[RFC PATCH 09/28] kvm: mmu: Free direct MMU page table memory in an RCU callback

From: Ben Gardon <bgardon@google.com>
To: kvm@vger.kernel.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	Peter Feiner <pfeiner@google.com>,
	Peter Shier <pshier@google.com>,
	Junaid Shahid <junaids@google.com>,
	Jim Mattson <jmattson@google.com>,
	Ben Gardon <bgardon@google.com>
Subject: [RFC PATCH 09/28] kvm: mmu: Free direct MMU page table memory in an RCU callback
Date: Thu, 26 Sep 2019 16:18:05 -0700	[thread overview]
Message-ID: <20190926231824.149014-10-bgardon@google.com> (raw)
In-Reply-To: <20190926231824.149014-1-bgardon@google.com>

The direct walk iterator, introduced in a later commit in this series,
uses RCU to ensure that its concurrent access to paging structure memory
is safe. This requires that page table memory not be freed until an RCU
grace period has elapsed. In order to keep the threads removing page
table memory from the paging structure from blocking, free the disonnected
page table memory in an RCU callback.

Signed-off-by: Ben Gardon <bgardon@google.com>
---
 arch/x86/kvm/mmu.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 788edbda02f69..9fe57ef7baa29 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -1685,6 +1685,21 @@ static bool __rmap_set_dirty(struct kvm *kvm, struct kvm_rmap_head *rmap_head)
 	return flush;
 }
 
+/*
+ * This function is called through call_rcu in order to free direct page table
+ * memory safely, with resepct to other KVM MMU threads that might be operating
+ * on it. By only accessing direct page table memory in a RCU read critical
+ * section, and freeing it after a grace period, lockless access to that memory
+ * won't use it after it is freed.
+ */
+static void free_pt_rcu_callback(struct rcu_head *rp)
+{
+	struct page *req = container_of(rp, struct page, rcu_head);
+	u64 *disconnected_pt = page_address(req);
+
+	free_page((unsigned long)disconnected_pt);
+}
+
 static void handle_changed_pte(struct kvm *kvm, int as_id, gfn_t gfn,
 			       u64 old_pte, u64 new_pte, int level);
 
@@ -1720,6 +1735,11 @@ static void mark_pte_disconnected(struct kvm *kvm, int as_id, gfn_t gfn,
  * Given a pointer to a page table that has been removed from the paging
  * structure and its level, recursively free child page tables and mark their
  * entries as disconnected.
+ *
+ * RCU dereferences are not necessary to protect access to the disconnected
+ * page table or its children because it has been atomically removed from the
+ * root of the paging structure, so no other thread will be trying to free the
+ * memory.
  */
 static void handle_disconnected_pt(struct kvm *kvm, int as_id,
 				   gfn_t pt_base_gfn, kvm_pfn_t pfn, int level)
@@ -1727,6 +1747,7 @@ static void handle_disconnected_pt(struct kvm *kvm, int as_id,
 	int i;
 	gfn_t gfn = pt_base_gfn;
 	u64 *pt = pfn_to_kaddr(pfn);
+	struct page *page;
 
 	for (i = 0; i < PT64_ENT_PER_PAGE; i++) {
 		/*
@@ -1739,7 +1760,12 @@ static void handle_disconnected_pt(struct kvm *kvm, int as_id,
 		gfn += KVM_PAGES_PER_HPAGE(level);
 	}
 
-	free_page((unsigned long)pt);
+	/*
+	 * Free the pt page in an RCU callback, once it's safe to do
+	 * so.
+	 */
+	page = pfn_to_page(pfn);
+	call_rcu(&page->rcu_head, free_pt_rcu_callback);
 }
 
 /**
-- 
2.23.0.444.g18eeb5a265-goog

