    KVM: x86/mmu: Fix wrong/misleading comments in TDP MMU fast zap · f28e9c7f
    Sean Christopherson authored
    Fix misleading and arguably wrong comments in the TDP MMU's fast zap
    flow.  The comments, and the fact that actually zapping invalid roots was
    added separately, strongly suggest that zapping invalid roots is an
    optimization and not required for correctness.  That is a lie.
    
    KVM _must_ zap invalid roots before returning from kvm_mmu_zap_all_fast(),
    because when it's called from kvm_mmu_invalidate_zap_pages_in_memslot(),
    KVM is relying on it to fully remove all references to the memslot.  Once
    the memslot is gone, KVM's mmu_notifier hooks will be unable to find the
    stale references as the hva=>gfn translation is done via the memslots.
    If KVM doesn't immediately zap SPTEs and userspace unmaps a range after
    deleting a memslot, KVM will fail to zap in response to the mmu_notifier
    due to not finding a memslot corresponding to the notifier's range, which
    leads to a variation of use-after-free.
    
    The other misleading comment (and code) explicitly states that roots
    without a reference should be skipped.  While that's technically true,
    it's also extremely misleading as it should be impossible for KVM to
    encounter a defunct root on the list while holding mmu_lock for write.
    Opportunistically add a WARN to enforce that invariant.
    
    Fixes: b7cccd39 ("KVM: x86/mmu: Fast invalidation for TDP MMU")
    Fixes: 4c6654bd ("KVM: x86/mmu: Tear down roots before kvm_mmu_zap_all_fast returns")
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Reviewed-by: Ben Gardon <bgardon@google.com>
    Message-Id: <20220226001546.360188-4-seanjc@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
tdp_mmu.c 50 KB