From: David Gibson <david@gibson.dropbear.id.au>
To: Alexey Kardashevskiy <aik@ozlabs.ru>
Cc: Paul Mackerras <paulus@samba.org>,
Alex Williamson <alex.williamson@redhat.com>,
linuxppc-dev@lists.ozlabs.org, kvm@vger.kernel.org,
kvm-ppc@vger.kernel.org
Subject: Re: [PATCH kernel v4 08/10] KVM: PPC: Separate TCE validation from update
Date: Thu, 09 Feb 2017 03:51:51 +0000 [thread overview]
Message-ID: <20170209035151.GA14524@umbus> (raw)
In-Reply-To: <20170207071711.28938-9-aik@ozlabs.ru>
[-- Attachment #1: Type: text/plain, Size: 3040 bytes --]
On Tue, Feb 07, 2017 at 06:17:09PM +1100, Alexey Kardashevskiy wrote:
> For the emulated devices it does not matter much if we get a broken TCE
> half way handling a TCE list but for VFIO it will matter as it has
> more chances to fail so we try to do our best and check as much as we
> can before proceeding.
>
> This separates a guest view table update from validation. No change in
> behavior is expected.
>
> Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
> ---
> arch/powerpc/kvm/book3s_64_vio.c | 8 ++++++++
> arch/powerpc/kvm/book3s_64_vio_hv.c | 8 ++++++--
> 2 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
> index 15df8ae627d9..9a7b7fca5e84 100644
> --- a/arch/powerpc/kvm/book3s_64_vio.c
> +++ b/arch/powerpc/kvm/book3s_64_vio.c
> @@ -282,6 +282,14 @@ long kvmppc_h_put_tce_indirect(struct kvm_vcpu *vcpu,
> ret = kvmppc_tce_validate(stt, tce);
> if (ret != H_SUCCESS)
> goto unlock_exit;
> + }
> +
> + for (i = 0; i < npages; ++i) {
> + if (get_user(tce, tces + i)) {
> + ret = H_TOO_HARD;
> + goto unlock_exit;
> + }
> + tce = be64_to_cpu(tce);
This doesn't look safe. The contents of user memory could change
between the two get_user()s, meaning that you're no longer guaranteed
a TCE loaded into kernel has been validated at all.
I think you need to either:
a) Make sure things safe against a bad TCE being loaded into a TCE
table and move all validation to where the TCE is used, rather
than loaded
or
b) Copy the whole set of indirect entries to a temporary in-kernel
buffer, then validate, then load into the actual TCE table.
>
> kvmppc_tce_put(stt, entry + i, tce);
> }
> diff --git a/arch/powerpc/kvm/book3s_64_vio_hv.c b/arch/powerpc/kvm/book3s_64_vio_hv.c
> index 918af76ab2b6..f8a54b7c788e 100644
> --- a/arch/powerpc/kvm/book3s_64_vio_hv.c
> +++ b/arch/powerpc/kvm/book3s_64_vio_hv.c
> @@ -237,7 +237,7 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
> {
> struct kvmppc_spapr_tce_table *stt;
> long i, ret = H_SUCCESS;
> - unsigned long tces, entry, ua = 0;
> + unsigned long tces, entry, tce, ua = 0;
> unsigned long *rmap = NULL;
>
> stt = kvmppc_find_table(vcpu->kvm, liobn);
> @@ -279,11 +279,15 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
> }
>
> for (i = 0; i < npages; ++i) {
> - unsigned long tce = be64_to_cpu(((u64 *)tces)[i]);
> + tce = be64_to_cpu(((u64 *)tces)[i]);
>
> ret = kvmppc_tce_validate(stt, tce);
> if (ret != H_SUCCESS)
> goto unlock_exit;
> + }
> +
> + for (i = 0; i < npages; ++i) {
> + tce = be64_to_cpu(((u64 *)tces)[i]);
Same problem here.
>
> kvmppc_tce_put(stt, entry + i, tce);
> }
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: David Gibson <david@gibson.dropbear.id.au>
To: Alexey Kardashevskiy <aik@ozlabs.ru>
Cc: linuxppc-dev@lists.ozlabs.org,
Alex Williamson <alex.williamson@redhat.com>,
Paul Mackerras <paulus@samba.org>,
kvm-ppc@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH kernel v4 08/10] KVM: PPC: Separate TCE validation from update
Date: Thu, 9 Feb 2017 14:51:51 +1100 [thread overview]
Message-ID: <20170209035151.GA14524@umbus> (raw)
In-Reply-To: <20170207071711.28938-9-aik@ozlabs.ru>
[-- Attachment #1: Type: text/plain, Size: 3040 bytes --]
On Tue, Feb 07, 2017 at 06:17:09PM +1100, Alexey Kardashevskiy wrote:
> For the emulated devices it does not matter much if we get a broken TCE
> half way handling a TCE list but for VFIO it will matter as it has
> more chances to fail so we try to do our best and check as much as we
> can before proceeding.
>
> This separates a guest view table update from validation. No change in
> behavior is expected.
>
> Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
> ---
> arch/powerpc/kvm/book3s_64_vio.c | 8 ++++++++
> arch/powerpc/kvm/book3s_64_vio_hv.c | 8 ++++++--
> 2 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
> index 15df8ae627d9..9a7b7fca5e84 100644
> --- a/arch/powerpc/kvm/book3s_64_vio.c
> +++ b/arch/powerpc/kvm/book3s_64_vio.c
> @@ -282,6 +282,14 @@ long kvmppc_h_put_tce_indirect(struct kvm_vcpu *vcpu,
> ret = kvmppc_tce_validate(stt, tce);
> if (ret != H_SUCCESS)
> goto unlock_exit;
> + }
> +
> + for (i = 0; i < npages; ++i) {
> + if (get_user(tce, tces + i)) {
> + ret = H_TOO_HARD;
> + goto unlock_exit;
> + }
> + tce = be64_to_cpu(tce);
This doesn't look safe. The contents of user memory could change
between the two get_user()s, meaning that you're no longer guaranteed
a TCE loaded into kernel has been validated at all.
I think you need to either:
a) Make sure things safe against a bad TCE being loaded into a TCE
table and move all validation to where the TCE is used, rather
than loaded
or
b) Copy the whole set of indirect entries to a temporary in-kernel
buffer, then validate, then load into the actual TCE table.
>
> kvmppc_tce_put(stt, entry + i, tce);
> }
> diff --git a/arch/powerpc/kvm/book3s_64_vio_hv.c b/arch/powerpc/kvm/book3s_64_vio_hv.c
> index 918af76ab2b6..f8a54b7c788e 100644
> --- a/arch/powerpc/kvm/book3s_64_vio_hv.c
> +++ b/arch/powerpc/kvm/book3s_64_vio_hv.c
> @@ -237,7 +237,7 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
> {
> struct kvmppc_spapr_tce_table *stt;
> long i, ret = H_SUCCESS;
> - unsigned long tces, entry, ua = 0;
> + unsigned long tces, entry, tce, ua = 0;
> unsigned long *rmap = NULL;
>
> stt = kvmppc_find_table(vcpu->kvm, liobn);
> @@ -279,11 +279,15 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
> }
>
> for (i = 0; i < npages; ++i) {
> - unsigned long tce = be64_to_cpu(((u64 *)tces)[i]);
> + tce = be64_to_cpu(((u64 *)tces)[i]);
>
> ret = kvmppc_tce_validate(stt, tce);
> if (ret != H_SUCCESS)
> goto unlock_exit;
> + }
> +
> + for (i = 0; i < npages; ++i) {
> + tce = be64_to_cpu(((u64 *)tces)[i]);
Same problem here.
>
> kvmppc_tce_put(stt, entry + i, tce);
> }
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: David Gibson <david@gibson.dropbear.id.au>
To: Alexey Kardashevskiy <aik@ozlabs.ru>
Cc: Paul Mackerras <paulus@samba.org>,
Alex Williamson <alex.williamson@redhat.com>,
linuxppc-dev@lists.ozlabs.org, kvm@vger.kernel.org,
kvm-ppc@vger.kernel.org
Subject: Re: [PATCH kernel v4 08/10] KVM: PPC: Separate TCE validation from update
Date: Thu, 9 Feb 2017 14:51:51 +1100 [thread overview]
Message-ID: <20170209035151.GA14524@umbus> (raw)
In-Reply-To: <20170207071711.28938-9-aik@ozlabs.ru>
[-- Attachment #1: Type: text/plain, Size: 3040 bytes --]
On Tue, Feb 07, 2017 at 06:17:09PM +1100, Alexey Kardashevskiy wrote:
> For the emulated devices it does not matter much if we get a broken TCE
> half way handling a TCE list but for VFIO it will matter as it has
> more chances to fail so we try to do our best and check as much as we
> can before proceeding.
>
> This separates a guest view table update from validation. No change in
> behavior is expected.
>
> Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
> ---
> arch/powerpc/kvm/book3s_64_vio.c | 8 ++++++++
> arch/powerpc/kvm/book3s_64_vio_hv.c | 8 ++++++--
> 2 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
> index 15df8ae627d9..9a7b7fca5e84 100644
> --- a/arch/powerpc/kvm/book3s_64_vio.c
> +++ b/arch/powerpc/kvm/book3s_64_vio.c
> @@ -282,6 +282,14 @@ long kvmppc_h_put_tce_indirect(struct kvm_vcpu *vcpu,
> ret = kvmppc_tce_validate(stt, tce);
> if (ret != H_SUCCESS)
> goto unlock_exit;
> + }
> +
> + for (i = 0; i < npages; ++i) {
> + if (get_user(tce, tces + i)) {
> + ret = H_TOO_HARD;
> + goto unlock_exit;
> + }
> + tce = be64_to_cpu(tce);
This doesn't look safe. The contents of user memory could change
between the two get_user()s, meaning that you're no longer guaranteed
a TCE loaded into kernel has been validated at all.
I think you need to either:
a) Make sure things safe against a bad TCE being loaded into a TCE
table and move all validation to where the TCE is used, rather
than loaded
or
b) Copy the whole set of indirect entries to a temporary in-kernel
buffer, then validate, then load into the actual TCE table.
>
> kvmppc_tce_put(stt, entry + i, tce);
> }
> diff --git a/arch/powerpc/kvm/book3s_64_vio_hv.c b/arch/powerpc/kvm/book3s_64_vio_hv.c
> index 918af76ab2b6..f8a54b7c788e 100644
> --- a/arch/powerpc/kvm/book3s_64_vio_hv.c
> +++ b/arch/powerpc/kvm/book3s_64_vio_hv.c
> @@ -237,7 +237,7 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
> {
> struct kvmppc_spapr_tce_table *stt;
> long i, ret = H_SUCCESS;
> - unsigned long tces, entry, ua = 0;
> + unsigned long tces, entry, tce, ua = 0;
> unsigned long *rmap = NULL;
>
> stt = kvmppc_find_table(vcpu->kvm, liobn);
> @@ -279,11 +279,15 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
> }
>
> for (i = 0; i < npages; ++i) {
> - unsigned long tce = be64_to_cpu(((u64 *)tces)[i]);
> + tce = be64_to_cpu(((u64 *)tces)[i]);
>
> ret = kvmppc_tce_validate(stt, tce);
> if (ret != H_SUCCESS)
> goto unlock_exit;
> + }
> +
> + for (i = 0; i < npages; ++i) {
> + tce = be64_to_cpu(((u64 *)tces)[i]);
Same problem here.
>
> kvmppc_tce_put(stt, entry + i, tce);
> }
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2017-02-09 3:51 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-07 7:17 [PATCH kernel v4 00/10] powerpc/kvm/vfio: Enable in-kernel acceleration Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-07 7:17 ` [PATCH kernel v4 01/10] powerpc/mmu: Add real mode support for IOMMU preregistered memory Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-07 7:17 ` [PATCH kernel v4 02/10] powerpc/powernv/iommu: Add real mode version of iommu_table_ops::exchange() Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-07 7:17 ` [PATCH kernel v4 03/10] powerpc/iommu/vfio_spapr_tce: Cleanup iommu_table disposal Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-07 7:17 ` [PATCH kernel v4 04/10] powerpc/vfio_spapr_tce: Add reference counting to iommu_table Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-07 7:17 ` [PATCH kernel v4 05/10] KVM: PPC: Reserve KVM_CAP_SPAPR_TCE_VFIO capability number Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-07 7:17 ` [PATCH kernel v4 06/10] KVM: PPC: Enable IOMMU_API for KVM_BOOK3S_64 permanently Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-07 7:17 ` [PATCH kernel v4 07/10] KVM: PPC: Pass kvm* to kvmppc_find_table() Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-07 7:17 ` [PATCH kernel v4 08/10] KVM: PPC: Separate TCE validation from update Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-09 3:51 ` David Gibson [this message]
2017-02-09 3:51 ` David Gibson
2017-02-09 3:51 ` David Gibson
2017-02-09 8:20 ` Alexey Kardashevskiy
2017-02-09 8:20 ` Alexey Kardashevskiy
2017-02-10 3:07 ` David Gibson
2017-02-10 3:07 ` David Gibson
2017-02-10 4:09 ` Alexey Kardashevskiy
2017-02-10 4:09 ` Alexey Kardashevskiy
2017-02-10 4:50 ` David Gibson
2017-02-10 4:50 ` David Gibson
2017-02-10 4:50 ` David Gibson
2017-02-10 7:58 ` Alexey Kardashevskiy
2017-02-10 7:58 ` Alexey Kardashevskiy
2017-02-07 7:17 ` [PATCH kernel v4 09/10] KVM: PPC: Use preregistered memory API to access TCE list Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-09 4:00 ` David Gibson
2017-02-09 4:00 ` David Gibson
2017-02-09 4:00 ` David Gibson
2017-02-07 7:17 ` [PATCH kernel v4 10/10] KVM: PPC: VFIO: Add in-kernel acceleration for VFIO Alexey Kardashevskiy
2017-02-07 7:17 ` Alexey Kardashevskiy
2017-02-09 6:41 ` David Gibson
2017-02-09 6:41 ` David Gibson
2017-02-09 6:41 ` David Gibson
2017-02-10 2:50 ` Alexey Kardashevskiy
2017-02-10 2:50 ` Alexey Kardashevskiy
2017-02-10 2:50 ` Alexey Kardashevskiy
2017-02-10 4:02 ` David Gibson
2017-02-10 4:02 ` David Gibson
2017-02-10 4:02 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170209035151.GA14524@umbus \
--to=david@gibson.dropbear.id.au \
--cc=aik@ozlabs.ru \
--cc=alex.williamson@redhat.com \
--cc=kvm-ppc@vger.kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=paulus@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.