From patchwork Tue Oct 25 00:17:12 2022
X-Patchwork-Submitter: "Kirill A. Shutemov"
X-Patchwork-Id: 10441
From: "Kirill A. Shutemov"
To: Dave Hansen, Andy Lutomirski, Peter Zijlstra
Cc: x86@kernel.org, Kostya Serebryany, Andrey Ryabinin, Andrey Konovalov, Alexander Potapenko, Taras Madan, Dmitry Vyukov, "H . J . Lu", Andi Kleen, Rick Edgecombe, Bharata B Rao, Jacob Pan, Ashok Raj, linux-mm@kvack.org, linux-kernel@vger.kernel.org, "Kirill A. Shutemov", Marc Zyngier
Subject: [PATCHv11 06/16] KVM: Serialize tagged address check against tagging enabling
Date: Tue, 25 Oct 2022 03:17:12 +0300
Message-Id: <20221025001722.17466-7-kirill.shutemov@linux.intel.com>
In-Reply-To: <20221025001722.17466-1-kirill.shutemov@linux.intel.com>
References: <20221025001722.17466-1-kirill.shutemov@linux.intel.com>

KVM forbids usage of tagged userspace addresses for memslots. It is done by checking if the address stays the same after untagging.

It works fine for ARM TBI, but the check gets racy for LAM. TBI enabling happens per-thread, so nobody can enable tagging for the thread while the memslot gets added. LAM gets enabled per-process. If it gets enabled after the untagged_addr() check, but before the access_ok() check, the kernel can wrongly allow a tagged userspace_addr.

Use mmap lock to protect against parallel LAM enabling.
Signed-off-by: Kirill A. Shutemov Reported-by: Rick Edgecombe Cc: Marc Zyngier --- virt/kvm/kvm_main.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 8c86b06b35da..833742c21c91 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -1943,12 +1943,22 @@ int __kvm_set_memory_region(struct kvm *kvm, return -EINVAL; if (mem->guest_phys_addr & (PAGE_SIZE - 1)) return -EINVAL; + + /* Serialize against tagging enabling */ + if (mmap_read_lock_killable(kvm->mm)) + return -EINTR; + /* We can read the guest memory with __xxx_user() later on. */ if ((mem->userspace_addr & (PAGE_SIZE - 1)) || (mem->userspace_addr != untagged_addr(kvm->mm, mem->userspace_addr)) || !access_ok((void __user *)(unsigned long)mem->userspace_addr, - mem->memory_size)) + mem->memory_size)) { + mmap_read_unlock(kvm->mm); return -EINVAL; + } + + mmap_read_unlock(kvm->mm); + if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM) return -EINVAL; if (mem->guest_phys_addr + mem->memory_size < mem->guest_phys_addr)
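Review bot: the new comment "/* Serialize against tagging enabling */" does not say why a read lock is sufficient; the commit message relies on LAM enabling taking the write side of mmap_lock, so state that next to mmap_read_lock_killable(), e.g. "LAM enabling takes mmap_write_lock, so holding the read lock keeps untagged_addr() and access_ok() observing the same tagging state." The lock is released before the memslot is installed, and the comment should also say that this is intentional (an address that passed the untagging check is accepted as-is), so a later reader does not widen the critical section. Minor: the page-alignment test on mem->userspace_addr does not depend on tagging and could be moved ahead of the lock so the cheap failure path never takes mmap_lock.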
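The race the commit message describes, as an added C model that is not kernel code: untagged_addr(), access_ok(), the per-process LAM flag, the LAM_U57 tag mask and the stand-in mmap lock are simplified assumptions, and the 'between' hook forces the interleaving in which LAM is enabled after the untagging check but before access_ok(). The unlocked (pre-patch) sequence accepts a tagged address; the locked sequence rejects it regardless of when enabling runs.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define TASK_SIZE_MAX (1ULL << 47)     /* user address limit, simplified assumption */
#define LAM_U57_MASK  (0x3fULL << 57)  /* LAM_U57 tag bits 62:57 */
/* Model of an mm: LAM is per-process; readers/enable_pending stand in for the mmap rwsem. */
struct mm { bool lam_enabled; int readers; bool enable_pending; };
/* Tag bits are stripped only once LAM is on, mirroring untagged_addr(mm, addr). */
static uint64_t untagged_addr(const struct mm *mm, uint64_t addr)
{
    return mm->lam_enabled ? (addr & ~LAM_U57_MASK) : addr;
}

/* With LAM on, access_ok() untags before the range check, so a tagged address passes it. */
static bool access_ok(const struct mm *mm, uint64_t addr, uint64_t size)
{
    uint64_t start = untagged_addr(mm, addr), end = start + size;
    return end >= start && end <= TASK_SIZE_MAX;
}

/* Enabling LAM needs the write side of the lock: it waits while any reader holds it. */
static void enable_lam(struct mm *mm)
{
    if (mm->readers) mm->enable_pending = true;
    else mm->lam_enabled = true;
}
static void mmap_read_lock(struct mm *mm) { mm->readers++; }
static void mmap_read_unlock(struct mm *mm)
{
    if (--mm->readers == 0 && mm->enable_pending)    /* the waiting writer runs now */
        mm->enable_pending = false, mm->lam_enabled = true;
}

/* Memslot address check; 'between' simulates another thread enabling LAM mid-check.
 * locked=false is the pre-patch sequence, locked=true is what the patch does. */
static int check_userspace_addr(struct mm *mm, uint64_t addr, uint64_t size,
                                bool locked, void (*between)(struct mm *))
{
    int ret = -EINVAL;
    if (locked) mmap_read_lock(mm);
    if (addr == untagged_addr(mm, addr)) {
        if (between) between(mm);               /* LAM flips here in the racy interleaving */
        if (access_ok(mm, addr, size)) ret = 0;
    }
    if (locked) mmap_read_unlock(mm);
    return ret;
}
```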