[PATCH 09/13] KVM: Always add relevant ranges to invalidation set when changing attributes

From: Sean Christopherson
Date: Thu Sep 21 2023 - 16:57:31 EST

Next message: Rafael J. Wysocki: "[PATCH v1 02/13] ACPI: thermal: Collapse trip devices update functions"
Previous message: Sean Christopherson: "[PATCH 13/13] KVM: Rename guest_mem.c to guest_memfd.c"
In reply to: Sean Christopherson: "[PATCH 13/13] KVM: Rename guest_mem.c to guest_memfd.c"
Next in thread: Sean Christopherson: "[PATCH 11/13] KVM: selftests: Refactor private mem conversions to prep for punch_hole test"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When setting memory attributes, add all affected memslot ranges to the set
of invalidation ranges before calling into arch code. Even if the change
in attributes doesn't strictly require zapping, it's not at all obvious
that letting arch code establish new mappings while the attributes are in
flux is safe and/or desirable. Unconditionally adding ranges allows KVM
to keep its sanity check that at least one range is added between begin()
and end(), e.g. to guard against a missed add() call, without needing
complex code to condition the begin()/end() on arch behavior.

Fixes: 9a327182447a ("KVM: Introduce per-page memory attributes")
Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
---
virt/kvm/kvm_main.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 277afeedd670..96fc609459e3 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -2529,6 +2529,25 @@ static __always_inline void kvm_handle_gfn_range(struct kvm *kvm,
KVM_MMU_UNLOCK(kvm);
}

+static bool kvm_pre_set_memory_attributes(struct kvm *kvm,
+ struct kvm_gfn_range *range)
+{
+ /*
+ * Unconditionally add the range to the invalidation set, regardless of
+ * whether or not the arch callback actually needs to zap SPTEs. E.g.
+ * if KVM supports RWX attributes in the future and the attributes are
+ * going from R=>RW, zapping isn't strictly necessary. Unconditionally
+ * adding the range allows KVM to require that MMU invalidations add at
+ * least one range between begin() and end(), e.g. allows KVM to detect
+ * bugs where the add() is missed. Rexlaing the rule *might* be safe,
+ * but it's not obvious that allowing new mappings while the attributes
+ * are in flux is desirable or worth the complexity.
+ */
+ kvm_mmu_invalidate_range_add(kvm, range->start, range->end);
+
+ return kvm_arch_pre_set_memory_attributes(kvm, range);
+}
+
/* Set @attributes for the gfn range [@start, @end). */
static int kvm_vm_set_mem_attributes(struct kvm *kvm, gfn_t start, gfn_t end,
unsigned long attributes)
@@ -2536,7 +2555,7 @@ static int kvm_vm_set_mem_attributes(struct kvm *kvm, gfn_t start, gfn_t end,
struct kvm_mmu_notifier_range pre_set_range = {
.start = start,
.end = end,
- .handler = kvm_arch_pre_set_memory_attributes,
+ .handler = kvm_pre_set_memory_attributes,
.on_lock = kvm_mmu_invalidate_begin,
.flush_on_ret = true,
.may_block = true,
--
2.42.0.515.g380fc7ccd1-goog

Next message: Rafael J. Wysocki: "[PATCH v1 02/13] ACPI: thermal: Collapse trip devices update functions"
Previous message: Sean Christopherson: "[PATCH 13/13] KVM: Rename guest_mem.c to guest_memfd.c"
In reply to: Sean Christopherson: "[PATCH 13/13] KVM: Rename guest_mem.c to guest_memfd.c"
Next in thread: Sean Christopherson: "[PATCH 11/13] KVM: selftests: Refactor private mem conversions to prep for punch_hole test"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]