From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 14 Mar 2023 16:46:43 +0000
From: Oliver Upton
To: Marc Zyngier
Cc: David Matlack, kvm@vger.kernel.org, James Morse, Suzuki K Poulose, Zenghui Yu, Will Deacon, Marcelo Tosatti, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, stable@vger.kernel.org, Sean Christopherson
Subject: Re: [PATCH] KVM: arm64: Retry fault if vma_lookup() results become invalid
Message-ID:
References: <20230313235454.2964067-1-dmatlack@google.com> <86fsa7xpjp.wl-maz@kernel.org>
In-Reply-To: <86fsa7xpjp.wl-maz@kernel.org>
X-Mailing-List: kvmarm@lists.linux.dev

On Tue, Mar 14, 2023 at 04:31:38PM +0000, Marc Zyngier wrote:
> [Dropping Christoffer's 11 year obsolete address...]
>
> On Mon, 13 Mar 2023 23:54:54 +0000,
> David Matlack wrote:
> >
> > Read mmu_invalidate_seq before dropping the mmap_lock so that KVM can
> > detect if the results of vma_lookup() (e.g. vma_shift) become stale
> > before it acquires kvm->mmu_lock. This fixes a theoretical bug where a
> > VMA could be changed by userspace after vma_lookup() and before KVM
> > reads the mmu_invalidate_seq, causing KVM to install page table entries
> > based on a (possibly) no-longer-valid vma_shift.
> >
> > Re-order the MMU cache top-up to earlier in user_mem_abort() so that it
> > is not done after KVM has read mmu_invalidate_seq (i.e. so as to avoid
> > inducing spurious fault retries).
> >
> > This bug has existed since KVM/ARM's inception. It's unlikely that any
> > sane userspace currently modifies VMAs in such a way as to trigger this
> > race. And even with directed testing I was unable to reproduce it. But a
> > sufficiently motivated host userspace might be able to exploit this
> > race.
> >
> > Fixes: 94f8e6418d39 ("KVM: ARM: Handle guest faults in KVM")
>
> Ah, good luck with that one! :D user_mem_abort() used to be so nice
> and simple at the time! And yet...
>
> > Cc: stable@vger.kernel.org
> > Reported-by: Sean Christopherson
> > Signed-off-by: David Matlack
> > Reviewed-by: Marc Zyngier
>
> Oliver, how do you want to deal with this one? queue it right now? Or
> wait until the dust settles on my two other patches?
>
> I don't mind either way, I can either take it as part of the same
> series, or rebase my stuff on it.

I'll go ahead and grab it if you want to base your series on top of this,
thanks both of you!
-- 
Thanks,
Oliver
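The ordering argued for in the patch description above (snapshot mmu_invalidate_seq while mmap_lock is still held, then compare it under mmu_lock and retry on mismatch) can be seen in a small constructed model. This is an added example, not kernel code and not the patch itself: `struct fault_ctx`, `handle_fault()`, `fault_handled_safely()`, the `seq_order` enum and the shift values 21/12 are all assumptions made here to mirror the two orderings the thread discusses.

```c
/* Constructed model of the two orderings discussed in the thread; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the state user_mem_abort() consults (assumed names). */
struct fault_ctx {
	unsigned long mmu_invalidate_seq; /* bumped whenever guest mappings are invalidated */
	int vma_shift;                    /* what vma_lookup() would report right now */
};

enum seq_order {
	SEQ_AFTER_UNLOCK,  /* pre-patch: mmap_lock dropped, then sequence read */
	SEQ_BEFORE_UNLOCK, /* patched:   sequence read while mmap_lock is still held */
};

struct outcome {
	bool retried;        /* handler noticed a change and retried the fault */
	int installed_shift; /* shift baked into the installed PTE, -1 if none */
};

/*
 * Userspace changes the VMA (e.g. splits a 2M-backed region into 4K pages).
 * This can only happen while mmap_lock is not held, and the resulting
 * invalidation bumps the sequence counter.
 */
static void userspace_changes_vma(struct fault_ctx *c, int new_shift)
{
	c->mmu_invalidate_seq++;
	c->vma_shift = new_shift;
}

static struct outcome handle_fault(struct fault_ctx *c, enum seq_order order,
				   bool change_after_unlock)
{
	struct outcome out = { .retried = false, .installed_shift = -1 };
	unsigned long mmu_seq = 0;

	/* MMU cache top-up would happen here, ahead of the sequence read in both orderings. */

	/* --- mmap_lock held --- */
	int vma_shift = c->vma_shift;		/* vma_lookup() result */
	if (order == SEQ_BEFORE_UNLOCK)
		mmu_seq = c->mmu_invalidate_seq;	/* snapshot covers the lookup above */
	/* --- mmap_lock dropped --- */

	if (change_after_unlock)
		userspace_changes_vma(c, vma_shift - 9); /* constructed: 21 (2M) -> 12 (4K) */

	if (order == SEQ_AFTER_UNLOCK)
		mmu_seq = c->mmu_invalidate_seq;	/* too late: already includes the change */

	/* --- mmu_lock held: the mmu_invalidate_retry() check --- */
	if (mmu_seq != c->mmu_invalidate_seq) {
		out.retried = true;
		return out;
	}
	out.installed_shift = vma_shift;	/* PTE installed from the (possibly stale) snapshot */
	return out;
}

/*
 * True if the handler either retried or installed a PTE matching the VMA as it
 * is now; false means a stale vma_shift reached the page table.
 */
static bool fault_handled_safely(enum seq_order order, bool change_after_unlock)
{
	struct fault_ctx c = { .mmu_invalidate_seq = 7, .vma_shift = 21 }; /* constructed values */
	struct outcome out = handle_fault(&c, order, change_after_unlock);

	return out.retried || out.installed_shift == c.vma_shift;
}

int main(void)
{
	printf("pre-patch, no race : %s\n", fault_handled_safely(SEQ_AFTER_UNLOCK, false) ? "ok" : "STALE");
	printf("pre-patch, race    : %s\n", fault_handled_safely(SEQ_AFTER_UNLOCK, true) ? "ok" : "STALE");
	printf("patched,   race    : %s\n", fault_handled_safely(SEQ_BEFORE_UNLOCK, true) ? "ok" : "STALE");
	return 0;
}
```

The only difference between the two orderings is where the snapshot is taken. With the pre-patch ordering, a VMA change in the window between dropping mmap_lock and reading the sequence is absorbed into the snapshot, so the later comparison passes and the stale `vma_shift` is installed; with the patched ordering the same change makes the comparison fail and the fault is retried, which is the behaviour the patch description asks for.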