KVM: x86/mmu: Fix incorrect reference count for TDP MMU root
Intel inclusion category: feature
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I7S3VQ
CVE: NA

----------------------------------------------------------------------

Do not ref-count TDP MMU root when fast zapping, if the root SP is already marked as invalid.

Previously, upstream commit 4c6654bd ("KVM: x86/mmu: Tear down roots before kvm_mmu_zap_all_fast returns") added logic to zap TDP when memslot deletion happens, to avoid saddling the vCPU thread with the work of tearing down the entire paging structure. However, the root sp is still kept in the invalid list, because the map count is not zero.

Later upstream commit f28e9c7f ("KVM: x86/mmu: Fix wrong/misleading comments in TDP MMU fast zap") added checking of root->role.invalid, and gave a warning, if the root was already invalid. We can easily witness such a warning, because the invalidated root sp is still kept in the root list.

Although Paolo fixed this, with commit efd995da ("KVM: x86/mmu: Zap defunct roots via asynchronous worker"), this async solution was later dropped with Sean's commit 0df9dab8 ("KVM: x86/mmu: Stop zapping invalidated TDP MMU roots asynchronously"). So, cook this patch based on both Paolo's and Sean's solution, instead of porting them due to significant dependencies.

Note - we expect the fast zapping path to only zap the root, and to dereference sp's map count, but not to free it. Because other vCPUs will still see a valid root_hpa, when it later tries to handle the KVM_REQ_MMU_RELOAD. And a use-after-free case may happen, if the sp is already freed in the fast zapping path.

Fixes: fe75023f ("KVM: x86/mmu: Fix wrong/misleading comments in TDP MMU fast zap")
Tested-and-reported-by: Hua Su <suhua1@kingsoft.com>
Signed-off-by: Yu Zhang <yu.c.zhang@linux.intel.com>