From patchwork Sat Jul 29 00:51:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sean Christopherson X-Patchwork-Id: 127913 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:918b:0:b0:3e4:2afc:c1 with SMTP id s11csp785577vqg; Fri, 28 Jul 2023 18:17:34 -0700 (PDT) X-Google-Smtp-Source: APBJJlGquFDjtLsOyNuIIW8AzvDmdVUpNsfGGB6hg5nXK7p0Z5N+LCMEfe1F+CKiL1kXA6cmRQ30 X-Received: by 2002:a05:6a00:2d23:b0:66d:514c:cb33 with SMTP id fa35-20020a056a002d2300b0066d514ccb33mr4232031pfb.6.1690593454304; Fri, 28 Jul 2023 18:17:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690593454; cv=none; d=google.com; s=arc-20160816; b=H/dWtM45xBcj5aqlSmtuBSLtget5+T+5gRZIUg3vX032WR6Umaz0GSYnhf8DI6/w/h tNf7/jHYrHZwEmASwutwwnsB742vQ9k1YGSc2RNGiXhLHkhksglyhReAq1PoQix9yLqV oRKdvGQ9GXcfvJuPNqDu5ExGYKq0gAj0fbXGoHh7tYRM4gE5DBle2cst8oP/bGbVITe3 yQuC3Sm6J6a1jiwyG9NMkEPqriOFPaTHTmdXmVdPM1/VFmWIr3Mgv0NEAQVKXWlOgF56 khavX25KEZREgof2OLwjVYZosqts+kcoFo9EQox+oi0xGf1gXSdyqkxawFQuMUAHKlQD oa0w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:reply-to:dkim-signature; bh=wviPOsS6wxIVOzMjjv3mWVw+feSBMfs9pmoqRvrXCaY=; fh=5ox/zlAFQPnl383vszwIhsQYFuHPJFmQzI3udqQ+nUw=; b=kj0HDfdkUgspIQLJs2yOyjft7Gb1XFcHMdq9XN9QcdM6ERlOgbxMamiqEiQ1OcIy6R duAmjFbQ7xtzfacbfWWY3HyV81pNiDxuxTx1VV65K8rPbKZRvEGbD8Rnql6COx+SXEII 2cuRx1woP2qOFU/ZUiHgCySJM3rVT57IcvzgBsQMQqJDUihLwsuClDciOh6dfVyEpCYn EkpBrfoZGMDImgHCA3jq+ggCHO4mEJbmCiDveBBhYJI7OkI4NY9s9ETnhsDAoYe6ha5T H4Www3lcbCjSsqBvlwitqHdVwYxjkmAWc3V820pd9H02Nm25hmnIT/Qjv3+rckDyP6Hr kc4g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=EKB+UIYo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h123-20020a636c81000000b0056406432f69si3060729pgc.132.2023.07.28.18.17.21; Fri, 28 Jul 2023 18:17:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=EKB+UIYo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237295AbjG2AyY (ORCPT + 99 others); Fri, 28 Jul 2023 20:54:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45742 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237127AbjG2Axe (ORCPT ); Fri, 28 Jul 2023 20:53:34 -0400 Received: from mail-pl1-x64a.google.com (mail-pl1-x64a.google.com [IPv6:2607:f8b0:4864:20::64a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C165326B2 for ; Fri, 28 Jul 2023 17:53:05 -0700 (PDT) Received: by mail-pl1-x64a.google.com with SMTP id d9443c01a7336-1bb982d2572so17350195ad.0 for ; Fri, 28 Jul 2023 17:53:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1690591926; x=1691196726; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=wviPOsS6wxIVOzMjjv3mWVw+feSBMfs9pmoqRvrXCaY=; b=EKB+UIYo3U8JrsxxkoCQHi5oERvy0PlpE5t8T6ECPd1S920laYGLkn5v+VUuZuVRNx TNdT8RcQ0UGfrMuKrJodH/v6mmbDBatABlksyCDAMRh43mT0KlZhqGmXtI3C5fpZpBNQ iw09XJROxq8kshDmgjI9DCbOP1qWMKVyiMTGDY+VVhxgCX25iLB0Pw1e2eevCGa4nI8D xPPeR7CawBIktWLbE6vQ55sQ47znxIYdnLKYz1NKvJ5CiqzCZpN9b1p/ZncxygvkZcDo hoRZVAMyaQb6fuI17sz8+UvDEkP3iIAMtdcF+6fpJ1UJnq4Bowf+GNAYZCbq85JAvBIK jztg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690591926; x=1691196726; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wviPOsS6wxIVOzMjjv3mWVw+feSBMfs9pmoqRvrXCaY=; b=Idmmniw73h7yxUNWTwpWSb8fuhcT/gyqz1yjTuM9OsvF8fOtchXlDkA3CBy/xoWfcc I5EtXCZMo20sH21YVYQDrma/AlQUcmx6kE2kwkm2AZsD+8kiH3TC0CL7q/do+EgKn/nP YNLdJV30uGjyXdmdaICmuDUliv0cudmyGbrqerlG2KWfIUzhaza30lHVjP5eGi1WNEE+ gfSFRKDXO6zOq7BId9l0WXkPqLrtRnv+wum1XKbQ1g2kDWmWlOKztqWn4EvJhsZUtxmW kISAwv/f1gYQ6Jqf/2Xa3fGkAsMjccMIq/jN5xcZNkVniAaRoDOevaVoUv2CKHhXHqB3 CaHg== X-Gm-Message-State: ABy/qLaDpzRwzG/WDWqoLSuuILyW5jqh1qphAU4vQDUIChauqxtrcOxr wRyQ1PjUiWWO/EX5gbk8++hMkdM2uJs= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a17:902:f990:b0:1bb:1ffd:5cc8 with SMTP id ky16-20020a170902f99000b001bb1ffd5cc8mr12038plb.11.1690591925918; Fri, 28 Jul 2023 17:52:05 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 28 Jul 2023 17:51:57 -0700 In-Reply-To: <20230729005200.1057358-1-seanjc@google.com> Mime-Version: 1.0 References: <20230729005200.1057358-1-seanjc@google.com> X-Mailer: git-send-email 2.41.0.487.g6d72f3e995-goog Message-ID: <20230729005200.1057358-3-seanjc@google.com> Subject: [PATCH v2 2/5] KVM: x86/mmu: Harden new PGD against roots without shadow pages From: Sean Christopherson To: Sean Christopherson , Paolo Bonzini Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yu Zhang , Reima Ishii X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED, USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772715721961846005 X-GMAIL-MSGID: 1772715721961846005 Harden kvm_mmu_new_pgd() against NULL pointer dereference bugs by sanity checking that the target root has an associated shadow page prior to dereferencing said shadow page. The code in question is guaranteed to only see roots with shadow pages as fast_pgd_switch() explicitly frees the current root if it doesn't have a shadow page, i.e. is a PAE root, and that in turn prevents valid roots from being cached, but that's all very subtle. Signed-off-by: Sean Christopherson --- arch/x86/kvm/mmu/mmu.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index 1eadfcde30be..dd8cc46551b2 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -4560,9 +4560,19 @@ static void nonpaging_init_context(struct kvm_mmu *context) static inline bool is_root_usable(struct kvm_mmu_root_info *root, gpa_t pgd, union kvm_mmu_page_role role) { - return (role.direct || pgd == root->pgd) && - VALID_PAGE(root->hpa) && - role.word == root_to_sp(root->hpa)->role.word; + struct kvm_mmu_page *sp; + + if (!VALID_PAGE(root->hpa)) + return false; + + if (!role.direct && pgd != root->pgd) + return false; + + sp = root_to_sp(root->hpa); + if (WARN_ON_ONCE(!sp)) + return false; + + return role.word == sp->role.word; } /* @@ -4682,9 +4692,12 @@ void kvm_mmu_new_pgd(struct kvm_vcpu *vcpu, gpa_t new_pgd) * If this is a direct root page, it doesn't have a write flooding * count. Otherwise, clear the write flooding count. */ - if (!new_role.direct) - __clear_sp_write_flooding_count( - root_to_sp(vcpu->arch.mmu->root.hpa)); + if (!new_role.direct) { + struct kvm_mmu_page *sp = root_to_sp(vcpu->arch.mmu->root.hpa); + + if (!WARN_ON_ONCE(!sp)) + __clear_sp_write_flooding_count(sp); + } } EXPORT_SYMBOL_GPL(kvm_mmu_new_pgd);