From: Sean Christopherson <seanjc@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH] KVM: x86/mmu: fix KVM_X86_QUIRK_SLOT_ZAP_ALL for shadow MMU
Date: Mon, 7 Oct 2024 08:07:28 -0700 [thread overview]
Message-ID: <ZwP1kvgyIGIO_p0x@google.com> (raw)
In-Reply-To: <ZwAeJ1RtReFiRiNd@google.com>
On Fri, Oct 04, 2024, Sean Christopherson wrote:
> On Thu, Oct 03, 2024, Paolo Bonzini wrote:
> > +static void kvm_mmu_zap_memslot(struct kvm *kvm,
> > + struct kvm_memory_slot *slot)
> > {
> > struct kvm_gfn_range range = {
> > .slot = slot,
> > @@ -7064,11 +7096,11 @@ static void kvm_mmu_zap_memslot_leafs(struct kvm *kvm, struct kvm_memory_slot *s
> > .end = slot->base_gfn + slot->npages,
> > .may_block = true,
> > };
> > + bool flush;
> >
> > write_lock(&kvm->mmu_lock);
> > - if (kvm_unmap_gfn_range(kvm, &range))
> > - kvm_flush_remote_tlbs_memslot(kvm, slot);
> > -
> > + flush = kvm_unmap_gfn_range(kvm, &range);
>
> Aha! Finally figured out why this was bugging me. Using kvm_unmap_gfn_range()
> is subject to a race that would lead to UAF. Huh. And that could explain the
> old VFIO bug, though it seems unlikely that the race was being hit.
>
> KVM_SET_USER_MEMORY_REGION vCPU
> __kvm_faultin_pfn() /* resolve fault->pfn */
> kvm_swap_active_memslots();
> kvm_zap_gfn_range(APIC);
Copy+paste fail, this was supposed to be synchronize_srcu_expedited().
> kvm_mmu_zap_memslot();
> {read,write}_lock(&kvm->mmu_lock);
> <install SPTE>
>
> KVM's existing memslot deletion relies on the mmu_valid_gen check in is_obsolete_sp()
> to detect an obsolete root (and the KVM_REQ_MMU_FREE_OBSOLETE_ROOTS check to handle
> roots without a SP).
>
> With this approach, roots aren't invalidated, and so a vCPU could install a SPTE
> using the to-be-delete memslot.
This is wrong, I managed to forget kvm->srcu is held for the entire duration of
KVM_RUN (except for the actual VM-Enter/VM-Exit code). And the slot is retrieved
before the mmu_invalidate_seq snapshot is taken.
next prev parent reply other threads:[~2024-10-07 15:07 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-03 23:01 [PATCH] KVM: x86/mmu: fix KVM_X86_QUIRK_SLOT_ZAP_ALL for shadow MMU Paolo Bonzini
2024-10-04 16:56 ` Sean Christopherson
2024-10-07 15:07 ` Sean Christopherson [this message]
2024-10-09 8:51 ` Yan Zhao
2024-10-09 13:05 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZwP1kvgyIGIO_p0x@google.com \
--to=seanjc@google.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.