From patchwork Sat Jul 29 00:51:59 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 127930
Reply-To: Sean Christopherson
Date: Fri, 28 Jul 2023 17:51:59 -0700
In-Reply-To: <20230729005200.1057358-1-seanjc@google.com>
References: <20230729005200.1057358-1-seanjc@google.com>
Message-ID: <20230729005200.1057358-5-seanjc@google.com>
Subject: [PATCH v2 4/5] KVM: x86/mmu: Disallow guest from using !visible slots for page tables
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yu Zhang, Reima Ishii

Explicitly inject a page fault if guest attempts to use a !visible gfn as a page table. kvm_vcpu_gfn_to_hva_prot() will naturally handle the case where there is no memslot, but doesn't catch the scenario where the gfn points at a KVM-internal memslot.

Letting the guest backdoor its way into accessing KVM-internal memslots isn't dangerous on its own, e.g. at worst the guest can crash itself, but disallowing the behavior will simplify fixing how KVM handles !visible guest root gfns (immediately synthesizing a triple fault when loading the root is architecturally wrong).

Signed-off-by: Sean Christopherson
---
arch/x86/kvm/mmu/paging_tmpl.h | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h index 0662e0278e70..122bfc0124d3 100644 --- a/arch/x86/kvm/mmu/paging_tmpl.h +++ b/arch/x86/kvm/mmu/paging_tmpl.h @@ -351,6 +351,7 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker, ++walker->level; do { + struct kvm_memory_slot *slot; unsigned long host_addr; pt_access = pte_access;
@@ -381,7 +382,11 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker, if (unlikely(real_gpa == INVALID_GPA)) return 0; - host_addr = kvm_vcpu_gfn_to_hva_prot(vcpu, gpa_to_gfn(real_gpa), + slot = kvm_vcpu_gfn_to_memslot(vcpu, gpa_to_gfn(real_gpa)); + if (!kvm_is_visible_memslot(slot)) + goto error; + + host_addr = gfn_to_hva_memslot_prot(slot, gpa_to_gfn(real_gpa), &walker->pte_writable[walker->level - 1]); if (unlikely(kvm_is_error_hva(host_addr))) goto error;
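Review bot: In the second hunk the removed call handled a missing memslot inside kvm_vcpu_gfn_to_hva_prot(); the new code instead relies on `if (!kvm_is_visible_memslot(slot))` rejecting a NULL slot so that `gfn_to_hva_memslot_prot(slot, gpa_to_gfn(real_gpa),` is never reached with slot == NULL. That holds, but a one-line comment above the check saying that both the no-slot and KVM-internal-slot cases are deliberately folded into the page-fault path would save the next reader a lookup, since the `goto error` now also fires for gfns that are backed by a real (internal) slot and would previously have translated fine. Minor: gpa_to_gfn(real_gpa) is evaluated twice within a few lines (once for kvm_vcpu_gfn_to_memslot() and once for gfn_to_hva_memslot_prot()); a local gfn_t next to the new `struct kvm_memory_slot *slot;` declaration would tidy both calls.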
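To make the gap described in the commit message concrete, here is a small C model of the walker's memslot lookup, added here as an illustration and not KVM code: it shows that an hva validity check alone lets a gfn backed by a KVM-internal slot through, while an explicit visibility check (same shape as the one the patch adds) turns both the no-slot and internal-slot cases into a fault. The slot table, the user-slot id bound, the flag bits and the fake host addresses are all constructed for the example.

```c
/* Added example (not KVM code): model of the guest page-table walker's
 * memslot lookup before and after an explicit visibility check.
 * All slot layouts, bounds and addresses below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t gfn_t;

/* Assumed bound: ids below it are user-visible, ids at/above it are internal. */
#define MODEL_USER_MEM_SLOTS 4
#define MODEL_MEMSLOT_INVALID (1u << 0)
#define BAD_HVA ((uintptr_t)-1)

struct model_memslot {
    int id;
    unsigned flags;
    gfn_t base_gfn;
    uint64_t npages;
    uintptr_t userspace_addr; /* constructed host virtual address */
};

/* Constructed table: two user slots and one internal slot (id >= bound). */
static const struct model_memslot slots[] = {
    { .id = 0, .flags = 0, .base_gfn = 0x000,   .npages = 0x100, .userspace_addr = 0x7f0000000000ull },
    { .id = 1, .flags = 0, .base_gfn = 0x100,   .npages = 0x100, .userspace_addr = 0x7f0000100000ull },
    { .id = MODEL_USER_MEM_SLOTS, .flags = 0, .base_gfn = 0xfee00, .npages = 1, .userspace_addr = 0x7f00ff000000ull },
};

static const struct model_memslot *gfn_to_memslot(gfn_t gfn)
{
    for (size_t i = 0; i < sizeof(slots) / sizeof(slots[0]); i++)
        if (gfn >= slots[i].base_gfn && gfn < slots[i].base_gfn + slots[i].npages)
            return &slots[i];
    return NULL; /* no slot covers this gfn */
}

/* NULL, invalid and internal slots are all "not visible" to the guest. */
static bool is_visible_memslot(const struct model_memslot *slot)
{
    return slot && !(slot->flags & MODEL_MEMSLOT_INVALID) && slot->id < MODEL_USER_MEM_SLOTS;
}

/* Translate gfn to a (fake) hva within a slot; only a missing slot yields BAD_HVA. */
static uintptr_t gfn_to_hva_memslot(const struct model_memslot *slot, gfn_t gfn)
{
    if (!slot)
        return BAD_HVA;
    return slot->userspace_addr + (uintptr_t)((gfn - slot->base_gfn) << 12);
}

enum walk_result { WALK_OK, WALK_FAULT };

/* Before: only the hva check guards the lookup, so an internal slot passes. */
enum walk_result lookup_pt_before(gfn_t gfn, uintptr_t *hva)
{
    uintptr_t h = gfn_to_hva_memslot(gfn_to_memslot(gfn), gfn);
    if (hva)
        *hva = h;
    return h == BAD_HVA ? WALK_FAULT : WALK_OK;
}

/* After: the visibility check faults for missing and internal slots before
 * any hva translation is attempted. */
enum walk_result lookup_pt_after(gfn_t gfn, uintptr_t *hva)
{
    const struct model_memslot *slot = gfn_to_memslot(gfn);
    uintptr_t h;

    if (!is_visible_memslot(slot)) {
        if (hva)
            *hva = BAD_HVA;
        return WALK_FAULT;
    }
    h = gfn_to_hva_memslot(slot, gfn);
    if (hva)
        *hva = h;
    return h == BAD_HVA ? WALK_FAULT : WALK_OK;
}

int main(void)
{
    const gfn_t probes[] = { 0x010, 0x1ff, 0xfee00, 0x50000 };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        enum walk_result r1 = lookup_pt_before(probes[i], NULL);
        enum walk_result r2 = lookup_pt_after(probes[i], NULL);
        printf("gfn 0x%llx: before=%s after=%s\n", (unsigned long long)probes[i],
               r1 == WALK_OK ? "ok" : "fault", r2 == WALK_OK ? "ok" : "fault");
    }
    return 0;
}
```

The probe at gfn 0xfee00 is the interesting one: it lands in the constructed internal slot, so the pre-patch lookup returns a usable hva and the walker would happily read a page table from it, whereas the post-patch lookup faults. The missing-slot probe faults either way, which is the case the commit message says the old call already handled.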