From patchwork Tue Jul 27 08:29:22 2021
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 487494
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: pbonzini@redhat.com
Subject: [PATCH v2 4.19 1/3] KVM: do not assume PTE is writable after follow_pfn
Date: Tue, 27 Jul 2021 11:29:22 +0300
Message-Id: <20210727082924.2336367-1-ovidiu.panait@windriver.com>
From: Paolo Bonzini

commit bd2fae8da794b55bf2ac02632da3a151b10e664c upstream.

In order to convert an HVA to a PFN, KVM usually tries to use the
get_user_pages family of functions. This however is not possible for
VM_IO vmas; in that case, KVM instead uses follow_pfn.

In doing this however KVM loses the information on whether the PFN is
writable. That is usually not a problem because the main use of VM_IO
vmas with KVM is for BARs in PCI device assignment, however it is a bug.
To fix it, use follow_pte and check pte_write while under the protection
of the PTE lock. The information can be used to fail hva_to_pfn_remapped
or passed back to the caller via *writable.

Usage of follow_pfn was introduced in commit add6a0cd1c5b ("KVM: MMU: try
to fix up page faults before giving up", 2016-07-05); however, even older
versions have the same issue, all the way back to commit 2e2e3738af33
("KVM: Handle vma regions with no backing page", 2008-07-20), as they also
did not check whether the PFN was writable.

Fixes: 2e2e3738af33 ("KVM: Handle vma regions with no backing page")
Reported-by: David Stevens
Cc: 3pvd@google.com
Cc: Jann Horn
Cc: Jason Gunthorpe
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini [OP: backport to 4.19, adjust follow_pte() -> follow_pte_pmd()] Signed-off-by: Ovidiu Panait Acked-by: Paolo Bonzini --- virt/kvm/kvm_main.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 1ecb27b3421a..6aeac96bf147 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -1495,9 +1495,11 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, kvm_pfn_t *p_pfn) { unsigned long pfn; + pte_t *ptep; + spinlock_t *ptl; int r; - r = follow_pfn(vma, addr, &pfn); + r = follow_pte_pmd(vma->vm_mm, addr, NULL, NULL, &ptep, NULL, &ptl); if (r) { /* * get_user_pages fails for VM_IO and VM_PFNMAP vmas and does @@ -1512,14 +1514,19 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, if (r) return r; - r = follow_pfn(vma, addr, &pfn); + r = follow_pte_pmd(vma->vm_mm, addr, NULL, NULL, &ptep, NULL, &ptl); if (r) return r; + } + if (write_fault && !pte_write(*ptep)) { + pfn = KVM_PFN_ERR_RO_FAULT; + goto out; } if (writable) - *writable = true; + *writable = pte_write(*ptep); + pfn = pte_pfn(*ptep); /* * Get a reference here because callers of *hva_to_pfn* and 
@@ -1534,6 +1541,8 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, */ kvm_get_pfn(pfn); +out: + pte_unmap_unlock(ptep, ptl); *p_pfn = pfn; return 0; }

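Review bot: in the first hunk the new follow_pte_pmd() call passes NULL for the start, end and pmdpp arguments, and the backport tag only says follow_pte() was mapped to follow_pte_pmd(); a one-line comment at the call site stating that only a PTE-level mapping is requested (the pmd pointer is deliberately not asked for) would save the next backporter from wondering whether huge-pmd PFNMAP mappings are covered. The same comment should say that on success the PTE lock (ptl) is now held from this call until the out: label, which the old follow_pfn() call never did.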
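Review bot: in the second hunk the read-only path sets pfn = KVM_PFN_ERR_RO_FAULT and jumps to out:, where the function still does *p_pfn = pfn; return 0;, so a refused write fault is reported as a zero return carrying an error PFN rather than as a non-zero r; that matches how hva_to_pfn_remapped already reported its result, but the two early `return r` exits a few lines above use the other convention, so a comment on the goto ("caller checks the returned pfn for an error value") would make the mixed contract explicit. The pte_write() test itself is made under ptl, as the commit message requires; the value handed back through *writable is only a snapshot once ptl is dropped at out:, so later changes to the PTE still have to reach KVM through the MMU notifier path described in the comment above kvm_get_pfn().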
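Review bot: in the last hunk the out: label unconditionally calls pte_unmap_unlock(ptep, ptl), so every exit after a successful follow_pte_pmd() now drops the PTE lock, including the new RO-fault jump; the two `return r` paths inside the `if (r)` retry block are the only exits that must never reach out:, because ptep and ptl are not valid there. A short comment on the label ("ptl held since follow_pte_pmd") would make that invariant visible. kvm_get_pfn(pfn) is also now called with the PTE spinlock held, which is fine for a refcount increment but means nothing that can sleep may be added between the lock acquisition and out:.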
From patchwork Tue Jul 27 08:29:23 2021
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 487493
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: pbonzini@redhat.com
Subject: [PATCH v2 4.19 2/3] KVM: do not allow mapping valid but non-reference-counted pages
Date: Tue, 27 Jul 2021 11:29:23 +0300
Message-Id: <20210727082924.2336367-2-ovidiu.panait@windriver.com>
In-Reply-To: <20210727082924.2336367-1-ovidiu.panait@windriver.com>
References: <20210727082924.2336367-1-ovidiu.panait@windriver.com>
From: Nicholas Piggin

commit f8be156be163a052a067306417cd0ff679068c97 upstream.

It's possible to create a region which maps valid but non-refcounted pages
(e.g., tail pages of non-compound higher order allocations). These host
pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family of
APIs, which take a reference to the page, which takes it from 0 to 1. When
the reference is dropped, this will free the page incorrectly.

Fix this by only taking a reference on valid pages if it was non-zero,
which indicates it is participating in normal refcounting (and can be
released with put_page).

This addresses CVE-2021-22543.

Signed-off-by: Nicholas Piggin
Tested-by: Paolo Bonzini
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
Signed-off-by: Ovidiu Panait
---
virt/kvm/kvm_main.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 6aeac96bf147..3559eba5f502 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -1489,6 +1489,13 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault) return true; } +static int kvm_try_get_pfn(kvm_pfn_t pfn) +{ + if (kvm_is_reserved_pfn(pfn)) + return 1; + return get_page_unless_zero(pfn_to_page(pfn)); +} + static int hva_to_pfn_remapped(struct vm_area_struct *vma, unsigned long addr, bool *async, bool write_fault, bool *writable,
@@ -1538,13 +1545,21 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, * Whoever called remap_pfn_range is also going to call e.g. * unmap_mapping_range before the underlying pages are freed, * causing a call to our MMU notifier. + * + * Certain IO or PFNMAP mappings can be backed with valid + * struct pages, but be allocated without refcounting e.g., + * tail pages of non-compound higher order allocations, which + * would then underflow the refcount when the caller does the + * required put_page. Don't allow those pages here. */ - kvm_get_pfn(pfn); + if (!kvm_try_get_pfn(pfn)) + r = -EFAULT; out: pte_unmap_unlock(ptep, ptl); *p_pfn = pfn; - return 0; + + return r; } /*
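Review bot: kvm_try_get_pfn() in the first hunk is declared to return int but only ever yields 0 or 1 (the literal 1 for reserved PFNs, the boolean result of get_page_unless_zero() otherwise), so a bool return type would match the only use, `if (!kvm_try_get_pfn(pfn))`. The helper also carries no comment saying why a reserved PFN counts as acquired without any refcount change; the explanation that appears in the second hunk's comment block belongs on the helper, together with the rule that a successful non-reserved return must be paired with put_page() by the caller, since that pairing is exactly why refcount-zero pages are refused.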
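Review bot: in the second hunk, when kvm_try_get_pfn() fails the code sets r = -EFAULT but still falls through to *p_pfn = pfn, so the caller receives both an error return and the non-refcounted PFN in *p_pfn; no reference is held on it, so either leaving *p_pfn untouched or storing an error value there on that path would remove any temptation to use it. Note also that `return r` now relies on r being 0 after the successful follow_pte_pmd() call earlier in the function (from patch 1/3), which is what keeps the existing KVM_PFN_ERR_RO_FAULT path returning 0 as before; since r is live across the out: label, that dependency deserves a comment there.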
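As an added example that is not part of either patch and is not kernel code, the following user-space C model reproduces the two bugs this series fixes and the corrected behaviour: patch 1/3 (a write fault on a read-only host PTE being treated as writable because follow_pfn() returns only the PFN) and patch 2/3 (a reference taken on a valid but non-refcounted page going 0 -> 1 -> 0 and freeing it under its owner). The PTE layout, the toy struct page, the NPAGES array and the function names that mirror the kernel ones (get_page, get_page_unless_zero, put_page, kvm_get_pfn, kvm_try_get_pfn, kvm_release_pfn) are all stand-ins assumed for this model, as are the scenario functions.

```c
/*
 * Added example (not kernel code): a user-space model of the two
 * hva_to_pfn_remapped() fixes in this series. The PTE layout, struct page,
 * refcount helpers and PFN_ERR_RO_FAULT are toy stand-ins for the kernel ones.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PFN_ERR_RO_FAULT ((uint64_t)-2)        /* stand-in for KVM_PFN_ERR_RO_FAULT */

/* Toy PTE layout: bit 0 present, bit 1 writable, PFN from bit 12 up. */
#define PTE_PRESENT 0x1ULL
#define PTE_WRITE   0x2ULL
#define mk_pte(pfn, flags) (((uint64_t)(pfn) << 12) | (flags))
#define pte_pfn(pte)   ((pte) >> 12)
#define pte_write(pte) (((pte) & PTE_WRITE) != 0)

/* Toy struct page: refcount 0 marks a page that is not refcounted at all. */
struct page { int refcount; bool reserved; bool freed; };
#define NPAGES 4
static struct page pages[NPAGES];

/* Out-of-range PFNs are treated as reserved (think of a device BAR). */
static bool is_reserved_pfn(uint64_t pfn) { return pfn >= NPAGES || pages[pfn].reserved; }
static void get_page(struct page *p) { p->refcount++; }   /* unconditional, like get_page() */
static bool get_page_unless_zero(struct page *p)
{
    if (p->refcount == 0) return false;  /* not participating in refcounting */
    p->refcount++;
    return true;
}
static void put_page(struct page *p)
{
    if (--p->refcount == 0) p->freed = true;  /* refcount hit zero: page freed */
}

/* Before patch 2/3: kvm_get_pfn() takes a reference on any non-reserved pfn. */
static void kvm_get_pfn(uint64_t pfn) { if (!is_reserved_pfn(pfn)) get_page(&pages[pfn]); }
/* After patch 2/3: only take a reference if one is already held (refcount != 0). */
static int kvm_try_get_pfn(uint64_t pfn)
{
    if (is_reserved_pfn(pfn)) return 1;
    return get_page_unless_zero(&pages[pfn]);
}
/* Caller-side release that pairs with the get above. */
static void kvm_release_pfn(uint64_t pfn) { if (!is_reserved_pfn(pfn)) put_page(&pages[pfn]); }

struct result { int r; uint64_t pfn; bool writable; };

/* Before patch 1/3: follow_pfn() yields only the PFN, so writability is assumed. */
static struct result remapped_before(uint64_t pte, bool write_fault)
{
    struct result res = { .r = 0, .pfn = pte_pfn(pte), .writable = true };
    (void)write_fault;                 /* never consulted: the original bug */
    kvm_get_pfn(res.pfn);
    return res;
}

/* After both patches: the PTE itself is inspected and non-refcounted pages refused. */
static struct result remapped_after(uint64_t pte, bool write_fault)
{
    struct result res = { .r = 0, .pfn = 0, .writable = false };
    if (write_fault && !pte_write(pte)) {
        res.pfn = PFN_ERR_RO_FAULT;    /* "goto out": r stays 0, caller sees an error pfn */
        return res;
    }
    res.writable = pte_write(pte);
    res.pfn = pte_pfn(pte);
    if (!kvm_try_get_pfn(res.pfn))
        res.r = -EFAULT;
    return res;
}

static void reset(void) { memset(pages, 0, sizeof pages); }

/* Scenario A: guest write fault on a host PTE that is read-only. */
static bool before_grants_write_on_ro_pte(void)
{
    reset(); pages[1].refcount = 1;
    struct result res = remapped_before(mk_pte(1, PTE_PRESENT), true);
    return res.r == 0 && res.writable;          /* wrong: read-only mapping treated as writable */
}
static bool after_reports_ro_fault(void)
{
    reset(); pages[1].refcount = 1;
    struct result res = remapped_after(mk_pte(1, PTE_PRESENT), true);
    return res.r == 0 && res.pfn == PFN_ERR_RO_FAULT && !pages[1].freed;
}

/* Scenario B: PTE points at a valid page whose refcount is 0 (not refcounted). */
static bool before_frees_unrefcounted_page(void)
{
    reset();                                     /* pages[2].refcount == 0 */
    struct result res = remapped_before(mk_pte(2, PTE_PRESENT | PTE_WRITE), true);
    kvm_release_pfn(res.pfn);                    /* 0 -> 1 -> 0: page "freed" under its owner */
    return res.r == 0 && pages[2].freed;
}
static bool after_rejects_unrefcounted_page(void)
{
    reset();
    struct result res = remapped_after(mk_pte(2, PTE_PRESENT | PTE_WRITE), true);
    return res.r == -EFAULT && pages[2].refcount == 0 && !pages[2].freed;
}
```

Scenario A shows why the write bit has to be read from the PTE itself: nothing in a bare PFN says whether the host mapping is writable. Scenario B shows the refcount underflow in miniature: the unconditional get_page() turns a refcount of 0 into 1, and the caller's mandatory release then drops it back to 0 and frees a page that KVM never owned, which is what get_page_unless_zero() in kvm_try_get_pfn() prevents.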