From nobody Sun Feb 8 02:26:49 2026
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1BC3CC001E0 for ; Fri, 21 Jul 2023 23:00:25 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231168AbjGUXAS (ORCPT ); Fri, 21 Jul 2023 19:00:18 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48630 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231132AbjGUXAO (ORCPT ); Fri, 21 Jul 2023 19:00:14 -0400
Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AE84B3A93 for ; Fri, 21 Jul 2023 16:00:12 -0700 (PDT)
Received: by mail-yb1-xb49.google.com with SMTP id 3f1490d57ef6-c5a479bc2d4so2311570276.1 for ; Fri, 21 Jul 2023 16:00:12 -0700 (PDT)
Reply-To: Sean Christopherson
Date: Fri, 21 Jul 2023 15:59:58 -0700
In-Reply-To: <20230721230006.2337941-1-seanjc@google.com>
Mime-Version: 1.0
References: <20230721230006.2337941-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.487.g6d72f3e995-goog
Message-ID: <20230721230006.2337941-2-seanjc@google.com>
Subject: [PATCH v2 1/9] KVM: x86/mmu: Delete rmap_printk() and all its usage
From: Sean Christopherson
To: Sean Christopherson , Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mingwei Zhang , David Matlack , Jim Mattson
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Delete rmap_printk() so that MMU_WARN_ON() and MMU_DEBUG can be morphed into something that can be regularly enabled for debug kernels.

The information provided by rmap_printk() isn't all that useful now that the rmap and unsync code is mature, as the prints are simultaneously too verbose (_lots_ of messages) and yet not verbose enough to be helpful for debug (most instances print just the SPTE pointer/value, which is rarely sufficient to root cause anything but trivial bugs).

Alternatively, rmap_printk() could be reworked into tracepoints, but it's not clear there is a real need as rmap bugs rarely escape initial development, and when bugs do escape to production, they are often edge cases and/or reside in code that isn't directly related to the rmaps. In other words, the problems with rmap_printk() being unhelpful also apply to tracepoints. And deleting rmap_printk() doesn't preclude adding tracepoints in the future.

Signed-off-by: Sean Christopherson
--- arch/x86/kvm/mmu/mmu.c | 12 ------------ arch/x86/kvm/mmu/mmu_internal.h | 2 -- 2 files changed, 14 deletions(-) diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index bc24d430db6e..8e36e07719bf 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -941,10 +941,8 @@ static int pte_list_add(struct kvm_mmu_memory_cache *c= ache, u64 *spte, int count =3D 0; =20 if (!rmap_head->val) { - rmap_printk("%p %llx 0->1\n", spte, *spte); rmap_head->val =3D (unsigned long)spte; } else if (!(rmap_head->val & 1)) { - rmap_printk("%p %llx 1->many\n", spte, *spte); desc =3D kvm_mmu_memory_cache_alloc(cache); desc->sptes[0] =3D (u64 *)rmap_head->val; desc->sptes[1] =3D spte; 
@@ -953,7 +951,6 @@ static int pte_list_add(struct kvm_mmu_memory_cache *ca= che, u64 *spte, rmap_head->val =3D (unsigned long)desc | 1; ++count; } else { - rmap_printk("%p %llx many->many\n", spte, *spte); desc =3D (struct pte_list_desc *)(rmap_head->val & ~1ul); count =3D desc->tail_count + desc->spte_count; =20 @@ -1018,14 +1015,12 @@ static void pte_list_remove(u64 *spte, struct kvm_r= map_head *rmap_head) pr_err("%s: %p 0->BUG\n", __func__, spte); BUG(); } else if (!(rmap_head->val & 1)) { - rmap_printk("%p 1->0\n", spte); if ((u64 *)rmap_head->val !=3D spte) { pr_err("%s: %p 1->BUG\n", __func__, spte); BUG(); } rmap_head->val =3D 0; } else { - rmap_printk("%p many->many\n", spte); desc =3D (struct pte_list_desc *)(rmap_head->val & ~1ul); while (desc) { for (i =3D 0; i < desc->spte_count; ++i) { @@ -1241,8 +1236,6 @@ static bool spte_write_protect(u64 *sptep, bool pt_pr= otect) !(pt_protect && is_mmu_writable_spte(spte))) return false; =20 - rmap_printk("spte %p %llx\n", sptep, *sptep); - if (pt_protect) spte &=3D ~shadow_mmu_writable_mask; spte =3D spte & ~PT_WRITABLE_MASK; @@ -1267,8 +1260,6 @@ static bool spte_clear_dirty(u64 *sptep) { u64 spte =3D *sptep; =20 - rmap_printk("spte %p %llx\n", sptep, *sptep); - MMU_WARN_ON(!spte_ad_enabled(spte)); spte &=3D ~shadow_dirty_mask; return mmu_spte_update(sptep, spte); @@ -1480,9 +1471,6 @@ static bool kvm_set_pte_rmap(struct kvm *kvm, struct = kvm_rmap_head *rmap_head, =20 restart: for_each_rmap_spte(rmap_head, &iter, sptep) { - rmap_printk("spte %p %llx gfn %llx (%d)\n", - sptep, *sptep, gfn, level); - need_flush =3D true; =20 if (pte_write(pte)) { diff --git a/arch/x86/kvm/mmu/mmu_internal.h b/arch/x86/kvm/mmu/mmu_interna= l.h index 4f1e4b327f40..9c9dd9340c63 100644 --- a/arch/x86/kvm/mmu/mmu_internal.h +++ b/arch/x86/kvm/mmu/mmu_internal.h 
@@ -11,10 +11,8 @@ #ifdef MMU_DEBUG extern bool dbg; =20 -#define rmap_printk(fmt, args...) do { if (dbg) printk("%s: " fmt, __func_= _, ## args); } while (0) #define MMU_WARN_ON(x) WARN_ON(x) #else -#define rmap_printk(x...) do { } while (0) #define MMU_WARN_ON(x) do { } while (0) #endif =20 --=20 2.41.0.487.g6d72f3e995-goog
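Review bot: in the pte_list_add() and pte_list_remove() hunks of mmu.c, the deleted format strings ("0->1", "1->many", "many->many", "1->0") were the only in-line description of which rmap_head state transition each branch handles. With them gone a reader has to decode "rmap_head->val & 1" and "(unsigned long)desc | 1" unaided, so consider a short comment above each if/else chain stating that bit 0 of rmap_head->val distinguishes a single SPTE pointer from a pointer to a pte_list_desc. The pr_err() strings that stay in pte_list_remove() ("0->BUG", "1->BUG") still use that vocabulary, which a comment would keep meaningful.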
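Review bot: in the mmu_internal.h hunk, "extern bool dbg;" survives as a context line under #ifdef MMU_DEBUG although rmap_printk(), the only macro in this block that read it, is removed on the next line. Either drop the declaration here together with its last user in this header, or say in the changelog that the declaration and its definition are removed by 2/9, so that this patch does not read as leaving a stray extern behind.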
Reply-To: Sean Christopherson
Date: Fri, 21 Jul 2023 15:59:59 -0700
In-Reply-To: <20230721230006.2337941-1-seanjc@google.com>
Mime-Version: 1.0
References: <20230721230006.2337941-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.487.g6d72f3e995-goog
Message-ID: <20230721230006.2337941-3-seanjc@google.com>
Subject: [PATCH v2 2/9] KVM: x86/mmu: Delete the "dbg" module param
From: Sean Christopherson
To: Sean Christopherson , Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mingwei Zhang , David Matlack , Jim Mattson
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Delete KVM's "dbg" module param now that its usage in KVM is gone (it used to guard pgprintk() and rmap_printk()).

Signed-off-by: Sean Christopherson --- arch/x86/kvm/mmu/mmu.c | 5 ----- arch/x86/kvm/mmu/mmu_internal.h | 2 -- 2 files changed, 7 deletions(-) diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index 8e36e07719bf..b16092d71d3f 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -115,11 +115,6 @@ static int max_huge_page_level __read_mostly; static int tdp_root_level __read_mostly; static int max_tdp_level __read_mostly; =20 -#ifdef MMU_DEBUG -bool dbg =3D 0; -module_param(dbg, bool, 0644); -#endif - #define PTE_PREFETCH_NUM 8 =20 #include diff --git a/arch/x86/kvm/mmu/mmu_internal.h b/arch/x86/kvm/mmu/mmu_interna= l.h index 9c9dd9340c63..9ea80e4d463c 100644 --- a/arch/x86/kvm/mmu/mmu_internal.h +++ b/arch/x86/kvm/mmu/mmu_internal.h 
@@ -9,8 +9,6 @@ #undef MMU_DEBUG =20 #ifdef MMU_DEBUG -extern bool dbg; - #define MMU_WARN_ON(x) WARN_ON(x) #else #define MMU_WARN_ON(x) do { } while (0) --=20 2.41.0.487.g6d72f3e995-goog
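Review bot: the changelog does not say whether removing module_param(dbg, bool, 0644) in the mmu.c hunk changes anything for existing builds, and a parameter registered with mode 0644 is root-writable at runtime, so its removal is a user-visible change wherever it was compiled in. The context of the mmu_internal.h hunk shows "#undef MMU_DEBUG" directly above the "#ifdef MMU_DEBUG" block, so as far as these lines show the parameter only exists when someone edits that header by hand. Stating that in the changelog would make it clear that no parameter which scripts or boot configuration could be setting disappears from stock kernels.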
Reply-To: Sean Christopherson
Date: Fri, 21 Jul 2023 16:00:00 -0700
In-Reply-To: <20230721230006.2337941-1-seanjc@google.com>
Mime-Version: 1.0
References: <20230721230006.2337941-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.487.g6d72f3e995-goog
Message-ID: <20230721230006.2337941-4-seanjc@google.com>
Subject: [PATCH v2 3/9] KVM: x86/mmu: Rename MMU_WARN_ON() to KVM_MMU_WARN_ON()
From: Sean Christopherson
To: Sean Christopherson , Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mingwei Zhang , David Matlack , Jim Mattson
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Rename MMU_WARN_ON() to make it super obvious that the assertions are all about KVM's MMU, not the primary MMU.

Signed-off-by: Sean Christopherson --- arch/x86/kvm/mmu/mmu.c | 4 ++-- arch/x86/kvm/mmu/mmu_internal.h | 4 ++-- arch/x86/kvm/mmu/spte.h | 8 ++++---- arch/x86/kvm/mmu/tdp_mmu.c | 8 ++++---- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index b16092d71d3f..c87539dd1ac0 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -1255,7 +1255,7 @@ static bool spte_clear_dirty(u64 *sptep) { u64 spte =3D *sptep; =20 - MMU_WARN_ON(!spte_ad_enabled(spte)); + KVM_MMU_WARN_ON(!spte_ad_enabled(spte)); spte &=3D ~shadow_dirty_mask; return mmu_spte_update(sptep, spte); } @@ -1735,7 +1735,7 @@ static void kvm_unaccount_mmu_page(struct kvm *kvm, s= truct kvm_mmu_page *sp) =20 static void kvm_mmu_free_shadow_page(struct kvm_mmu_page *sp) { - MMU_WARN_ON(!is_empty_shadow_page(sp->spt)); + KVM_MMU_WARN_ON(!is_empty_shadow_page(sp->spt)); hlist_del(&sp->hash_link); list_del(&sp->link); free_page((unsigned long)sp->spt); diff --git a/arch/x86/kvm/mmu/mmu_internal.h b/arch/x86/kvm/mmu/mmu_interna= l.h index 9ea80e4d463c..bb1649669bc9 100644 --- a/arch/x86/kvm/mmu/mmu_internal.h +++ b/arch/x86/kvm/mmu/mmu_internal.h @@ -9,9 +9,9 @@ #undef MMU_DEBUG =20 #ifdef MMU_DEBUG -#define MMU_WARN_ON(x) WARN_ON(x) +#define KVM_MMU_WARN_ON(x) WARN_ON(x) #else -#define MMU_WARN_ON(x) do { } while (0) +#define KVM_MMU_WARN_ON(x) do { } while (0) #endif =20 /* Page table builder macros common to shadow (host) PTEs and guest PTEs. = */ diff --git a/arch/x86/kvm/mmu/spte.h b/arch/x86/kvm/mmu/spte.h index 1279db2eab44..83e6614f3720 100644 --- a/arch/x86/kvm/mmu/spte.h +++ b/arch/x86/kvm/mmu/spte.h 
@@ -265,13 +265,13 @@ static inline bool sp_ad_disabled(struct kvm_mmu_page= *sp) =20 static inline bool spte_ad_enabled(u64 spte) { - MMU_WARN_ON(!is_shadow_present_pte(spte)); + KVM_MMU_WARN_ON(!is_shadow_present_pte(spte)); return (spte & SPTE_TDP_AD_MASK) !=3D SPTE_TDP_AD_DISABLED; } =20 static inline bool spte_ad_need_write_protect(u64 spte) { - MMU_WARN_ON(!is_shadow_present_pte(spte)); + KVM_MMU_WARN_ON(!is_shadow_present_pte(spte)); /* * This is benign for non-TDP SPTEs as SPTE_TDP_AD_ENABLED is '0', * and non-TDP SPTEs will never set these bits. Optimize for 64-bit @@ -282,13 +282,13 @@ static inline bool spte_ad_need_write_protect(u64 spt= e) =20 static inline u64 spte_shadow_accessed_mask(u64 spte) { - MMU_WARN_ON(!is_shadow_present_pte(spte)); + KVM_MMU_WARN_ON(!is_shadow_present_pte(spte)); return spte_ad_enabled(spte) ? shadow_accessed_mask : 0; } =20 static inline u64 spte_shadow_dirty_mask(u64 spte) { - MMU_WARN_ON(!is_shadow_present_pte(spte)); + KVM_MMU_WARN_ON(!is_shadow_present_pte(spte)); return spte_ad_enabled(spte) ? shadow_dirty_mask : 0; } =20 diff --git a/arch/x86/kvm/mmu/tdp_mmu.c b/arch/x86/kvm/mmu/tdp_mmu.c index 512163d52194..f881de40f9ef 100644 --- a/arch/x86/kvm/mmu/tdp_mmu.c +++ b/arch/x86/kvm/mmu/tdp_mmu.c @@ -1548,8 +1548,8 @@ static bool clear_dirty_gfn_range(struct kvm *kvm, st= ruct kvm_mmu_page *root, if (!is_shadow_present_pte(iter.old_spte)) continue; =20 - MMU_WARN_ON(kvm_ad_enabled() && - spte_ad_need_write_protect(iter.old_spte)); + KVM_MMU_WARN_ON(kvm_ad_enabled() && + spte_ad_need_write_protect(iter.old_spte)); =20 if (!(iter.old_spte & dbit)) continue; 
@@ -1607,8 +1607,8 @@ static void clear_dirty_pt_masked(struct kvm *kvm, st= ruct kvm_mmu_page *root, if (!mask) break; =20 - MMU_WARN_ON(kvm_ad_enabled() && - spte_ad_need_write_protect(iter.old_spte)); + KVM_MMU_WARN_ON(kvm_ad_enabled() && + spte_ad_need_write_protect(iter.old_spte)); =20 if (iter.level > PG_LEVEL_4K || !(mask & (1UL << (iter.gfn - gfn)))) --=20 2.41.0.487.g6d72f3e995-goog
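Review bot: in the mmu_internal.h hunk, the disabled variant of the renamed macro is still "do { } while (0)", which neither evaluates nor type-checks its argument, and the hunk context shows "#undef MMU_DEBUG" just above, so the expressions passed to KVM_MMU_WARN_ON() in spte.h and tdp_mmu.c are not compiled at all. Since the macro is being touched anyway, consider defining the stub as BUILD_BUG_ON_INVALID(x), which keeps the expression syntax-checked without generating code, so a later rename of is_shadow_present_pte() or spte_ad_need_write_protect() cannot silently break the debug build. A one-line comment that the macro is a statement and cannot be used as an if () condition, unlike WARN_ON(), would also help.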
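Review bot: in the spte.h hunks, spte_shadow_accessed_mask() and spte_shadow_dirty_mask() each assert !is_shadow_present_pte(spte) and then immediately call spte_ad_enabled(spte), which opens with the identical assertion. With the debug variant mapped to WARN_ON(), one violation produces two back-to-back splats from a single call. The rename is a good moment to drop the outer assertion in those two helpers, or to add a comment saying the duplication is intentional.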
Reply-To: Sean Christopherson
Date: Fri, 21 Jul 2023 16:00:01 -0700
In-Reply-To: <20230721230006.2337941-1-seanjc@google.com>
Mime-Version: 1.0
References: <20230721230006.2337941-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.487.g6d72f3e995-goog
Message-ID: <20230721230006.2337941-5-seanjc@google.com>
Subject: [PATCH v2 4/9] KVM: x86/mmu: Convert "runtime" WARN_ON() assertions to WARN_ON_ONCE()
From: Sean Christopherson
To: Sean Christopherson , Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mingwei Zhang , David Matlack , Jim Mattson
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Convert all "runtime" assertions, i.e. assertions that can be triggered while running vCPUs, from WARN_ON() to WARN_ON_ONCE().

Every WARN in the MMU that is tied to running vCPUs, i.e. not contained to loading and initializing KVM, is likely to fire _a lot_ when it does trigger. E.g. if KVM ends up with a bug that causes a root to be invalidated before the page fault handler is invoked, pretty much _every_ page fault VM-Exit triggers the WARN.

If a WARN is triggered frequently, the resulting spam usually causes a lot of damage of its own, e.g. consumes resources to log the WARN and pollutes the kernel log, often to the point where other useful information can be lost. In many cases, the damage caused by the spam is actually worse than the bug itself, e.g. KVM can almost always recover from an unexpectedly invalid root.

On the flip side, warning every time is rarely helpful for debug and triage, i.e. a single splat is usually sufficient to point a debugger in the right direction, and automated testing, e.g. syzkaller, typically runs with warn_on_panic=1, i.e. will never get past the first WARN anyways.

Lastly, when an assertion fails multiple times, the stack traces in KVM are almost always identical, i.e. the full splat only needs to be captured once. And _if_ there is value in capturing information about the failed assert, a ratelimited printk() is sufficient and less likely to rack up a large amount of collateral damage.

Signed-off-by: Sean Christopherson --- arch/x86/kvm/mmu/mmu.c | 48 ++++++++++++++++----------------- arch/x86/kvm/mmu/mmu_internal.h | 2 +- arch/x86/kvm/mmu/page_track.c | 16 +++++------ arch/x86/kvm/mmu/paging_tmpl.h | 4 +-- arch/x86/kvm/mmu/spte.c | 4 +-- arch/x86/kvm/mmu/tdp_iter.c | 4 +-- arch/x86/kvm/mmu/tdp_mmu.c | 20 +++++++------- 7 files changed, 49 insertions(+), 49 deletions(-) diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index c87539dd1ac0..eb6af9c4cf14 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -485,7 +485,7 @@ static u64 __get_spte_lockless(u64 *sptep) */ static void mmu_spte_set(u64 *sptep, u64 new_spte) { - WARN_ON(is_shadow_present_pte(*sptep)); + WARN_ON_ONCE(is_shadow_present_pte(*sptep)); __set_spte(sptep, new_spte); } =20 @@ -497,7 +497,7 @@ static u64 mmu_spte_update_no_track(u64 *sptep, u64 new= _spte) { u64 old_spte =3D *sptep; =20 - WARN_ON(!is_shadow_present_pte(new_spte)); + WARN_ON_ONCE(!is_shadow_present_pte(new_spte)); check_spte_writable_invariants(new_spte); =20 if (!is_shadow_present_pte(old_spte)) { @@ -510,7 +510,7 @@ static u64 mmu_spte_update_no_track(u64 *sptep, u64 new= _spte) else old_spte =3D __update_clear_spte_slow(sptep, new_spte); =20 - WARN_ON(spte_to_pfn(old_spte) !=3D spte_to_pfn(new_spte)); + WARN_ON_ONCE(spte_to_pfn(old_spte) !=3D spte_to_pfn(new_spte)); =20 return old_spte; } @@ -592,7 +592,7 @@ static u64 mmu_spte_clear_track_bits(struct kvm *kvm, u= 64 *sptep) * by a refcounted page, the refcount is elevated. */ page =3D kvm_pfn_to_refcounted_page(pfn); - WARN_ON(page && !page_count(page)); + WARN_ON_ONCE(page && !page_count(page)); =20 if (is_accessed_spte(old_spte)) kvm_set_pfn_accessed(pfn); 
@@ -807,7 +807,7 @@ static void update_gfn_disallow_lpage_count(const struc= t kvm_memory_slot *slot, for (i =3D PG_LEVEL_2M; i <=3D KVM_MAX_HUGEPAGE_LEVEL; ++i) { linfo =3D lpage_info_slot(gfn, slot, i); linfo->disallow_lpage +=3D count; - WARN_ON(linfo->disallow_lpage < 0); + WARN_ON_ONCE(linfo->disallow_lpage < 0); } } =20 @@ -1202,7 +1202,7 @@ static void drop_large_spte(struct kvm *kvm, u64 *spt= ep, bool flush) struct kvm_mmu_page *sp; =20 sp =3D sptep_to_sp(sptep); - WARN_ON(sp->role.level =3D=3D PG_LEVEL_4K); + WARN_ON_ONCE(sp->role.level =3D=3D PG_LEVEL_4K); =20 drop_spte(kvm, sptep); =20 @@ -1461,7 +1461,7 @@ static bool kvm_set_pte_rmap(struct kvm *kvm, struct = kvm_rmap_head *rmap_head, u64 new_spte; kvm_pfn_t new_pfn; =20 - WARN_ON(pte_huge(pte)); + WARN_ON_ONCE(pte_huge(pte)); new_pfn =3D pte_pfn(pte); =20 restart: @@ -1823,7 +1823,7 @@ static int mmu_pages_add(struct kvm_mmu_pages *pvec, = struct kvm_mmu_page *sp, static inline void clear_unsync_child_bit(struct kvm_mmu_page *sp, int idx) { --sp->unsync_children; - WARN_ON((int)sp->unsync_children < 0); + WARN_ON_ONCE((int)sp->unsync_children < 0); __clear_bit(idx, sp->unsync_child_bitmap); } =20 @@ -1881,7 +1881,7 @@ static int mmu_unsync_walk(struct kvm_mmu_page *sp, =20 static void kvm_unlink_unsync_page(struct kvm *kvm, struct kvm_mmu_page *s= p) { - WARN_ON(!sp->unsync); + WARN_ON_ONCE(!sp->unsync); trace_kvm_mmu_sync_page(sp); sp->unsync =3D 0; --kvm->stat.mmu_unsync; @@ -2056,11 +2056,11 @@ static int mmu_pages_first(struct kvm_mmu_pages *pv= ec, if (pvec->nr =3D=3D 0) return 0; =20 - WARN_ON(pvec->page[0].idx !=3D INVALID_INDEX); + WARN_ON_ONCE(pvec->page[0].idx !=3D INVALID_INDEX); =20 sp =3D pvec->page[0].sp; level =3D sp->role.level; - WARN_ON(level =3D=3D PG_LEVEL_4K); + WARN_ON_ONCE(level =3D=3D PG_LEVEL_4K); =20 parents->parent[level-2] =3D sp; =20 
@@ -2082,7 +2082,7 @@ static void mmu_pages_clear_parents(struct mmu_page_p= ath *parents) if (!sp) return; =20 - WARN_ON(idx =3D=3D INVALID_INDEX); + WARN_ON_ONCE(idx =3D=3D INVALID_INDEX); clear_unsync_child_bit(sp, idx); level++; } while (!sp->unsync_children); @@ -2203,7 +2203,7 @@ static struct kvm_mmu_page *kvm_mmu_find_shadow_page(= struct kvm *kvm, if (ret < 0) break; =20 - WARN_ON(!list_empty(&invalid_list)); + WARN_ON_ONCE(!list_empty(&invalid_list)); if (ret > 0) kvm_flush_remote_tlbs(kvm); } @@ -2658,7 +2658,7 @@ static void kvm_mmu_commit_zap_page(struct kvm *kvm, kvm_flush_remote_tlbs(kvm); =20 list_for_each_entry_safe(sp, nsp, invalid_list, link) { - WARN_ON(!sp->role.invalid || sp->root_count); + WARN_ON_ONCE(!sp->role.invalid || sp->root_count); kvm_mmu_free_shadow_page(sp); } } @@ -2853,7 +2853,7 @@ int mmu_try_to_unsync_pages(struct kvm *kvm, const st= ruct kvm_memory_slot *slot, continue; } =20 - WARN_ON(sp->role.level !=3D PG_LEVEL_4K); + WARN_ON_ONCE(sp->role.level !=3D PG_LEVEL_4K); kvm_unsync_page(kvm, sp); } if (locked) @@ -3006,7 +3006,7 @@ static void __direct_pte_prefetch(struct kvm_vcpu *vc= pu, u64 *spte, *start =3D NULL; int i; =20 - WARN_ON(!sp->role.direct); + WARN_ON_ONCE(!sp->role.direct); =20 i =3D spte_index(sptep) & ~(PTE_PREFETCH_NUM - 1); spte =3D sp->spt + i; @@ -3552,7 +3552,7 @@ static void mmu_free_root_page(struct kvm *kvm, hpa_t= *root_hpa, * SPTE to ensure any non-PA bits are dropped. */ sp =3D spte_to_child_sp(*root_hpa); - if (WARN_ON(!sp)) + if (WARN_ON_ONCE(!sp)) return; =20 if (is_tdp_mmu_page(sp)) @@ -4167,7 +4167,7 @@ static int handle_mmio_page_fault(struct kvm_vcpu *vc= pu, u64 addr, bool direct) return RET_PF_EMULATE; =20 reserved =3D get_mmio_spte(vcpu, addr, &spte); - if (WARN_ON(reserved)) + if (WARN_ON_ONCE(reserved)) return -EINVAL; =20 if (is_mmio_spte(spte)) { 
@@ -5502,9 +5502,9 @@ void kvm_mmu_unload(struct kvm_vcpu *vcpu) struct kvm *kvm =3D vcpu->kvm; =20 kvm_mmu_free_roots(kvm, &vcpu->arch.root_mmu, KVM_MMU_ROOTS_ALL); - WARN_ON(VALID_PAGE(vcpu->arch.root_mmu.root.hpa)); + WARN_ON_ONCE(VALID_PAGE(vcpu->arch.root_mmu.root.hpa)); kvm_mmu_free_roots(kvm, &vcpu->arch.guest_mmu, KVM_MMU_ROOTS_ALL); - WARN_ON(VALID_PAGE(vcpu->arch.guest_mmu.root.hpa)); + WARN_ON_ONCE(VALID_PAGE(vcpu->arch.guest_mmu.root.hpa)); vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY); } =20 @@ -5708,7 +5708,7 @@ int noinline kvm_mmu_page_fault(struct kvm_vcpu *vcpu= , gpa_t cr2_or_gpa, u64 err int r, emulation_type =3D EMULTYPE_PF; bool direct =3D vcpu->arch.mmu->root_role.direct; =20 - if (WARN_ON(!VALID_PAGE(vcpu->arch.mmu->root.hpa))) + if (WARN_ON_ONCE(!VALID_PAGE(vcpu->arch.mmu->root.hpa))) return RET_PF_RETRY; =20 r =3D RET_PF_INVALID; @@ -6065,7 +6065,7 @@ static void kvm_zap_obsolete_pages(struct kvm *kvm) * pages. Skip the bogus page, otherwise we'll get stuck in an * infinite loop if the page gets put back on the list (again). */ - if (WARN_ON(sp->role.invalid)) + if (WARN_ON_ONCE(sp->role.invalid)) continue; =20 /* @@ -6707,7 +6707,7 @@ void kvm_mmu_zap_all(struct kvm *kvm) write_lock(&kvm->mmu_lock); restart: list_for_each_entry_safe(sp, node, &kvm->arch.active_mmu_pages, link) { - if (WARN_ON(sp->role.invalid)) + if (WARN_ON_ONCE(sp->role.invalid)) continue; if (__kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list, &ign)) goto restart; @@ -6725,7 +6725,7 @@ void kvm_mmu_zap_all(struct kvm *kvm) =20 void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm, u64 gen) { - WARN_ON(gen & KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS); + WARN_ON_ONCE(gen & KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS); =20 gen &=3D MMIO_SPTE_GEN_MASK; =20 diff --git a/arch/x86/kvm/mmu/mmu_internal.h b/arch/x86/kvm/mmu/mmu_interna= l.h index bb1649669bc9..cfe925fefa68 100644 --- a/arch/x86/kvm/mmu/mmu_internal.h +++ b/arch/x86/kvm/mmu/mmu_internal.h 
@@ -9,7 +9,7 @@ #undef MMU_DEBUG =20 #ifdef MMU_DEBUG -#define KVM_MMU_WARN_ON(x) WARN_ON(x) +#define KVM_MMU_WARN_ON(x) WARN_ON_ONCE(x) #else #define KVM_MMU_WARN_ON(x) do { } while (0) #endif diff --git a/arch/x86/kvm/mmu/page_track.c b/arch/x86/kvm/mmu/page_track.c index 0a2ac438d647..fd16918b3a7a 100644 --- a/arch/x86/kvm/mmu/page_track.c +++ b/arch/x86/kvm/mmu/page_track.c @@ -94,7 +94,7 @@ static void update_gfn_track(struct kvm_memory_slot *slot= , gfn_t gfn, =20 val =3D slot->arch.gfn_track[mode][index]; =20 - if (WARN_ON(val + count < 0 || val + count > USHRT_MAX)) + if (WARN_ON_ONCE(val + count < 0 || val + count > USHRT_MAX)) return; =20 slot->arch.gfn_track[mode][index] +=3D count; @@ -117,11 +117,11 @@ void kvm_slot_page_track_add_page(struct kvm *kvm, enum kvm_page_track_mode mode) { =20 - if (WARN_ON(!page_track_mode_is_valid(mode))) + if (WARN_ON_ONCE(!page_track_mode_is_valid(mode))) return; =20 - if (WARN_ON(mode =3D=3D KVM_PAGE_TRACK_WRITE && - !kvm_page_track_write_tracking_enabled(kvm))) + if (WARN_ON_ONCE(mode =3D=3D KVM_PAGE_TRACK_WRITE && + !kvm_page_track_write_tracking_enabled(kvm))) return; =20 update_gfn_track(slot, gfn, mode, 1); @@ -155,11 +155,11 @@ void kvm_slot_page_track_remove_page(struct kvm *kvm, struct kvm_memory_slot *slot, gfn_t gfn, enum kvm_page_track_mode mode) { - if (WARN_ON(!page_track_mode_is_valid(mode))) + if (WARN_ON_ONCE(!page_track_mode_is_valid(mode))) return; =20 - if (WARN_ON(mode =3D=3D KVM_PAGE_TRACK_WRITE && - !kvm_page_track_write_tracking_enabled(kvm))) + if (WARN_ON_ONCE(mode =3D=3D KVM_PAGE_TRACK_WRITE && + !kvm_page_track_write_tracking_enabled(kvm))) return; =20 update_gfn_track(slot, gfn, mode, -1); @@ -181,7 +181,7 @@ bool kvm_slot_page_track_is_active(struct kvm *kvm, { int index; =20 - if (WARN_ON(!page_track_mode_is_valid(mode))) + if (WARN_ON_ONCE(!page_track_mode_is_valid(mode))) return false; =20 if (!slot) 
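Review bot: for the mmu.c hunks that both warn and bail out, e.g. "if (WARN_ON_ONCE(!VALID_PAGE(vcpu->arch.mmu->root.hpa))) return RET_PF_RETRY;" in kvm_mmu_page_fault() and "if (WARN_ON_ONCE(reserved)) return -EINVAL;" in handle_mmio_page_fault(), the changelog should state that the once-only state is per call site and not per VM. After the first splat, the same assertion failing for a different VM on the same host is no longer logged, while the error return is still taken every time. Anyone watching the kernel log for KVM MMU warnings will therefore see at most one event per site. If per-occurrence visibility matters on any of these paths, the ratelimited printk() the changelog mentions would be the place to add it, and it is worth naming which sites, if any, qualify.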
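Review bot: in the update_gfn_track() hunk of page_track.c, "if (WARN_ON_ONCE(val + count < 0 || val + count > USHRT_MAX)) return;" keeps refusing the update on every out-of-range call, which is correct because the macro still evaluates to the condition, but every refusal after the first is now silent. Each one leaves slot->arch.gfn_track[mode][index] out of step with what the caller of kvm_slot_page_track_add_page() or kvm_slot_page_track_remove_page() believes it holds. Consider a ratelimited message carrying gfn and mode on this path, or a comment explaining why a single report is enough here.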
diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h index 7a97f769a7cb..a3fc7c1a7f8d 100644 --- a/arch/x86/kvm/mmu/paging_tmpl.h +++ b/arch/x86/kvm/mmu/paging_tmpl.h @@ -633,7 +633,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, struct k= vm_page_fault *fault, if (FNAME(gpte_changed)(vcpu, gw, top_level)) goto out_gpte_changed; =20 - if (WARN_ON(!VALID_PAGE(vcpu->arch.mmu->root.hpa))) + if (WARN_ON_ONCE(!VALID_PAGE(vcpu->arch.mmu->root.hpa))) goto out_gpte_changed; =20 for_each_shadow_entry(vcpu, fault->addr, it) { @@ -830,7 +830,7 @@ static gpa_t FNAME(get_level1_sp_gpa)(struct kvm_mmu_pa= ge *sp) { int offset =3D 0; =20 - WARN_ON(sp->role.level !=3D PG_LEVEL_4K); + WARN_ON_ONCE(sp->role.level !=3D PG_LEVEL_4K); =20 if (PTTYPE =3D=3D 32) offset =3D sp->role.quadrant << SPTE_LEVEL_BITS; diff --git a/arch/x86/kvm/mmu/spte.c b/arch/x86/kvm/mmu/spte.c index 438a86bda9f3..4a599130e9c9 100644 --- a/arch/x86/kvm/mmu/spte.c +++ b/arch/x86/kvm/mmu/spte.c @@ -61,7 +61,7 @@ static u64 generation_mmio_spte_mask(u64 gen) { u64 mask; =20 - WARN_ON(gen & ~MMIO_SPTE_GEN_MASK); + WARN_ON_ONCE(gen & ~MMIO_SPTE_GEN_MASK); =20 mask =3D (gen << MMIO_SPTE_GEN_LOW_SHIFT) & MMIO_SPTE_GEN_LOW_MASK; mask |=3D (gen << MMIO_SPTE_GEN_HIGH_SHIFT) & MMIO_SPTE_GEN_HIGH_MASK; @@ -240,7 +240,7 @@ bool make_spte(struct kvm_vcpu *vcpu, struct kvm_mmu_pa= ge *sp, =20 if ((spte & PT_WRITABLE_MASK) && kvm_slot_dirty_track_enabled(slot)) { /* Enforced by kvm_mmu_hugepage_adjust. */ - WARN_ON(level > PG_LEVEL_4K); + WARN_ON_ONCE(level > PG_LEVEL_4K); mark_page_dirty_in_slot(vcpu->kvm, slot, gfn); } =20 diff --git a/arch/x86/kvm/mmu/tdp_iter.c b/arch/x86/kvm/mmu/tdp_iter.c index d2eb0d4f8710..5bb09f8d9fc6 100644 --- a/arch/x86/kvm/mmu/tdp_iter.c +++ b/arch/x86/kvm/mmu/tdp_iter.c 
@@ -41,8 +41,8 @@ void tdp_iter_start(struct tdp_iter *iter, struct kvm_mmu= _page *root, { int root_level =3D root->role.level; =20 - WARN_ON(root_level < 1); - WARN_ON(root_level > PT64_ROOT_MAX_LEVEL); + WARN_ON_ONCE(root_level < 1); + WARN_ON_ONCE(root_level > PT64_ROOT_MAX_LEVEL); =20 iter->next_last_level_gfn =3D next_last_level_gfn; iter->root_level =3D root_level; diff --git a/arch/x86/kvm/mmu/tdp_mmu.c b/arch/x86/kvm/mmu/tdp_mmu.c index f881de40f9ef..b2068c47f78c 100644 --- a/arch/x86/kvm/mmu/tdp_mmu.c +++ b/arch/x86/kvm/mmu/tdp_mmu.c @@ -475,9 +475,9 @@ static void handle_changed_spte(struct kvm *kvm, int as= _id, gfn_t gfn, bool is_leaf =3D is_present && is_last_spte(new_spte, level); bool pfn_changed =3D spte_to_pfn(old_spte) !=3D spte_to_pfn(new_spte); =20 - WARN_ON(level > PT64_ROOT_MAX_LEVEL); - WARN_ON(level < PG_LEVEL_4K); - WARN_ON(gfn & (KVM_PAGES_PER_HPAGE(level) - 1)); + WARN_ON_ONCE(level > PT64_ROOT_MAX_LEVEL); + WARN_ON_ONCE(level < PG_LEVEL_4K); + WARN_ON_ONCE(gfn & (KVM_PAGES_PER_HPAGE(level) - 1)); =20 /* * If this warning were to trigger it would indicate that there was a @@ -522,9 +522,9 @@ static void handle_changed_spte(struct kvm *kvm, int as= _id, gfn_t gfn, * impact the guest since both the former and current SPTEs * are nonpresent. */ - if (WARN_ON(!is_mmio_spte(old_spte) && - !is_mmio_spte(new_spte) && - !is_removed_spte(new_spte))) + if (WARN_ON_ONCE(!is_mmio_spte(old_spte) && + !is_mmio_spte(new_spte) && + !is_removed_spte(new_spte))) pr_err("Unexpected SPTE change! Nonpresent SPTEs\n" "should not be replaced with another,\n" "different nonpresent SPTE, unless one or both\n" 
@@ -661,7 +661,7 @@ static u64 tdp_mmu_set_spte(struct kvm *kvm, int as_id,= tdp_ptep_t sptep, * should be used. If operating under the MMU lock in write mode, the * use of the removed SPTE should not be necessary. */ - WARN_ON(is_removed_spte(old_spte) || is_removed_spte(new_spte)); + WARN_ON_ONCE(is_removed_spte(old_spte) || is_removed_spte(new_spte)); =20 old_spte =3D kvm_tdp_mmu_write_spte(sptep, old_spte, new_spte, level); =20 @@ -709,7 +709,7 @@ static inline bool __must_check tdp_mmu_iter_cond_resch= ed(struct kvm *kvm, struct tdp_iter *iter, bool flush, bool shared) { - WARN_ON(iter->yielded); + WARN_ON_ONCE(iter->yielded); =20 /* Ensure forward progress has been made before yielding. */ if (iter->next_last_level_gfn =3D=3D iter->yielded_gfn) @@ -728,7 +728,7 @@ static inline bool __must_check tdp_mmu_iter_cond_resch= ed(struct kvm *kvm, =20 rcu_read_lock(); =20 - WARN_ON(iter->gfn > iter->next_last_level_gfn); + WARN_ON_ONCE(iter->gfn > iter->next_last_level_gfn); =20 iter->yielded =3D true; } 
@@ -1241,7 +1241,7 @@ static bool set_spte_gfn(struct kvm *kvm, struct tdp_= iter *iter, u64 new_spte; =20 /* Huge pages aren't expected to be modified without first being zapped. = */ - WARN_ON(pte_huge(range->pte) || range->start + 1 !=3D range->end); + WARN_ON_ONCE(pte_huge(range->pte) || range->start + 1 !=3D range->end); =20 if (iter->level !=3D PG_LEVEL_4K || !is_shadow_present_pte(iter->old_spte)) --=20 2.41.0.487.g6d72f3e995-goog
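Review bot: In handle_changed_spte() (tdp_mmu.c, the hunk at -522), WARN_ON_ONCE() still evaluates to the condition on every call, so the pr_err("Unexpected SPTE change! ...") it guards keeps printing on each hit and only the backtrace is limited to once. If the goal is to keep a misbehaving VM from flooding the log, fold the text into the one-shot warning with WARN_ONCE() or switch the message to pr_err_ratelimited(). The converted `if (WARN_ON_ONCE(...)) return;` and `continue;` sites elsewhere in the patch are fine for the same reason: the early exit still runs every time the condition is true.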
Date: Fri, 21 Jul 2023 16:00:02 -0700
In-Reply-To: <20230721230006.2337941-1-seanjc@google.com>
References: <20230721230006.2337941-1-seanjc@google.com>
Message-ID: <20230721230006.2337941-6-seanjc@google.com>
Subject: [PATCH v2 5/9] KVM: x86/mmu: Bug the VM if a vCPU ends up in long mode without PAE enabled
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mingwei Zhang, David Matlack, Jim Mattson

Promote the ASSERT(), which is quite dead code in KVM, into a KVM_BUG_ON() for KVM's sanity check that CR4.PAE=1 if the vCPU is in long mode when performing a walk of guest page tables. The sanity is quite cheap since neither EFER nor CR4.PAE requires a VMREAD, especially relative to the cost of walking the guest page tables.

More importantly, the sanity check would have prevented the true badness fixed by commit 112e66017bff ("KVM: nVMX: add missing consistency checks for CR0 and CR4"). The missed consistency check resulted in some versions of KVM corrupting the on-stack guest_walker structure due to KVM thinking there are 4/5 levels of page tables, but wiring up the MMU hooks to point at the paging32 implementation, which only allocates space for two levels of page tables in "struct guest_walker32".

Queue a page fault for injection if the assertion fails, as both callers, FNAME(gva_to_gpa) and FNAME(walk_addr_generic), assume that walker.fault contains sane info on a walk failure. E.g. not populating the fault info could result in KVM consuming and/or exposing uninitialized stack data before the vCPU is kicked out to userspace, which doesn't happen until KVM checks for KVM_REQ_VM_DEAD on the next enter.

Move the check below the initialization of "pte_access" so that the aforementioned to-be-injected page fault doesn't consume uninitialized stack data. The information _shouldn't_ reach the guest or userspace, but there's zero downside to being paranoid in this case.

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/mmu/paging_tmpl.h | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h index a3fc7c1a7f8d..f8d358226ac6 100644 --- a/arch/x86/kvm/mmu/paging_tmpl.h +++ b/arch/x86/kvm/mmu/paging_tmpl.h @@ -338,7 +338,6 @@ static int FNAME(walk_addr_generic)(struct guest_walker= *walker, } #endif walker->max_level =3D walker->level; - ASSERT(!(is_long_mode(vcpu) && !is_pae(vcpu))); =20 /* * FIXME: on Intel processors, loads of the PDPTE registers for PAE paging 
@@ -348,6 +347,17 @@ static int FNAME(walk_addr_generic)(struct guest_walke= r *walker, nested_access =3D (have_ad ? PFERR_WRITE_MASK : 0) | PFERR_USER_MASK; =20 pte_access =3D ~0; + + /* + * Queue a page fault for injection if this assertion fails, as callers + * assume that walker.fault contains sane info on a walk failure. I.e. + * avoid making the situation worse by inducing even worse badness + * between when the assertion fails and when KVM kicks the vCPU out to + * userspace (because the VM is bugged). + */ + if (KVM_BUG_ON(is_long_mode(vcpu) && !is_pae(vcpu), vcpu->kvm)) + goto error; + ++walker->level; =20 do { --=20 2.41.0.487.g6d72f3e995-goog
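Review bot: The new comment above the KVM_BUG_ON() in FNAME(walk_addr_generic) explains why a fault is queued but not why the check has to sit after `pte_access = ~0`, and that ordering is the part a later cleanup is most likely to break. The changelog gives the reason (the to-be-injected fault would otherwise consume uninitialized stack data), so please carry that sentence into the comment; otherwise hoisting the check back up next to `walker->max_level = walker->level`, where the ASSERT() used to be, looks like a harmless tidy-up.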
Date: Fri, 21 Jul 2023 16:00:03 -0700
In-Reply-To: <20230721230006.2337941-1-seanjc@google.com>
References: <20230721230006.2337941-1-seanjc@google.com>
Message-ID: <20230721230006.2337941-7-seanjc@google.com>
Subject: [PATCH v2 6/9] KVM: x86/mmu: Replace MMU_DEBUG with proper KVM_PROVE_MMU Kconfig
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mingwei Zhang, David Matlack, Jim Mattson

Replace MMU_DEBUG, which requires manually modifying KVM to enable the macro, with a proper Kconfig, KVM_PROVE_MMU. Now that pgprintk() and rmap_printk() are gone, i.e. the macro guards only KVM_MMU_WARN_ON() and won't flood the kernel logs, enabling the option for debug kernels is both desirable and feasible.

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/Kconfig | 13 +++++++++++++
 arch/x86/kvm/mmu/mmu.c | 4 ++--
 arch/x86/kvm/mmu/mmu_internal.h | 4 +---
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig index 89ca7f4c1464..4e5a282cc518 100644 --- a/arch/x86/kvm/Kconfig +++ b/arch/x86/kvm/Kconfig @@ -138,6 +138,19 @@ config KVM_XEN =20 If in doubt, say "N". =20 +config KVM_PROVE_MMU + bool "Prove KVM MMU correctness" + depends on DEBUG_KERNEL + depends on KVM + depends on EXPERT + help + Enables runtime assertions in KVM's MMU that are too costly to enable + in anything remotely resembling a production environment, e.g. this + gates code that verifies a to-be-freed page table doesn't have any + present SPTEs. + + If in doubt, say "N". + config KVM_EXTERNAL_WRITE_TRACKING bool =20 diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index eb6af9c4cf14..933e48a73a9a 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -1693,7 +1693,7 @@ bool kvm_test_age_gfn(struct kvm *kvm, struct kvm_gfn= _range *range) return young; } =20 -#ifdef MMU_DEBUG +#ifdef CONFIG_KVM_PROVE_MMU static int is_empty_shadow_page(u64 *spt) { u64 *pos; 
@@ -1707,7 +1707,7 @@ static int is_empty_shadow_page(u64 *spt) } return 1; } -#endif +#endif /* CONFIG_KVM_PROVE_MMU */ =20 /* * This value is the sum of all of the kvm instances's diff --git a/arch/x86/kvm/mmu/mmu_internal.h b/arch/x86/kvm/mmu/mmu_interna= l.h index cfe925fefa68..40e74db6a7d5 100644 --- a/arch/x86/kvm/mmu/mmu_internal.h +++ b/arch/x86/kvm/mmu/mmu_internal.h 
@@ -6,9 +6,7 @@ #include #include =20 -#undef MMU_DEBUG - -#ifdef MMU_DEBUG +#ifdef CONFIG_KVM_PROVE_MMU #define KVM_MMU_WARN_ON(x) WARN_ON_ONCE(x) #else #define KVM_MMU_WARN_ON(x) do { } while (0) --=20 2.41.0.487.g6d72f3e995-goog
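Review bot: The KVM_PROVE_MMU help text in the Kconfig hunk describes only the runtime cost and says nothing about what a failed assertion does. With the option set, KVM_MMU_WARN_ON() is WARN_ON_ONCE(), so a tripped check is a host-level WARN, and a debug kernel booted with panic_on_warn will panic instead of logging. One sentence in the help saying that the assertions WARN (once per site) would let people enabling this on shared test hosts decide with that in mind.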
Date: Fri, 21 Jul 2023 16:00:04 -0700
In-Reply-To: <20230721230006.2337941-1-seanjc@google.com>
References: <20230721230006.2337941-1-seanjc@google.com>
Message-ID: <20230721230006.2337941-8-seanjc@google.com>
Subject: [PATCH v2 7/9] KVM: x86/mmu: Use BUILD_BUG_ON_INVALID() for KVM_MMU_WARN_ON() stub
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mingwei Zhang, David Matlack, Jim Mattson

Use BUILD_BUG_ON_INVALID() instead of an empty do-while loop to stub out KVM_MMU_WARN_ON() when CONFIG_KVM_PROVE_MMU=n, that way _some_ build issues with the usage of KVM_MMU_WARN_ON() will be detected even if the kernel is using the stubs, e.g. basic syntax errors will be detected.

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/mmu/mmu_internal.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/mmu/mmu_internal.h b/arch/x86/kvm/mmu/mmu_interna= l.h index 40e74db6a7d5..f1ef670058e5 100644 --- a/arch/x86/kvm/mmu/mmu_internal.h +++ b/arch/x86/kvm/mmu/mmu_internal.h 
@@ -9,7 +9,7 @@ #ifdef CONFIG_KVM_PROVE_MMU #define KVM_MMU_WARN_ON(x) WARN_ON_ONCE(x) #else -#define KVM_MMU_WARN_ON(x) do { } while (0) +#define KVM_MMU_WARN_ON(x) BUILD_BUG_ON_INVALID(x) #endif =20 /* Page table builder macros common to shadow (host) PTEs and guest PTEs. = */ --=20 2.41.0.487.g6d72f3e995-goog
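Review bot: With the `#else` stub now `BUILD_BUG_ON_INVALID(x)`, every KVM_MMU_WARN_ON() argument has to compile when CONFIG_KVM_PROVE_MMU=n, including any helper the expression calls. Patch 6/9 leaves is_empty_shadow_page() inside `#ifdef CONFIG_KVM_PROVE_MMU` in mmu.c, so a KVM_MMU_WARN_ON() that calls it would no longer build in the =n configuration, whereas the old empty do-while discarded the argument unparsed. Please build-test with the option off, and either drop that #ifdef or keep the calling assertion under the same guard.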
Date: Fri, 21 Jul 2023 16:00:05 -0700
In-Reply-To: <20230721230006.2337941-1-seanjc@google.com>
References: <20230721230006.2337941-1-seanjc@google.com>
Message-ID: <20230721230006.2337941-9-seanjc@google.com>
Subject: [PATCH v2 8/9] KVM: x86/mmu: Plumb "struct kvm" all the way to pte_list_remove()
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mingwei Zhang, David Matlack, Jim Mattson
From: Mingwei Zhang

Plumb "struct kvm" all the way to pte_list_remove() to allow the usage of KVM_BUG() and/or KVM_BUG_ON(). This will allow killing only the offending VM instead of doing BUG() if the kernel is built with CONFIG_BUG_ON_DATA_CORRUPTION=n, i.e. does NOT want to BUG() if KVM's data structures (rmaps) appear to be corrupted.

Signed-off-by: Mingwei Zhang
[sean: tweak changelog]
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/mmu/mmu.c | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index 933e48a73a9a..b6cc261d7748 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -965,7 +965,8 @@ static int pte_list_add(struct kvm_mmu_memory_cache *ca= che, u64 *spte, return count; } =20 -static void pte_list_desc_remove_entry(struct kvm_rmap_head *rmap_head, +static void pte_list_desc_remove_entry(struct kvm *kvm, + struct kvm_rmap_head *rmap_head, struct pte_list_desc *desc, int i) { struct pte_list_desc *head_desc =3D (struct pte_list_desc *)(rmap_head->v= al & ~1ul); @@ -1001,7 +1002,8 @@ static void pte_list_desc_remove_entry(struct kvm_rma= p_head *rmap_head, mmu_free_pte_list_desc(head_desc); } =20 -static void pte_list_remove(u64 *spte, struct kvm_rmap_head *rmap_head) +static void pte_list_remove(struct kvm *kvm, u64 *spte, + struct kvm_rmap_head *rmap_head) { struct pte_list_desc *desc; int i; @@ -1020,7 +1022,8 @@ static void pte_list_remove(u64 *spte, struct kvm_rma= p_head *rmap_head) while (desc) { for (i =3D 0; i < desc->spte_count; ++i) { if (desc->sptes[i] =3D=3D spte) { - pte_list_desc_remove_entry(rmap_head, desc, i); + pte_list_desc_remove_entry(kvm, rmap_head, + desc, i); return; } } 
@@ -1035,7 +1038,7 @@ static void kvm_zap_one_rmap_spte(struct kvm *kvm, struct kvm_rmap_head *rmap_head, u64 *sptep) { mmu_spte_clear_track_bits(kvm, sptep); - pte_list_remove(sptep, rmap_head); + pte_list_remove(kvm, sptep, rmap_head); } =20 /* Return true if at least one SPTE was zapped, false otherwise */ @@ -1110,7 +1113,7 @@ static void rmap_remove(struct kvm *kvm, u64 *spte) slot =3D __gfn_to_memslot(slots, gfn); rmap_head =3D gfn_to_rmap(gfn, sp->role.level, slot); =20 - pte_list_remove(spte, rmap_head); + pte_list_remove(kvm, spte, rmap_head); } =20 /* @@ -1758,16 +1761,16 @@ static void mmu_page_add_parent_pte(struct kvm_mmu_= memory_cache *cache, pte_list_add(cache, parent_pte, &sp->parent_ptes); } =20 -static void mmu_page_remove_parent_pte(struct kvm_mmu_page *sp, +static void mmu_page_remove_parent_pte(struct kvm *kvm, struct kvm_mmu_pag= e *sp, u64 *parent_pte) { - pte_list_remove(parent_pte, &sp->parent_ptes); + pte_list_remove(kvm, parent_pte, &sp->parent_ptes); } =20 -static void drop_parent_pte(struct kvm_mmu_page *sp, +static void drop_parent_pte(struct kvm *kvm, struct kvm_mmu_page *sp, u64 *parent_pte) { - mmu_page_remove_parent_pte(sp, parent_pte); + mmu_page_remove_parent_pte(kvm, sp, parent_pte); mmu_spte_clear_no_track(parent_pte); } =20 @@ -2482,7 +2485,7 @@ static void validate_direct_spte(struct kvm_vcpu *vcp= u, u64 *sptep, if (child->role.access =3D=3D direct_access) return; =20 - drop_parent_pte(child, sptep); + drop_parent_pte(vcpu->kvm, child, sptep); kvm_flush_remote_tlbs_sptep(vcpu->kvm, sptep); } } @@ -2500,7 +2503,7 @@ static int mmu_page_zap_pte(struct kvm *kvm, struct k= vm_mmu_page *sp, drop_spte(kvm, spte); } else { child =3D spte_to_child_sp(pte); - drop_parent_pte(child, spte); + drop_parent_pte(kvm, child, spte); =20 /* * Recursively zap nested TDP SPs, parentless SPs are 
@@ -2531,13 +2534,13 @@ static int kvm_mmu_page_unlink_children(struct kvm = *kvm, return zapped; } =20 -static void kvm_mmu_unlink_parents(struct kvm_mmu_page *sp) +static void kvm_mmu_unlink_parents(struct kvm *kvm, struct kvm_mmu_page *s= p) { u64 *sptep; struct rmap_iterator iter; =20 while ((sptep =3D rmap_get_first(&sp->parent_ptes, &iter))) - drop_parent_pte(sp, sptep); + drop_parent_pte(kvm, sp, sptep); } =20 static int mmu_zap_unsync_children(struct kvm *kvm, @@ -2576,7 +2579,7 @@ static bool __kvm_mmu_prepare_zap_page(struct kvm *kv= m, ++kvm->stat.mmu_shadow_zapped; *nr_zapped =3D mmu_zap_unsync_children(kvm, sp, invalid_list); *nr_zapped +=3D kvm_mmu_page_unlink_children(kvm, sp, invalid_list); - kvm_mmu_unlink_parents(sp); + kvm_mmu_unlink_parents(kvm, sp); =20 /* Zapping children means active_mmu_pages has become unstable. */ list_unstable =3D *nr_zapped; 
@@ -2934,7 +2937,7 @@ static int mmu_set_spte(struct kvm_vcpu *vcpu, struct= kvm_memory_slot *slot, u64 pte =3D *sptep; =20 child =3D spte_to_child_sp(pte); - drop_parent_pte(child, sptep); + drop_parent_pte(vcpu->kvm, child, sptep); flush =3D true; } else if (pfn !=3D spte_to_pfn(*sptep)) { drop_spte(vcpu->kvm, sptep); --=20 2.41.0.487.g6d72f3e995-goog
Date: Fri, 21 Jul 2023 16:00:06 -0700
In-Reply-To: <20230721230006.2337941-1-seanjc@google.com>
References: <20230721230006.2337941-1-seanjc@google.com>
Message-ID: <20230721230006.2337941-10-seanjc@google.com>
Subject: [PATCH v2 9/9] KVM: x86/mmu: BUG() in rmap helpers iff CONFIG_BUG_ON_DATA_CORRUPTION=y
From: Sean Christopherson To: Sean Christopherson , Paolo Bonzini Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mingwei Zhang , David Matlack , Jim Mattson Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Introduce KVM_BUG_ON_DATA_CORRUPTION() and use it in the low-level rmap helpers to convert the existing BUG()s to WARN_ON_ONCE() when the kernel is built with CONFIG_BUG_ON_DATA_CORRUPTION=3Dn, i.e. does NOT want to BUG() on corruption of host kernel data structures. Environments that don't have infrastructure to automatically capture crash dumps, i.e. aren't likely to enable CONFIG_BUG_ON_DATA_CORRUPTION=3Dy, are typically better served overall by WARN-and-continue behavior (for the kernel, the VM is dead regardless), as a BUG() while holding mmu_lock all but guarantees the _best_ case scenario is a panic(). Make the BUG()s conditional instead of removing/replacing them entirely as there's a non-zero chance (though by no means a guarantee) that the damage isn't contained to the target VM, e.g. if no rmap is found for a SPTE then KVM may be double-zapping the SPTE, i.e. has already freed the memory the SPTE pointed at and thus KVM is reading/writing memory that KVM no longer owns. Link: https://lore.kernel.org/all/20221129191237.31447-1-mizhang@google.com Suggested-by: Mingwei Zhang Cc: David Matlack Cc: Jim Mattson Reviewed-by: Mingwei Zhang Signed-off-by: Sean Christopherson --- arch/x86/kvm/mmu/mmu.c | 21 ++++++++++----------- include/linux/kvm_host.h | 19 +++++++++++++++++++ 2 files changed, 29 insertions(+), 11 deletions(-) diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index b6cc261d7748..69f65f7b6158 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c 
@@ -977,7 +977,7 @@ static void pte_list_desc_remove_entry(struct kvm *kvm, * when adding an entry and the previous head is full, and heads are * removed (this flow) when they become empty. */ - BUG_ON(j < 0); + KVM_BUG_ON_DATA_CORRUPTION(j < 0, kvm); =20 /* * Replace the to-be-freed SPTE with the last valid entry from the head @@ -1008,14 +1008,13 @@ static void pte_list_remove(struct kvm *kvm, u64 *s= pte, struct pte_list_desc *desc; int i; =20 - if (!rmap_head->val) { - pr_err("%s: %p 0->BUG\n", __func__, spte); - BUG(); - } else if (!(rmap_head->val & 1)) { - if ((u64 *)rmap_head->val !=3D spte) { - pr_err("%s: %p 1->BUG\n", __func__, spte); - BUG(); - } + if (KVM_BUG_ON_DATA_CORRUPTION(!rmap_head->val, kvm)) + return; + + if (!(rmap_head->val & 1)) { + if (KVM_BUG_ON_DATA_CORRUPTION((u64 *)rmap_head->val !=3D spte, kvm)) + return; + rmap_head->val =3D 0; } else { desc =3D (struct pte_list_desc *)(rmap_head->val & ~1ul); @@ -1029,8 +1028,8 @@ static void pte_list_remove(struct kvm *kvm, u64 *spt= e, } desc =3D desc->more; } - pr_err("%s: %p many->many\n", __func__, spte); - BUG(); + + KVM_BUG_ON_DATA_CORRUPTION(true, kvm); } } =20 diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h index 9d3ac7720da9..cb86108c624d 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h 
@@ -865,6 +865,25 @@ static inline void kvm_vm_bugged(struct kvm *kvm) unlikely(__ret); \ }) =20 +/* + * Note, "data corruption" refers to corruption of host kernel data struct= ures, + * not guest data. Guest data corruption, suspected or confirmed, that is= tied + * and contained to a single VM should *never* BUG() and potentially panic= the + * host, i.e. use this variant of KVM_BUG() if and only if a KVM data stru= cture + * is corrupted and that corruption can have a cascading effect to other p= arts + * of the hosts and/or to other VMs. + */ +#define KVM_BUG_ON_DATA_CORRUPTION(cond, kvm) \ +({ \ + bool __ret =3D !!(cond); \ + \ + if (IS_ENABLED(CONFIG_BUG_ON_DATA_CORRUPTION)) \ + BUG_ON(__ret); \ + else if (WARN_ON_ONCE(__ret && !(kvm)->vm_bugged)) \ + kvm_vm_bugged(kvm); \ + unlikely(__ret); \ +}) + static inline void kvm_vcpu_srcu_read_lock(struct kvm_vcpu *vcpu) { #ifdef CONFIG_PROVE_RCU --=20 2.41.0.487.g6d72f3e995-goog
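Review bot: In the pte_list_desc_remove_entry() hunk of arch/x86/kvm/mmu/mmu.c, the result of KVM_BUG_ON_DATA_CORRUPTION(j < 0, kvm) is discarded, so with CONFIG_BUG_ON_DATA_CORRUPTION=n the function warns, marks the VM bugged, and then falls through into the "Replace the to-be-freed SPTE with the last valid entry from the head" step with a negative j. The old BUG_ON(j < 0) never returned, so this is a new path, and it continues operating on the very state the check just flagged as corrupt. Both converted checks at the top of pte_list_remove() bail out with "if (KVM_BUG_ON_DATA_CORRUPTION(...)) return;", and this site should do the same.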
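Review bot: The comment above KVM_BUG_ON_DATA_CORRUPTION() in include/linux/kvm_host.h explains when the macro may be used but not its contract: it evaluates to the condition, and with CONFIG_BUG_ON_DATA_CORRUPTION=n execution continues after the WARN_ON_ONCE() and kvm_vm_bugged(), so callers have to check the result and stop touching the suspect structure. A sentence stating that would make an unchecked call site easier to spot in review. Because the warning is WARN_ON_ONCE(__ret && !(kvm)->vm_bugged), only the first hit at a given call site is logged; a later VM that trips the same check is still marked bugged but produces no message, which is worth mentioning in the comment as well. Nit: "other parts of the hosts" should read "other parts of the host".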