On Tue, Jul 04, 2023 at 04:50:50PM +0900, David Stevens wrote:
> @@ -4451,7 +4461,8 @@ static int direct_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault
>
> out_unlock:
> write_unlock(&vcpu->kvm->mmu_lock);
> - kvm_release_pfn_clean(fault->pfn);
> + if (fault->is_refcounted_page)
> + kvm_set_page_accessed(pfn_to_page(fault->pfn));

For a refcounted page, as KVM now puts its ref early in kvm_faultin_pfn(), should this kvm_set_page_accessed() be placed before unlocking mmu_lock? Otherwise, if the user unmaps a region (which triggers kvm_unmap_gfn_range() with mmu_lock held for write) and releases the page, and if these two steps happen after the page_count() check in kvm_set_page_accessed() and before mark_page_accessed(), the latter may mark as accessed a page that has been released or does not belong to the current process. Is it true?

> return r;
> }
>
> @@ -4529,7 +4540,8 @@ static int kvm_tdp_mmu_page_fault(struct kvm_vcpu *vcpu,
>
> out_unlock:
> read_unlock(&vcpu->kvm->mmu_lock);
> - kvm_release_pfn_clean(fault->pfn);
> + if (fault->is_refcounted_page)
> + kvm_set_page_accessed(pfn_to_page(fault->pfn));
> return r;
> }

Ditto.
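Review bot: in the direct_page_fault() hunk, kvm_set_page_accessed(pfn_to_page(fault->pfn)) runs after write_unlock(&vcpu->kvm->mmu_lock), and the removed kvm_release_pfn_clean(fault->pfn) shows the fault path no longer holds its own reference on the page at that point, so nothing pins the page between the unlock and the accessed-bit update; a concurrent unmap that takes mmu_lock for write can free the page in that window and the struct page touched by mark_page_accessed() may no longer be the one this fault mapped. Either move the `if (fault->is_refcounted_page) kvm_set_page_accessed(...)` lines above the write_unlock() so they are ordered against kvm_unmap_gfn_range(), or keep a reference across the call and drop it afterwards; whichever is chosen, a comment at out_unlock: explaining why the page is still valid here would help future readers.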
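Review bot: the kvm_tdp_mmu_page_fault() hunk has the same unreferenced-page window after read_unlock(&vcpu->kvm->mmu_lock). Because this path holds mmu_lock only for read while the unmap path takes it for write, moving the `if (fault->is_refcounted_page)` / `kvm_set_page_accessed(pfn_to_page(fault->pfn));` pair above read_unlock() is still sufficient to serialize against the unmap, so the fix can be identical in both hunks; consider factoring the two copies into one helper so the two MMU paths cannot drift apart.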