Date: Tue, 14 Mar 2023 16:46:43 +0000
From: Oliver Upton
To: Marc Zyngier
Cc: David Matlack, kvm@vger.kernel.org, James Morse, Suzuki K Poulose, Zenghui Yu, Will Deacon, Marcelo Tosatti, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, stable@vger.kernel.org, Sean Christopherson
Subject: Re: [PATCH] KVM: arm64: Retry fault if vma_lookup() results become invalid
References: <20230313235454.2964067-1-dmatlack@google.com> <86fsa7xpjp.wl-maz@kernel.org>
In-Reply-To: <86fsa7xpjp.wl-maz@kernel.org>
X-Mailing-List: kvm@vger.kernel.org

On Tue, Mar 14, 2023 at 04:31:38PM +0000, Marc Zyngier wrote:
> [Dropping Christoffer's 11 year obsolete address...]
>
> On Mon, 13 Mar 2023 23:54:54 +0000,
> David Matlack wrote:
> >
> > Read mmu_invalidate_seq before dropping the mmap_lock so that KVM can
> > detect if the results of vma_lookup() (e.g. vma_shift) become stale
> > before it acquires kvm->mmu_lock. This fixes a theoretical bug where a
> > VMA could be changed by userspace after vma_lookup() and before KVM
> > reads the mmu_invalidate_seq, causing KVM to install page table entries
> > based on a (possibly) no-longer-valid vma_shift.
> >
> > Re-order the MMU cache top-up to earlier in user_mem_abort() so that it
> > is not done after KVM has read mmu_invalidate_seq (i.e. so as to avoid
> > inducing spurious fault retries).
> >
> > This bug has existed since KVM/ARM's inception. It's unlikely that any
> > sane userspace currently modifies VMAs in such a way as to trigger this
> > race. And even with directed testing I was unable to reproduce it. But a
> > sufficiently motivated host userspace might be able to exploit this
> > race.
> >
> > Fixes: 94f8e6418d39 ("KVM: ARM: Handle guest faults in KVM")
>
> Ah, good luck with that one! :D user_mem_abort() used to be so nice
> and simple at the time! And yet...
>
> > Cc: stable@vger.kernel.org
> > Reported-by: Sean Christopherson
> > Signed-off-by: David Matlack
>
> Reviewed-by: Marc Zyngier
>
> Oliver, how do you want to deal with this one? queue it right now? Or
> wait until the dust settles on my two other patches?
>
> I don't mind either way, I can either take it as part of the same
> series, or rebase my stuff on it.

I'll go ahead and grab it if you want to base your series on top of this,
thanks both of you!

--
Thanks,
Oliver
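The ordering problem the commit message describes, shown as an added toy model that is not KVM's code: `vma_shift`, `mmu_invalidate_seq`, the locks and the `userspace_changes_vma()` hook are constructed stand-ins, and the invalidation is injected deterministically at the window between dropping `mmap_lock` and taking `mmu_lock`.

```c
/* Constructed model of the vma_lookup()/mmu_invalidate_seq race (not KVM code). */
#include <stdbool.h>
#include <stdio.h>

static unsigned long mmu_invalidate_seq; /* bumped by every "invalidation" */
static int vma_shift = 21;               /* granule from vma_lookup(): 2M block */

/* Stand-in for userspace changing the VMA: the MMU notifier bumps the seq. */
static void userspace_changes_vma(void)
{
	vma_shift = 12;                  /* only 4K mappings are valid now */
	mmu_invalidate_seq++;
}

static void reset_model(void)
{
	mmu_invalidate_seq = 0;
	vma_shift = 21;
}

/* Old order: seq is sampled after mmap_lock is dropped. Returns the shift
 * the handler would install, or -1 for "retry the fault". */
static int fault_old_order(bool race)
{
	int shift = vma_shift;                   /* vma_lookup() under mmap_lock */
	/* mmap_lock dropped here */
	if (race)
		userspace_changes_vma();         /* VMA changes, seq bumped */
	unsigned long seq = mmu_invalidate_seq;  /* read too late: already bumped */
	/* kvm->mmu_lock taken */
	if (seq != mmu_invalidate_seq)
		return -1;                       /* never fires in the race */
	return shift;                            /* stale 2M shift installed */
}

/* Fixed order: seq is sampled before mmap_lock is dropped. */
static int fault_new_order(bool race)
{
	int shift = vma_shift;
	unsigned long seq = mmu_invalidate_seq;  /* read while still under mmap_lock */
	/* mmap_lock dropped here */
	if (race)
		userspace_changes_vma();
	/* kvm->mmu_lock taken */
	if (seq != mmu_invalidate_seq)
		return -1;                       /* change detected: retry */
	return shift;
}

int main(void)
{
	reset_model();
	printf("old order, raced: installs shift %d (vma_shift is now %d)\n",
	       fault_old_order(true), vma_shift);
	reset_model();
	printf("new order, raced: returns %d (retry)\n", fault_new_order(true));
	return 0;
}
```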