From 78e922e930c830809ec66d7a2ab809f858332b9f Mon Sep 17 00:00:00 2001 From: yangge Date: Tue, 29 Oct 2024 03:48:38 -0400 Subject: [PATCH] KVM: SVM: CSV: fix CSV3 launch failures because of concurrent longterm pin hygon inclusion category: bugfix CVE: NA --------------------------- If a large number of CMA memory are configured in system (for example, the CMA memory accounts for 50% of the system memory), starting a virtual machine with device passthrough, it will call pin_user_pages_remote(..., FOLL_LONGTERM, ...) to pin memory. Normally if a page is present and in CMA area, pin_user_pages_remote() will migrate the page from CMA area to non-CMA area because of FOLL_LONGTERM flag. But the current code will cause the migration failure due to unexpected page refcounts, and eventually cause the virtual machine fail to start. During CSV3 virtual machine startup, it will also call pin_user_pages_fast(..., FOLL_LONGTERM, ...) to pin shared memory in #NPF handler. If pin_user_pages_remote() and pin_user_pages_fast() pin a same page concurrently, it may lead to unexpected page refcounts. To solve the problem above, we use mmap_write_lock/unlock() to serialize the execution of pin_user_pages_remote() and pin_user_pages_fast(). Signed-off-by: yangge Signed-off-by: hanliyang --- arch/x86/kvm/svm/csv.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/svm/csv.c b/arch/x86/kvm/svm/csv.c index f0e2dda6468fa..f90a65c420cfa 100644 --- a/arch/x86/kvm/svm/csv.c +++ b/arch/x86/kvm/svm/csv.c @@ -2044,13 +2044,15 @@ static int csv3_pin_shared_memory(struct kvm_vcpu *vcpu, return -ENOMEM; hva = __gfn_to_hva_memslot(slot, gfn); - npinned = pin_user_pages_fast(hva, 1, FOLL_WRITE | FOLL_LONGTERM, - &page); + mmap_write_lock(current->mm); + npinned = pin_user_pages(hva, 1, FOLL_WRITE | FOLL_LONGTERM, &page); if (npinned != 1) { + mmap_write_unlock(current->mm); kmem_cache_free(csv->sp_slab, sp); return -ENOMEM; } + mmap_write_unlock(current->mm); sp->page = page; sp->gfn = gfn; shared_page_insert(&csv->sp_mgr, sp);