From: Claudio Imbrenda
To: kvm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, borntraeger@de.ibm.com, frankja@linux.ibm.com, nsg@linux.ibm.com, nrb@linux.ibm.com, seiden@linux.ibm.com, gra@linux.ibm.com, schlameuss@linux.ibm.com, hca@linux.ibm.com, svens@linux.ibm.com, agordeev@linux.ibm.com, gor@linux.ibm.com, david@kernel.org, gerald.schaefer@linux.ibm.com
Subject: [PATCH v1 1/3] KVM: s390: Use guest address to mark guest page dirty
Date: Fri, 6 Feb 2026 15:35:51 +0100
Message-ID: <20260206143553.14730-2-imbrenda@linux.ibm.com>
In-Reply-To: <20260206143553.14730-1-imbrenda@linux.ibm.com>
References: <20260206143553.14730-1-imbrenda@linux.ibm.com>

Stop using the userspace address to mark the guest page dirty. mark_page_dirty() expects a guest frame number, but was being passed a host virtual frame number. When slot == NULL, mark_page_dirty_in_slot() does nothing and does not complain. This means that in some circumstances the dirtiness of the guest page might have been lost. Fix by adding two fields in struct kvm_s390_adapter_int to keep the guest addresses, and use those for mark_page_dirty().

Fixes: f65470661f36 ("KVM: s390/interrupt: do not pin adapter interrupt pages")
Signed-off-by: Claudio Imbrenda
Reviewed-by: Janosch Frank
Reviewed-by: Steffen Eiden
--- arch/s390/kvm/interrupt.c | 6 ++++-- include/linux/kvm_host.h | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c index f55eca9aa638..1c2bb5cd7e12 100644 --- a/arch/s390/kvm/interrupt.c +++ b/arch/s390/kvm/interrupt.c
@@ -2768,13 +2768,13 @@ static int adapter_indicators_set(struct kvm *kvm, bit =3D get_ind_bit(adapter_int->ind_addr, adapter_int->ind_offset, adapter->swap); set_bit(bit, map); - mark_page_dirty(kvm, adapter_int->ind_addr >> PAGE_SHIFT); + mark_page_dirty(kvm, adapter_int->ind_gaddr >> PAGE_SHIFT); set_page_dirty_lock(ind_page); map =3D page_address(summary_page); bit =3D get_ind_bit(adapter_int->summary_addr, adapter_int->summary_offset, adapter->swap); summary_set =3D test_and_set_bit(bit, map); - mark_page_dirty(kvm, adapter_int->summary_addr >> PAGE_SHIFT); + mark_page_dirty(kvm, adapter_int->summary_gaddr >> PAGE_SHIFT); set_page_dirty_lock(summary_page); srcu_read_unlock(&kvm->srcu, idx); =20 @@ -2870,7 +2870,9 @@ int kvm_set_routing_entry(struct kvm *kvm, if (kvm_is_error_hva(uaddr_s) || kvm_is_error_hva(uaddr_i)) return -EFAULT; e->adapter.summary_addr =3D uaddr_s; + e->adapter.summary_gaddr =3D ue->u.adapter.summary_addr; e->adapter.ind_addr =3D uaddr_i; + e->adapter.ind_gaddr =3D ue->u.adapter.ind_addr; e->adapter.summary_offset =3D ue->u.adapter.summary_offset; e->adapter.ind_offset =3D ue->u.adapter.ind_offset; e->adapter.adapter_id =3D ue->u.adapter.adapter_id; diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h index d93f75b05ae2..deb36007480d 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h 
@@ -645,7 +645,9 @@ static inline unsigned long *kvm_second_dirty_bitmap(st= ruct kvm_memory_slot *mem =20 struct kvm_s390_adapter_int { u64 ind_addr; + u64 ind_gaddr; u64 summary_addr; + u64 summary_gaddr; u64 ind_offset; u32 summary_offset; u32 adapter_id; --=20 2.52.0
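
Review bot: In adapter_indicators_set() (patch 1/3, arch/s390/kvm/interrupt.c), both mark_page_dirty() calls still open-code the address-to-frame conversion as "adapter_int->ind_gaddr >> PAGE_SHIFT" and "adapter_int->summary_gaddr >> PAGE_SHIFT". The bug fixed here was a frame number taken from the wrong address space, so consider gpa_to_gfn(adapter_int->ind_gaddr) and gpa_to_gfn(adapter_int->summary_gaddr), which state at the call site that the value is a guest physical address.
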
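
Review bot: In struct kvm_s390_adapter_int (patch 1/3, include/linux/kvm_host.h), ind_addr/summary_addr and the new ind_gaddr/summary_gaddr are all plain u64 with no comment saying which pair holds the host userspace address and which holds the guest address. Since the commit message describes exactly that confusion, please add a one-line comment per pair, or rename the existing fields (for example ind_uaddr/summary_uaddr) and type the new ones as gpa_t, so the two cannot be swapped silently again.
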
From: Claudio Imbrenda
To: kvm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, borntraeger@de.ibm.com, frankja@linux.ibm.com, nsg@linux.ibm.com, nrb@linux.ibm.com, seiden@linux.ibm.com, gra@linux.ibm.com, schlameuss@linux.ibm.com, hca@linux.ibm.com, svens@linux.ibm.com, agordeev@linux.ibm.com, gor@linux.ibm.com, david@kernel.org, gerald.schaefer@linux.ibm.com
Subject: [PATCH v1 2/3] KVM: s390: vsie: Fix race in walk_guest_tables()
Date: Fri, 6 Feb 2026 15:35:52 +0100
Message-ID: <20260206143553.14730-3-imbrenda@linux.ibm.com>
In-Reply-To: <20260206143553.14730-1-imbrenda@linux.ibm.com>
References: <20260206143553.14730-1-imbrenda@linux.ibm.com>

It is possible that walk_guest_tables() is called on a shadow gmap that has been removed already, in which case its parent will be NULL. In such a case, return -EAGAIN and let the callers deal with it.

Fixes: e38c884df921 ("KVM: s390: Switch to new gmap")
Signed-off-by: Claudio Imbrenda
Acked-by: Janosch Frank
--- arch/s390/kvm/gaccess.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c index 67de47a81a87..4630b2a067ea 100644 --- a/arch/s390/kvm/gaccess.c +++ b/arch/s390/kvm/gaccess.c
@@ -1287,7 +1287,10 @@ static int walk_guest_tables(struct gmap *sg, unsign= ed long saddr, struct pgtwal union asce asce; int rc; =20 + if (!parent) + return -EAGAIN; kvm =3D parent->kvm; + WARN_ON(!kvm); asce =3D sg->guest_asce; entries =3D get_entries(w); =20 --=20 2.52.0
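
Review bot: In walk_guest_tables() (patch 2/3, arch/s390/kvm/gaccess.c), the added "WARN_ON(!kvm);" only reports a NULL kvm and then execution carries on with that pointer. If the condition can happen, make it "if (WARN_ON_ONCE(!kvm))" followed by an error return; if it cannot, drop the line. The commit message does not mention this check at all. Separately, the hunk does not show where parent is loaded: if it is a plain read of sg->parent in the declarations, a comment on what keeps it valid between the "if (!parent)" test and "parent->kvm" would help, given that the commit message describes the shadow gmap being removed concurrently.
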
From: Claudio Imbrenda
To: kvm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, borntraeger@de.ibm.com, frankja@linux.ibm.com, nsg@linux.ibm.com, nrb@linux.ibm.com, seiden@linux.ibm.com, gra@linux.ibm.com, schlameuss@linux.ibm.com, hca@linux.ibm.com, svens@linux.ibm.com, agordeev@linux.ibm.com, gor@linux.ibm.com, david@kernel.org, gerald.schaefer@linux.ibm.com
Subject: [PATCH v1 3/3] KVM: s390: vsie: Fix race in acquire_gmap_shadow()
Date: Fri, 6 Feb 2026 15:35:53 +0100
Message-ID: <20260206143553.14730-4-imbrenda@linux.ibm.com>
In-Reply-To: <20260206143553.14730-1-imbrenda@linux.ibm.com>
References: <20260206143553.14730-1-imbrenda@linux.ibm.com>

The shadow gmap returned by gmap_create_shadow() could get dropped before taking the gmap->children_lock. This meant that the shadow gmap was sometimes being used while its reference count was 0. Fix this by taking the additional reference inside gmap_create_shadow() while still holding gmap->children_lock, instead of afterwards.

Fixes: e38c884df921 ("KVM: s390: Switch to new gmap")
Signed-off-by: Claudio Imbrenda
--- arch/s390/kvm/gmap.c | 15 ++++++++++++--- arch/s390/kvm/vsie.c | 6 +++++- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/arch/s390/kvm/gmap.c b/arch/s390/kvm/gmap.c index da222962ef6d..26cd2b208b6f 100644 --- a/arch/s390/kvm/gmap.c +++ b/arch/s390/kvm/gmap.c @@ -1179,6 +1179,8 @@ static int gmap_protect_asce_top_level(struct kvm_s39= 0_mmu_cache *mc, struct gma * The shadow table will be removed automatically on any change to the * PTE mapping for the source table. * + * The returned shadow gmap will be returned with one extra reference. + * * Return: A guest address space structure, ERR_PTR(-ENOMEM) if out of mem= ory, * ERR_PTR(-EAGAIN) if the caller has to retry and ERR_PTR(-EFAULT) if the * parent gmap table could not be protected.
@@ -1189,10 +1191,13 @@ struct gmap *gmap_create_shadow(struct kvm_s390_mmu= _cache *mc, struct gmap *pare struct gmap *sg, *new; int rc; =20 - scoped_guard(spinlock, &parent->children_lock) + scoped_guard(spinlock, &parent->children_lock) { sg =3D gmap_find_shadow(parent, asce, edat_level); - if (sg) - return sg; + if (sg) { + gmap_get(sg); + return sg; + } + } /* Create a new shadow gmap. */ new =3D gmap_new(parent->kvm, asce.r ? 1UL << (64 - PAGE_SHIFT) : asce_en= d(asce)); if (!new) @@ -1206,6 +1211,7 @@ struct gmap *gmap_create_shadow(struct kvm_s390_mmu_c= ache *mc, struct gmap *pare sg =3D gmap_find_shadow(parent, asce, edat_level); if (sg) { gmap_put(new); + gmap_get(sg); return sg; } if (asce.r) { @@ -1219,16 +1225,19 @@ struct gmap *gmap_create_shadow(struct kvm_s390_mmu= _cache *mc, struct gmap *pare } gmap_add_child(parent, new); /* Nothing to protect, return right away. */ + gmap_get(new); return new; } } =20 + gmap_get(new); new->parent =3D parent; /* Protect while inserting, protects against invalidation races. */ rc =3D gmap_protect_asce_top_level(mc, new); if (rc) { new->parent =3D NULL; gmap_put(new); + gmap_put(new); return ERR_PTR(rc); } return new; diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c index faf8b01fa672..d0296491b2f7 100644 --- a/arch/s390/kvm/vsie.c +++ b/arch/s390/kvm/vsie.c @@ -1256,6 +1256,7 @@ static struct gmap *acquire_gmap_shadow(struct kvm_vc= pu *vcpu, struct vsie_page release_gmap_shadow(vsie_page); } } +again: gmap =3D gmap_create_shadow(vcpu->arch.mc, vcpu->kvm->arch.gmap, asce, ed= at); if (IS_ERR(gmap)) return gmap; 
@@ -1263,11 +1264,14 @@ static struct gmap *acquire_gmap_shadow(struct kvm_= vcpu *vcpu, struct vsie_page /* unlikely race condition, remove the previous shadow */ if (vsie_page->gmap_cache.gmap) release_gmap_shadow(vsie_page); + if (!gmap->parent) { + gmap_put(gmap); + goto again; + } vcpu->kvm->stat.gmap_shadow_create++; list_add(&vsie_page->gmap_cache.list, &gmap->scb_users); vsie_page->gmap_cache.gmap =3D gmap; prefix_unmapped(vsie_page); - gmap_get(gmap); } return gmap; } --=20 2.52.0
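
Review bot: In gmap_create_shadow() (patch 3/3, arch/s390/kvm/gmap.c), the failure path after gmap_protect_asce_top_level() now has two consecutive "gmap_put(new);" calls with no comment, which reads like a double-put bug to anyone who has not seen this patch. Please say in a comment which call drops the caller's extra reference taken by the new "gmap_get(new);" just above and which drops the creation reference. The extra reference is also taken separately before each of the four successful returns; a single exit that does the gmap_get() would make it harder to miss a path in a later change. The added kernel-doc sentence "The returned shadow gmap will be returned with one extra reference." repeats "returned" and should state that the caller has to drop it with gmap_put().
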
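
Review bot: In acquire_gmap_shadow() (patch 3/3, arch/s390/kvm/vsie.c), the new "goto again" taken when "!gmap->parent" has no bound and no comment explaining why the retry terminates; please add one, or return ERR_PTR(-EAGAIN), which gmap_create_shadow() already documents as a retry code. Also, the "gmap_get(gmap);" removed at the end of this block was conditional, while gmap_create_shadow() now always returns with the extra reference. The visible lines do not show what drops that reference when the block is skipped and the function falls through to "return gmap;", so please confirm that path and cover it in the commit message.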