From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
To: Dave Hansen <dave.hansen@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>
Cc: x86@kernel.org, Kostya Serebryany <kcc@google.com>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Alexander Potapenko <glider@google.com>,
Taras Madan <tarasmadan@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
"H . J . Lu" <hjl.tools@gmail.com>,
Andi Kleen <ak@linux.intel.com>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Bharata B Rao <bharata@amd.com>,
Jacob Pan <jacob.jun.pan@linux.intel.com>,
Ashok Raj <ashok.raj@intel.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Marc Zyngier <maz@kernel.org>
Subject: [PATCHv9 06/14] KVM: Serialize tagged address check against tagging enabling
Date: Fri, 30 Sep 2022 17:47:50 +0300 [thread overview]
Message-ID: <20220930144758.30232-7-kirill.shutemov@linux.intel.com> (raw)
In-Reply-To: <20220930144758.30232-1-kirill.shutemov@linux.intel.com>
KVM forbids usage of tagged userspace addresses for memslots. It is done
by checking if the address stays the same after untagging.
It is works fine for ARM TBI, but it the check gets racy for LAM. TBI
enabling happens per-thread, so nobody can enable tagging for the thread
while the memslot gets added.
LAM gets enabled per-process. If it gets enabled after the
untagged_addr() check, but before access_ok() check the kernel can
wrongly allow tagged userspace_addr.
Use mmap lock to protect against parallel LAM enabling.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Cc: Marc Zyngier <maz@kernel.org>
---
virt/kvm/kvm_main.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index d2239aa85cf5..858c3e870ebc 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1941,12 +1941,22 @@ int __kvm_set_memory_region(struct kvm *kvm,
return -EINVAL;
if (mem->guest_phys_addr & (PAGE_SIZE - 1))
return -EINVAL;
+
+ /* Serialize against tagging enabling */
+ if (mmap_read_lock_killable(kvm->mm))
+ return -EINTR;
+
/* We can read the guest memory with __xxx_user() later on. */
if ((mem->userspace_addr & (PAGE_SIZE - 1)) ||
(mem->userspace_addr != untagged_addr(kvm->mm, mem->userspace_addr)) ||
!access_ok((void __user *)(unsigned long)mem->userspace_addr,
- mem->memory_size))
+ mem->memory_size)) {
+ mmap_read_unlock(kvm->mm);
return -EINVAL;
+ }
+
+ mmap_read_unlock(kvm->mm);
+
if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM)
return -EINVAL;
if (mem->guest_phys_addr + mem->memory_size < mem->guest_phys_addr)
--
2.35.1
next prev parent reply other threads:[~2022-09-30 14:48 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-30 14:47 [PATCHv9 00/14] Linear Address Masking enabling Kirill A. Shutemov
2022-09-30 14:47 ` [PATCHv9 01/14] x86/mm: Fix CR3_ADDR_MASK Kirill A. Shutemov
2022-09-30 14:47 ` [PATCHv9 02/14] x86: CPUID and CR3/CR4 flags for Linear Address Masking Kirill A. Shutemov
2022-09-30 14:47 ` [PATCHv9 03/14] mm: Pass down mm_struct to untagged_addr() Kirill A. Shutemov
2022-09-30 14:47 ` [PATCHv9 04/14] x86/mm: Handle LAM on context switch Kirill A. Shutemov
2022-09-30 14:47 ` [PATCHv9 05/14] x86/uaccess: Provide untagged_addr() and remove tags before address check Kirill A. Shutemov
2022-09-30 14:47 ` Kirill A. Shutemov [this message]
2022-09-30 14:47 ` [PATCHv9 07/14] x86/mm: Provide arch_prctl() interface for LAM Kirill A. Shutemov
2022-09-30 14:47 ` [PATCHv9 08/14] x86/mm: Reduce untagged_addr() overhead until the first LAM user Kirill A. Shutemov
2022-09-30 14:47 ` [PATCHv9 09/14] x86: Expose untagging mask in /proc/$PID/arch_status Kirill A. Shutemov
2022-09-30 14:47 ` [PATCHv9 10/14] x86/mm, iommu/sva: Make LAM and SVM mutually exclusive Kirill A. Shutemov
2022-10-10 21:24 ` Jacob Pan
2022-09-30 14:47 ` [PATCHv9 11/14] selftests/x86/lam: Add malloc and tag-bits test cases for linear-address masking Kirill A. Shutemov
2022-09-30 14:47 ` [PATCHv9 12/14] selftests/x86/lam: Add mmap and SYSCALL " Kirill A. Shutemov
2022-09-30 14:47 ` [PATCHv9 13/14] selftests/x86/lam: Add io_uring " Kirill A. Shutemov
2022-09-30 14:47 ` [PATCHv9 14/14] selftests/x86/lam: Add inherit " Kirill A. Shutemov
2022-10-06 13:58 ` [PATCHv9 00/14] Linear Address Masking enabling Alexander Potapenko
2022-10-06 16:41 ` Kirill A. Shutemov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220930144758.30232-7-kirill.shutemov@linux.intel.com \
--to=kirill.shutemov@linux.intel.com \
--cc=ak@linux.intel.com \
--cc=andreyknvl@gmail.com \
--cc=ashok.raj@intel.com \
--cc=bharata@amd.com \
--cc=dave.hansen@linux.intel.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=hjl.tools@gmail.com \
--cc=jacob.jun.pan@linux.intel.com \
--cc=kcc@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=maz@kernel.org \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=ryabinin.a.a@gmail.com \
--cc=tarasmadan@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).