From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dmitry Vyukov, Paolo Bonzini, Radim Krčmář, Eric Biggers, Wanpeng Li
Subject: [PATCH 4.14 098/110] KVM: mmu: Fix overlap between public and private memslots
Date: Wed, 7 Mar 2018 11:39:21 -0800
Message-Id: <20180307191052.395789797@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180307191039.748351103@linuxfoundation.org>
References: <20180307191039.748351103@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-LABELS: "\\Sent"
X-GMAIL-THRID: 1594309325310197361
X-GMAIL-MSGID: 1594309598886299814
X-Mailing-List: linux-kernel@vger.kernel.org
List-ID:

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Wanpeng Li

commit b28676bb8ae4569cced423dc2a88f7cb319d5379 upstream.

Reported by syzkaller:

    pte_list_remove:  ffff9714eb1f8078 0->BUG
    ------------[ cut here ]------------
    kernel BUG at arch/x86/kvm/mmu.c:1157!
    invalid opcode: 0000 [#1] SMP
    RIP: 0010:pte_list_remove+0x11b/0x120 [kvm]
    Call Trace:
     drop_spte+0x83/0xb0 [kvm]
     mmu_page_zap_pte+0xcc/0xe0 [kvm]
     kvm_mmu_prepare_zap_page+0x81/0x4a0 [kvm]
     kvm_mmu_invalidate_zap_all_pages+0x159/0x220 [kvm]
     kvm_arch_flush_shadow_all+0xe/0x10 [kvm]
     kvm_mmu_notifier_release+0x6c/0xa0 [kvm]
     ? kvm_mmu_notifier_release+0x5/0xa0 [kvm]
     __mmu_notifier_release+0x79/0x110
     ? __mmu_notifier_release+0x5/0x110
     exit_mmap+0x15a/0x170
     ? do_exit+0x281/0xcb0
     mmput+0x66/0x160
     do_exit+0x2c9/0xcb0
     ? __context_tracking_exit.part.5+0x4a/0x150
     do_group_exit+0x50/0xd0
     SyS_exit_group+0x14/0x20
     do_syscall_64+0x73/0x1f0
     entry_SYSCALL64_slow_path+0x25/0x25

The reason is that when a new memslot is created, there is no guarantee that
it does not overlap with private memslots. This can be triggered by the
following program:

    /* The header names were lost in extraction; only the headers this
     * program actually uses are listed here. */
    #include <fcntl.h>        /* open() */
    #include <stdint.h>       /* uint64_t, uintptr_t */
    #include <stdlib.h>       /* valloc() */
    #include <sys/ioctl.h>    /* ioctl() */
    #include <linux/kvm.h>    /* KVM_* ioctls, struct kvm_userspace_memory_region */

    long r[16];

    int main()
    {
    	void *p = valloc(0x4000);

    	r[2] = open("/dev/kvm", 0);
    	r[3] = ioctl(r[2], KVM_CREATE_VM, 0x0ul);

    	/* Kernel-created (private) memslot at guest physical 0xf000. */
    	uint64_t addr = 0xf000;
    	ioctl(r[3], KVM_SET_IDENTITY_MAP_ADDR, &addr);
    	r[6] = ioctl(r[3], KVM_CREATE_VCPU, 0x0ul);
    	ioctl(r[3], KVM_SET_TSS_ADDR, 0x0ul);
    	ioctl(r[6], KVM_RUN, 0);
    	ioctl(r[6], KVM_RUN, 0);

    	/* User memslot 0 covering the same guest physical range. */
    	struct kvm_userspace_memory_region mr = {
    		.slot = 0,
    		.flags = KVM_MEM_LOG_DIRTY_PAGES,
    		.guest_phys_addr = 0xf000,
    		.memory_size = 0x4000,
    		.userspace_addr = (uintptr_t) p
    	};
    	ioctl(r[3], KVM_SET_USER_MEMORY_REGION, &mr);
    	return 0;
    }

This patch fixes the bug by not adding a new memslot even if it overlaps with
private memslots.

Reported-by: Dmitry Vyukov
Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Dmitry Vyukov
Cc: Eric Biggers
Cc: stable@vger.kernel.org
Signed-off-by: Wanpeng Li --- virt/kvm/kvm_main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) Signed-off-by: Greg Kroah-Hartman --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -975,8 +975,7 @@ int __kvm_set_memory_region(struct kvm * /* Check for overlaps */ r = -EEXIST; kvm_for_each_memslot(slot, __kvm_memslots(kvm, as_id)) { - if ((slot->id >= KVM_USER_MEM_SLOTS) || - (slot->id == id)) + if (slot->id == id) continue; if (!((base_gfn + npages <= slot->base_gfn) || (base_gfn >= slot->base_gfn + slot->npages)))
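Review bot: dropping the `(slot->id >= KVM_USER_MEM_SLOTS)` exemption means the overlap check now also compares the new region against the kernel-created private slots (the identity map set by KVM_SET_IDENTITY_MAP_ADDR and the TSS region in the reproducer), so a KVM_SET_USER_MEMORY_REGION that overlaps one of them now fails with -EEXIST where it was previously accepted and later hit the BUG in pte_list_remove. That is the intended fix, but it is a user-visible change in the ioctl's return value, and the `/* Check for overlaps */` comment should say that private slots are deliberately included so the exemption is not reintroduced later. The remaining `slot->id == id` test still lets a slot be replaced by id, so the kernel's own re-setting of a private slot is unaffected.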
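The pre- and post-patch overlap checks, run against the memslot layout the reproducer creates, as an added user-space model (not KVM code and not part of this patch). The slot ids and the one-page identity-map and three-page TSS sizes are assumptions based on the x86 private-slot layout of the 4.14 tree.

```c
/* Added example: a user-space model of the overlap check in
 * __kvm_set_memory_region(), with a switch that models the pre-patch
 * exemption of private slots.  Slot ids, sizes and gfns are constructed. */
#include <errno.h>
#include <stdio.h>

#define KVM_USER_MEM_SLOTS 509   /* assumed: x86 value in the 4.14 tree */
#define PAGE_SHIFT 12

struct slot { int id; unsigned long base_gfn; unsigned long npages; };

/* Returns 0 if [base_gfn, base_gfn + npages) may be installed as slot `id`,
 * -EEXIST if it overlaps another slot.  skip_private == 1 reproduces the
 * pre-patch `slot->id >= KVM_USER_MEM_SLOTS` continue; 0 is the fixed code. */
static int check_overlap(const struct slot *slots, int n, int id,
                         unsigned long base_gfn, unsigned long npages,
                         int skip_private)
{
    for (int i = 0; i < n; i++) {
        const struct slot *s = &slots[i];
        if (s->id == id)                 /* replacing the same slot is allowed */
            continue;
        if (skip_private && s->id >= KVM_USER_MEM_SLOTS)
            continue;                    /* pre-patch: private slots not checked */
        if (!(base_gfn + npages <= s->base_gfn ||
              base_gfn >= s->base_gfn + s->npages))
            return -EEXIST;
    }
    return 0;
}

/* Constructed layout matching the reproducer: identity map at 0xf000 (one
 * page, assumed) and TSS at 0 (three pages, assumed), both private slots. */
static const struct slot private_slots[] = {
    { KVM_USER_MEM_SLOTS + 1, 0xf000 >> PAGE_SHIFT, 1 },   /* identity map */
    { KVM_USER_MEM_SLOTS + 2, 0x0    >> PAGE_SHIFT, 3 },   /* TSS */
};

/* User slot 0 at 0xf000 with 0x4000 bytes: gfn 0xf, 4 pages. */
int reproducer_old_check(void) { return check_overlap(private_slots, 2, 0, 0xf, 4, 1); }
int reproducer_new_check(void) { return check_overlap(private_slots, 2, 0, 0xf, 4, 0); }
/* The kernel re-setting the identity-map slot by its own id is still allowed. */
int reset_same_private_slot(void) { return check_overlap(private_slots, 2, KVM_USER_MEM_SLOTS + 1, 0xf, 1, 0); }

int main(void)
{
    printf("pre-patch:  %d\n", reproducer_old_check());   /* 0: overlap accepted */
    printf("post-patch: %d\n", reproducer_new_check());   /* -17: -EEXIST */
    return 0;
}
```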