From patchwork Wed Nov 9 16:51:30 2022
X-Patchwork-Submitter: "Kirill A. Shutemov"
X-Patchwork-Id: 17681
From: "Kirill A. Shutemov"
To: Dave Hansen, Andy Lutomirski, Peter Zijlstra
Cc: x86@kernel.org, Kostya Serebryany, Andrey Ryabinin, Andrey Konovalov, Alexander Potapenko, Taras Madan, Dmitry Vyukov, "H . J . Lu", Andi Kleen, Rick Edgecombe, Bharata B Rao, Jacob Pan, Ashok Raj, linux-mm@kvack.org, linux-kernel@vger.kernel.org, "Kirill A. Shutemov", Marc Zyngier
Subject: [PATCHv12 06/16] KVM: Serialize tagged address check against tagging enabling
Date: Wed, 9 Nov 2022 19:51:30 +0300
Message-Id: <20221109165140.9137-7-kirill.shutemov@linux.intel.com>
In-Reply-To: <20221109165140.9137-1-kirill.shutemov@linux.intel.com>
References: <20221109165140.9137-1-kirill.shutemov@linux.intel.com>

KVM forbids usage of tagged userspace addresses for memslots. It is done by checking if the address stays the same after untagging.

It works fine for ARM TBI, but the check gets racy for LAM. TBI enabling happens per-thread, so nobody can enable tagging for the thread while the memslot gets added. LAM gets enabled per-process. If it gets enabled after the untagged_addr() check, but before the access_ok() check, the kernel can wrongly allow a tagged userspace_addr.

Use mmap lock to protect against parallel LAM enabling.

Signed-off-by: Kirill A. Shutemov
Reported-by: Rick Edgecombe
Cc: Marc Zyngier
---
 virt/kvm/kvm_main.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index d2139906ff91..8399aae16e83 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -1943,12 +1943,22 @@ int __kvm_set_memory_region(struct kvm *kvm, return -EINVAL; if (mem->guest_phys_addr & (PAGE_SIZE - 1)) return -EINVAL; + + /* Serialize against tagging enabling */ + if (mmap_read_lock_killable(kvm->mm)) + return -EINTR; + /* We can read the guest memory with __xxx_user() later on. */ if ((mem->userspace_addr & (PAGE_SIZE - 1)) || (mem->userspace_addr != untagged_addr(kvm->mm, mem->userspace_addr)) || !access_ok((void __user *)(unsigned long)mem->userspace_addr, - mem->memory_size)) + mem->memory_size)) { + mmap_read_unlock(kvm->mm); return -EINVAL; + } + + mmap_read_unlock(kvm->mm); + if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM) return -EINVAL; if (mem->guest_phys_addr + mem->memory_size < mem->guest_phys_addr)
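Review bot: the -EINTR return from the mmap_read_lock_killable() failure path is a new error code for the KVM_SET_USER_MEMORY_REGION ioctl that neither the changelog nor the hunk's comment explains; please mention it in the commit message (and in the ioctl documentation if that lists error codes) or say why a pending fatal signal should surface here rather than be retried. The locking does close the race the changelog describes, since the read lock is held across both the untagged_addr() comparison and the access_ok() call so they observe one consistent LAM state; the comment "Serialize against tagging enabling" would be more useful if it stated the invariant it relies on, namely that LAM enabling takes the mmap write lock, which the changelog only implies. Minor: two unlock sites around a single condition are easy to break in later edits; computing the result under the lock and unlocking once, e.g. `invalid = ...; mmap_read_unlock(kvm->mm); if (invalid) return -EINVAL;`, keeps one unlock path.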