From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Jason Gunthorpe <jgg@nvidia.com>,
Claudio Imbrenda <imbrenda@linux.ibm.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 20/42] KVM: s390: fix race in gmap_make_secure()
Date: Thu, 1 Jun 2023 14:21:07 +0100
Message-ID: <20230601131937.629922352@linuxfoundation.org>
In-Reply-To: <20230601131936.699199833@linuxfoundation.org>
From: Claudio Imbrenda <imbrenda@linux.ibm.com>
[ Upstream commit c148dc8e2fa403be501612ee409db866eeed35c0 ]
Fix a potential race in gmap_make_secure() and remove the last user of
follow_page() without FOLL_GET.

The old code is locking something it doesn't have a reference to, and
as explained by Jason and David in this discussion:
https://lore.kernel.org/linux-mm/Y9J4P%2FRNvY1Ztn0Q@nvidia.com/
it can lead to all kinds of bad things, including the page getting
unmapped (MADV_DONTNEED), freed, reallocated as a larger folio, and the
unlock_page() would target the wrong bit.

There is also another race with the FOLL_WRITE, which could race
between the follow_page() and the get_locked_pte().

The main point is to remove the last use of follow_page() without
FOLL_GET or FOLL_PIN; removing the races can be considered a nice
bonus.
Link: https://lore.kernel.org/linux-mm/Y9J4P%2FRNvY1Ztn0Q@nvidia.com/
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Fixes: 214d9bbcd3a6 ("s390/mm: provide memory management functions for protected KVM guests")
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Message-Id: <20230428092753.27913-2-imbrenda@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/uv.c | 32 +++++++++++---------------------
1 file changed, 11 insertions(+), 21 deletions(-)
diff --git a/arch/s390/kernel/uv.c b/arch/s390/kernel/uv.c
index 7d7961c7b1281..66d1248c8c923 100644
--- a/arch/s390/kernel/uv.c
+++ b/arch/s390/kernel/uv.c
@@ -160,21 +160,10 @@ static int expected_page_refs(struct page *page)
return res;
}
-static int make_secure_pte(pte_t *ptep, unsigned long addr,
- struct page *exp_page, struct uv_cb_header *uvcb)
+static int make_page_secure(struct page *page, struct uv_cb_header *uvcb)
{
- pte_t entry = READ_ONCE(*ptep);
- struct page *page;
int expected, rc = 0;
- if (!pte_present(entry))
- return -ENXIO;
- if (pte_val(entry) & _PAGE_INVALID)
- return -ENXIO;
-
- page = pte_page(entry);
- if (page != exp_page)
- return -ENXIO;
if (PageWriteback(page))
return -EAGAIN;
expected = expected_page_refs(page);
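Review bot: make_page_secure() no longer validates its argument itself (the pte_present(), _PAGE_INVALID and page != exp_page checks are dropped together with the ptep, addr and exp_page parameters), so it now depends entirely on the caller having checked the PTE under the page table lock and having locked the page. Add a comment above the new function stating those preconditions, e.g. `/* Caller must hold the PTE lock and have the page locked */`, so that a future caller does not reintroduce the unreferenced-page locking problem the commit message describes.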
@@ -252,17 +241,18 @@ int gmap_make_secure(struct gmap *gmap, unsigned long gaddr, void *uvcb)
goto out;
rc = -ENXIO;
- page = follow_page(vma, uaddr, FOLL_WRITE);
- if (IS_ERR_OR_NULL(page))
- goto out;
-
- lock_page(page);
ptep = get_locked_pte(gmap->mm, uaddr, &ptelock);
- if (should_export_before_import(uvcb, gmap->mm))
- uv_convert_from_secure(page_to_phys(page));
- rc = make_secure_pte(ptep, uaddr, page, uvcb);
+ if (pte_present(*ptep) && !(pte_val(*ptep) & _PAGE_INVALID) && pte_write(*ptep)) {
+ page = pte_page(*ptep);
+ rc = -EAGAIN;
+ if (trylock_page(page)) {
+ if (should_export_before_import(uvcb, gmap->mm))
+ uv_convert_from_secure(page_to_phys(page));
+ rc = make_page_secure(page, uvcb);
+ unlock_page(page);
+ }
+ }
pte_unmap_unlock(ptep, ptelock);
- unlock_page(page);
out:
mmap_read_unlock(gmap->mm);
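Review bot: the new condition dereferences *ptep three times (pte_present(*ptep), pte_val(*ptep), pte_write(*ptep)) and again in pte_page(*ptep), whereas the removed make_secure_pte() read the entry once with READ_ONCE(); read it into a local `pte_t entry = READ_ONCE(*ptep);` and test that, which keeps the single-read idiom and shortens the line. The trylock_page() also deserves a one-line comment: the page lock is now taken inside the PTE spinlock obtained from get_locked_pte(), so lock_page() cannot be used there because it may sleep, and a failed trylock intentionally leaves rc at -EAGAIN; without that comment the reversed lock order relative to the removed lock_page()-then-get_locked_pte() sequence looks accidental.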
--
2.39.2