From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, David Stevens <stevensd@google.com>,
3pvd@google.com, Jann Horn <jannh@google.com>,
Jason Gunthorpe <jgg@ziepe.ca>,
Paolo Bonzini <pbonzini@redhat.com>,
Ovidiu Panait <ovidiu.panait@windriver.com>
Subject: [PATCH 4.14 08/11] KVM: do not assume PTE is writable after follow_pfn
Date: Fri, 6 Aug 2021 10:14:51 +0200
Message-ID: <20210806081110.785046751@linuxfoundation.org>
In-Reply-To: <20210806081110.511221879@linuxfoundation.org>
From: Paolo Bonzini <pbonzini@redhat.com>
commit bd2fae8da794b55bf2ac02632da3a151b10e664c upstream.
In order to convert an HVA to a PFN, KVM usually tries to use
the get_user_pages family of functions. This however is not
possible for VM_IO vmas; in that case, KVM instead uses follow_pfn.
In doing this however KVM loses the information on whether the
PFN is writable. That is usually not a problem because the main
use of VM_IO vmas with KVM is for BARs in PCI device assignment,
however it is a bug. To fix it, use follow_pte and check pte_write
while under the protection of the PTE lock. The information can
be used to fail hva_to_pfn_remapped or passed back to the
caller via *writable.
Usage of follow_pfn was introduced in commit add6a0cd1c5b ("KVM: MMU: try to fix
up page faults before giving up", 2016-07-05); however, even older versions
have the same issue, all the way back to commit 2e2e3738af33 ("KVM:
Handle vma regions with no backing page", 2008-07-20), as they also did
not check whether the PFN was writable.
Fixes: 2e2e3738af33 ("KVM: Handle vma regions with no backing page")
Reported-by: David Stevens <stevensd@google.com>
Cc: 3pvd@google.com
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[OP: backport to 4.14, adjust follow_pte() -> follow_pte_pmd()]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
virt/kvm/kvm_main.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1491,9 +1491,11 @@ static int hva_to_pfn_remapped(struct vm
kvm_pfn_t *p_pfn)
{
unsigned long pfn;
+ pte_t *ptep;
+ spinlock_t *ptl;
int r;
- r = follow_pfn(vma, addr, &pfn);
+ r = follow_pte_pmd(vma->vm_mm, addr, NULL, NULL, &ptep, NULL, &ptl);
if (r) {
/*
* get_user_pages fails for VM_IO and VM_PFNMAP vmas and does
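Review bot: the new `ptep`/`ptl` locals are only valid once `follow_pte_pmd()` returns 0, and from that point the PTE lock is held until the unlock at the end of the function; a short comment above the two declarations saying that the lock is taken here and released at `out:` would make that invariant visible to anyone adding an early return later. The three NULL arguments in `follow_pte_pmd(vma->vm_mm, addr, NULL, NULL, &ptep, NULL, &ptl)` would also be worth a one-line comment naming which outputs are intentionally unused, since the backport note in the commit message only says `follow_pte()` was swapped for `follow_pte_pmd()`.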
@@ -1508,14 +1510,19 @@ static int hva_to_pfn_remapped(struct vm
if (r)
return r;
- r = follow_pfn(vma, addr, &pfn);
+ r = follow_pte_pmd(vma->vm_mm, addr, NULL, NULL, &ptep, NULL, &ptl);
if (r)
return r;
+ }
+ if (write_fault && !pte_write(*ptep)) {
+ pfn = KVM_PFN_ERR_RO_FAULT;
+ goto out;
}
if (writable)
- *writable = true;
+ *writable = pte_write(*ptep);
+ pfn = pte_pfn(*ptep);
/*
* Get a reference here because callers of *hva_to_pfn* and
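Review bot: at `pfn = KVM_PFN_ERR_RO_FAULT;` an error-encoded `kvm_pfn_t` is stored into `pfn`, which the first hunk still declares as `unsigned long`, while the output `*p_pfn` is a `kvm_pfn_t`; on hosts where `kvm_pfn_t` is wider than `unsigned long` the error encoding is truncated and the caller would see a normal-looking pfn instead of a fault, so the local should become `kvm_pfn_t` in the same change (this series carries that as a separate patch, 10/11). The `if (write_fault && !pte_write(*ptep))` check is correctly placed after the closing `}` of the retry block, so it also covers the second `follow_pte_pmd()` lookup.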
@@ -1530,6 +1537,8 @@ static int hva_to_pfn_remapped(struct vm
*/
kvm_get_pfn(pfn);
+out:
+ pte_unmap_unlock(ptep, ptl);
*p_pfn = pfn;
return 0;
}
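Review bot: the `out:` path returns 0 with `*p_pfn` set to `KVM_PFN_ERR_RO_FAULT` and without the `kvm_get_pfn()` reference, so callers must tell success from failure by inspecting the returned pfn rather than the return code; a comment at the label stating that `pfn` may hold an error value and that only the unlock is shared by the two paths would keep the next reader from "fixing" the missing reference. Since `kvm_get_pfn(pfn)` now runs with the PTE spinlock held, it also has to stay non-sleeping, which is worth stating in the same comment.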
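As an added illustration that is not part of this patch or of KVM's code: a constructed C model contrasting the old hva_to_pfn_remapped() logic (writability assumed) with the fixed one (write fault on a read-only PTE fails, and *writable is taken from the PTE). The page table, PTE bit layout, follow_pte() stand-in and KVM_PFN_ERR_* values are all assumptions, and the model returns the pfn directly instead of through an out-parameter.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the bug, not kernel code: a one-level page table, a toy
 * PTE layout (present, write, pfn from bit 12) and assumed error-pfn values. */
typedef uint64_t pte_t, kvm_pfn_t;
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITE     (1ULL << 1)
#define PTE_PFN_SHIFT 12
#define NPAGES        4
#define KVM_PFN_ERR_FAULT    (0x7ffULL << 52)        /* assumed encoding */
#define KVM_PFN_ERR_RO_FAULT (KVM_PFN_ERR_FAULT | 2) /* assumed encoding */
static bool pte_write(pte_t pte) { return pte & PTE_WRITE; }
static kvm_pfn_t pte_pfn(pte_t pte) { return pte >> PTE_PFN_SHIFT; }

/* Constructed table: page 0 read-write, page 1 read-only, 2 and 3 absent. */
static pte_t page_table[NPAGES] = {
    [0] = (0x1000ULL << PTE_PFN_SHIFT) | PTE_PRESENT | PTE_WRITE,
    [1] = (0x2000ULL << PTE_PFN_SHIFT) | PTE_PRESENT,
};

/* Mock follow_pte(): the PTE mapping an address, or NULL if there is none. */
static pte_t *follow_pte(unsigned long hva) {
    unsigned long idx = hva >> PTE_PFN_SHIFT;
    if (idx >= NPAGES || !(page_table[idx] & PTE_PRESENT))
        return NULL;
    return &page_table[idx];
}

/* Before the fix: take the PFN and simply assume the mapping is writable. */
static kvm_pfn_t remapped_before(unsigned long hva, bool write_fault, bool *writable) {
    pte_t *ptep = follow_pte(hva);
    if (!ptep)
        return KVM_PFN_ERR_FAULT;
    *writable = true;   /* the bug: write_fault and the PTE's write bit are ignored */
    return pte_pfn(*ptep);
}

/* After the fix: a write fault on a read-only PTE fails with the RO error pfn
 * and *writable reports what the PTE actually permits. */
static kvm_pfn_t remapped_after(unsigned long hva, bool write_fault, bool *writable) {
    pte_t *ptep = follow_pte(hva);
    if (!ptep)
        return KVM_PFN_ERR_FAULT;
    if (write_fault && !pte_write(*ptep))
        return KVM_PFN_ERR_RO_FAULT;
    *writable = pte_write(*ptep);
    return pte_pfn(*ptep);
}
static bool g_writable;   /* scratch output used by the checks below */
```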