KVM: PPC: Book3S HV: Close race with page faults around memslot flushes

paulusmack · paulusmack · commit 11362b1befea · 2020-05-28T10:56:42.000+10:00
There is a potential race condition between hypervisor page faults
and flushing a memslot.  It is possible for a page fault to read the
memslot before a memslot is updated and then write a PTE to the
partition-scoped page tables after kvmppc_radix_flush_memslot has
completed.  (Note that this race has never been explicitly observed.)

To close this race, it is sufficient to increment the MMU sequence
number while the kvm-&gt;mmu_lock is held.  That will cause
mmu_notifier_retry() to return true, and the page fault will then
return to the guest without inserting a PTE.

Signed-off-by: Paul Mackerras &lt;paulus@ozlabs.org&gt;
diff --git a/arch/powerpc/kvm/book3s_64_mmu_radix.c b/arch/powerpc/kvm/book3s_64_mmu_radix.c
@@ -1130,6 +1130,11 @@ void kvmppc_radix_flush_memslot(struct kvm *kvm,
 					 kvm->arch.lpid);
 		gpa += PAGE_SIZE;
 	}
+	/*
+	 * Increase the mmu notifier sequence number to prevent any page
+	 * fault that read the memslot earlier from writing a PTE.
+	 */
+	kvm->mmu_notifier_seq++;
 	spin_unlock(&kvm->mmu_lock);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1130,6 +1130,11 @@ void kvmppc_radix_flush_memslot(struct kvm *kvm,`
`1130`	`1130`	`kvm->arch.lpid);`
`1131`	`1131`	`gpa += PAGE_SIZE;`
`1132`	`1132`	`}`
	`1133`	`+ /*`
	`1134`	`+ * Increase the mmu notifier sequence number to prevent any page`
	`1135`	`+ * fault that read the memslot earlier from writing a PTE.`
	`1136`	`+ */`
	`1137`	`+ kvm->mmu_notifier_seq++;`
`1133`	`1138`	`spin_unlock(&kvm->mmu_lock);`
`1134`	`1139`	`}`
`1135`	`1140`