From patchwork Thu Mar 3 18:33:27 2022
X-Patchwork-Submitter: David Matlack
X-Patchwork-Id: 12767932
Date: Thu, 3 Mar 2022 18:33:27 +0000
In-Reply-To: <20220303183328.1499189-1-dmatlack@google.com>
Message-Id: <20220303183328.1499189-2-dmatlack@google.com>
References: <20220303183328.1499189-1-dmatlack@google.com>
Subject: [PATCH RESEND 1/2] KVM: Prevent module exit until all VMs are freed
From: David Matlack
To: pbonzini@redhat.com
Cc: David Matlack, kvm@vger.kernel.org, Marcelo Tosatti, Gleb Natapov, Rik van Riel, seanjc@google.com, bgardon@google.com, stable@vger.kernel.org
X-Mailing-List: kvm@vger.kernel.org

Tie the lifetime of the KVM module to the lifetime of each VM via kvm.users_count. This way anything that grabs a reference to the VM via kvm_get_kvm() cannot accidentally outlive the KVM module.

Prior to this commit, the lifetime of the KVM module was tied to the lifetime of /dev/kvm file descriptors, VM file descriptors, and vCPU file descriptors by their respective file_operations "owner" field. This approach is insufficient because references grabbed via kvm_get_kvm() do not prevent closing any of the aforementioned file descriptors.

This fixes a long standing theoretical bug in KVM that at least affects async page faults. kvm_setup_async_pf() grabs a reference via kvm_get_kvm(), and drops it in an asynchronous work callback. Nothing prevents the VM file descriptor from being closed and the KVM module from being unloaded before this callback runs.

Fixes: af585b921e5d ("KVM: Halt vcpu if page it tries to access is swapped out")
Cc: stable@vger.kernel.org
Suggested-by: Ben Gardon
[ Based on a patch from Ben implemented for Google's kernel. ]
Signed-off-by: David Matlack
Reviewed-by: Sean Christopherson
---
 virt/kvm/kvm_main.c | 8 ++++++++
 1 file changed, 8 insertions(+)

base-commit: b13a3befc815eae574d87e6249f973dfbb6ad6cd
prerequisite-patch-id: 38f66d60319bf0bc9bf49f91f0f9119e5441629b
prerequisite-patch-id: 51aa921d68ea649d436ea68e1b8f4aabc3805156

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 35ae6d32dae5..b59f0a29dbd5 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c 
@@ -117,6 +117,8 @@ EXPORT_SYMBOL_GPL(kvm_debugfs_dir); static const struct file_operations stat_fops_per_vm; +static struct file_operations kvm_chardev_ops; + static long kvm_vcpu_ioctl(struct file *file, unsigned int ioctl, unsigned long arg); #ifdef CONFIG_KVM_COMPAT @@ -1131,6 +1133,11 @@ static struct kvm *kvm_create_vm(unsigned long type) preempt_notifier_inc(); kvm_init_pm_notifier(kvm); + if (!try_module_get(kvm_chardev_ops.owner)) { + r = -ENODEV; + goto out_err; + } + return kvm; out_err: 
@@ -1220,6 +1227,7 @@ static void kvm_destroy_vm(struct kvm *kvm) preempt_notifier_dec(); hardware_disable_all(); mmdrop(mm); + module_put(kvm_chardev_ops.owner); } void kvm_get_kvm(struct kvm *kvm)

From patchwork Thu Mar 3 18:33:28 2022
X-Patchwork-Submitter: David Matlack
X-Patchwork-Id: 12767933
Date: Thu, 3 Mar 2022 18:33:28 +0000
In-Reply-To: <20220303183328.1499189-1-dmatlack@google.com>
Message-Id: <20220303183328.1499189-3-dmatlack@google.com>
References: <20220303183328.1499189-1-dmatlack@google.com>
Subject: [PATCH RESEND 2/2] Revert "KVM: set owner of cpu and vm file operations"
From: David Matlack
To: pbonzini@redhat.com
Cc: David Matlack, kvm@vger.kernel.org, Marcelo Tosatti, Gleb Natapov, Rik van Riel, seanjc@google.com, bgardon@google.com
X-Mailing-List: kvm@vger.kernel.org

This reverts commit 3d3aab1b973b01bd2a1aa46307e94a1380b1d802.

Now that the KVM module's lifetime is tied to kvm.users_count, there is no need to also tie its lifetime to the lifetime of the VM and vCPU file descriptors.

Suggested-by: Sean Christopherson
Signed-off-by: David Matlack Reviewed-by: Sean Christopherson --- virt/kvm/kvm_main.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index b59f0a29dbd5..73b8f70e16cc 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -3684,7 +3684,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp) return 0; } -static struct file_operations kvm_vcpu_fops = { +static const struct file_operations kvm_vcpu_fops = { .release = kvm_vcpu_release, .unlocked_ioctl = kvm_vcpu_ioctl, .mmap = kvm_vcpu_mmap, @@ -4735,7 +4735,7 @@ static long kvm_vm_compat_ioctl(struct file *filp, } #endif -static struct file_operations kvm_vm_fops = { +static const struct file_operations kvm_vm_fops = { .release = kvm_vm_release, .unlocked_ioctl = kvm_vm_ioctl, .llseek = noop_llseek, @@ -5744,8 +5744,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, goto out_free_5; kvm_chardev_ops.owner = module; - kvm_vm_fops.owner = module; - kvm_vcpu_fops.owner = module; r = misc_register(&kvm_dev); if (r) {
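
Review bot: In the kvm_create_vm() hunk of patch 1/2, try_module_get(kvm_chardev_ops.owner) is taken after preempt_notifier_inc() and kvm_init_pm_notifier(kvm), and its failure path is a plain `goto out_err`. The hunk does not show the existing out_err label undoing those two calls, so a failed try_module_get() may leave the preempt notifier count raised and the PM notifier registered for a VM that is about to be freed. Either take the module reference before any step that needs unwinding, ideally at the top of the function, or add a dedicated label that runs the matching teardown before falling into out_err.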
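
Review bot: In the kvm_destroy_vm() hunk of patch 1/2, module_put(kvm_chardev_ops.owner) is the last statement, but the function epilogue and every caller frame above it are still KVM module text. The commit message says the final reference can be dropped from the async page fault work callback, so please explain what keeps the module loaded between this module_put() and that callback returning, or document the remaining window. A short comment pairing this call with the try_module_get() in kvm_create_vm(), and stating that nothing may be added after it, would also help future readers.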
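
Review bot: In the kvm_init() hunk of patch 2/2, removing `kvm_vm_fops.owner = module;` and `kvm_vcpu_fops.owner = module;` is only safe once the try_module_get()/module_put() pair from 1/2 is in the tree, yet 1/2 is Cc'd to stable@vger.kernel.org and this patch is not. Please state the dependency on 1/2 explicitly in the commit message so the revert is never picked up or backported on its own. It would also help to say which kvm.users_count reference each open VM and vCPU file holds for its lifetime, since that is what makes the per-fops owner redundant and it is not visible in these hunks.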