Commit 92da008f authored Mar 12, 2019 by Ben Gardon Committed by Paolo Bonzini Mar 15, 2019

Revert "KVM/MMU: Flush tlb directly in the kvm_zap_gfn_range()"



This reverts commit 71883a62.

The above commit contains an optimization to kvm_zap_gfn_range which
uses gfn-limited TLB flushes, if enabled. If using these limited flushes,
kvm_zap_gfn_range passes lock_flush_tlb=false to slot_handle_level_range
which creates a race when the function unlocks to call cond_resched.
See an example of this race below:

CPU 0                   CPU 1                           CPU 3
// zap_direct_gfn_range
mmu_lock()
// *ptep == pte_1
*ptep = 0
if (lock_flush_tlb)
        flush_tlbs()
mmu_unlock()
                        // In invalidate range
                        // MMU notifier
                        mmu_lock()
                        if (pte != 0)
                                *ptep = 0
                                flush = true
                        if (flush)
                                flush_remote_tlbs()
                        mmu_unlock()
                        return
                        // Host MM reallocates
                        // page previously
                        // backing guest memory.
                                                        // Guest accesses
                                                        // invalid page
                                                        // through pte_1
                                                        // in its TLB!!

Tested: Ran all kvm-unit-tests on a Intel Haswell machine with and
	without this patch. The patch introduced no new failures.

Signed-off-by: Ben Gardon <bgardon@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

parent 71783e09

arch/x86/kvm/mmu.c

+3 −13

Original line number	Diff line number	Diff line
		@@ -5660,13 +5660,8 @@ void kvm_zap_gfn_range(struct kvm *kvm, gfn_t gfn_start, gfn_t gfn_end)
		{
		struct kvm_memslots *slots;
		struct kvm_memory_slot *memslot;
		bool flush_tlb = true;
		bool flush = false;
		int i;

		if (kvm_available_flush_tlb_with_range())
		flush_tlb = false;

		spin_lock(&kvm->mmu_lock);
		for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) {
		slots = __kvm_memslots(kvm, i);
		@@ -5678,17 +5673,12 @@ void kvm_zap_gfn_range(struct kvm *kvm, gfn_t gfn_start, gfn_t gfn_end)
		if (start >= end)
		continue;

		flush \|= slot_handle_level_range(kvm, memslot,
		kvm_zap_rmapp, PT_PAGE_TABLE_LEVEL,
		PT_MAX_HUGEPAGE_LEVEL, start,
		end - 1, flush_tlb);
		slot_handle_level_range(kvm, memslot, kvm_zap_rmapp,
		PT_PAGE_TABLE_LEVEL, PT_MAX_HUGEPAGE_LEVEL,
		start, end - 1, true);
		}
		}

		if (flush)
		kvm_flush_remote_tlbs_with_address(kvm, gfn_start,
		gfn_end - gfn_start + 1);

		spin_unlock(&kvm->mmu_lock);
		}

Admin message