From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B83892E3B1A; Thu, 3 Jul 2025 15:20:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1751556045; cv=none; b=Xbnvq7rtRtOz6rTherEdPewDJsAByxuZUpSt5BUQLvEHJUkVTDR0xEA/atlFJ+MyIhXtctqsCrFQ0/YKLHj3yCme+Po6/BQef3ZtNSBPhkMOeqxbkbW3scEGyNwPfKQHOg3Tl0SSEx0Lp8CQh+Hje4O0TVWjOlF9AnbwH5dO+68= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1751556045; c=relaxed/simple; bh=rTc4g/wkR7LGHBfwH8Dg0T05O+HFBvsY1px8C98jDyk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=K+Q1q5SEoQHyBoDyVy0fiz/msqwbQTiBziCCqqvDGzcLFR8hMAs0WN4/LHX22n8agui3Nx4MPaprSfapM3nEcT5c+XXmaFFvcOeyOBZvgZ+Vmcm/IhXWkae/mM/130iRoL+aUErI2N2A9Nwd9yxElgZCfXnshBJ1bch8L+LRYhE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=TWkqiocv; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="TWkqiocv" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1D871C4CEED; Thu, 3 Jul 2025 15:20:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1751556045; bh=rTc4g/wkR7LGHBfwH8Dg0T05O+HFBvsY1px8C98jDyk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TWkqiocv07JY0hn3G6PVYF9nBG+JyBBFZE+989LCH/U4JoZW69diSEL7Km6RlODA8 Ykv6VLIggPNKFC8BgvlyOgYULi6NKjI05uWKhCcEsh5AdpGw55rZq3mHnJ1F+9IQz+ g6y+Ahl7IMexJZfiBiwVo5RCMoQCD+A1CJ5D3gC4= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Rick Edgecombe , Michael Kelley , Kuppuswamy Sathyanarayanan , "Kirill A. Shutemov" , Wei Liu , Sasha Levin Subject: [PATCH 6.1 056/132] Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails Date: Thu, 3 Jul 2025 16:42:25 +0200 Message-ID: <20250703143941.622681705@linuxfoundation.org> X-Mailer: git-send-email 2.50.0 In-Reply-To: <20250703143939.370927276@linuxfoundation.org> References: <20250703143939.370927276@linuxfoundation.org> User-Agent: quilt/0.68 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Rick Edgecombe [ Upstream commit 03f5a999adba062456c8c818a683beb1b498983a ] In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. VMBus code could free decrypted pages if set_memory_encrypted()/decrypted() fails. Leak the pages if this happens. Signed-off-by: Rick Edgecombe Signed-off-by: Michael Kelley Reviewed-by: Kuppuswamy Sathyanarayanan Acked-by: Kirill A. Shutemov Link: https://lore.kernel.org/r/20240311161558.1310-2-mhklinux@outlook.com Signed-off-by: Wei Liu Message-ID: <20240311161558.1310-2-mhklinux@outlook.com> Stable-dep-of: 09eea7ad0b8e ("Drivers: hv: Allocate interrupt and monitor pages aligned to system page boundary") Signed-off-by: Sasha Levin --- drivers/hv/connection.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c index ebf15f31d97e3..744d2809acc3f 100644 --- a/drivers/hv/connection.c +++ b/drivers/hv/connection.c @@ -236,8 +236,17 @@ int vmbus_connect(void) vmbus_connection.monitor_pages[0], 1); ret |= set_memory_decrypted((unsigned long) vmbus_connection.monitor_pages[1], 1); - if (ret) + if (ret) { + /* + * If set_memory_decrypted() fails, the encryption state + * of the memory is unknown. So leak the memory instead + * of risking returning decrypted memory to the free list. + * For simplicity, always handle both pages the same. + */ + vmbus_connection.monitor_pages[0] = NULL; + vmbus_connection.monitor_pages[1] = NULL; goto cleanup; + } /* * Set_memory_decrypted() will change the memory contents if @@ -336,13 +345,19 @@ void vmbus_disconnect(void) vmbus_connection.int_page = NULL; } - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); + if (vmbus_connection.monitor_pages[0]) { + if (!set_memory_encrypted( + (unsigned long)vmbus_connection.monitor_pages[0], 1)) + hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); + vmbus_connection.monitor_pages[0] = NULL; + } - hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); - hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); - vmbus_connection.monitor_pages[0] = NULL; - vmbus_connection.monitor_pages[1] = NULL; + if (vmbus_connection.monitor_pages[1]) { + if (!set_memory_encrypted( + (unsigned long)vmbus_connection.monitor_pages[1], 1)) + hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); + vmbus_connection.monitor_pages[1] = NULL; + } } /* -- 2.39.5