From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754195AbbG2XCX (ORCPT <rfc822;w@1wt.eu>);
	Wed, 29 Jul 2015 19:02:23 -0400
Received: from ppsw-50.csi.cam.ac.uk ([131.111.8.150]:40836 "EHLO
	ppsw-50.csi.cam.ac.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752911AbbG2XCV (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 29 Jul 2015 19:02:21 -0400
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Subject: Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and
 config option
To: Boris Ostrovsky <boris.ostrovsky@oracle.com>,
        David Vrabel <dvrabel@cantab.net>,
        Andy Lutomirski <luto@amacapital.net>
References: <cover.1437802102.git.luto@kernel.org>
 <CALCETrV7zVbt0ZV4KYcSTUHjAOxzGmu3SXWoT7iECB=zWSN7Ew@mail.gmail.com>
 <CALCETrV275oYQY80yg6TJ-h9n2Db-uF-po90bF+JmKjnV5ZqYw@mail.gmail.com>
 <55B75993.90909@citrix.com>
 <CALCETrXt2OP=+JAj7gzUOJT+5=00Qg3Te11twSeK8F_9zn_nwg@mail.gmail.com>
 <55B7AE39.7000101@citrix.com>
 <CALCETrVd56uwkZw0YtaSHKHp5dh7NugQouigibJkr=e3Q_mYyA@mail.gmail.com>
 <55B7B791.2050208@oracle.com>
 <CALCETrXH5_PMqfH1en_5c+5gUpq8SjCnQ3Xaz-K6ej6FgBgLDQ@mail.gmail.com>
 <55B822B8.3090608@citrix.com> <55B841FF.2000102@oracle.com>
 <CALCETrWkMRb+Y3FsJ7+kNYmPxtupM3ZPOeOPwagXytgBqM6tJQ@mail.gmail.com>
 <55B8E16C.2050406@citrix.com> <55B8E68B.2030305@oracle.com>
 <55B9236B.9090507@citrix.com> <55B94451.8040600@oracle.com>
 <CALCETrWA=hAyqqp=yzZ2r_S=9U9hLkd6dZEuNefew8hyLVA_eQ@mail.gmail.com>
 <55B947AF.7020404@citrix.com>
 <CALCETrXp_DV-_Uvekwv7xLHO-5P8Oxkgn6OeXG-6tVOD4RkKMw@mail.gmail.com>
 <55B94F9D.3000405@citrix.com> <55B957DE.60405@cantab.net>
 <55B95863.2000102@oracle.com>
Cc: "security@kernel.org" <security@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>, X86 ML <x86@kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Steven Rostedt <rostedt@goodmis.org>,
        xen-devel <xen-devel@lists.xen.org>, Borislav Petkov <bp@alien8.de>,
        David Vrabel <david.vrabel@citrix.com>,
        Jan Beulich <jbeulich@suse.com>, Sasha Levin <sasha.levin@oracle.com>
From: Andrew Cooper <andrew.cooper3@citrix.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <55B95B70.8010902@citrix.com>
Date: Thu, 30 Jul 2015 00:02:08 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <55B95863.2000102@oracle.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 29/07/2015 23:49, Boris Ostrovsky wrote:
> On 07/29/2015 06:46 PM, David Vrabel wrote:
>>
>> On 29/07/2015 23:11, Andrew Cooper wrote:
>>> On 29/07/2015 23:05, Andy Lutomirski wrote:
>>>> On Wed, Jul 29, 2015 at 2:37 PM, Andrew Cooper
>>>> <andrew.cooper3@citrix.com> wrote:
>>>>> On 29/07/2015 22:26, Andy Lutomirski wrote:
>>>>>> On Wed, Jul 29, 2015 at 2:23 PM, Boris Ostrovsky
>>>>>> <boris.ostrovsky@oracle.com> wrote:
>>>>>>> On 07/29/2015 03:03 PM, Andrew Cooper wrote:
>>>>>>>> On 29/07/15 15:43, Boris Ostrovsky wrote:
>>>>>>>>> FYI, I have got a repro now and am investigating.
>>>>>>>> Good and bad news.  This bug has nothing to do with LDTs
>>>>>>>> themselves.
>>>>>>>>
>>>>>>>> I have worked out what is going on, but this:
>>>>>>>>
>>>>>>>> diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
>>>>>>>> index 5abeaac..7e1a82e 100644
>>>>>>>> --- a/arch/x86/xen/enlighten.c
>>>>>>>> +++ b/arch/x86/xen/enlighten.c
>>>>>>>> @@ -493,6 +493,7 @@ static void set_aliased_prot(void *v,
>>>>>>>> pgprot_t prot)
>>>>>>>>             pte = pfn_pte(pfn, prot);
>>>>>>>>    +       (void)*(volatile int*)v;
>>>>>>>>           if (HYPERVISOR_update_va_mapping((unsigned long)v,
>>>>>>>> pte, 0)) {
>>>>>>>>                   pr_err("set_aliased_prot va update failed w/
>>>>>>>> lazy mode
>>>>>>>> %u\n", paravirt_get_lazy_mode());
>>>>>>>>                   BUG();
>>>>>>>>
>>>>>>>> Is perhaps not the fix we are looking for, and every use of
>>>>>>>> HYPERVISOR_update_va_mapping() is susceptible to the same problem.
>>>>>>> I think in most cases we know that page is mapped so hopefully
>>>>>>> this is the
>>>>>>> only site that we need to be careful about.
>>>>>> Is there any chance we can get some kind of quick-and-dirty fix that
>>>>>> can go to x86/urgent in the next few days even if a clean fix isn't
>>>>>> available yet?
>>>>> Quick and dirty?
>>>>>
>>>>> Reading from v is the most obvious and quick way, for areas where
>>>>> we are
>>>>> certain v exists, is kernel memory and is expected to have a backing
>>>>> page.  I don't know offhand how many of current
>>>>> HYPERVISOR_update_va_mapping() callsites this applies to.
>>>> __get_user((char *)v, tmp), perhaps, unless there's something better
>>>> in the wings.  Keep in mind that we need this for -stable, and it's
>>>> likely to get backported quite quickly due to CVE-2015-5157.
>>> Hmm - something like that tucked inside HYPERVISOR_update_va_mapping()
>>> would probably work, and certainly be minimal hassle for -stable.
>>>
>>> Altering the hypercall used is certainly not something to backport, nor
>>> are we sure it is a viable fix at this time.
>> Changing this one use of update_va_mapping to use mmu_update_normal_pt
>> is the correct fix to unblock this LDT series.  I see no reason why this
>> cannot be backported.
>
> To properly fix it should include batching and that is not something
> that I think we should target for stable.

Batching is absolutely not necessary to alter update_va_mapping to
mmu_update_normal_pt.  After all, update_va_mapping isn't batched.

However this isn't the first issue issue we have had lazy mmu faulting,
and I doubt it is the last.  There are not many callsites of
update_va_mapping - I will audit them tomorrow and see if any similar
issues are lurking elsewhere.

~Andrew