Skip to content

Commit e447212

Browse files
sean-jcbonzini
sean-jc
authored and
bonzini
committed
KVM: x86: Unload MMUs during vCPU destruction, not before
When destroying a VM, unload a vCPU's MMUs as part of normal vCPU freeing, instead of as a separate prepratory action. Unloading MMUs ahead of time is a holdover from commit 7b53aa5 ("KVM: Fix vcpu freeing for guest smp"), which "fixed" a rather egregious flaw where KVM would attempt to free *all* MMU pages when destroying a vCPU. At the time, KVM would spin on all MMU pages in a VM when free a single vCPU, and so would hang due to the way KVM pins and zaps root pages (roots are invalidated but not freed if they are pinned by a vCPU). static void free_mmu_pages(struct kvm_vcpu *vcpu) { struct kvm_mmu_page *page; while (!list_empty(&vcpu->kvm->active_mmu_pages)) { page = container_of(vcpu->kvm->active_mmu_pages.next, struct kvm_mmu_page, link); kvm_mmu_zap_page(vcpu->kvm, page); } free_page((unsigned long)vcpu->mmu.pae_root); } Now that KVM doesn't try to free all MMU pages when destroying a single vCPU, there's no need to unpin roots prior to destroying a vCPU. Note! While KVM mostly destroys all MMUs before calling kvm_arch_destroy_vm() (see commit f00be0c ("KVM: MMU: do not free active mmu pages in free_mmu_pages()")), unpinning MMU roots during vCPU destruction will unfortunately trigger remote TLB flushes, i.e. will try to send requests to all vCPUs. Happily, thanks to commit 27592ae ("KVM: Move wiping of the kvm->vcpus array to common code"), that's a non-issue as freed vCPUs are naturally skipped by xa_for_each_range(), i.e. by kvm_for_each_vcpu(). Prior to that commit, KVM x86 rather stupidly freed vCPUs one-by-one, and _then_ nullified them, one-by-one. I.e. triggering a VM-wide request would hit a use-after-free. Signed-off-by: Sean Christopherson <seanjc@google.com> Message-ID: <20250224235542.2562848-6-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 parent ed8f966 commit e447212

File tree

1 file changed

+3
-12
lines changed

1 file changed

+3
-12
lines changed

arch/x86/kvm/x86.c

Lines changed: 3 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -12361,6 +12361,9 @@ void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)
1236112361
{
1236212362
int idx;
1236312363

12364+
kvm_clear_async_pf_completion_queue(vcpu);
12365+
kvm_mmu_unload(vcpu);
12366+
1236412367
kvmclock_reset(vcpu);
1236512368

1236612369
kvm_x86_call(vcpu_free)(vcpu);
@@ -12754,17 +12757,6 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
1275412757
return ret;
1275512758
}
1275612759

12757-
static void kvm_unload_vcpu_mmus(struct kvm *kvm)
12758-
{
12759-
unsigned long i;
12760-
struct kvm_vcpu *vcpu;
12761-
12762-
kvm_for_each_vcpu(i, vcpu, kvm) {
12763-
kvm_clear_async_pf_completion_queue(vcpu);
12764-
kvm_mmu_unload(vcpu);
12765-
}
12766-
}
12767-
1276812760
void kvm_arch_sync_events(struct kvm *kvm)
1276912761
{
1277012762
cancel_delayed_work_sync(&kvm->arch.kvmclock_sync_work);
@@ -12869,7 +12861,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
1286912861
__x86_set_memory_region(kvm, TSS_PRIVATE_MEMSLOT, 0, 0);
1287012862
mutex_unlock(&kvm->slots_lock);
1287112863
}
12872-
kvm_unload_vcpu_mmus(kvm);
1287312864
kvm_destroy_vcpus(kvm);
1287412865
kvm_x86_call(vm_destroy)(kvm);
1287512866
kvm_free_msr_filter(srcu_dereference_check(kvm->arch.msr_filter, &kvm->srcu, 1));

0 commit comments

Comments
 (0)