[PATCH v2 0/2] KVM: arm64: Plug a couple of MM races

[Marc Zyngier <maz@kernel.org>]

Ard recently reported a really odd warning generated with KASAN, where
the page table walker we use to inspect the userspace page tables was
going into the weeds and accessing something that was looking totally
unrelated (and previously freed).

Will and I spent quite some time looking into it, and while we were
not able to reproduce the issue, we were able to spot at least a
couple of issues that could partially explain the issue.

The first course of action is to disable interrupts while walking the
userspace PTs. This prevents exit_mmap() from tearing down these PTs
by blocking the IPI. We also fail gracefully if the IPI won the race
and killed the page tables before we started the walk.

The second issue is to not use a VMA pointer that was obtained with
the mmap_read_lock held after that lock has been released. There is no
guarantee that it is still valid.

I've earmarked both for stable, though I expect backporting this to
older revisions of the kernel could be... interesting.

* From v1[1]:

  - Return -EAGAIN from get_user_mapping_size() when the mapping is
    gone instead of -EFAULT which would be fatal (which is still
    returned in cases that are not expected to be seen). Other error
    codes can also be returned from kvm_pgtable_get_leaf(), but always
    in conditions that are rather bad.

  - Rebased on top of kvmarm/fixes which already contains David's own
    MMU fix.

[1] https://lore.kernel.org/r/20230313091425.1962708-1-maz@kernel.org

Marc Zyngier (2):
  KVM: arm64: Disable interrupts while walking userspace PTs
  KVM: arm64: Check for kvm_vma_mte_allowed in the critical section

 arch/arm64/kvm/mmu.c | 53 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 44 insertions(+), 9 deletions(-)

-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel