Date: Wed, 28 Jan 2026 17:14:34 -0800
Reply-To: Sean Christopherson
In-Reply-To: <20260129011517.3545883-1-seanjc@google.com>
References: <20260129011517.3545883-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email
 2.53.0.rc1.217.geba53bf80e-goog
Message-ID: <20260129011517.3545883-3-seanjc@google.com>
Subject: [RFC PATCH v5 02/45] KVM: x86/mmu: Update iter->old_spte if cmpxchg64 on mirror SPTE "fails"
From: Sean Christopherson
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, Kiryl Shutsemau, Sean Christopherson, Paolo Bonzini
Cc: linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, kvm@vger.kernel.org, Kai Huang, Rick Edgecombe, Yan Zhao, Vishal Annapurve, Ackerley Tng, Sagi Shahar, Binbin Wu, Xiaoyao Li, Isaku Yamahata
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Pass a pointer to iter->old_spte, not simply its value, when setting an external SPTE in __tdp_mmu_set_spte_atomic(), so that the iterator's value will be updated if the cmpxchg64 to freeze the mirror SPTE fails. The bug is currently benign as TDX is mutually exclusive with all paths that do "local" retry, e.g. clear_dirty_gfn_range() and wrprot_gfn_range().

Fixes: 77ac7079e66d ("KVM: x86/tdp_mmu: Propagate building mirror page tables")
Signed-off-by: Sean Christopherson
Reviewed-by: Kai Huang
Reviewed-by: Rick Edgecombe
---
arch/x86/kvm/mmu/tdp_mmu.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kvm/mmu/tdp_mmu.c b/arch/x86/kvm/mmu/tdp_mmu.c index 9c26038f6b77..0feda295859a 100644 --- a/arch/x86/kvm/mmu/tdp_mmu.c +++ b/arch/x86/kvm/mmu/tdp_mmu.c @@ -509,10 +509,10 @@ static void *get_external_spt(gfn_t gfn, u64 new_spte= , int level) } =20 static int __must_check set_external_spte_present(struct kvm *kvm, tdp_pte= p_t sptep, - gfn_t gfn, u64 old_spte, + gfn_t gfn, u64 *old_spte, u64 new_spte, int level) { - bool was_present =3D is_shadow_present_pte(old_spte); + bool was_present =3D is_shadow_present_pte(*old_spte); bool is_present =3D is_shadow_present_pte(new_spte); bool is_leaf =3D is_present && is_last_spte(new_spte, level); int ret =3D 0; 
@@ -525,7 +525,7 @@ static int __must_check set_external_spte_present(struc= t kvm *kvm, tdp_ptep_t sp * page table has been modified. Use FROZEN_SPTE similar to * the zapping case. */ - if (!try_cmpxchg64(rcu_dereference(sptep), &old_spte, FROZEN_SPTE)) + if (!try_cmpxchg64(rcu_dereference(sptep), old_spte, FROZEN_SPTE)) return -EBUSY; =20 /* @@ -541,7 +541,7 @@ static int __must_check set_external_spte_present(struc= t kvm *kvm, tdp_ptep_t sp ret =3D kvm_x86_call(link_external_spt)(kvm, gfn, level, external_spt); } if (ret) - __kvm_tdp_mmu_write_spte(sptep, old_spte); + __kvm_tdp_mmu_write_spte(sptep, *old_spte); else __kvm_tdp_mmu_write_spte(sptep, new_spte); return ret; @@ -670,7 +670,7 @@ static inline int __must_check __tdp_mmu_set_spte_atomi= c(struct kvm *kvm, return -EBUSY; =20 ret =3D set_external_spte_present(kvm, iter->sptep, iter->gfn, - iter->old_spte, new_spte, iter->level); + &iter->old_spte, new_spte, iter->level); if (ret) return ret; } else { --=20 2.53.0.rc1.217.geba53bf80e-goog
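Review bot: the new `u64 *old_spte` parameter in the `set_external_spte_present()` signature (hunk @@ -509) is an in/out argument, but nothing at the declaration says so. Suggest a comment above the function stating that on -EBUSY `*old_spte` has been refreshed to the SPTE value `try_cmpxchg64()` observed, so callers that retry locally know they may rely on it. The diffstat shows only this one file touched, so any caller outside tdp_mmu.c would need the same `&` update to keep compiling.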
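Review bot: the changed `try_cmpxchg64(rcu_dereference(sptep), old_spte, FROZEN_SPTE)` call in hunk @@ -525 is the line that makes the fix work: passing the caller's pointer rather than `&old_spte` means the failure path now writes the observed SPTE back into the iterator before `return -EBUSY;`. The comment above (`Use FROZEN_SPTE similar to the zapping case`) only covers the freeze; suggest adding a sentence that a failed cmpxchg refreshes `*old_spte`, so the retry contract is documented where it is implemented.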
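Review bot: the unwind `__kvm_tdp_mmu_write_spte(sptep, *old_spte);` in hunk @@ -541 is only reached after `try_cmpxchg64()` succeeded, so `*old_spte` still holds the pre-freeze value here and restoring it is correct; no change needed. Since the pointer now doubles as an output on the -EBUSY path, a short comment noting that `*old_spte` cannot have been modified by the time the `link_external_spt` / `set_external_spte` error is unwound would spare a future reader from wondering whether a stale value is being written back.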
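Review bot: with `&iter->old_spte` passed through in hunk @@ -670, the mirror path now matches the non-mirror `else` branch in leaving `iter->old_spte` current after -EBUSY, which is what the local-retry callers named in the commit message (`clear_dirty_gfn_range()`, `wrprot_gfn_range()`) depend on. Because the commit message says the bug is benign today only because TDX is mutually exclusive with those paths, suggest a one-line comment near this call recording that the refreshed `iter->old_spte` is part of the contract, so the dependency is not rediscovered the hard way when that exclusivity changes.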
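The mechanism the commit message relies on is that `try_cmpxchg64()` writes the value it actually found back through its `old` pointer when the exchange fails, so a local-retry loop that keeps using `iter->old_spte` only converges if that refreshed value reaches the iterator. The following is an added, constructed C model of that behaviour, not code from the patch or from KVM: `try_cmpxchg64_sim`, `struct tdp_iter_sim`, `set_spte_by_value`, `set_spte_by_pointer` and `retry_loop` are stand-ins I introduce here, the SPTE values are made up, and the "concurrent writer" is simulated by overwriting the slot before the first attempt. It shows the by-value shape (the pre-patch bug) never converging, while the by-pointer shape (the patched signature) succeeds on the second attempt.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed marker standing in for the kernel's FROZEN_SPTE. */
#define FROZEN_SPTE_SIM 0xFFFFFFFFFFFFFFFEull
#define MAX_RETRIES     4

/* Stand-in for try_cmpxchg64(): on failure, *old is overwritten with the
 * value actually present in the slot. This is the property the fix uses. */
static bool try_cmpxchg64_sim(uint64_t *ptr, uint64_t *old, uint64_t new)
{
    return __atomic_compare_exchange_n(ptr, old, new, false,
                                       __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
}

/* Minimal model of the TDP iterator: the slot and the iterator's copy. */
struct tdp_iter_sim {
    uint64_t *sptep;    /* simulated mirror SPTE slot */
    uint64_t old_spte;  /* iterator's cached copy of the slot */
};

/* Pre-patch shape: old_spte by value. The refreshed value written by a
 * failed cmpxchg lands in the local copy and is lost on return. */
static int set_spte_by_value(struct tdp_iter_sim *it, uint64_t old_spte,
                             uint64_t new_spte)
{
    if (!try_cmpxchg64_sim(it->sptep, &old_spte, FROZEN_SPTE_SIM))
        return -EBUSY;
    *it->sptep = new_spte;   /* unfreeze with the final value */
    return 0;
}

/* Patched shape: pointer to the iterator's copy, so a failed cmpxchg
 * updates the iterator itself before -EBUSY is returned. */
static int set_spte_by_pointer(struct tdp_iter_sim *it, uint64_t *old_spte,
                               uint64_t new_spte)
{
    if (!try_cmpxchg64_sim(it->sptep, old_spte, FROZEN_SPTE_SIM))
        return -EBUSY;
    *it->sptep = new_spte;
    return 0;
}

/* Local-retry loop in the style of the callers named in the commit message:
 * on -EBUSY, try again with whatever iter->old_spte now holds. racing_value
 * is written to the slot behind the iterator's back before the first attempt.
 * Returns the attempt number that succeeded, or -1 if the budget ran out. */
static int retry_loop(bool use_pointer, uint64_t racing_value)
{
    uint64_t slot = 0x1000;                      /* constructed initial SPTE */
    struct tdp_iter_sim it = { .sptep = &slot, .old_spte = slot };
    const uint64_t new_spte = 0x2000;            /* constructed target SPTE */

    slot = racing_value;   /* concurrent writer: iterator's copy may be stale */

    for (int attempt = 1; attempt <= MAX_RETRIES; attempt++) {
        int ret = use_pointer
            ? set_spte_by_pointer(&it, &it.old_spte, new_spte)
            : set_spte_by_value(&it, it.old_spte, new_spte);
        if (ret == 0)
            return attempt;
        /* -EBUSY: retry; only the pointer variant refreshed it.old_spte */
    }
    return -1;
}

int main(void)
{
    printf("by value,   racing write: attempts = %d\n", retry_loop(false, 0x1234));
    printf("by pointer, racing write: attempts = %d\n", retry_loop(true,  0x1234));
    printf("by value,   no race:      attempts = %d\n", retry_loop(false, 0x1000));
    printf("by pointer, no race:      attempts = %d\n", retry_loop(true,  0x1000));
    return 0;
}
```

When the slot changes underneath the iterator, the by-value variant returns -EBUSY on every attempt because `it.old_spte` is never updated, which is the stale-iterator behaviour the patch title describes; the by-pointer variant fails once, picks up the observed value, and succeeds on the second attempt. Without a racing write both variants succeed immediately, which is why the commit message can describe the bug as benign while TDX and the local-retry paths never run together.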