From patchwork Tue Aug 3 13:55:19 2021
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 492237
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: pbonzini@redhat.com
Subject: [PATCH 4.14 1/3] KVM: do not assume PTE is writable after follow_pfn
Date: Tue, 3 Aug 2021 16:55:19 +0300
Message-Id: <20210803135521.2603575-1-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.25.1
X-Mailing-List: stable@vger.kernel.org
From: Paolo Bonzini

commit bd2fae8da794b55bf2ac02632da3a151b10e664c upstream.

In order to convert an HVA to a PFN, KVM usually tries to use the get_user_pages family of functions. This however is not possible for VM_IO vmas; in that case, KVM instead uses follow_pfn.

In doing this however KVM loses the information on whether the PFN is writable. That is usually not a problem because the main use of VM_IO vmas with KVM is for BARs in PCI device assignment, however it is a bug. To fix it, use follow_pte and check pte_write while under the protection of the PTE lock. The information can be used to fail hva_to_pfn_remapped or passed back to the caller via *writable.

Usage of follow_pfn was introduced in commit add6a0cd1c5b ("KVM: MMU: try to fix up page faults before giving up", 2016-07-05); however, even older versions have the same issue, all the way back to commit 2e2e3738af33 ("KVM: Handle vma regions with no backing page", 2008-07-20), as they also did not check whether the PFN was writable.

Fixes: 2e2e3738af33 ("KVM: Handle vma regions with no backing page")
Reported-by: David Stevens
Cc: 3pvd@google.com
Cc: Jann Horn
Cc: Jason Gunthorpe
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
[OP: backport to 4.14, adjust follow_pte() -> follow_pte_pmd()]
Signed-off-by: Ovidiu Panait
Acked-by: Paolo Bonzini
---
virt/kvm/kvm_main.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 547ae59199db..4e23d0b4b810 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -1491,9 +1491,11 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, kvm_pfn_t *p_pfn) { unsigned long pfn; + pte_t *ptep; + spinlock_t *ptl; int r; - r = follow_pfn(vma, addr, &pfn); + r = follow_pte_pmd(vma->vm_mm, addr, NULL, NULL, &ptep, NULL, &ptl); if (r) { /* * get_user_pages fails for VM_IO and VM_PFNMAP vmas and does
@@ -1508,14 +1510,19 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, if (r) return r; - r = follow_pfn(vma, addr, &pfn); + r = follow_pte_pmd(vma->vm_mm, addr, NULL, NULL, &ptep, NULL, &ptl); if (r) return r; + } + if (write_fault && !pte_write(*ptep)) { + pfn = KVM_PFN_ERR_RO_FAULT; + goto out; } if (writable) - *writable = true; + *writable = pte_write(*ptep); + pfn = pte_pfn(*ptep); /* * Get a reference here because callers of *hva_to_pfn* and 
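Review bot: `pfn = KVM_PFN_ERR_RO_FAULT` in this hunk stores a kvm_pfn_t (u64) sentinel into the `unsigned long pfn` declared in the previous hunk, which truncates on 32-bit hosts and leaves the error value looking like an ordinary small PFN there; declare pfn as kvm_pfn_t instead (3/3 of this series does exactly that, so 1/3 should not be taken into a tree without it).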
@@ -1530,6 +1537,8 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, */ kvm_get_pfn(pfn); +out: + pte_unmap_unlock(ptep, ptl); *p_pfn = pfn; return 0; }
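Review bot: the pre-existing `kvm_get_pfn(pfn)` kept as context in this hunk still takes an unconditional reference on a PFN that was read straight out of the PTE of a VM_IO/VM_PFNMAP vma, with no check that the backing struct page is refcounted at all; 2/3 of this series replaces it with a get_page_unless_zero()-based helper, and the two should be backported together.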
From patchwork Tue Aug 3 13:55:20 2021
X-Patchwork-Id: 491465
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: pbonzini@redhat.com
Subject: [PATCH 4.14 2/3] KVM: do not allow mapping valid but non-reference-counted pages
Date: Tue, 3 Aug 2021 16:55:20 +0300
Message-Id: <20210803135521.2603575-2-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210803135521.2603575-1-ovidiu.panait@windriver.com>
References: <20210803135521.2603575-1-ovidiu.panait@windriver.com>
From: Nicholas Piggin

commit f8be156be163a052a067306417cd0ff679068c97 upstream.

It's possible to create a region which maps valid but non-refcounted pages (e.g., tail pages of non-compound higher order allocations). These host pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family of APIs, which take a reference to the page, which takes it from 0 to 1. When the reference is dropped, this will free the page incorrectly.

Fix this by only taking a reference on valid pages if it was non-zero, which indicates it is participating in normal refcounting (and can be released with put_page).

This addresses CVE-2021-22543.

Signed-off-by: Nicholas Piggin
Tested-by: Paolo Bonzini
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
Signed-off-by: Ovidiu Panait
Acked-by: Paolo Bonzini
---
virt/kvm/kvm_main.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 4e23d0b4b810..469361d01116 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -1485,6 +1485,13 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault) return true; } +static int kvm_try_get_pfn(kvm_pfn_t pfn) +{ + if (kvm_is_reserved_pfn(pfn)) + return 1; + return get_page_unless_zero(pfn_to_page(pfn)); +} + static int hva_to_pfn_remapped(struct vm_area_struct *vma, unsigned long addr, bool *async, bool write_fault, bool *writable,
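Review bot: kvm_try_get_pfn() is declared to return int, but get_page_unless_zero() returns bool and the reserved branch returns a literal 1, so a bool return type would state the contract better for the single `if (!kvm_try_get_pfn(pfn))` caller. The order of the two checks also carries a hidden dependency: pfn_to_page(pfn) is only safe because kvm_is_reserved_pfn() answers true for PFNs that have no valid struct page, and a one-line comment saying so would protect the next person who reorders them.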
@@ -1534,13 +1541,21 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, * Whoever called remap_pfn_range is also going to call e.g. * unmap_mapping_range before the underlying pages are freed, * causing a call to our MMU notifier. + * + * Certain IO or PFNMAP mappings can be backed with valid + * struct pages, but be allocated without refcounting e.g., + * tail pages of non-compound higher order allocations, which + * would then underflow the refcount when the caller does the + * required put_page. Don't allow those pages here. */ - kvm_get_pfn(pfn); + if (!kvm_try_get_pfn(pfn)) + r = -EFAULT; out: pte_unmap_unlock(ptep, ptl); *p_pfn = pfn; - return 0; + + return r; } /*
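Review bot: the new `return r` depends on r still holding 0 from the last successful follow_pte_pmd() call on every path that reaches `out:` (the fall-through here and the KVM_PFN_ERR_RO_FAULT goto added in 1/3); that is true as the function stands, but an explicit `r = 0;` just before the kvm_try_get_pfn() check would stop a future early exit from leaking a stale error code. On the -EFAULT path `*p_pfn = pfn` is still written, which is harmless only because callers are required to check the return value before using the PFN; a comment at `out:` saying so is cheap.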
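As an added user-space model of the refcount bug that 2/3 fixes (it is not kernel code and not part of this series): the stand-ins below keep the refcount semantics of the kernel's get_page(), put_page() and get_page_unless_zero(), and run the unconditional kvm_get_pfn() and the patch's kvm_try_get_pfn() against a page that is valid but never refcounted, followed by the caller's required put.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the kernel's struct page, reduced to what the bug touches. */
struct page {
	atomic_int refcount;	/* kernel: page->_refcount */
	bool reserved;		/* kernel: kvm_is_reserved_pfn() is true */
	bool freed;		/* set when put_page() drops the count to zero */
};

static void page_init(struct page *p, int refcount, bool reserved)
{
	atomic_init(&p->refcount, refcount);
	p->reserved = reserved;
	p->freed = false;
}

/* get_page(): unconditional increment; assumes the page is refcounted. */
static void get_page(struct page *p)
{
	atomic_fetch_add(&p->refcount, 1);
}

/* put_page(): dropping the last reference frees the page. */
static void put_page(struct page *p)
{
	if (atomic_fetch_sub(&p->refcount, 1) == 1)
		p->freed = true;	/* kernel: __put_page() */
}

/* get_page_unless_zero(): atomic_inc_not_zero(). A count of zero means the
 * page is free or was never refcounted, so no reference is taken. */
static bool get_page_unless_zero(struct page *p)
{
	int old = atomic_load(&p->refcount);

	while (old != 0)
		if (atomic_compare_exchange_weak(&p->refcount, &old, old + 1))
			return true;
	return false;
}

/* Before 2/3: kvm_get_pfn() takes the reference unconditionally. */
static void kvm_get_pfn_old(struct page *p)
{
	if (!p->reserved)
		get_page(p);
}

/* After 2/3: kvm_try_get_pfn() from its first hunk, on the model. */
static int kvm_try_get_pfn_new(struct page *p)
{
	if (p->reserved)
		return 1;
	return get_page_unless_zero(p);
}

/* kvm_release_pfn_clean() stand-in: the caller's "required put_page". */
static void kvm_release_pfn(struct page *p)
{
	if (!p->reserved)
		put_page(p);
}

/* Map and release one page as a gfn_to_pfn() caller would. Returns 0 when
 * the page is still live afterwards, 1 when the mapping was refused (the
 * new -EFAULT path) and 2 when the release freed the page (the bug). */
static int map_and_release_old(struct page *p)
{
	kvm_get_pfn_old(p);
	kvm_release_pfn(p);
	return p->freed ? 2 : 0;
}

static int map_and_release_new(struct page *p)
{
	if (!kvm_try_get_pfn_new(p))
		return 1;
	kvm_release_pfn(p);
	return p->freed ? 2 : 0;
}

int main(void)
{
	struct page tail, normal;
	/* Constructed inputs: a tail page of a non-compound higher-order
	 * allocation (valid, refcount 0) and an ordinary page (refcount 1). */
	page_init(&tail, 0, false);
	printf("old path, refcount-0 page: %d\n", map_and_release_old(&tail));
	page_init(&tail, 0, false);
	printf("new path, refcount-0 page: %d\n", map_and_release_new(&tail));
	page_init(&normal, 1, false);
	printf("new path, ordinary page:   %d\n", map_and_release_new(&normal));
	return 0;
}
```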
From patchwork Tue Aug 3 13:55:21 2021
X-Patchwork-Id: 491464
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: pbonzini@redhat.com
Subject: [PATCH 4.14 3/3] KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped()
Date: Tue, 3 Aug 2021 16:55:21 +0300
Message-Id: <20210803135521.2603575-3-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210803135521.2603575-1-ovidiu.panait@windriver.com>
References: <20210803135521.2603575-1-ovidiu.panait@windriver.com>
From: Sean Christopherson

commit a9545779ee9e9e103648f6f2552e73cfe808d0f4 upstream

Use kvm_pfn_t, a.k.a. u64, for the local 'pfn' variable when retrieving a so called "remapped" hva/pfn pair. In theory, the hva could resolve to a pfn in high memory on a 32-bit kernel.

This bug was inadvertently exposed by commit bd2fae8da794 ("KVM: do not assume PTE is writable after follow_pfn"), which added an error PFN value to the mix, causing gcc to complain about overflowing the unsigned long.

arch/x86/kvm/../../../virt/kvm/kvm_main.c: In function ‘hva_to_pfn_remapped’:
include/linux/kvm_host.h:89:30: error: conversion from ‘long long unsigned int’ to ‘long unsigned int’ changes value from ‘9218868437227405314’ to ‘2’ [-Werror=overflow]
89 | #define KVM_PFN_ERR_RO_FAULT (KVM_PFN_ERR_MASK + 2)
| ^
virt/kvm/kvm_main.c:1935:9: note: in expansion of macro ‘KVM_PFN_ERR_RO_FAULT’

Cc: stable@vger.kernel.org
Fixes: add6a0cd1c5b ("KVM: MMU: try to fix up page faults before giving up")
Signed-off-by: Sean Christopherson
Message-Id: <20210208201940.1258328-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini
Signed-off-by: Ovidiu Panait
Acked-by: Paolo Bonzini
---
virt/kvm/kvm_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 469361d01116..36b9f2b29071 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -1497,7 +1497,7 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, bool write_fault, bool *writable, kvm_pfn_t *p_pfn) { - unsigned long pfn; + kvm_pfn_t pfn; pte_t *ptep; spinlock_t *ptl; int r;
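Review bot: the Fixes: tag names add6a0cd1c5b, but the assignment that actually overflows `unsigned long` is the `pfn = KVM_PFN_ERR_RO_FAULT` added by bd2fae8da794 (1/3 of this series), so any tree that takes 1/3 must take this one-line change in the same batch; stating that dependency in the commit message would let stable tooling pick the pair up together rather than tripping over the -Werror=overflow build failure quoted above.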