Re: [PATCH 09/16] KVM: x86/mmu: Move private vs. shared check above slot validity checks

"Huang, Kai" <kai.huang@xxxxxxxxx> · Wed, 6 Mar 2024 12:06:14 +1300

On 28/02/2024 3:41 pm, Sean Christopherson wrote:
Prioritize private vs. shared gfn attribute checks above slot validity
checks to ensure a consistent userspace ABI.  E.g. as is, KVM will exit to
userspace if there is no memslot, but emulate accesses to the APIC access
page even if the attributes mismatch.

IMHO, it would be helpful to explicitly say that, in the later case 
(emulate APIC access page) we still want to report MEMORY_FAULT error 
first (so that userspace can have chance to fixup, IIUC) instead of 
emulating directly, which will unlikely work.

Reviewed-by: Kai Huang <kai.huang@xxxxxxxxx>


Fixes: 8dd2eee9d526 ("KVM: x86/mmu: Handle page fault for private memory")
Cc: Yu Zhang <yu.c.zhang@xxxxxxxxxxxxxxx>
Cc: Chao Peng <chao.p.peng@xxxxxxxxxxxxxxx>
Cc: Fuad Tabba <tabba@xxxxxxxxxx>
Cc: Michael Roth <michael.roth@xxxxxxx>
Cc: Isaku Yamahata <isaku.yamahata@xxxxxxxxx>
Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
---
  arch/x86/kvm/mmu/mmu.c | 15 ++++++++++-----
  1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 9206cfa58feb..58c5ae8be66c 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -4365,11 +4365,6 @@ static int __kvm_faultin_pfn(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault
  			return RET_PF_EMULATE;
  	}
  
-	if (fault->is_private != kvm_mem_is_private(vcpu->kvm, fault->gfn)) {
-		kvm_mmu_prepare_memory_fault_exit(vcpu, fault);
-		return -EFAULT;
-	}
-
  	if (fault->is_private)
  		return kvm_faultin_pfn_private(vcpu, fault);
  
@@ -4410,6 +4405,16 @@ static int kvm_faultin_pfn(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault,
  	fault->mmu_seq = vcpu->kvm->mmu_invalidate_seq;
  	smp_rmb();
  
+	/*
+	 * Check for a private vs. shared mismatch *after* taking a snapshot of
+	 * mmu_invalidate_seq, as changes to gfn attributes are guarded by the
+	 * invalidation notifier.
+	 */
+	if (fault->is_private != kvm_mem_is_private(vcpu->kvm, fault->gfn)) {
+		kvm_mmu_prepare_memory_fault_exit(vcpu, fault);
+		return -EFAULT;
+	}
+
  	/*
  	 * Check for a relevant mmu_notifier invalidation event before getting
  	 * the pfn from the primary MMU, and before acquiring mmu_lock.







