On Sun, 2023-11-05 at 17:30 +0100, Paolo Bonzini wrote: > From: Sean Christopherson <seanjc@xxxxxxxxxx> > > Move the assertion on the in-progress invalidation count from the primary > MMU's notifier path to KVM's common notification path, i.e. assert that > the count doesn't go negative even when the invalidation is coming from > KVM itself. > > Opportunistically convert the assertion to a KVM_BUG_ON(), i.e. kill only > the affected VM, not the entire kernel. A corrupted count is fatal to the > VM, e.g. the non-zero (negative) count will cause mmu_invalidate_retry() > to block any and all attempts to install new mappings. But it's far from > guaranteed that an end() without a start() is fatal or even problematic to > anything other than the target VM, e.g. the underlying bug could simply be > a duplicate call to end(). And it's much more likely that a missed > invalidation, i.e. a potential use-after-free, would manifest as no > notification whatsoever, not an end() without a start(). > > Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx> > Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> > Reviewed-by: Fuad Tabba <tabba@xxxxxxxxxx> > Tested-by: Fuad Tabba <tabba@xxxxxxxxxx> > Message-Id: <20231027182217.3615211-3-seanjc@xxxxxxxxxx> > Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> > Reviewed-by: Kai Huang <kai.huang@xxxxxxxxx>
