| Message ID | 20200928171850.618223-1-maz@kernel.org |
|---|---|
| State | New |
| Headers | show |
| Series | [stable-5.8] KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch | expand |
On Mon, Sep 28, 2020 at 06:18:50PM +0100, Marc Zyngier wrote: > Commit c4ad98e4b72cb5be30ea282fce935248f2300e62 upstream. > > KVM currently assumes that an instruction abort can never be a write. > This is in general true, except when the abort is triggered by > a S1PTW on instruction fetch that tries to update the S1 page tables > (to set AF, for example). > > This can happen if the page tables have been paged out and brought > back in without seeing a direct write to them (they are thus marked > read only), and the fault handling code will make the PT executable(!) > instead of writable. The guest gets stuck forever. > > In these conditions, the permission fault must be considered as > a write so that the Stage-1 update can take place. This is essentially > the I-side equivalent of the problem fixed by 60e21a0ef54c ("arm64: KVM: > Take S1 walks into account when determining S2 write faults"). > > Update kvm_is_write_fault() to return true on IABT+S1PTW, and introduce > kvm_vcpu_trap_is_exec_fault() that only return true when no faulting > on a S1 fault. Additionally, kvm_vcpu_dabt_iss1tw() is renamed to > kvm_vcpu_abt_iss1tw(), as the above makes it plain that it isn't > specific to data abort. > > Signed-off-by: Marc Zyngier <maz@kernel.org> > Reviewed-by: Will Deacon <will@kernel.org> > Cc: stable@vger.kernel.org > Link: https://lore.kernel.org/r/20200915104218.1284701-2-maz@kernel.org Thanks for all 3 of these, now queued up! greg k-h
On Mon, 28 Sep 2020 at 23:16, Greg KH <gregkh@linuxfoundation.org> wrote: > > On Mon, Sep 28, 2020 at 06:18:50PM +0100, Marc Zyngier wrote: > > Commit c4ad98e4b72cb5be30ea282fce935248f2300e62 upstream. > > > > KVM currently assumes that an instruction abort can never be a write. > > This is in general true, except when the abort is triggered by > > a S1PTW on instruction fetch that tries to update the S1 page tables > > (to set AF, for example). > > > > This can happen if the page tables have been paged out and brought > > back in without seeing a direct write to them (they are thus marked > > read only), and the fault handling code will make the PT executable(!) > > instead of writable. The guest gets stuck forever. > > > > In these conditions, the permission fault must be considered as > > a write so that the Stage-1 update can take place. This is essentially > > the I-side equivalent of the problem fixed by 60e21a0ef54c ("arm64: KVM: > > Take S1 walks into account when determining S2 write faults"). > > > > Update kvm_is_write_fault() to return true on IABT+S1PTW, and introduce > > kvm_vcpu_trap_is_exec_fault() that only return true when no faulting > > on a S1 fault. Additionally, kvm_vcpu_dabt_iss1tw() is renamed to > > kvm_vcpu_abt_iss1tw(), as the above makes it plain that it isn't > > specific to data abort. > > > > Signed-off-by: Marc Zyngier <maz@kernel.org> > > Reviewed-by: Will Deacon <will@kernel.org> > > Cc: stable@vger.kernel.org > > Link: https://lore.kernel.org/r/20200915104218.1284701-2-maz@kernel.org > > Thanks for all 3 of these, now queued up! stable rc branch 4.19 arm64 build broken. ../arch/arm64/kvm/../../../virt/kvm/arm/mmu.c:1283:13: error: redefinition of ‘kvm_is_write_fault’ 1283 | static bool kvm_is_write_fault(struct kvm_vcpu *vcpu) | ^~~~~~~~~~~~~~~~~~ Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org> build log, make -sk KBUILD_BUILD_USER=TuxBuild -C/linux -j16 ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- HOSTCC=gcc CC="sccache aarch64-linux-gnu-gcc" O=build Image # In file included from ../arch/arm64/kvm/hyp/../../../../virt/kvm/arm/hyp/vgic-v3-sr.c:22: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/hyp/../../../../virt/kvm/arm/hyp/aarch32.c:14: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/hyp/vgic-v2-cpuif-proxy.c:23: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/hyp/sysreg-sr.c:23: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/hyp/switch.c:29: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/../../../virt/kvm/arm/arm.c:51: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/../../../virt/kvm/arm/mmio.c:21: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/../../../virt/kvm/arm/psci.c:25: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/../../../virt/kvm/arm/perf.c:23: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/regmap.c:24: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/inject_fault.c:25: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/../../../virt/kvm/arm/mmu.c:31: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ ../arch/arm64/kvm/../../../virt/kvm/arm/mmu.c: At top level: ../arch/arm64/kvm/../../../virt/kvm/arm/mmu.c:1283:13: error: redefinition of ‘kvm_is_write_fault’ 1283 | static bool kvm_is_write_fault(struct kvm_vcpu *vcpu) | ^~~~~~~~~~~~~~~~~~ In file included from ../arch/arm64/kvm/../../../virt/kvm/arm/mmu.c:31: ../arch/arm64/include/asm/kvm_emulate.h:382:20: note: previous definition of ‘kvm_is_write_fault’ was here 382 | static inline bool kvm_is_write_fault(struct kvm_vcpu *vcpu) | ^~~~~~~~~~~~~~~~~~ make[2]: *** [../scripts/Makefile.build:303: arch/arm64/kvm/../../../virt/kvm/arm/mmu.o] Error 1 In file included from ../arch/arm64/kvm/handle_exit.c:31: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/guest.c:32: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/debug.c:26: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/reset.c:34: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/sys_regs_generic_v8.c:27: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/vgic-sys-reg-v3.c:17: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/sys_regs.c:35: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/../../../virt/kvm/arm/aarch32.c:26: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/../../../virt/kvm/arm/vgic/vgic-init.c:22: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/../../../virt/kvm/arm/vgic/vgic-mmio-v3.c:20: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/../../../virt/kvm/arm/vgic/vgic-its.c:30: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ In file included from ../arch/arm64/kvm/../../../virt/kvm/arm/pmu.c:23: ../arch/arm64/include/asm/kvm_emulate.h: In function ‘kvm_vcpu_sys_get_rt’: ../arch/arm64/include/asm/kvm_emulate.h:379:6: warning: unused variable ‘esr’ [-Wunused-variable] 379 | u32 esr = kvm_vcpu_get_hsr(vcpu); | ^~~ ../arch/arm64/include/asm/kvm_emulate.h:380:1: warning: no return statement in function returning non-void [-Wreturn-type] 380 | } | ^ make[2]: Target '__build' not remade because of errors. make[1]: *** [/linux/Makefile:1074: arch/arm64/kvm] Error 2 -- Linaro LKFT https://lkft.linaro.org
On Tue, Sep 29, 2020 at 01:16:34AM +0530, Naresh Kamboju wrote: > On Mon, 28 Sep 2020 at 23:16, Greg KH <gregkh@linuxfoundation.org> wrote: > > > > On Mon, Sep 28, 2020 at 06:18:50PM +0100, Marc Zyngier wrote: > > > Commit c4ad98e4b72cb5be30ea282fce935248f2300e62 upstream. > > > > > > KVM currently assumes that an instruction abort can never be a write. > > > This is in general true, except when the abort is triggered by > > > a S1PTW on instruction fetch that tries to update the S1 page tables > > > (to set AF, for example). > > > > > > This can happen if the page tables have been paged out and brought > > > back in without seeing a direct write to them (they are thus marked > > > read only), and the fault handling code will make the PT executable(!) > > > instead of writable. The guest gets stuck forever. > > > > > > In these conditions, the permission fault must be considered as > > > a write so that the Stage-1 update can take place. This is essentially > > > the I-side equivalent of the problem fixed by 60e21a0ef54c ("arm64: KVM: > > > Take S1 walks into account when determining S2 write faults"). > > > > > > Update kvm_is_write_fault() to return true on IABT+S1PTW, and introduce > > > kvm_vcpu_trap_is_exec_fault() that only return true when no faulting > > > on a S1 fault. Additionally, kvm_vcpu_dabt_iss1tw() is renamed to > > > kvm_vcpu_abt_iss1tw(), as the above makes it plain that it isn't > > > specific to data abort. > > > > > > Signed-off-by: Marc Zyngier <maz@kernel.org> > > > Reviewed-by: Will Deacon <will@kernel.org> > > > Cc: stable@vger.kernel.org > > > Link: https://lore.kernel.org/r/20200915104218.1284701-2-maz@kernel.org > > > > Thanks for all 3 of these, now queued up! > > stable rc branch 4.19 arm64 build broken. > > ../arch/arm64/kvm/../../../virt/kvm/arm/mmu.c:1283:13: error: > redefinition of ‘kvm_is_write_fault’ > 1283 | static bool kvm_is_write_fault(struct kvm_vcpu *vcpu) > | ^~~~~~~~~~~~~~~~~~ > > Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org> Thanks, I'll go drop this patch from the 4.19.y queue and wait for a fixed up version from Marc. greg k-h
On 2020-09-29 08:01, Greg KH wrote: > On Tue, Sep 29, 2020 at 01:16:34AM +0530, Naresh Kamboju wrote: >> On Mon, 28 Sep 2020 at 23:16, Greg KH <gregkh@linuxfoundation.org> >> wrote: >> > >> > On Mon, Sep 28, 2020 at 06:18:50PM +0100, Marc Zyngier wrote: >> > > Commit c4ad98e4b72cb5be30ea282fce935248f2300e62 upstream. >> > > >> > > KVM currently assumes that an instruction abort can never be a write. >> > > This is in general true, except when the abort is triggered by >> > > a S1PTW on instruction fetch that tries to update the S1 page tables >> > > (to set AF, for example). >> > > >> > > This can happen if the page tables have been paged out and brought >> > > back in without seeing a direct write to them (they are thus marked >> > > read only), and the fault handling code will make the PT executable(!) >> > > instead of writable. The guest gets stuck forever. >> > > >> > > In these conditions, the permission fault must be considered as >> > > a write so that the Stage-1 update can take place. This is essentially >> > > the I-side equivalent of the problem fixed by 60e21a0ef54c ("arm64: KVM: >> > > Take S1 walks into account when determining S2 write faults"). >> > > >> > > Update kvm_is_write_fault() to return true on IABT+S1PTW, and introduce >> > > kvm_vcpu_trap_is_exec_fault() that only return true when no faulting >> > > on a S1 fault. Additionally, kvm_vcpu_dabt_iss1tw() is renamed to >> > > kvm_vcpu_abt_iss1tw(), as the above makes it plain that it isn't >> > > specific to data abort. >> > > >> > > Signed-off-by: Marc Zyngier <maz@kernel.org> >> > > Reviewed-by: Will Deacon <will@kernel.org> >> > > Cc: stable@vger.kernel.org >> > > Link: https://lore.kernel.org/r/20200915104218.1284701-2-maz@kernel.org >> > >> > Thanks for all 3 of these, now queued up! >> >> stable rc branch 4.19 arm64 build broken. >> >> ../arch/arm64/kvm/../../../virt/kvm/arm/mmu.c:1283:13: error: >> redefinition of ‘kvm_is_write_fault’ >> 1283 | static bool kvm_is_write_fault(struct kvm_vcpu *vcpu) >> | ^~~~~~~~~~~~~~~~~~ >> >> Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org> > > Thanks, I'll go drop this patch from the 4.19.y queue and wait for a > fixed up version from Marc. Right. I have no idea what I tested yesterday, but clearly this didn't stand a chance to even compile on arm64... :-( Funnily enough, 32bit ARM (which nobody cares about when it comes to KVM) was just fine. Bah. Apologies for the noise, v2 coming once I have had my second coffee... M. -- Jazz is not dead. It just smells funny...
diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h index 4d0f8ea600ba..e1254e55835b 100644 --- a/arch/arm64/include/asm/kvm_emulate.h +++ b/arch/arm64/include/asm/kvm_emulate.h @@ -319,7 +319,7 @@ static __always_inline int kvm_vcpu_dabt_get_rd(const struct kvm_vcpu *vcpu) return (kvm_vcpu_get_hsr(vcpu) & ESR_ELx_SRT_MASK) >> ESR_ELx_SRT_SHIFT; } -static __always_inline bool kvm_vcpu_dabt_iss1tw(const struct kvm_vcpu *vcpu) +static __always_inline bool kvm_vcpu_abt_iss1tw(const struct kvm_vcpu *vcpu) { return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_S1PTW); } @@ -327,7 +327,7 @@ static __always_inline bool kvm_vcpu_dabt_iss1tw(const struct kvm_vcpu *vcpu) static __always_inline bool kvm_vcpu_dabt_iswrite(const struct kvm_vcpu *vcpu) { return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_WNR) || - kvm_vcpu_dabt_iss1tw(vcpu); /* AF/DBM update */ + kvm_vcpu_abt_iss1tw(vcpu); /* AF/DBM update */ } static inline bool kvm_vcpu_dabt_is_cm(const struct kvm_vcpu *vcpu) @@ -356,6 +356,11 @@ static inline bool kvm_vcpu_trap_is_iabt(const struct kvm_vcpu *vcpu) return kvm_vcpu_trap_get_class(vcpu) == ESR_ELx_EC_IABT_LOW; } +static inline bool kvm_vcpu_trap_is_exec_fault(const struct kvm_vcpu *vcpu) +{ + return kvm_vcpu_trap_is_iabt(vcpu) && !kvm_vcpu_abt_iss1tw(vcpu); +} + static __always_inline u8 kvm_vcpu_trap_get_fault(const struct kvm_vcpu *vcpu) { return kvm_vcpu_get_hsr(vcpu) & ESR_ELx_FSC; @@ -393,6 +398,9 @@ static __always_inline int kvm_vcpu_sys_get_rt(struct kvm_vcpu *vcpu) static inline bool kvm_is_write_fault(struct kvm_vcpu *vcpu) { + if (kvm_vcpu_abt_iss1tw(vcpu)) + return true; + if (kvm_vcpu_trap_is_iabt(vcpu)) return false; diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c index ba225e09aaf1..8564742948d3 100644 --- a/arch/arm64/kvm/hyp/switch.c +++ b/arch/arm64/kvm/hyp/switch.c @@ -599,7 +599,7 @@ static bool __hyp_text fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code) kvm_vcpu_trap_get_fault_type(vcpu) == FSC_FAULT && kvm_vcpu_dabt_isvalid(vcpu) && !kvm_vcpu_dabt_isextabt(vcpu) && - !kvm_vcpu_dabt_iss1tw(vcpu); + !kvm_vcpu_abt_iss1tw(vcpu); if (valid) { int ret = __vgic_v2_perform_cpuif_access(vcpu); diff --git a/arch/arm64/kvm/mmio.c b/arch/arm64/kvm/mmio.c index 4e0366759726..07e9b6eab59e 100644 --- a/arch/arm64/kvm/mmio.c +++ b/arch/arm64/kvm/mmio.c @@ -146,7 +146,7 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run, } /* Page table accesses IO mem: tell guest to fix its TTBR */ - if (kvm_vcpu_dabt_iss1tw(vcpu)) { + if (kvm_vcpu_abt_iss1tw(vcpu)) { kvm_inject_dabt(vcpu, kvm_vcpu_get_hfar(vcpu)); return 1; } diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c index d906350d543d..1677107b74de 100644 --- a/arch/arm64/kvm/mmu.c +++ b/arch/arm64/kvm/mmu.c @@ -1845,7 +1845,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, unsigned long vma_pagesize, flags = 0; write_fault = kvm_is_write_fault(vcpu); - exec_fault = kvm_vcpu_trap_is_iabt(vcpu); + exec_fault = kvm_vcpu_trap_is_exec_fault(vcpu); VM_BUG_ON(write_fault && exec_fault); if (fault_status == FSC_PERM && !write_fault && !exec_fault) {
Commit c4ad98e4b72cb5be30ea282fce935248f2300e62 upstream. KVM currently assumes that an instruction abort can never be a write. This is in general true, except when the abort is triggered by a S1PTW on instruction fetch that tries to update the S1 page tables (to set AF, for example). This can happen if the page tables have been paged out and brought back in without seeing a direct write to them (they are thus marked read only), and the fault handling code will make the PT executable(!) instead of writable. The guest gets stuck forever. In these conditions, the permission fault must be considered as a write so that the Stage-1 update can take place. This is essentially the I-side equivalent of the problem fixed by 60e21a0ef54c ("arm64: KVM: Take S1 walks into account when determining S2 write faults"). Update kvm_is_write_fault() to return true on IABT+S1PTW, and introduce kvm_vcpu_trap_is_exec_fault() that only return true when no faulting on a S1 fault. Additionally, kvm_vcpu_dabt_iss1tw() is renamed to kvm_vcpu_abt_iss1tw(), as the above makes it plain that it isn't specific to data abort. Signed-off-by: Marc Zyngier <maz@kernel.org> Reviewed-by: Will Deacon <will@kernel.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200915104218.1284701-2-maz@kernel.org --- arch/arm64/include/asm/kvm_emulate.h | 12 ++++++++++-- arch/arm64/kvm/hyp/switch.c | 2 +- arch/arm64/kvm/mmio.c | 2 +- arch/arm64/kvm/mmu.c | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-)