Re: [PATCH] KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds

From: Paolo Bonzini <pbonzini@redhat.com>
To: Sean Christopherson <seanjc@google.com>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>,
	Wanpeng Li <wanpengli@tencent.com>,
	Jim Mattson <jmattson@google.com>, Joerg Roedel <joro@8bytes.org>,
	kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	Ben Gardon <bgardon@google.com>
Subject: Re: [PATCH] KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds
Date: Thu, 5 Aug 2021 09:33:50 +0200	[thread overview]
Message-ID: <9527197a-2a81-832b-7391-80d646a5e212@redhat.com> (raw)
In-Reply-To: <20210804214609.1096003-1-seanjc@google.com>

On 04/08/21 23:46, Sean Christopherson wrote:
> Take a signed 'long' instead of an 'unsigned long' for the number of
> pages to add/subtract to the total number of pages used by the MMU.  This
> fixes a zero-extension bug on 32-bit kernels that effectively corrupts
> the per-cpu counter used by the shrinker.
> 
> Per-cpu counters take a signed 64-bit value on both 32-bit and 64-bit
> kernels, whereas kvm_mod_used_mmu_pages() takes an unsigned long and thus
> an unsigned 32-bit value on 32-bit kernels.  As a result, the value used
> to adjust the per-cpu counter is zero-extended (unsigned -> signed), not
> sign-extended (signed -> signed), and so KVM's intended -1 gets morphed to
> 4294967295 and effectively corrupts the counter.
> 
> This was found by a staggering amount of sheer dumb luck when running
> kvm-unit-tests on a 32-bit KVM build.  The shrinker just happened to kick
> in while running tests and do_shrink_slab() logged an error about trying
> to free a negative number of objects.  The truly lucky part is that the
> kernel just happened to be a slightly stale build, as the shrinker no
> longer yells about negative objects as of commit 18bb473e5031 ("mm:
> vmscan: shrink deferred objects proportional to priority").
> 
>   vmscan: shrink_slab: mmu_shrink_scan+0x0/0x210 [kvm] negative objects to delete nr=-858993460
> 
> Fixes: bc8a3d8925a8 ("kvm: mmu: Fix overflow on kvm mmu page limit calculation")
> Cc: stable@vger.kernel.org
> Cc: Ben Gardon <bgardon@google.com>
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
>   arch/x86/kvm/mmu/mmu.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
> index b4b65c21b2ca..082a0ba79edd 100644
> --- a/arch/x86/kvm/mmu/mmu.c
> +++ b/arch/x86/kvm/mmu/mmu.c
> @@ -1700,7 +1700,7 @@ static int is_empty_shadow_page(u64 *spt)
>    * aggregate version in order to make the slab shrinker
>    * faster
>    */
> -static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
> +static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, long nr)
>   {
>   	kvm->arch.n_used_mmu_pages += nr;
>   	percpu_counter_add(&kvm_total_used_mmu_pages, nr);
> 

Queued, thanks.

Paolo