinite "retry #PF" loop, and cleanup and consolidate the unprotect+retry > paths (there are four-ish). > > As a bonus, adding RET_PF_WRITE_PROTECTED obviates the need for > kvm_lookup_pfn()[*]. > > [...] Applied to kvm-x86 mmu, except for patch 1, which I put at the end of "vmx" in case Paolo wants to take it through his tree for the CoCo stuff. [01/22] KVM: VMX: Set PFERR_GUEST_{FINAL,PAGE}_MASK if and only if the GVA is valid https://github.com/kvm-x86/linux/commit/f3009482512e [02/22] KVM: x86/mmu: Replace PFERR_NESTED_GUEST_PAGE with a more descriptive helper https://github.com/kvm-x86/linux/commit/4ececec19a09 [03/22] KVM: x86/mmu: Trigger unprotect logic only on write-protection page faults https://github.com/kvm-x86/linux/commit/989a84c93f59 [04/22] KVM: x86/mmu: Skip emulation on page fault iff 1+ SPs were unprotected https://github.com/kvm-x86/linux/commit/2fb2b7877b3a [05/22] KVM: x86: Retry to-be-emulated insn in "slow" unprotect path iff sp is zapped https://github.com/kvm-x86/linux/commit/c1edcc41c360 [06/22] KVM: x86: Get RIP from vCPU state when storing it to last_retry_eip https://github.com/kvm-x86/linux/commit/019f3f84a40c [07/22] KVM: x86: Store gpa as gpa_t, not unsigned long, when unprotecting for retry https://github.com/kvm-x86/linux/commit/9c19129e535b [08/22] KVM: x86/mmu: Apply retry protection to "fast nTDP unprotect" path https://github.com/kvm-x86/linux/commit/01dd4d319207 [09/22] KVM: x86/mmu: Try "unprotect for retry" iff there are indirect SPs https://github.com/kvm-x86/linux/commit/dfaae8447c53 [10/22] KVM: x86: Move EMULTYPE_ALLOW_RETRY_PF to x86_emulate_instruction() https://github.com/kvm-x86/linux/commit/41e6e367d576 [11/22] KVM: x86: Fold retry_instruction() into x86_emulate_instruction() https://github.com/kvm-x86/linux/commit/2df354e37c13 [12/22] KVM: x86/mmu: Don't try to unprotect an INVALID_GPA https://github.com/kvm-x86/linux/commit/b7e948898e77 [13/22] KVM: x86/mmu: Always walk guest PTEs with WRITE access when unprotecting https://github.com/kvm-x86/linux/commit/29e495bdf847 [14/22] KVM: x86/mmu: Move event re-injection unprotect+retry into common path https://github.com/kvm-x86/linux/commit/b299c273c06f [15/22] KVM: x86: Remove manual pfn lookup when retrying #PF after failed emulation https://github.com/kvm-x86/linux/commit/620525739521 [16/22] KVM: x86: Check EMULTYPE_WRITE_PF_TO_SP before unprotecting gfn https://github.com/kvm-x86/linux/commit/19ab2c8be070 [17/22] KVM: x86: Apply retry protection to "unprotect on failure" path https://github.com/kvm-x86/linux/commit/dabc4ff70c35 [18/22] KVM: x86: Update retry protection fields when forcing retry on emulation failure https://github.com/kvm-x86/linux/commit/4df685664bed [19/22] KVM: x86: Rename reexecute_instruction()=>kvm_unprotect_and_retry_on_failure() https://github.com/kvm-x86/linux/commit/2876624e1adc [20/22] KVM: x86/mmu: Subsume kvm_mmu_unprotect_page() into the and_retry() version https://github.com/kvm-x86/linux/commit/6b3dcabc1091 [21/22] KVM: x86/mmu: Detect if unprotect will do anything based on invalid_list https://github.com/kvm-x86/linux/commit/d859b16161c8 [22/22] KVM: x86/mmu: WARN on MMIO cache hit when emulating write-protected gfn https://github.com/kvm-x86/linux/commit/98a69b96caca -- https://github.com/kvm-x86/linux/tree/next
Fix an amusing number of minor bugs that can lead to KVM putting the guest into an infinite "retry #PF" loop, and cleanup and consolidate the unprotect+retry paths (there are four-ish). As a bonus, adding RET_PF_WRITE_PROTECTED obviates the need for kvm_lookup_pfn()[*]. [*] https://lore.kernel.org/all/63c41e25-2523-4397-96b4-557394281443@redhat.com v2: - Gather reviews. - Rewrite the comment for the nested NPT "fast" unprotect path to explain what it actually handles. [Yuan] - Drop Cc: stable for the remaining patches, as it's extremely unlikely these fixes would actually prevent a guest from dying. [Paolo] - Move the patch to replace PFERR_NESTED_GUEST_PAGE much earlier. [Paolo] - Wrap indirect_shadow_pages with READ_ONCE(). [Paolo] - Massage a few changelogs to (hopefully) fix weird wordings. [Paolo] - Always refer directly to last_retry_{addr,eip} in comments, instead of indirectly referencing them as "infinite loop protection". [Paolo] - WARN if write-protection hits the MMIO cache. [Yuan] v1: https://lore.kernel.org/all/20240809190319.1710470-1-seanjc@google.com Sean Christopherson (22): KVM: VMX: Set PFERR_GUEST_{FINAL,PAGE}_MASK if and only if the GVA is valid KVM: x86/mmu: Replace PFERR_NESTED_GUEST_PAGE with a more descriptive helper KVM: x86/mmu: Trigger unprotect logic only on write-protection page faults KVM: x86/mmu: Skip emulation on page fault iff 1+ SPs were unprotected KVM: x86: Retry to-be-emulated insn in "slow" unprotect path iff sp is zapped KVM: x86: Get RIP from vCPU state when storing it to last_retry_eip KVM: x86: Store gpa as gpa_t, not unsigned long, when unprotecting for retry KVM: x86/mmu: Apply retry protection to "fast nTDP unprotect" path KVM: x86/mmu: Try "unprotect for retry" iff there are indirect SPs KVM: x86: Move EMULTYPE_ALLOW_RETRY_PF to x86_emulate_instruction() KVM: x86: Fold retry_instruction() into x86_emulate_instruction() KVM: x86/mmu: Don't try to unprotect an INVALID_GPA KVM: x86/mmu: Always walk guest PTEs with WRITE access when unprotecting KVM: x86/mmu: Move event re-injection unprotect+retry into common path KVM: x86: Remove manual pfn lookup when retrying #PF after failed emulation KVM: x86: Check EMULTYPE_WRITE_PF_TO_SP before unprotecting gfn KVM: x86: Apply retry protection to "unprotect on failure" path KVM: x86: Update retry protection fields when forcing retry on emulation failure KVM: x86: Rename reexecute_instruction()=>kvm_unprotect_and_retry_on_failure() KVM: x86/mmu: Subsume kvm_mmu_unprotect_page() into the and_retry() version KVM: x86/mmu: Detect if unprotect will do anything based on invalid_list KVM: x86/mmu: WARN on MMIO cache hit when emulating write-protected gfn arch/x86/include/asm/kvm_host.h | 14 ++- arch/x86/kvm/mmu/mmu.c | 200 +++++++++++++++++++++++--------- arch/x86/kvm/mmu/mmu_internal.h | 3 + arch/x86/kvm/mmu/mmutrace.h | 1 + arch/x86/kvm/mmu/paging_tmpl.h | 2 +- arch/x86/kvm/mmu/tdp_mmu.c | 6 +- arch/x86/kvm/vmx/vmx.c | 5 +- arch/x86/kvm/x86.c | 133 ++++++--------------- 8 files changed, 198 insertions(+), 166 deletions(-) base-commit: a1206bc992c3cd3f758a9b46117dfc7e59e8c10f