* [PATCH v2 1/3] KVM: Don't create VM debugfs files outside of the VM directory
2022-04-04 18:21 [PATCH v2 0/3] KVM: Fix use-after-free in debugfs Oliver Upton
@ 2022-04-04 18:21 ` Oliver Upton
2022-04-06 7:10 ` Marc Zyngier
2022-04-04 18:21 ` [PATCH v2 2/3] selftests: KVM: Don't leak GIC FD across dirty log test iterations Oliver Upton
2022-04-04 18:21 ` [PATCH v2 3/3] selftests: KVM: Free the GIC FD when cleaning up in arch_timer Oliver Upton
2 siblings, 1 reply; 6+ messages in thread
From: Oliver Upton @ 2022-04-04 18:21 UTC (permalink / raw)
To: kvmarm
Cc: kvm, Marc Zyngier, James Morse, Alexandru Elisei,
Suzuki K Poulose, linux-arm-kernel, Peter Shier, Ricardo Koller,
Reiji Watanabe, Paolo Bonzini, Sean Christopherson, Oliver Upton,
stable
Unfortunately, there is no guarantee that KVM was able to instantiate a
debugfs directory for a particular VM. To that end, KVM shouldn't even
attempt to create new debugfs files in this case. If the specified
parent dentry is NULL, debugfs_create_file() will instantiate files at
the root of debugfs.
For arm64, it is possible to create the vgic-state file outside of a
VM directory, the file is not cleaned up when a VM is destroyed.
Nonetheless, the corresponding struct kvm is freed when the VM is
destroyed.
Nip the problem in the bud for all possible errant debugfs file
creations by initializing kvm->debugfs_dentry to -ENOENT. In so doing,
debugfs_create_file() will fail instead of creating the file in the root
directory.
Cc: stable@kernel.org
Fixes: 929f45e32499 ("kvm: no need to check return value of debugfs_create functions")
Signed-off-by: Oliver Upton <oupton@google.com>
---
virt/kvm/kvm_main.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 70e05af5ebea..04a426e65cb8 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -932,7 +932,7 @@ static void kvm_destroy_vm_debugfs(struct kvm *kvm)
int kvm_debugfs_num_entries = kvm_vm_stats_header.num_desc +
kvm_vcpu_stats_header.num_desc;
- if (!kvm->debugfs_dentry)
+ if (!IS_ERR(kvm->debugfs_dentry))
return;
debugfs_remove_recursive(kvm->debugfs_dentry);
@@ -955,6 +955,12 @@ static int kvm_create_vm_debugfs(struct kvm *kvm, int fd)
int kvm_debugfs_num_entries = kvm_vm_stats_header.num_desc +
kvm_vcpu_stats_header.num_desc;
+ /*
+ * Force subsequent debugfs file creations to fail if the VM directory
+ * is not created.
+ */
+ kvm->debugfs_dentry = ERR_PTR(-ENOENT);
+
if (!debugfs_initialized())
return 0;
@@ -5479,7 +5485,7 @@ static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm)
}
add_uevent_var(env, "PID=%d", kvm->userspace_pid);
- if (kvm->debugfs_dentry) {
+ if (!IS_ERR(kvm->debugfs_dentry)) {
char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL_ACCOUNT);
if (p) {
--
2.35.1.1094.g7c7d902a7c-goog
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH v2 1/3] KVM: Don't create VM debugfs files outside of the VM directory
2022-04-04 18:21 ` [PATCH v2 1/3] KVM: Don't create VM debugfs files outside of the VM directory Oliver Upton
@ 2022-04-06 7:10 ` Marc Zyngier
2022-04-06 17:59 ` Oliver Upton
0 siblings, 1 reply; 6+ messages in thread
From: Marc Zyngier @ 2022-04-06 7:10 UTC (permalink / raw)
To: Oliver Upton
Cc: kvmarm, kvm, James Morse, Alexandru Elisei, Suzuki K Poulose,
linux-arm-kernel, Peter Shier, Ricardo Koller, Reiji Watanabe,
Paolo Bonzini, Sean Christopherson, stable
Hi Oliver,
On Mon, 04 Apr 2022 19:21:17 +0100,
Oliver Upton <oupton@google.com> wrote:
>
> Unfortunately, there is no guarantee that KVM was able to instantiate a
> debugfs directory for a particular VM. To that end, KVM shouldn't even
> attempt to create new debugfs files in this case. If the specified
> parent dentry is NULL, debugfs_create_file() will instantiate files at
> the root of debugfs.
>
> For arm64, it is possible to create the vgic-state file outside of a
> VM directory, the file is not cleaned up when a VM is destroyed.
> Nonetheless, the corresponding struct kvm is freed when the VM is
> destroyed.
>
> Nip the problem in the bud for all possible errant debugfs file
> creations by initializing kvm->debugfs_dentry to -ENOENT. In so doing,
> debugfs_create_file() will fail instead of creating the file in the root
> directory.
>
> Cc: stable@kernel.org
> Fixes: 929f45e32499 ("kvm: no need to check return value of debugfs_create functions")
> Signed-off-by: Oliver Upton <oupton@google.com>
> ---
> virt/kvm/kvm_main.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 70e05af5ebea..04a426e65cb8 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -932,7 +932,7 @@ static void kvm_destroy_vm_debugfs(struct kvm *kvm)
> int kvm_debugfs_num_entries = kvm_vm_stats_header.num_desc +
> kvm_vcpu_stats_header.num_desc;
>
> - if (!kvm->debugfs_dentry)
> + if (!IS_ERR(kvm->debugfs_dentry))
> return;
Shouldn't this condition be inverted? It certainly looks odd.
>
> debugfs_remove_recursive(kvm->debugfs_dentry);
> @@ -955,6 +955,12 @@ static int kvm_create_vm_debugfs(struct kvm *kvm, int fd)
> int kvm_debugfs_num_entries = kvm_vm_stats_header.num_desc +
> kvm_vcpu_stats_header.num_desc;
>
> + /*
> + * Force subsequent debugfs file creations to fail if the VM directory
> + * is not created.
> + */
> + kvm->debugfs_dentry = ERR_PTR(-ENOENT);
> +
> if (!debugfs_initialized())
> return 0;
>
> @@ -5479,7 +5485,7 @@ static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm)
> }
> add_uevent_var(env, "PID=%d", kvm->userspace_pid);
>
> - if (kvm->debugfs_dentry) {
> + if (!IS_ERR(kvm->debugfs_dentry)) {
> char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL_ACCOUNT);
>
> if (p) {
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH v2 1/3] KVM: Don't create VM debugfs files outside of the VM directory
2022-04-06 7:10 ` Marc Zyngier
@ 2022-04-06 17:59 ` Oliver Upton
0 siblings, 0 replies; 6+ messages in thread
From: Oliver Upton @ 2022-04-06 17:59 UTC (permalink / raw)
To: Marc Zyngier
Cc: kvmarm, kvm, James Morse, Alexandru Elisei, Suzuki K Poulose,
linux-arm-kernel, Peter Shier, Ricardo Koller, Reiji Watanabe,
Paolo Bonzini, Sean Christopherson, stable
On Wed, Apr 06, 2022 at 08:10:00AM +0100, Marc Zyngier wrote:
> Hi Oliver,
>
> On Mon, 04 Apr 2022 19:21:17 +0100,
> Oliver Upton <oupton@google.com> wrote:
> >
> > Unfortunately, there is no guarantee that KVM was able to instantiate a
> > debugfs directory for a particular VM. To that end, KVM shouldn't even
> > attempt to create new debugfs files in this case. If the specified
> > parent dentry is NULL, debugfs_create_file() will instantiate files at
> > the root of debugfs.
> >
> > For arm64, it is possible to create the vgic-state file outside of a
> > VM directory, the file is not cleaned up when a VM is destroyed.
> > Nonetheless, the corresponding struct kvm is freed when the VM is
> > destroyed.
> >
> > Nip the problem in the bud for all possible errant debugfs file
> > creations by initializing kvm->debugfs_dentry to -ENOENT. In so doing,
> > debugfs_create_file() will fail instead of creating the file in the root
> > directory.
> >
> > Cc: stable@kernel.org
> > Fixes: 929f45e32499 ("kvm: no need to check return value of debugfs_create functions")
> > Signed-off-by: Oliver Upton <oupton@google.com>
> > ---
> > virt/kvm/kvm_main.c | 10 ++++++++--
> > 1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> > index 70e05af5ebea..04a426e65cb8 100644
> > --- a/virt/kvm/kvm_main.c
> > +++ b/virt/kvm/kvm_main.c
> > @@ -932,7 +932,7 @@ static void kvm_destroy_vm_debugfs(struct kvm *kvm)
> > int kvm_debugfs_num_entries = kvm_vm_stats_header.num_desc +
> > kvm_vcpu_stats_header.num_desc;
> >
> > - if (!kvm->debugfs_dentry)
> > + if (!IS_ERR(kvm->debugfs_dentry))
> > return;
>
> Shouldn't this condition be inverted? It certainly looks odd.
Err... Yep, this is plain wrong. Let me fix this obvious mistake.
--
Thanks,
Oliver
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v2 2/3] selftests: KVM: Don't leak GIC FD across dirty log test iterations
2022-04-04 18:21 [PATCH v2 0/3] KVM: Fix use-after-free in debugfs Oliver Upton
2022-04-04 18:21 ` [PATCH v2 1/3] KVM: Don't create VM debugfs files outside of the VM directory Oliver Upton
@ 2022-04-04 18:21 ` Oliver Upton
2022-04-04 18:21 ` [PATCH v2 3/3] selftests: KVM: Free the GIC FD when cleaning up in arch_timer Oliver Upton
2 siblings, 0 replies; 6+ messages in thread
From: Oliver Upton @ 2022-04-04 18:21 UTC (permalink / raw)
To: kvmarm
Cc: kvm, Marc Zyngier, James Morse, Alexandru Elisei,
Suzuki K Poulose, linux-arm-kernel, Peter Shier, Ricardo Koller,
Reiji Watanabe, Paolo Bonzini, Sean Christopherson, Oliver Upton,
Jing Zhang
dirty_log_perf_test instantiates a VGICv3 for the guest (if supported by
hardware) to reduce the overhead of guest exits. However, the test does
not actually close the GIC fd when cleaning up the VM between test
iterations, meaning that the VM is never actually destroyed in the
kernel.
While this is generally a bad idea, the bug was detected from the kernel
spewing about duplicate debugfs entries as subsequent VMs happen to
reuse the same FD even though the debugfs directory is still present.
Abstract away the notion of setup/cleanup of the GIC FD from the test
by creating arch-specific helpers for test setup/cleanup. Close the GIC
FD on VM cleanup and do nothing for the other architectures.
Fixes: c340f7899af6 ("KVM: selftests: Add vgic initialization for dirty log perf test for ARM")
Reviewed-by: Jing Zhang <jingzhangos@google.com>
Signed-off-by: Oliver Upton <oupton@google.com>
---
.../selftests/kvm/dirty_log_perf_test.c | 34 +++++++++++++++++--
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/kvm/dirty_log_perf_test.c b/tools/testing/selftests/kvm/dirty_log_perf_test.c
index c9d9e513ca04..7b47ae4f952e 100644
--- a/tools/testing/selftests/kvm/dirty_log_perf_test.c
+++ b/tools/testing/selftests/kvm/dirty_log_perf_test.c
@@ -18,11 +18,40 @@
#include "test_util.h"
#include "perf_test_util.h"
#include "guest_modes.h"
+
#ifdef __aarch64__
#include "aarch64/vgic.h"
#define GICD_BASE_GPA 0x8000000ULL
#define GICR_BASE_GPA 0x80A0000ULL
+
+static int gic_fd;
+
+static void arch_setup_vm(struct kvm_vm *vm, unsigned int nr_vcpus)
+{
+ /*
+ * The test can still run even if hardware does not support GICv3, as it
+ * is only an optimization to reduce guest exits.
+ */
+ gic_fd = vgic_v3_setup(vm, nr_vcpus, 64, GICD_BASE_GPA, GICR_BASE_GPA);
+}
+
+static void arch_cleanup_vm(struct kvm_vm *vm)
+{
+ if (gic_fd > 0)
+ close(gic_fd);
+}
+
+#else /* __aarch64__ */
+
+static void arch_setup_vm(struct kvm_vm *vm, unsigned int nr_vcpus)
+{
+}
+
+static void arch_cleanup_vm(struct kvm_vm *vm)
+{
+}
+
#endif
/* How many host loops to run by default (one KVM_GET_DIRTY_LOG for each loop)*/
@@ -206,9 +235,7 @@ static void run_test(enum vm_guest_mode mode, void *arg)
vm_enable_cap(vm, &cap);
}
-#ifdef __aarch64__
- vgic_v3_setup(vm, nr_vcpus, 64, GICD_BASE_GPA, GICR_BASE_GPA);
-#endif
+ arch_setup_vm(vm, nr_vcpus);
/* Start the iterations */
iteration = 0;
@@ -302,6 +329,7 @@ static void run_test(enum vm_guest_mode mode, void *arg)
}
free_bitmaps(bitmaps, p->slots);
+ arch_cleanup_vm(vm);
perf_test_destroy_vm(vm);
}
--
2.35.1.1094.g7c7d902a7c-goog
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH v2 3/3] selftests: KVM: Free the GIC FD when cleaning up in arch_timer
2022-04-04 18:21 [PATCH v2 0/3] KVM: Fix use-after-free in debugfs Oliver Upton
2022-04-04 18:21 ` [PATCH v2 1/3] KVM: Don't create VM debugfs files outside of the VM directory Oliver Upton
2022-04-04 18:21 ` [PATCH v2 2/3] selftests: KVM: Don't leak GIC FD across dirty log test iterations Oliver Upton
@ 2022-04-04 18:21 ` Oliver Upton
2 siblings, 0 replies; 6+ messages in thread
From: Oliver Upton @ 2022-04-04 18:21 UTC (permalink / raw)
To: kvmarm
Cc: kvm, Marc Zyngier, James Morse, Alexandru Elisei,
Suzuki K Poulose, linux-arm-kernel, Peter Shier, Ricardo Koller,
Reiji Watanabe, Paolo Bonzini, Sean Christopherson, Oliver Upton
In order to correctly destroy a VM, all references to the VM must be
freed. The arch_timer selftest creates a VGIC for the guest, which
itself holds a reference to the VM.
Close the GIC FD when cleaning up a VM.
Signed-off-by: Oliver Upton <oupton@google.com>
---
tools/testing/selftests/kvm/aarch64/arch_timer.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/kvm/aarch64/arch_timer.c b/tools/testing/selftests/kvm/aarch64/arch_timer.c
index b08d30bf71c5..3b940a101bc0 100644
--- a/tools/testing/selftests/kvm/aarch64/arch_timer.c
+++ b/tools/testing/selftests/kvm/aarch64/arch_timer.c
@@ -362,11 +362,12 @@ static void test_init_timer_irq(struct kvm_vm *vm)
pr_debug("ptimer_irq: %d; vtimer_irq: %d\n", ptimer_irq, vtimer_irq);
}
+static int gic_fd;
+
static struct kvm_vm *test_vm_create(void)
{
struct kvm_vm *vm;
unsigned int i;
- int ret;
int nr_vcpus = test_args.nr_vcpus;
vm = vm_create_default_with_vcpus(nr_vcpus, 0, 0, guest_code, NULL);
@@ -383,8 +384,8 @@ static struct kvm_vm *test_vm_create(void)
ucall_init(vm, NULL);
test_init_timer_irq(vm);
- ret = vgic_v3_setup(vm, nr_vcpus, 64, GICD_BASE_GPA, GICR_BASE_GPA);
- if (ret < 0) {
+ gic_fd = vgic_v3_setup(vm, nr_vcpus, 64, GICD_BASE_GPA, GICR_BASE_GPA);
+ if (gic_fd < 0) {
print_skip("Failed to create vgic-v3");
exit(KSFT_SKIP);
}
@@ -395,6 +396,12 @@ static struct kvm_vm *test_vm_create(void)
return vm;
}
+static void test_vm_cleanup(struct kvm_vm *vm)
+{
+ close(gic_fd);
+ kvm_vm_free(vm);
+}
+
static void test_print_help(char *name)
{
pr_info("Usage: %s [-h] [-n nr_vcpus] [-i iterations] [-p timer_period_ms]\n",
@@ -478,7 +485,7 @@ int main(int argc, char *argv[])
vm = test_vm_create();
test_run(vm);
- kvm_vm_free(vm);
+ test_vm_cleanup(vm);
return 0;
}
--
2.35.1.1094.g7c7d902a7c-goog
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 6+ messages in thread