Date: Thu, 27 Oct 2022 13:13:38 +0000
From: Quentin Perret
To: Will Deacon
Cc: kvmarm@lists.linux.dev, Sean Christopherson, Vincent Donnefort, Alexandru Elisei, Catalin Marinas, Philippe Mathieu-Daudé, James Morse, Chao Peng, Suzuki K Poulose, Mark Rutland, Fuad Tabba, Oliver Upton, Marc Zyngier, kernel-team@android.com, kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v5 20/25] KVM: arm64: Return guest memory from EL2 via dedicated teardown memcache
References: <20221020133827.5541-1-will@kernel.org> <20221020133827.5541-21-will@kernel.org>
In-Reply-To: <20221020133827.5541-21-will@kernel.org>
X-Mailing-List: kvmarm@lists.linux.dev

On Thursday 20 Oct 2022 at 14:38:22 (+0100), Will Deacon wrote:
> +static void > +teardown_donated_memory(struct kvm_hyp_memcache *mc, void *addr, size_t size) > +{ > + size = PAGE_ALIGN(size); > + memset(addr, 0, size); > + > + for (void *start = addr; start < addr + size; start += PAGE_SIZE) > + push_hyp_memcache(mc, start, hyp_virt_to_phys); > + > + unmap_donated_memory_noclear(addr, size); > +} > + > int __pkvm_teardown_vm(pkvm_handle_t handle) > { > + struct kvm_hyp_memcache *mc; > struct pkvm_hyp_vm *hyp_vm; > unsigned int idx; > size_t vm_size;
> @@ -552,7 +565,8 @@ int __pkvm_teardown_vm(pkvm_handle_t handle) > hyp_spin_unlock(&vm_table_lock); > > /* Reclaim guest pages (including page-table pages) */ > - reclaim_guest_pages(hyp_vm); > + mc = &hyp_vm->host_kvm->arch.pkvm.teardown_mc; > + reclaim_guest_pages(hyp_vm, mc); > unpin_host_vcpus(hyp_vm->vcpus, hyp_vm->nr_vcpus); > > /* Push the metadata pages to the teardown memcache */ 
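Review bot: `mc = &hyp_vm->host_kvm->arch.pkvm.teardown_mc;` turns `mc` into a pointer into the host's `struct kvm`, i.e. host-owned memory that EL2 may only rely on while the host's pin on that struct prevents it from being unshared; every later `push_hyp_memcache(mc, ...)` in this function therefore depends on that pin still being held, and nothing in the hunk documents where the host kvm struct is unpinned relative to those pushes. A comment next to the assignment stating that the teardown memcache lives inside the (pinned) host kvm struct, and that the unpin has to come after the last push, would make the lifetime requirement explicit for the next reader.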
> @@ -561,11 +575,11 @@ int __pkvm_teardown_vm(pkvm_handle_t handle) > for (idx = 0; idx < hyp_vm->nr_vcpus; ++idx) { > struct pkvm_hyp_vcpu *hyp_vcpu = hyp_vm->vcpus[idx]; > > - unmap_donated_memory(hyp_vcpu, sizeof(*hyp_vcpu)); > + teardown_donated_memory(mc, hyp_vcpu, sizeof(*hyp_vcpu)); > } > > vm_size = pkvm_get_hyp_vm_size(hyp_vm->kvm.created_vcpus); > - unmap_donated_memory(hyp_vm, vm_size); > + teardown_donated_memory(mc, hyp_vm, vm_size);

We should move the unpinning of the host's kvm struct down here as 'mc' here is part of it. Otherwise nothing prevents the host from unsharing the pages and donating them, etc. Probably hard to exploit but still worth fixing IMO.

Thanks,
Quentin

> return 0;
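Review bot: once `teardown_donated_memory(mc, hyp_vm, vm_size);` has run, the `hyp_vm` structure itself has been zeroed by the `memset()` in `teardown_donated_memory()` and unmapped, so anything that still needs the host kvm struct after this line (such as the unpin Quentin suggests moving down here) can no longer reach it via `hyp_vm->host_kvm`. Suggest saving the pointer in a local before the vCPU loop, e.g. `struct kvm *host_kvm = hyp_vm->host_kvm;`, and unpinning through that local after the final push into `mc`; the same caution applies to any other field read from `hyp_vm` after it has been handed back.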