From patchwork Sat Jul 22 01:23:49 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 124182
Reply-To: Sean Christopherson
Date: Fri, 21 Jul 2023 18:23:49 -0700
In-Reply-To: <20230722012350.2371049-1-seanjc@google.com>
References: <20230722012350.2371049-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.487.g6d72f3e995-goog
Message-ID: <20230722012350.2371049-5-seanjc@google.com>
Subject: [PATCH 4/5] KVM: x86/mmu: Disallow guest from using !visible slots for page tables
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Reima Ishii

Explicitly inject a page fault if guest attempts to use a !visible gfn as a page table. kvm_vcpu_gfn_to_hva_prot() will naturally handle the case where there is no memslot, but doesn't catch the scenario where the gfn points at a KVM-internal memslot.

Letting the guest backdoor its way into accessing KVM-internal memslots isn't dangerous on its own, e.g. at worst the guest can crash itself, but disallowing the behavior will simplify fixing how KVM handles !visible guest root gfns (immediately synthesizing a triple fault when loading the root is architecturally wrong).

Signed-off-by: Sean Christopherson
--- arch/x86/kvm/mmu/paging_tmpl.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h index 0662e0278e70..122bfc0124d3 100644 --- a/arch/x86/kvm/mmu/paging_tmpl.h +++ b/arch/x86/kvm/mmu/paging_tmpl.h @@ -351,6 +351,7 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker, ++walker->level; do { + struct kvm_memory_slot *slot; unsigned long host_addr; pt_access = pte_access; 
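Review bot: `slot` is declared inside the `do { ... }` body next to `host_addr`, which is the right scope, since `real_gpa` is recomputed at every level and the lookup must not be carried from one table to the next; a one-line comment on the declaration saying that it is only valid for the current level would help, because a future reader hoisting it out of the loop to save a lookup would silently reuse a stale slot for the next table. No initializer is needed as long as every read of `slot` in the loop is preceded by the `kvm_vcpu_gfn_to_memslot()` assignment.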
@@ -381,7 +382,11 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker, if (unlikely(real_gpa == INVALID_GPA)) return 0; - host_addr = kvm_vcpu_gfn_to_hva_prot(vcpu, gpa_to_gfn(real_gpa), + slot = kvm_vcpu_gfn_to_memslot(vcpu, gpa_to_gfn(real_gpa)); + if (!kvm_is_visible_memslot(slot)) + goto error; + + host_addr = gfn_to_hva_memslot_prot(slot, gpa_to_gfn(real_gpa), &walker->pte_writable[walker->level - 1]); if (unlikely(kvm_is_error_hva(host_addr))) goto error;
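Review bot: the `!kvm_is_visible_memslot(slot)` check silently takes over the no-memslot case that `kvm_vcpu_gfn_to_hva_prot()` used to handle, so it is only correct if `kvm_is_visible_memslot()` tolerates a NULL return from `kvm_vcpu_gfn_to_memslot()`; a short comment above the check, or a sentence in the changelog, should state that dependency, since a reader of this hunk alone cannot tell that `goto error` now covers both "no slot" and "KVM-internal slot". As a style nit, `gpa_to_gfn(real_gpa)` is computed twice within three lines (`slot = kvm_vcpu_gfn_to_memslot(vcpu, gpa_to_gfn(real_gpa));` and `host_addr = gfn_to_hva_memslot_prot(slot, gpa_to_gfn(real_gpa),`); hoisting it into a local `gfn_t gfn` would read better and keep the two callers obviously in agreement.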
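To make concrete the gap the changelog describes (an hva-only check passes for a KVM-internal memslot because such a slot does have a host mapping, so the old walk happily reads a page table out of it), here is an added, self-contained C model written for this page; it is not code from the patch or from KVM. The slot layout, the USER_MEM_SLOTS value, the flag bit, the probe gfns and the function names are this example's own assumptions, and KVM's real helpers (kvm_vcpu_gfn_to_memslot(), kvm_is_visible_memslot(), gfn_to_hva_memslot_prot()) have different signatures and an indexed lookup rather than a linear scan.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of the memslot lookup behind a guest page-table walk.
 * Every constant and structure here is this example's own simplification,
 * not KVM's definition.
 */
#define PAGE_SHIFT        12
#define USER_MEM_SLOTS    4       /* assumed: ids >= this are KVM-internal */
#define SLOT_FLAG_INVALID 0x1     /* assumed: slot is being deleted/moved */
#define ERR_HVA           ((uintptr_t)-1)

typedef uint64_t gfn_t;

struct memslot {
	int       id;
	gfn_t     base_gfn;
	uint64_t  npages;
	uintptr_t userspace_addr;     /* host virtual base backing the slot */
	uint32_t  flags;
};

/* Constructed sample layout: one user RAM slot plus one KVM-internal slot. */
static const struct memslot sample_slots[] = {
	{ .id = 0,                  .base_gfn = 0x000,   .npages = 0x100, .userspace_addr = 0x70000000u },
	{ .id = USER_MEM_SLOTS + 0, .base_gfn = 0xfeffd, .npages = 3,     .userspace_addr = 0x71000000u },
};
#define NSLOTS (sizeof(sample_slots) / sizeof(sample_slots[0]))

/* Linear search; NULL when no slot covers gfn. */
static const struct memslot *gfn_to_memslot(const struct memslot *slots, size_t n, gfn_t gfn)
{
	for (size_t i = 0; i < n; i++)
		if (gfn >= slots[i].base_gfn && gfn < slots[i].base_gfn + slots[i].npages)
			return &slots[i];
	return NULL;
}

/* Shape of the old gate: an internal slot still yields a perfectly valid hva. */
static uintptr_t gfn_to_hva(const struct memslot *slot, gfn_t gfn)
{
	if (!slot || (slot->flags & SLOT_FLAG_INVALID))
		return ERR_HVA;
	return slot->userspace_addr + (uintptr_t)((gfn - slot->base_gfn) << PAGE_SHIFT);
}

/* Visible == user-created and not being torn down; NULL is tolerated on purpose. */
static bool is_visible_memslot(const struct memslot *slot)
{
	return slot && slot->id < USER_MEM_SLOTS && !(slot->flags & SLOT_FLAG_INVALID);
}

enum walk_result { WALK_OK, WALK_FAULT };

/* Before the patch: only hva validity gates the page-table read. */
static enum walk_result walk_step_old(gfn_t table_gfn)
{
	const struct memslot *slot = gfn_to_memslot(sample_slots, NSLOTS, table_gfn);
	return gfn_to_hva(slot, table_gfn) == ERR_HVA ? WALK_FAULT : WALK_OK;
}

/* After the patch: visibility is checked first, so internal slots fault like absent ones. */
static enum walk_result walk_step_new(gfn_t table_gfn)
{
	const struct memslot *slot = gfn_to_memslot(sample_slots, NSLOTS, table_gfn);
	if (!is_visible_memslot(slot))
		return WALK_FAULT;
	return gfn_to_hva(slot, table_gfn) == ERR_HVA ? WALK_FAULT : WALK_OK;
}

int main(void)
{
	/* Constructed probes: user RAM, inside the internal slot, no slot at all. */
	static const gfn_t probes[] = { 0x010, 0xfeffe, 0x12345 };
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("gfn 0x%llx: old=%s new=%s\n", (unsigned long long)probes[i],
		       walk_step_old(probes[i]) == WALK_OK ? "read" : "fault",
		       walk_step_new(probes[i]) == WALK_OK ? "read" : "fault");
	return 0;
}
```

The middle probe is the case the patch closes: the old gate returns "read" because the internal slot has a host mapping, while the new gate faults on it exactly as it does for a gfn with no slot, which is what the changelog means by injecting a page fault for a !visible gfn.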