From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.6 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58B5EC2B9F4 for ; Fri, 25 Jun 2021 08:04:39 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 14A0160200 for ; Fri, 25 Jun 2021 08:04:39 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 14A0160200 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=de.ibm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:Content-Type: Content-Transfer-Encoding:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:Date:Message-ID:From: References:Cc:To:Subject:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=bgIYFMCpfQnYMDmPD49LuiFtzXjVyBOVLaZY97oJoAc=; b=q6R2ooA0xUYKO2h2ZW/tricgFL wh1gpZ4//C5I4FBN1liVJWowKJ5Ozq2ghfjMUQN5bIXPptRkJDq2XfEMFy1edJaKS6GsMsixHCi0c T1f58pIIcHXsy24nYrckTEVg4SYloG45qhYa03S/0LWv220cyfonFa24BXal2goXM5bAXqhhGvU5g 2P4p+UfIEHZvxUJ6mFmiOMJxHBm6AjW8p77y1AA7TyyPXVFn47IGX6Mv6G7BtOyKJQa8SlqeP61Rb BHEHXAxmD1YtDFnjhI5DLXV+911nCKnF3LtODu00etnMDWKfKgr5JJXGARqTGODAGxjakscbccVDe ktj9464g==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1lwgn4-000Brf-JY; Fri, 25 Jun 2021 08:02:20 +0000 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5] helo=mx0a-001b2d01.pphosted.com) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1lwgWE-0005z0-BB for linux-arm-kernel@lists.infradead.org; Fri, 25 Jun 2021 07:44:56 +0000 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 15P7YTqX061945; Fri, 25 Jun 2021 03:44:39 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=pp1; bh=1RqvYvHqS+g8GAhL7EUAfBHKQHRxaUMGXuw/IwCXA00=; b=Nmb11u4f/JhMKk+ivMs7oA1Ku85DovZ4LdaLOgwfNrDLH0a/wz5mI0aLrLO3Altwv4N4 LMTZyz/WDveZjxrU5tD5PPo68pDirAd4Gfrex52xiqR0TujC5LdTRYi0ri1ge/eDHmSN JQJ8rK/jOMjr3THp/ok9RkvIdn/4KtjecaWiJfeTOER6nglHE+EZicixc1c1BnhsB+1Y g5DWwvan20xvxygDIi3MEZQ7H/GwZDVcHzVEGz2iIjsiJgKnoZ7U+TUpyPDhD5O2Zekw xJiAEI7Z0lyxcZgGi3MCDrgB0acHr+cDdUAyjJoQ4I+2kOZz0Z9ex/2nv4xilwCqOw4H ZA== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 39d8cn51sy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 25 Jun 2021 03:44:39 -0400 Received: from m0098420.ppops.net (m0098420.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 15P7YRo0061765; Fri, 25 Jun 2021 03:44:38 -0400 Received: from ppma06ams.nl.ibm.com (66.31.33a9.ip4.static.sl-reverse.com [169.51.49.102]) by mx0b-001b2d01.pphosted.com with ESMTP id 39d8cn51s5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 25 Jun 2021 03:44:38 -0400 Received: from pps.filterd (ppma06ams.nl.ibm.com [127.0.0.1]) by ppma06ams.nl.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 15P7g5SF017198; Fri, 25 Jun 2021 07:44:36 GMT Received: from b06avi18878370.portsmouth.uk.ibm.com (b06avi18878370.portsmouth.uk.ibm.com [9.149.26.194]) by ppma06ams.nl.ibm.com with ESMTP id 3997uhaw6x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 25 Jun 2021 07:44:35 +0000 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06avi18878370.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 15P7h6UA14352728 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 25 Jun 2021 07:43:06 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6193DAE056; Fri, 25 Jun 2021 07:44:33 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9D274AE051; Fri, 25 Jun 2021 07:44:31 +0000 (GMT) Received: from oc7455500831.ibm.com (unknown [9.171.31.44]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Fri, 25 Jun 2021 07:44:31 +0000 (GMT) Subject: Re: [PATCH 0/6] KVM: Remove uses of struct page from x86 and arm64 MMU To: Nicholas Piggin , Aleksandar Markovic , Huacai Chen , Marc Zyngier , Paul Mackerras , Paolo Bonzini , David Stevens , Zhenyu Wang , Zhi Wang Cc: Alexandru Elisei , dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, intel-gvt-dev@lists.freedesktop.org, James Morse , Jim Mattson , Joerg Roedel , kvmarm@lists.cs.columbia.edu, kvm-ppc@vger.kernel.org, kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, Sean Christopherson , David Stevens , Suzuki K Poulose , Vitaly Kuznetsov , Wanpeng Li , Will Deacon References: <20210624035749.4054934-1-stevensd@google.com> <1624530624.8jff1f4u11.astroid@bobo.none> <1624534759.nj0ylor2eh.astroid@bobo.none> <0d3a699a-15eb-9f1b-0735-79d14736f38c@redhat.com> <1624539354.6zggpdrdbw.astroid@bobo.none> From: Christian Borntraeger Message-ID: <19c4e392-fbab-ee2c-7039-c88d1ae5775d@de.ibm.com> Date: Fri, 25 Jun 2021 09:44:31 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: <1624539354.6zggpdrdbw.astroid@bobo.none> Content-Language: en-US X-TM-AS-GCONF: 00 X-Proofpoint-GUID: Xd2p2n2e6jxdPlNvwSbyIgmg3LPAQMfs X-Proofpoint-ORIG-GUID: 6q0X_bUItmYJaGkAxPmmRfj9zzu6NsL2 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-06-25_02:2021-06-24, 2021-06-25 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 suspectscore=0 malwarescore=0 lowpriorityscore=0 adultscore=0 mlxlogscore=999 impostorscore=0 bulkscore=0 priorityscore=1501 clxscore=1011 mlxscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2106250043 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210625_004454_584416_3CE8FF99 X-CRM114-Status: GOOD ( 45.23 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 24.06.21 14:57, Nicholas Piggin wrote: > Excerpts from Paolo Bonzini's message of June 24, 2021 10:41 pm: >> On 24/06/21 13:42, Nicholas Piggin wrote: >>> Excerpts from Nicholas Piggin's message of June 24, 2021 8:34 pm: >>>> Excerpts from David Stevens's message of June 24, 2021 1:57 pm: >>>>> KVM supports mapping VM_IO and VM_PFNMAP memory into the guest by using >>>>> follow_pte in gfn_to_pfn. However, the resolved pfns may not have >>>>> assoicated struct pages, so they should not be passed to pfn_to_page. >>>>> This series removes such calls from the x86 and arm64 secondary MMU. To >>>>> do this, this series modifies gfn_to_pfn to return a struct page in >>>>> addition to a pfn, if the hva was resolved by gup. This allows the >>>>> caller to call put_page only when necessated by gup. >>>>> >>>>> This series provides a helper function that unwraps the new return type >>>>> of gfn_to_pfn to provide behavior identical to the old behavior. As I >>>>> have no hardware to test powerpc/mips changes, the function is used >>>>> there for minimally invasive changes. Additionally, as gfn_to_page and >>>>> gfn_to_pfn_cache are not integrated with mmu notifier, they cannot be >>>>> easily changed over to only use pfns. >>>>> >>>>> This addresses CVE-2021-22543 on x86 and arm64. >>>> >>>> Does this fix the problem? (untested I don't have a POC setup at hand, >>>> but at least in concept) >>> >>> This one actually compiles at least. Unfortunately I don't have much >>> time in the near future to test, and I only just found out about this >>> CVE a few hours ago. >> >> And it also works (the reproducer gets an infinite stream of userspace >> exits and especially does not crash). We can still go for David's >> solution later since MMU notifiers are able to deal with this pages, but >> it's a very nice patch for stable kernels. > > Oh nice, thanks for testing. How's this? > > Thanks, > Nick > > --- > > KVM: Fix page ref underflow for regions with valid but non-refcounted pages > > It's possible to create a region which maps valid but non-refcounted > pages (e.g., tail pages of non-compound higher order allocations). These > host pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family > of APIs, which take a reference to the page, which takes it from 0 to 1. > When the reference is dropped, this will free the page incorrectly. > > Fix this by only taking a reference on the page if it was non-zero, > which indicates it is participating in normal refcounting (and can be > released with put_page). > > Signed-off-by: Nicholas Piggin > --- > virt/kvm/kvm_main.c | 19 +++++++++++++++++-- > 1 file changed, 17 insertions(+), 2 deletions(-) > > diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c > index 6a6bc7af0e28..46fb042837d2 100644 > --- a/virt/kvm/kvm_main.c > +++ b/virt/kvm/kvm_main.c > @@ -2055,6 +2055,13 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault) > return true; > } > > +static int kvm_try_get_pfn(kvm_pfn_t pfn) > +{ > + if (kvm_is_reserved_pfn(pfn)) > + return 1; > + return get_page_unless_zero(pfn_to_page(pfn)); > +} > + > static int hva_to_pfn_remapped(struct vm_area_struct *vma, > unsigned long addr, bool *async, > bool write_fault, bool *writable, > @@ -2104,13 +2111,21 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, > * Whoever called remap_pfn_range is also going to call e.g. > * unmap_mapping_range before the underlying pages are freed, > * causing a call to our MMU notifier. > + * > + * Certain IO or PFNMAP mappings can be backed with valid > + * struct pages, but be allocated without refcounting e.g., > + * tail pages of non-compound higher order allocations, which > + * would then underflow the refcount when the caller does the > + * required put_page. Don't allow those pages here. > */ > - kvm_get_pfn(pfn); > + if (!kvm_try_get_pfn(pfn)) > + r = -EFAULT; > Right. That should also take care of s390 (pin_guest_page in vsie.c which calls gfn_to_page). FWIW, the current API is really hard to follow as it does not tell which functions take a reference and which dont. Anyway, this patch (with cc stable?) Reviewed-by: Christian Borntraeger > out: > pte_unmap_unlock(ptep, ptl); > *p_pfn = pfn; > - return 0; > + > + return r; > } > > /* > _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel