From: lizf@kernel.org
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Andy Lutomirski <luto@kernel.org>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Andy Lutomirski <luto@amacapital.net>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Borislav Petkov <bp@alien8.de>, Brian Gerst <brgerst@gmail.com>,
David Vrabel <dvrabel@cantab.net>,
Denys Vlasenko <dvlasenk@redhat.com>,
"H. Peter Anvin" <hpa@zytor.com>, Jan Beulich <jbeulich@suse.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <peterz@infradead.org>,
Sasha Levin <sasha.levin@oracle.com>,
Steven Rostedt <rostedt@goodmis.org>,
Thomas Gleixner <tglx@linutronix.de>,
"security@kernel.org" <security@kernel.org>,
xen-devel <xen-devel@lists.xen.org>,
Ingo Molnar <mingo@kernel.org>, Zefan Li <lizefan@huawei.com>
Subject: [PATCH 3.4 055/107] x86/xen: Probe target addresses in set_aliased_prot() before the hypercall
Date: Wed, 16 Mar 2016 16:05:49 +0800 [thread overview]
Message-ID: <1458115601-5762-55-git-send-email-lizf@kernel.org> (raw)
In-Reply-To: <1458115541-5712-1-git-send-email-lizf@kernel.org>
From: Andy Lutomirski <luto@kernel.org>
3.4.111-rc1 review patch. If anyone has any objections, please let me know.
------------------
commit aa1acff356bbedfd03b544051f5b371746735d89 upstream.
The update_va_mapping hypercall can fail if the VA isn't present
in the guest's page tables. Under certain loads, this can
result in an OOPS when the target address is in unpopulated vmap
space.
While we're at it, add comments to help explain what's going on.
This isn't a great long-term fix. This code should probably be
changed to use something like set_memory_ro.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Vrabel <dvrabel@cantab.net>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: security@kernel.org <security@kernel.org>
Cc: xen-devel <xen-devel@lists.xen.org>
Link: http://lkml.kernel.org/r/0b0e55b995cda11e7829f140b833ef932fcabe3a.1438291540.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Zefan Li <lizefan@huawei.com>
---
arch/x86/xen/enlighten.c | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
index 9598038..8ade106 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -413,6 +413,7 @@ static void set_aliased_prot(void *v, pgprot_t prot)
pte_t pte;
unsigned long pfn;
struct page *page;
+ unsigned char dummy;
ptep = lookup_address((unsigned long)v, &level);
BUG_ON(ptep == NULL);
@@ -422,6 +423,32 @@ static void set_aliased_prot(void *v, pgprot_t prot)
pte = pfn_pte(pfn, prot);
+ /*
+ * Careful: update_va_mapping() will fail if the virtual address
+ * we're poking isn't populated in the page tables. We don't
+ * need to worry about the direct map (that's always in the page
+ * tables), but we need to be careful about vmap space. In
+ * particular, the top level page table can lazily propagate
+ * entries between processes, so if we've switched mms since we
+ * vmapped the target in the first place, we might not have the
+ * top-level page table entry populated.
+ *
+ * We disable preemption because we want the same mm active when
+ * we probe the target and when we issue the hypercall. We'll
+ * have the same nominal mm, but if we're a kernel thread, lazy
+ * mm dropping could change our pgd.
+ *
+ * Out of an abundance of caution, this uses __get_user() to fault
+ * in the target address just in case there's some obscure case
+ * in which the target address isn't readable.
+ */
+
+ preempt_disable();
+
+ pagefault_disable(); /* Avoid warnings due to being atomic. */
+ __get_user(dummy, (unsigned char __user __force *)v);
+ pagefault_enable();
+
if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0))
BUG();
@@ -433,6 +460,8 @@ static void set_aliased_prot(void *v, pgprot_t prot)
BUG();
} else
kmap_flush_unused();
+
+ preempt_enable();
}
static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
@@ -440,6 +469,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE;
int i;
+ /*
+ * We need to mark the all aliases of the LDT pages RO. We
+ * don't need to call vm_flush_aliases(), though, since that's
+ * only responsible for flushing aliases out the TLBs, not the
+ * page tables, and Xen will flush the TLB for us if needed.
+ *
+ * To avoid confusing future readers: none of this is necessary
+ * to load the LDT. The hypervisor only checks this when the
+ * LDT is faulted in due to subsequent descriptor access.
+ */
+
for(i = 0; i < entries; i += entries_per_page)
set_aliased_prot(ldt + i, PAGE_KERNEL_RO);
}
--
1.9.1
next prev parent reply other threads:[~2016-03-16 8:10 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-16 8:05 [PATCH 3.4 000/107] 3.4.111-rc1 review lizf
2016-03-16 8:04 ` [PATCH 3.4 001/107] Btrfs: use kmem_cache_free when freeing entry in inode cache lizf
2016-03-16 8:04 ` [PATCH 3.4 002/107] fs/buffer.c: support buffer cache allocations with gfp modifiers lizf
2016-03-16 8:04 ` [PATCH 3.4 003/107] bufferhead: Add _gfp version for sb_getblk() lizf
2016-03-16 8:04 ` [PATCH 3.4 004/107] ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp lizf
2016-03-16 8:04 ` [PATCH 3.4 005/107] ext4: replace open coded nofail allocation in ext4_free_blocks() lizf
2016-03-16 8:05 ` [PATCH 3.4 006/107] mm: avoid setting up anonymous pages into file mapping lizf
2016-03-16 8:05 ` [PATCH 3.4 007/107] hpfs: kstrdup() out of memory handling lizf
2016-03-16 8:05 ` [PATCH 3.4 008/107] hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead lizf
2016-03-16 8:05 ` [PATCH 3.4 009/107] 9p: don't leave a half-initialized inode sitting around lizf
2016-03-16 8:05 ` [PATCH 3.4 010/107] ALSA: usb-audio: Add MIDI support for Steinberg MI2/MI4 lizf
2016-03-16 8:05 ` [PATCH 3.4 011/107] dm btree remove: fix bug in redistribute3 lizf
2016-03-16 8:05 ` [PATCH 3.4 012/107] dm thin: allocate the cell_sort_array dynamically lizf
2016-03-16 8:05 ` [PATCH 3.4 013/107] USB: option: add 2020:4000 ID lizf
2016-03-16 8:05 ` [PATCH 3.4 014/107] USB: cp210x: add ID for Aruba Networks controllers lizf
2016-03-16 8:05 ` [PATCH 3.4 015/107] dm btree: silence lockdep lock inversion in dm_btree_del() lizf
2016-03-16 8:05 ` [PATCH 3.4 016/107] s390/sclp: clear upper register halves in _sclp_print_early lizf
2016-03-16 8:05 ` [PATCH 3.4 017/107] drm: add a check for x/y in drm_mode_setcrtc lizf
2016-03-16 8:05 ` [PATCH 3.4 018/107] rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver lizf
2016-03-16 8:05 ` [PATCH 3.4 019/107] net: do not process device backlog during unregistration lizf
2016-03-16 8:05 ` [PATCH 3.4 020/107] net: call rcu_read_lock early in process_backlog lizf
2016-03-16 8:05 ` [PATCH 3.4 021/107] s390/process: fix sfpc inline assembly lizf
2016-03-16 8:05 ` [PATCH 3.4 022/107] rds: rds_ib_device.refcount overflow lizf
2016-03-16 8:05 ` [PATCH 3.4 023/107] st: null pointer dereference panic caused by use after kref_put by st_open lizf
2016-03-16 8:05 ` [PATCH 3.4 024/107] ata: pmp: add quirk for Marvell 4140 SATA PMP lizf
2016-03-16 8:05 ` [PATCH 3.4 025/107] libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER lizf
2016-03-16 8:05 ` [PATCH 3.4 026/107] libata: add ATA_HORKAGE_NOTRIM lizf
2016-03-16 8:05 ` [PATCH 3.4 027/107] libata: force disable trim for SuperSSpeed S238 lizf
2016-03-16 8:05 ` [PATCH 3.4 028/107] libata: increase the timeout when setting transfer mode lizf
2016-03-16 8:05 ` [PATCH 3.4 029/107] net: Clone skb before setting peeked flag lizf
2016-03-16 8:05 ` [PATCH 3.4 030/107] NET: AX.25: Stop heartbeat timer on disconnect lizf
2016-03-16 10:40 ` Richard Stearn
2016-03-17 1:18 ` Zefan Li
2016-03-16 8:05 ` [PATCH 3.4 031/107] can: mcp251x: fix resume when device is down lizf
2016-03-16 8:05 ` [PATCH 3.4 032/107] mac80211: clear subdir_stations when removing debugfs lizf
2016-03-16 8:05 ` [PATCH 3.4 033/107] inet: frags: fix defragmented packet's IP header for af_packet lizf
2016-03-16 8:05 ` [PATCH 3.4 034/107] md: make sure everything is freed when dm-raid stops an array lizf
2016-03-16 8:05 ` [PATCH 3.4 035/107] md: flush ->event_work before stopping array lizf
2016-03-16 8:05 ` [PATCH 3.4 036/107] usb: dwc3: Reset the transfer resource index on SET_INTERFACE lizf
2016-03-16 8:05 ` [PATCH 3.4 037/107] usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function lizf
2016-03-16 8:05 ` [PATCH 3.4 038/107] xhci: Calculate old endpoints correctly on device reset lizf
2016-03-16 8:05 ` [PATCH 3.4 039/107] xhci: report U3 when link is in resume state lizf
2016-03-16 8:05 ` [PATCH 3.4 040/107] xhci: prevent bus_suspend if SS port resuming in phase 1 lizf
2016-03-16 8:05 ` [PATCH 3.4 041/107] usb-storage: ignore ZTE MF 823 card reader in mode 0x1225 lizf
2016-03-16 8:05 ` [PATCH 3.4 042/107] tile: use free_bootmem_late() for initrd lizf
2016-03-16 8:05 ` [PATCH 3.4 043/107] Input: usbtouchscreen - avoid unresponsive TSC-30 touch screen lizf
2016-03-16 8:05 ` [PATCH 3.4 044/107] md/raid1: fix test for 'was read error from last working device' lizf
2016-03-16 8:05 ` [PATCH 3.4 045/107] mmc: block: Add missing mmc_blk_put() in power_ro_lock_show() lizf
2016-03-16 8:05 ` [PATCH 3.4 046/107] netfilter: nf_conntrack: Support expectations in different zones lizf
2016-03-16 8:05 ` [PATCH 3.4 047/107] crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer lizf
2016-03-16 8:05 ` [PATCH 3.4 048/107] iscsi-target: Fix use-after-free during TPG session shutdown lizf
2016-03-16 8:05 ` [PATCH 3.4 049/107] niu: don't count tx error twice in case of headroom realloc fails lizf
2016-03-16 8:05 ` [PATCH 3.4 050/107] vhost: actually track log eventfd file lizf
2016-03-16 8:05 ` [PATCH 3.4 051/107] USB: sierra: add 1199:68AB device ID lizf
2016-03-16 8:05 ` [PATCH 3.4 052/107] ALSA: usb-audio: add dB range mapping for some devices lizf
2016-03-16 8:05 ` [PATCH 3.4 053/107] drm/radeon/combios: add some validation of lvds values lizf
2016-03-16 8:05 ` [PATCH 3.4 054/107] target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT lizf
2016-03-16 8:05 ` lizf [this message]
2016-03-16 8:05 ` [PATCH 3.4 056/107] x86/ldt: Make modify_ldt synchronous lizf
2016-03-16 8:05 ` [PATCH 3.4 057/107] md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies lizf
2016-03-16 8:05 ` [PATCH 3.4 058/107] MIPS: Fix sched_getaffinity with MT FPAFF enabled lizf
2016-03-16 8:05 ` [PATCH 3.4 059/107] xhci: fix off by one error in TRB DMA address boundary check lizf
2016-03-16 8:05 ` [PATCH 3.4 060/107] rds: fix an integer overflow test in rds_info_getsockopt() lizf
2016-03-16 8:05 ` [PATCH 3.4 061/107] perf: Fix fasync handling on inherited events lizf
2016-03-16 8:05 ` [PATCH 3.4 062/107] MIPS: Make set_pte() SMP safe lizf
2016-03-16 8:05 ` [PATCH 3.4 063/107] ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() lizf
2016-03-16 8:05 ` [PATCH 3.4 064/107] x86/ldt: Correct LDT access in single stepping logic lizf
2016-03-16 8:05 ` [PATCH 3.4 065/107] x86/ldt: Correct FPU emulation access to LDT lizf
2016-03-16 8:06 ` [PATCH 3.4 066/107] localmodconfig: Use Kbuild files too lizf
2016-03-16 8:06 ` [PATCH 3.4 067/107] dm btree: add ref counting ops for the leaves of top level btrees lizf
2016-03-16 8:06 ` [PATCH 3.4 068/107] libiscsi: Fix host busy blocking during connection teardown lizf
2016-03-16 8:06 ` [PATCH 3.4 069/107] libfc: Fix fc_fcp_cleanup_each_cmd() lizf
2016-03-16 8:06 ` [PATCH 3.4 070/107] EDAC, ppc4xx: Access mci->csrows array elements properly lizf
2016-03-16 8:06 ` [PATCH 3.4 071/107] ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits lizf
2016-03-16 8:06 ` [PATCH 3.4 072/107] net: Fix RCU splat in af_key lizf
2016-03-16 8:06 ` [PATCH 3.4 073/107] sctp: donot reset the overall_error_count in SHUTDOWN_RECEIVE state lizf
2016-03-16 8:06 ` [PATCH 3.4 074/107] Revert "usb: dwc3: Reset the transfer resource index on SET_INTERFACE" lizf
2016-03-16 8:06 ` [PATCH 3.4 075/107] unix: avoid use-after-free in ep_remove_wait_queue lizf
2016-03-16 8:06 ` [PATCH 3.4 076/107] pptp: verify sockaddr_len in pptp_bind() and pptp_connect() lizf
2016-03-16 8:06 ` [PATCH 3.4 077/107] net: add validation for the socket syscall protocol argument lizf
2016-03-16 8:06 ` [PATCH 3.4 078/107] RDS: verify the underlying transport exists before creating a connection lizf
2016-03-16 8:06 ` [PATCH 3.4 079/107] RDS: fix race condition when sending a message on unbound socket lizf
2016-03-16 8:06 ` [PATCH 3.4 080/107] sg_start_req(): make sure that there's not too many elements in iovec lizf
2016-03-16 8:06 ` [PATCH 3.4 081/107] virtio-net: drop NETIF_F_FRAGLIST lizf
2016-03-16 8:06 ` [PATCH 3.4 082/107] isdn_ppp: Add checks for allocation failure in isdn_ppp_open() lizf
2016-03-16 8:06 ` [PATCH 3.4 083/107] ppp, slip: Validate VJ compression slot parameters completely lizf
2016-03-16 8:06 ` [PATCH 3.4 084/107] USB: whiteheat: fix potential null-deref at probe lizf
2016-03-16 8:06 ` [PATCH 3.4 085/107] KEYS: Fix race between key destruction and finding a keyring by name lizf
2016-03-16 8:06 ` [PATCH 3.4 086/107] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring lizf
2016-03-16 8:06 ` [PATCH 3.4 087/107] ipv6: addrconf: validate new MTU before applying it lizf
2016-03-16 8:06 ` [PATCH 3.4 088/107] KVM: x86: work around infinite loop in microcode when #AC is delivered lizf
2016-03-16 8:06 ` [PATCH 3.4 089/107] KVM: svm: unconditionally intercept #DB lizf
2016-03-16 8:06 ` [PATCH 3.4 090/107] get rid of s_files and files_lock lizf
2016-03-16 8:06 ` [PATCH 3.4 091/107] Initialize msg/shm IPC objects before doing ipc_addid() lizf
2016-03-16 8:06 ` [PATCH 3.4 092/107] net: avoid to hang up on sending due to sysctl configuration overflow lizf
2016-03-16 8:06 ` [PATCH 3.4 093/107] ipv6: probe routes asynchronous in rt6_probe lizf
2016-03-16 8:06 ` [PATCH 3.4 094/107] netfilter: nf_conntrack: fix RCU race in nf_conntrack_find_get lizf
2016-03-16 8:06 ` [PATCH 3.4 095/107] atm: deal with setting entry before mkip was called lizf
2016-03-16 8:06 ` [PATCH 3.4 096/107] SUNRPC: never enqueue a ->rq_cong request on ->sending lizf
2016-03-16 8:06 ` [PATCH 3.4 097/107] ipv6: prevent fib6_run_gc() contention lizf
2016-03-16 8:06 ` [PATCH 3.4 098/107] kernel/watchdog.c: touch_nmi_watchdog should only touch local cpu not every one lizf
2016-03-16 14:09 ` Don Zickus
2016-03-17 1:20 ` Zefan Li
2016-03-16 8:06 ` [PATCH 3.4 099/107] net: fix warnings in 'make htmldocs' by moving macro definition out of field declaration lizf
2016-03-16 8:06 ` [PATCH 3.4 100/107] af_unix: Guard against other == sk in unix_dgram_sendmsg lizf
2016-03-16 8:06 ` [PATCH 3.4 101/107] x86/LDT: Print the real LDT base address lizf
2016-03-16 8:06 ` [PATCH 3.4 102/107] ALSA: tlv: compute TLV_*_ITEM lengths automatically lizf
2016-03-16 8:06 ` [PATCH 3.4 103/107] ALSA: tlv: add DECLARE_TLV_DB_RANGE() lizf
2016-03-16 8:06 ` [PATCH 3.4 104/107] ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly lizf
2016-03-16 8:06 ` [PATCH 3.4 105/107] usb: dwc3: Fix assignment of EP transfer resources lizf
2016-03-16 8:06 ` [PATCH 3.4 106/107] dm btree remove: fix a bug when rebalancing nodes after removal lizf
2016-03-16 8:06 ` [PATCH 3.4 107/107] KVM: x86: move steal time initialization to vcpu entry time lizf
2016-03-16 17:51 ` [PATCH 3.4 000/107] 3.4.111-rc1 review Guenter Roeck
2016-03-17 1:21 ` Zefan Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1458115601-5762-55-git-send-email-lizf@kernel.org \
--to=lizf@kernel.org \
--cc=andrew.cooper3@citrix.com \
--cc=boris.ostrovsky@oracle.com \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=dvlasenk@redhat.com \
--cc=dvrabel@cantab.net \
--cc=hpa@zytor.com \
--cc=jbeulich@suse.com \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=sasha.levin@oracle.com \
--cc=security@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox