kvm: mmu: Fix overflow on kvm mmu page limit calculation [Linux 3.16.72]

This Linux kernel change "kvm: mmu: Fix overflow on kvm mmu page limit calculation" is included in the Linux 3.16.72 release. This change is authored by Ben Gardon <bgardon [at] google.com> on Mon Apr 8 11:07:30 2019 -0700. The commit for this change in Linux stable tree is 3849fe3 (patch) which is from upstream commit bc8a3d8. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream bc8a3d8.

commit bc8a3d8925a8fa09fa550e0da115d95851ce33c6 upstream.

KVM bases its memory usage limits on the total number of guest pages
across all memslots. However, those limits, and the calculations to
produce them, use 32 bit unsigned integers. This can result in overflow
if a VM has more guest pages that can be represented by a u32. As a
result of this overflow, KVM can use a low limit on the number of MMU
pages it will allocate. This makes KVM unable to map all of guest memory
at once, prompting spurious faults.

Tested: Ran all kvm-unit-tests on an Intel Haswell machine. This patch
    introduced no new failures.

Signed-off-by: Ben Gardon <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>

There are 31 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 arch/x86/include/asm/kvm_host.h | 12 ++++++------
 arch/x86/kvm/mmu.c              | 13 ++++++-------
 arch/x86/kvm/mmu.h              |  2 +-
 arch/x86/kvm/x86.c              |  4 ++--
 4 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index de6c067..92a9ba2 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -88,7 +88,7 @@ static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
 #define IOPL_SHIFT 12

 #define KVM_MMU_HASH_SHIFT 10
@@ -552,9 +552,9 @@ struct kvm_apic_map {

 struct kvm_arch {
-   unsigned int n_used_mmu_pages;
-   unsigned int n_requested_mmu_pages;
-   unsigned int n_max_mmu_pages;
+   unsigned long n_used_mmu_pages;
+   unsigned long n_requested_mmu_pages;
+   unsigned long n_max_mmu_pages;
    unsigned int indirect_shadow_pages;
    unsigned long mmu_valid_gen;
    struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
@@ -810,8 +810,8 @@ void kvm_mmu_write_protect_pt_masked(struct kvm *kvm,
                     gfn_t gfn_offset, unsigned long mask);
 void kvm_mmu_zap_all(struct kvm *kvm);
 void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm);
-unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm);
-void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages);
+unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm);
+void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long kvm_nr_mmu_pages);

 int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3);

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index c81ccc0..886fb53 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -1492,7 +1492,7 @@ static int is_empty_shadow_page(u64 *spt)
  * aggregate version in order to make the slab shrinker
  * faster
-static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, int nr)
+static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
    kvm->arch.n_used_mmu_pages += nr;
    percpu_counter_add(&kvm_total_used_mmu_pages, nr);
@@ -2207,7 +2207,7 @@ static bool prepare_zap_oldest_mmu_page(struct kvm *kvm,
  * Changing the number of mmu pages allocated to the vm
  * Note: if goal_nr_mmu_pages is too small, you will get dead lock
-void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int goal_nr_mmu_pages)
+void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long goal_nr_mmu_pages)

@@ -4505,10 +4505,10 @@ int kvm_mmu_module_init(void)
  * Caculate mmu pages needed for kvm.
-unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
+unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
-   unsigned int nr_mmu_pages;
-   unsigned int  nr_pages = 0;
+   unsigned long nr_mmu_pages;
+   unsigned long nr_pages = 0;
    struct kvm_memslots *slots;
    struct kvm_memory_slot *memslot;

@@ -4518,8 +4518,7 @@ unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
        nr_pages += memslot->npages;

    nr_mmu_pages = nr_pages * KVM_PERMILLE_MMU_PAGES / 1000;
-   nr_mmu_pages = max(nr_mmu_pages,
-           (unsigned int) KVM_MIN_ALLOC_MMU_PAGES);
+   nr_mmu_pages = max(nr_mmu_pages, KVM_MIN_ALLOC_MMU_PAGES);

    return nr_mmu_pages;
diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
index 58b2f51..f3dc8f6 100644
--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -81,7 +81,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context,
        bool execonly);
 bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu);

-static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm)
+static inline unsigned long kvm_mmu_available_pages(struct kvm *kvm)
    if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages)
        return kvm->arch.n_max_mmu_pages -
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 7773e28..2c0f1ea 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3529,7 +3529,7 @@ static int kvm_vm_ioctl_set_identity_map_addr(struct kvm *kvm,

 static int kvm_vm_ioctl_set_nr_mmu_pages(struct kvm *kvm,
-                     u32 kvm_nr_mmu_pages)
+                    unsigned long kvm_nr_mmu_pages)
    if (kvm_nr_mmu_pages < KVM_MIN_ALLOC_MMU_PAGES)
        return -EINVAL;
@@ -3543,7 +3543,7 @@ static int kvm_vm_ioctl_set_nr_mmu_pages(struct kvm *kvm,
    return 0;

-static int kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm)
+static unsigned long kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm)
    return kvm->arch.n_max_mmu_pages;

