From: Fuad Tabba
Date: Wed, 1 Nov 2023 12:46:25 +0000
Subject: Re: [PATCH v13 02/35] KVM: Assert that mmu_invalidate_in_progress *never* goes negative
To: Sean Christopherson
Cc: Paolo Bonzini, Marc Zyngier, Oliver Upton, Huacai Chen, Michael Ellerman, Anup Patel, Paul Walmsley, Palmer Dabbelt, Albert Ou, Alexander Viro, Christian Brauner, "Matthew Wilcox (Oracle)", Andrew Morton, kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, kvm-riscv@lists.infradead.org, linux-riscv@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Xiaoyao Li, Xu Yilun, Chao Peng, Jarkko Sakkinen, Anish Moorthy, David Matlack, Yu Zhang, Isaku Yamahata, Mickaël Salaün, Vlastimil Babka, Vishal Annapurve, Ackerley Tng, Maciej Szmigiero, David Hildenbrand, Quentin Perret, Michael Roth, Wang, Liam Merwick, Isaku Yamahata, "Kirill A. Shutemov"

On Fri, Oct 27, 2023 at 7:22 PM Sean Christopherson wrote:
>
> Move the assertion on the in-progress invalidation count from the primary
> MMU's notifier path to KVM's common notification path, i.e. assert that
> the count doesn't go negative even when the invalidation is coming from
> KVM itself.
>
> Opportunistically convert the assertion to a KVM_BUG_ON(), i.e. kill only
> the affected VM, not the entire kernel. A corrupted count is fatal to the
> VM, e.g. the non-zero (negative) count will cause mmu_invalidate_retry()
> to block any and all attempts to install new mappings. But it's far from
> guaranteed that an end() without a start() is fatal or even problematic to
> anything other than the target VM, e.g. the underlying bug could simply be
> a duplicate call to end(). And it's much more likely that a missed
> invalidation, i.e. a potential use-after-free, would manifest as no
> notification whatsoever, not an end() without a start().
>
> Signed-off-by: Sean Christopherson
> ---

Reviewed-by: Fuad Tabba
Tested-by: Fuad Tabba

Cheers,
/fuad

>  virt/kvm/kvm_main.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 0524933856d4..5a97e6c7d9c2 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -833,6 +833,7 @@ void kvm_mmu_invalidate_end(struct kvm *kvm, unsigned long start,
>  	 * in conjunction with the smp_rmb in mmu_invalidate_retry().
>  	 */
>  	kvm->mmu_invalidate_in_progress--;
> +	KVM_BUG_ON(kvm->mmu_invalidate_in_progress < 0, kvm);
>  }
>
>  static void kvm_mmu_notifier_invalidate_range_end(struct mmu_notifier *mn,
> @@ -863,8 +864,6 @@ static void kvm_mmu_notifier_invalidate_range_end(struct mmu_notifier *mn,
>  	 */
>  	if (wake)
>  		rcuwait_wake_up(&kvm->mn_memslots_update_rcuwait);
> -
> -	BUG_ON(kvm->mmu_invalidate_in_progress < 0);
>  }
>
>  static int kvm_mmu_notifier_clear_flush_young(struct mmu_notifier *mn,
> --
> 2.42.0.820.g83a721a137-goog
>
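Review bot: the new `KVM_BUG_ON(kvm->mmu_invalidate_in_progress < 0, kvm);` in the kvm_mmu_invalidate_end() hunk sits directly after the decrement, which is the one statement that can take the count negative, but it carries no comment, and the count is left negative for the now-dead VM so that mmu_invalidate_retry() keeps refusing new mappings. Suggest a one-line comment above the check saying that a negative value means an end() without a matching start() and that the count is intentionally not repaired, so nobody later "fixes" it back to zero and re-enables mapping on a VM whose notifier bookkeeping is already known to be broken.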
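Review bot: dropping `BUG_ON(kvm->mmu_invalidate_in_progress < 0);` from the tail of kvm_mmu_notifier_invalidate_range_end() is only equivalent if every decrement of the count goes through kvm_mmu_invalidate_end(), where the replacement check now lives, and this hunk shows neither the call from the notifier path into that function nor any other decrement site. Suggest the commit message state explicitly that kvm_mmu_invalidate_end() is the sole decrement site, so a reader of this hunk alone can see the check was moved rather than lost. The check also now fires at the moment the count goes negative instead of after the rcuwait_wake_up() of memslot updaters, which is earlier and therefore fine; removing the blank line together with the BUG_ON() leaves the function ending cleanly on the wake-up.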
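To make the commit message's argument concrete, here is an added example, not KVM code and not part of the patch: a small model of the in-progress count, the invalidation sequence number and mmu_invalidate_retry() as the commit message describes them, run once balanced and once with a duplicate end(). All names (kvm_model, invalidate_start, invalidate_end, invalidate_retry, scenario) are hypothetical stand-ins for the KVM fields and functions.

```c
/* Added example, not KVM code and not part of the patch: a model of the
 * mmu_invalidate_in_progress / mmu_invalidate_seq bookkeeping and of
 * mmu_invalidate_retry() as the commit message describes them. All names
 * are hypothetical stand-ins for the KVM fields and functions. */

struct kvm_model {
	long in_progress;   /* kvm->mmu_invalidate_in_progress */
	unsigned long seq;  /* kvm->mmu_invalidate_seq */
	int vm_dead;        /* what the per-VM KVM_BUG_ON() sets */
};

static void invalidate_start(struct kvm_model *kvm)
{
	kvm->in_progress++; /* no new mappings while the count is non-zero */
}

static void invalidate_end(struct kvm_model *kvm)
{
	kvm->seq++;         /* faults that snapshotted the old seq must retry */
	kvm->in_progress--;
	if (kvm->in_progress < 0) /* the patch's KVM_BUG_ON(): only this VM dies */
		kvm->vm_dead = 1;
}

/* mmu_invalidate_retry() model: non-zero means "do not map, retry". */
static int invalidate_retry(const struct kvm_model *kvm, unsigned long mmu_seq)
{
	return kvm->in_progress ? 1 : kvm->seq != mmu_seq;
}

/* One start()/end() pair, plus a duplicate end() on request; returns the
 * observable state as a bitmask: 1 = stale snapshot must retry, 2 = even a
 * fresh snapshot must retry (all mappings blocked), 4 = VM marked dead,
 * 8 = count negative. */
static int scenario(int duplicate_end)
{
	struct kvm_model kvm = { 0 };
	unsigned long stale = kvm.seq;
	int state = 0;
	invalidate_start(&kvm);
	invalidate_end(&kvm);
	if (duplicate_end)
		invalidate_end(&kvm); /* the bug class the new assertion catches */
	state |= invalidate_retry(&kvm, stale) ? 1 : 0;
	state |= invalidate_retry(&kvm, kvm.seq) ? 2 : 0;
	state |= kvm.vm_dead ? 4 : 0;
	state |= kvm.in_progress < 0 ? 8 : 0;
	return state; /* balanced: 1; duplicate end(): 15 */
}
```

The balanced run only forces a retry for a fault that snapshotted the old sequence number, while the duplicate end() leaves the count at -1, marks only this VM dead, and blocks even fresh faults, which is the behaviour the commit message relies on when it argues that a corrupted count is fatal to the VM but need not be fatal to the host.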