Commit db3f2f7b authored by Ben Gardon's avatar Ben Gardon Committed by Yu Zhang
Browse files

KVM: x86/mmu: Fix RCU usage in handle_removed_tdp_mmu_page 

mainline inclusion
from mainline-v5.12-rc4
commit 70fb3e41
category: feature
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I7S3VQ
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=70fb3e41a97a5fecc0aedc9a429479d702c3ab66



----------------------------------------------------------------------

The pt passed into handle_removed_tdp_mmu_page does not need RCU
protection, as it is not at any risk of being freed by another thread at
that point. However, the implicit cast from tdp_sptep_t to u64 * dropped
the __rcu annotation without a proper rcu_derefrence. Fix this by
passing the pt as a tdp_ptep_t and then rcu_dereferencing it in
the function.

Suggested-by: default avatarSean Christopherson <seanjc@google.com>
Reported-by: default avatarkernel test robot <lkp@intel.com>
Signed-off-by: default avatarBen Gardon <bgardon@google.com>
Message-Id: <20210315233803.2706477-2-bgardon@google.com>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: default avatarYu Zhang <yu.c.zhang@linux.intel.com>
parent b0e0ef73

arch/x86/kvm/mmu/tdp_mmu.c

+8 −3
Original line number Diff line number Diff line
@@ -301,11 +301,16 @@ static void tdp_mmu_unlink_page(struct kvm *kvm, struct kvm_mmu_page *sp, 
 *

 * Given a page table that has been removed from the TDP paging structure,

 * iterates through the page table to clear SPTEs and free child page tables.

 *

 * Note that pt is passed in as a tdp_ptep_t, but it does not need RCU

 * protection. Since this thread removed it from the paging structure,

 * this thread will be responsible for ensuring the page is freed. Hence the

 * early rcu_dereferences in the function.

 */

static void handle_removed_tdp_mmu_page(struct kvm *kvm, u64 *pt,

static void handle_removed_tdp_mmu_page(struct kvm *kvm, tdp_ptep_t pt,

					bool shared)

{

	struct kvm_mmu_page *sp = sptep_to_sp(pt);

	struct kvm_mmu_page *sp = sptep_to_sp(rcu_dereference(pt));

	int level = sp->role.level;

	gfn_t base_gfn = sp->gfn;

	u64 old_child_spte;
@@ -318,7 +323,7 @@ static void handle_removed_tdp_mmu_page(struct kvm *kvm, u64 *pt, 
	tdp_mmu_unlink_page(kvm, sp, shared);



	for (i = 0; i < PT64_ENT_PER_PAGE; i++) {

		sptep = pt + i;

		sptep = rcu_dereference(pt) + i;

		gfn = base_gfn + (i * KVM_PAGES_PER_HPAGE(level - 1));



		if (shared) {