From: Rick Edgecombe
Subject: [PATCH 01/10] mm: Add helper for freeing decrypted memory
Date: Tue, 17 Oct 2023 13:24:56 -0700
Message-Id: <20231017202505.340906-2-rick.p.edgecombe@intel.com>

When freeing decrypted memory to the page allocator the memory needs to be manually re-encrypted beforehand. If this step is skipped, then the next user of those pages will have the contents inadvertently exposed to the guest, or cause the guest to crash if the page is used in a way disallowed by HW (i.e. for executable code or as a page table).

Unfortunately, there are many instances of patterns like:

	set_memory_encrypted(pages);
	free_pages(pages);

...or...

	if (set_memory_decrypted(addr, 1))
		free_pages(pages);

This is a problem because set_memory_encrypted() and set_memory_decrypted() can be failed by the untrusted host in such a way that an error is returned and the resulting memory is shared.

To aid in a tree-wide cleanup of these callers, add a free_decrypted_pages() function that will first try to encrypt the pages before returning them. If it is not successful, have it leak the pages and warn about this. This is preferable to returning shared pages to allocator or panicking.

In some cases the code paths for freeing decrypted memory handle both encrypted and decrypted pages. In this case, rely on set_memory() to handle being asked to convert memory to the state it is already in.

Going forward, rely on cross-arch callers to find and use free_decrypted_pages() instead of resorting to more heavy handed solutions like terminating the guest when nasty VMM behavior is observed.

To make s390's arch set_memory_XXcrypted() definitions available in linux/set_memory.h, add include for s390's asm version of set_memory.h.

Cc: Heiko Carstens
Cc: Vasily Gorbik
Cc: Alexander Gordeev
Cc: Christian Borntraeger
Cc: Sven Schnelle
Cc: linux-s390@vger.kernel.org
Suggested-by: Dave Hansen
Signed-off-by: Rick Edgecombe
--- arch/s390/include/asm/set_memory.h | 1 + include/linux/set_memory.h | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/arch/s390/include/asm/set_memory.h b/arch/s390/include/asm/set_memory.h index 06fbabe2f66c..09d36ebd64b5 100644 --- a/arch/s390/include/asm/set_memory.h +++ b/arch/s390/include/asm/set_memory.h @@ -3,6 +3,7 @@ #define _ASMS390_SET_MEMORY_H #include +#include extern struct mutex cpa_mutex; diff --git a/include/linux/set_memory.h b/include/linux/set_memory.h index 95ac8398ee72..a898b14b6b1f 100644 --- a/include/linux/set_memory.h +++ b/include/linux/set_memory.h 
@@ -5,6 +5,8 @@ #ifndef _LINUX_SET_MEMORY_H_ #define _LINUX_SET_MEMORY_H_ +#include + #ifdef CONFIG_ARCH_HAS_SET_MEMORY #include #else 
@@ -78,4 +80,15 @@ static inline int set_memory_decrypted(unsigned long addr, int numpages) } #endif /* CONFIG_ARCH_HAS_MEM_ENCRYPT */ +static inline void free_decrypted_pages(unsigned long addr, int order) +{ + int ret = set_memory_encrypted(addr, 1 << order); + + if (ret) { + WARN_ONCE(1, "Failed to re-encrypt memory before freeing, leaking pages!\n"); + return; + } + free_pages(addr, order); +} + #endif /* _LINUX_SET_MEMORY_H_ */
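
Review bot: in the include/linux/set_memory.h hunk that adds free_decrypted_pages(), the helper has no comment stating that it deliberately leaks the pages when set_memory_encrypted() fails, and WARN_ONCE(1, ...) reports only the first failure, so every later leak is silent. A kernel-doc block spelling out the leak-on-failure contract, plus a rate-limited message or a leaked-page counter beside the WARN_ONCE, would let callers and operators see how much memory failed conversions have cost the guest. The helper also sits after the #endif of CONFIG_ARCH_HAS_MEM_ENCRYPT, so it is built on every configuration; say in the comment that it relies on the set_memory_encrypted() fallback there.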
From: Rick Edgecombe
Subject: [PATCH 02/10] x86/mm/cpa: Reject incorrect encryption change requests
Date: Tue, 17 Oct 2023 13:24:57 -0700
Message-Id: <20231017202505.340906-3-rick.p.edgecombe@intel.com>

Kernel memory is "encrypted" by default. Some callers may "decrypt" it in order to share it with things outside the kernel like a device or an untrusted VMM.

There is nothing to stop set_memory_encrypted() from being passed memory that is already "encrypted" (aka. "private" on TDX). In fact, some callers do this because ... $REASONS. Unfortunately, part of the TDX decrypted=>encrypted transition is truly one way*. It can't handle being asked to encrypt an already encrypted page.

Allow __set_memory_enc_pgtable() to detect already-encrypted memory before it hits the TDX code.

* The one way part is "page acceptance"

[commit log written by Dave Hansen]
Signed-off-by: Rick Edgecombe
--- arch/x86/mm/pat/set_memory.c | 41 +++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c index bda9f129835e..1238b0db3e33 100644 --- a/arch/x86/mm/pat/set_memory.c +++ b/arch/x86/mm/pat/set_memory.c @@ -2122,6 +2122,21 @@ int set_memory_global(unsigned long addr, int numpages) __pgprot(_PAGE_GLOBAL), 0); } +static bool kernel_vaddr_encryped(unsigned long addr, bool enc) +{ + unsigned int level; + pte_t *pte; + + pte = lookup_address(addr, &level); + if (!pte) + return false; + + if (enc) + return pte_val(*pte) == cc_mkenc(pte_val(*pte)); + + return pte_val(*pte) == cc_mkdec(pte_val(*pte)); +} + /* * __set_memory_enc_pgtable() is used for the hypervisors that get * informed about "encryption" status via page tables. @@ -2130,7 +2145,7 @@ static int __set_memory_enc_pgtable(unsigned long addr, int numpages, bool enc) { pgprot_t empty = __pgprot(0); struct cpa_data cpa; - int ret; + int ret, numpages_in_state = 0; /* Should not be working on unaligned addresses */ if (WARN_ONCE(addr & ~PAGE_MASK, "misaligned address: %#lx\n", addr)) 
@@ -2143,6 +2158,30 @@ static int __set_memory_enc_pgtable(unsigned long addr, int numpages, bool enc) cpa.mask_clr = enc ? pgprot_decrypted(empty) : pgprot_encrypted(empty); cpa.pgd = init_mm.pgd; + /* + * If any page is already in the right state, bail with an error + * because the code doesn't handled it. This is likely because + * something has gone wrong and isn't worth optimizing for. + * + * If all the memory pages are already in the desired state return + * success. + * + * kernel_vaddr_encryped() does not synchronize against huge page + * splits so take pgd_lock. A caller doing strange things could + * get a new PMD mid level PTE confused with a huge PMD entry. Just + * lock to tie up loose ends. + */ + spin_lock(&pgd_lock); + for (int i = 0; i < numpages; i++) { + if (kernel_vaddr_encryped(addr + (PAGE_SIZE * i), enc)) + numpages_in_state++; + } + spin_unlock(&pgd_lock); + if (numpages_in_state == numpages) + return 0; + else if (numpages_in_state) + return 1; + /* Must avoid aliasing mappings in the highmem code */ kmap_flush_unused(); vm_unmap_aliases();
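
Review bot: the helper added in the first arch/x86/mm/pat/set_memory.c hunk is spelled kernel_vaddr_encryped(), and its name says "encrypted" while the enc argument makes it test for either state. Fix the spelling, pick a name that reflects "already in the requested state", and add a one-line comment that a NULL result from lookup_address() is counted as not being in that state, since the caller in the later hunk depends on it.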
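
Review bot: in the pre-check added to __set_memory_enc_pgtable(), the mixed-state case ends in "return 1;", a positive value rather than a negative errno, so a caller that tests "ret < 0" will treat a partly converted range as success; return a negative error code such as -EINVAL there. The comment's first sentence reads as if any already-converted page is an error, which contradicts the all-pages "return 0;" path two lines below, and "doesn't handled it" needs fixing. The page states are counted under pgd_lock but the lock is released before the conversion runs, so the comment should also say the check is a best-effort sanity check rather than a guarantee.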
From: Rick Edgecombe
Subject: [PATCH 03/10] kvmclock: Use free_decrypted_pages()
Date: Tue, 17 Oct 2023 13:24:58 -0700
Message-Id: <20231017202505.340906-4-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

Kvmclock could free decrypted/shared pages if set_memory_decrypted() fails. Use the recently added free_decrypted_pages() to avoid this.

Cc: Paolo Bonzini
Cc: Wanpeng Li
Cc: Vitaly Kuznetsov
Cc: kvm@vger.kernel.org
Signed-off-by: Rick Edgecombe
Reviewed-by: Kuppuswamy Sathyanarayanan
--- arch/x86/kernel/kvmclock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c index fb8f52149be9..587b159c4e53 100644 --- a/arch/x86/kernel/kvmclock.c +++ b/arch/x86/kernel/kvmclock.c 
@@ -227,7 +227,7 @@ static void __init kvmclock_init_mem(void) r = set_memory_decrypted((unsigned long) hvclock_mem, 1UL << order); if (r) { - __free_pages(p, order); + free_decrypted_pages((unsigned long)hvclock_mem, order); hvclock_mem = NULL; pr_warn("kvmclock: set_memory_decrypted() failed. Disabling\n"); return;
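
Review bot: in the failure branch of kvmclock_init_mem(), free_decrypted_pages() now runs on a range that set_memory_decrypted() may have left partly converted, and the pre-check added to __set_memory_enc_pgtable() earlier in this series returns 1 for a mixed range, so the helper will leak the pages here rather than free them. That is the safe outcome, but the pr_warn() that follows says only "Disabling"; a short comment above the call, or a mention of the possible leak in that message, would record that the leak is intended.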
From: Rick Edgecombe To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley , thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org Cc: rick.p.edgecombe@intel.com, Christoph Hellwig , Marek Szyprowski , Robin Murphy , iommu@lists.linux.dev Subject: [PATCH 04/10] swiotlb: Use free_decrypted_pages() Date: Tue, 17 Oct 2023 13:24:59 -0700 Message-Id: <20231017202505.340906-5-rick.p.edgecombe@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com> References: <20231017202505.340906-1-rick.p.edgecombe@intel.com> MIME-Version: 1.0 X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Tue, 17 Oct 2023 13:26:25 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1780035768403246716 X-GMAIL-MSGID: 1780035768403246716 On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. Swiotlb could free decrypted/shared pages if set_memory_decrypted() fails. 
Use the recently added free_decrypted_pages() to avoid this. In swiotlb_exit(), check for set_memory_encrypted() errors manually, because the pages are not necessarily going to the page allocator.

Cc: Christoph Hellwig
Cc: Marek Szyprowski
Cc: Robin Murphy
Cc: iommu@lists.linux.dev
Signed-off-by: Rick Edgecombe
---
kernel/dma/swiotlb.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c index 394494a6b1f3..ad06786c4f98 100644 --- a/kernel/dma/swiotlb.c +++ b/kernel/dma/swiotlb.c @@ -524,6 +524,7 @@ void __init swiotlb_exit(void) unsigned long tbl_vaddr; size_t tbl_size, slots_size; unsigned int area_order; + int ret; if (swiotlb_force_bounce) return; @@ -536,17 +537,19 @@ void __init swiotlb_exit(void) tbl_size = PAGE_ALIGN(mem->end - mem->start); slots_size = PAGE_ALIGN(array_size(sizeof(*mem->slots), mem->nslabs)); - set_memory_encrypted(tbl_vaddr, tbl_size >> PAGE_SHIFT); + ret = set_memory_encrypted(tbl_vaddr, tbl_size >> PAGE_SHIFT); if (mem->late_alloc) { area_order = get_order(array_size(sizeof(*mem->areas), mem->nareas)); free_pages((unsigned long)mem->areas, area_order); - free_pages(tbl_vaddr, get_order(tbl_size)); + if (!ret) + free_pages(tbl_vaddr, get_order(tbl_size)); free_pages((unsigned long)mem->slots, get_order(slots_size)); } else { memblock_free_late(__pa(mem->areas), array_size(sizeof(*mem->areas), mem->nareas)); - memblock_free_late(mem->start, tbl_size); + if (!ret) + memblock_free_late(mem->start, tbl_size); memblock_free_late(__pa(mem->slots), slots_size); }
@@ -581,7 +584,7 @@ static struct page *alloc_dma_pages(gfp_t gfp, size_t bytes) return page; error: - __free_pages(page, order); + free_decrypted_pages((unsigned long)vaddr, order); return NULL; }
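Review bot: In swiotlb_exit(), a failed set_memory_encrypted() makes both "if (!ret)" branches skip the table free without any message, so the leak is silent. The vmbus_disconnect() change later in this series emits a WARN_ONCE for the same condition; a warning here that names the leaked tbl_size would make a host-induced failure visible in the guest log.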
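Review bot: The error path in alloc_dma_pages() now frees through vaddr instead of page, but the hunk does not show where vaddr is assigned, so please confirm that every "goto error" is reached only after vaddr holds the address of this page. A short comment at the error label saying that the pages may still be shared with the host after a failed set_memory_decrypted() would also explain why __free_pages() is no longer safe here.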
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley , thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, Richard Cochran , netdev@vger.kernel.org
Subject: [PATCH 05/10] ptp: Use free_decrypted_pages()
Date: Tue, 17 Oct 2023 13:25:00 -0700
Message-Id: <20231017202505.340906-6-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. Ptp could free decrypted/shared pages if set_memory_decrypted() fails. Use the recently added free_decrypted_pages() to avoid this.

Cc: Richard Cochran
Cc: netdev@vger.kernel.org
Signed-off-by: Rick Edgecombe
---
drivers/ptp/ptp_kvm_x86.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/ptp/ptp_kvm_x86.c b/drivers/ptp/ptp_kvm_x86.c index 902844cc1a17..203af060013d 100644 --- a/drivers/ptp/ptp_kvm_x86.c +++ b/drivers/ptp/ptp_kvm_x86.c
@@ -36,7 +36,7 @@ int kvm_arch_ptp_init(void) clock_pair = page_address(p); ret = set_memory_decrypted((unsigned long)clock_pair, 1); if (ret) { - __free_page(p); + free_decrypted_pages((unsigned long)clock_pair, 0); clock_pair = NULL; goto nofree; }
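Review bot: The failure branch in kvm_arch_ptp_init() gives no hint why the page must not go back through __free_page(); a one-line comment that the page may be left shared with the host when set_memory_decrypted() returns an error would keep a later cleanup from reverting this. The literal 0 passed to free_decrypted_pages() is an order while the set_memory_decrypted() call above takes a page count of 1, which matches but is easy to misread, so the comment could name that as well.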
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley , thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, Christoph Hellwig , Marek Szyprowski , Robin Murphy , iommu@lists.linux.dev
Subject: [PATCH 06/10] dma: Use free_decrypted_pages()
Date: Tue, 17 Oct 2023 13:25:01 -0700
Message-Id: <20231017202505.340906-7-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. DMA could free decrypted/shared pages if set_memory_decrypted() fails.
Use the recently added free_decrypted_pages() to avoid this. Several paths also result in proper encrypted pages being freed through the same freeing function. Rely on free_decrypted_pages() to not leak the memory in these cases.

Cc: Christoph Hellwig
Cc: Marek Szyprowski
Cc: Robin Murphy
Cc: iommu@lists.linux.dev
Signed-off-by: Rick Edgecombe
---
include/linux/dma-map-ops.h | 3 ++- kernel/dma/contiguous.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/linux/dma-map-ops.h b/include/linux/dma-map-ops.h index f2fc203fb8a1..b0800cbbc357 100644 --- a/include/linux/dma-map-ops.h +++ b/include/linux/dma-map-ops.h @@ -9,6 +9,7 @@ #include #include #include +#include struct cma; @@ -165,7 +166,7 @@ static inline struct page *dma_alloc_contiguous(struct device *dev, size_t size, static inline void dma_free_contiguous(struct device *dev, struct page *page, size_t size) { - __free_pages(page, get_order(size)); + free_decrypted_pages((unsigned long)page_address(page), get_order(size)); } #endif /* CONFIG_DMA_CMA*/ diff --git a/kernel/dma/contiguous.c b/kernel/dma/contiguous.c index f005c66f378c..e962f1f6434e 100644 --- a/kernel/dma/contiguous.c +++ b/kernel/dma/contiguous.c
@@ -429,7 +429,7 @@ void dma_free_contiguous(struct device *dev, struct page *page, size_t size) } /* not in any cma, free from buddy */ - __free_pages(page, get_order(size)); + free_decrypted_pages((unsigned long)page_address(page), get_order(size)); } /*
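Review bot: The inline dma_free_contiguous() in dma-map-ops.h is the generic free path, so routing it through free_decrypted_pages() makes every free depend on the helper, including buffers that were never passed to set_memory_decrypted(), which the commit message acknowledges ("proper encrypted pages being freed through the same freeing function"). The swiotlb and ptp patches in this series handle the failure at the call site where the conversion failed; doing the same in the DMA code that performs the conversion would let this stub stay a plain __free_pages().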
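Review bot: In the "free from buddy" path of kernel/dma/contiguous.c, page_address(page) returns NULL for a highmem page that has no kernel mapping, whereas the old __free_pages(page, get_order(size)) did not depend on a mapping at all. This file is built for every architecture, so either keep freeing by struct page here or give the helper a struct page based variant.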
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley , thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, "K. Y. Srinivasan" , Haiyang Zhang , Wei Liu , linux-hyperv@vger.kernel.org
Subject: [RFC 07/10] hv: Use free_decrypted_pages()
Date: Tue, 17 Oct 2023 13:25:02 -0700
Message-Id: <20231017202505.340906-8-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. Hyperv could free decrypted/shared pages if set_memory_decrypted() fails.
Use the recently added free_decrypted_pages() to avoid this. Only compile tested.

Cc: "K. Y. Srinivasan"
Cc: Haiyang Zhang
Cc: Wei Liu
Cc: Dexuan Cui
Cc: linux-hyperv@vger.kernel.org
Signed-off-by: Rick Edgecombe
---
drivers/hv/channel.c | 7 ++++--- drivers/hv/connection.c | 13 +++++++++---- 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index 56f7e06c673e..1ad8f7fabe06 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c @@ -153,9 +153,10 @@ void vmbus_free_ring(struct vmbus_channel *channel) hv_ringbuffer_cleanup(&channel->inbound); if (channel->ringbuffer_page) { - __free_pages(channel->ringbuffer_page, - get_order(channel->ringbuffer_pagecount - << PAGE_SHIFT)); + int order = get_order(channel->ringbuffer_pagecount << PAGE_SHIFT); + unsigned long addr = (unsigned long)page_address(channel->ringbuffer_page); + + free_decrypted_pages(addr, order); channel->ringbuffer_page = NULL; } } diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c index 3cabeeabb1ca..cffad9b139d3 100644 --- a/drivers/hv/connection.c +++ b/drivers/hv/connection.c @@ -315,6 +315,7 @@ int vmbus_connect(void) void vmbus_disconnect(void) { + int ret; /* * First send the unload request to the host. */
@@ -337,11 +338,15 @@ void vmbus_disconnect(void) vmbus_connection.int_page = NULL; } - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); + ret = set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); + ret |= set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); - hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); - hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); + if (!ret) { + hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); + hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); + } else { + WARN_ONCE(1, "Failed to re-encrypt memory before freeing, leaking pages!\n"); + } vmbus_connection.monitor_pages[0] = NULL; vmbus_connection.monitor_pages[1] = NULL; }
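Review bot: vmbus_free_ring() now sends the ring buffer through free_decrypted_pages() unconditionally, although nothing in this function converts the pages; whether they are still shared depends on the GPADL teardown result, which patch 08 of this series records in gpadl->decrypted. Checking that flag here and leaking explicitly when it is set would make the decision visible at the call site instead of relying on the helper to cope with pages that are already private.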
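Review bot: In vmbus_disconnect() the two set_memory_encrypted() results are OR-ed into one ret, so a failure on either monitor page leaks both, including the one that was re-encrypted successfully. Testing each call separately and freeing the page whose conversion returned 0 limits the leak to the page that may still be shared, and keeps ret from holding a bitwise mix of two error codes.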
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley , thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, "K. Y. Srinivasan" , Haiyang Zhang , Wei Liu , linux-hyperv@vger.kernel.org
Subject: [RFC 08/10] hv: Track decrypted status in vmbus_gpadl
Date: Tue, 17 Oct 2023 13:25:03 -0700
Message-Id: <20231017202505.340906-9-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.
In order to make sure callers of vmbus_establish_gpadl() and vmbus_teardown_gpadl() don't return decrypted/shared pages to allocators, add a field in struct vmbus_gpadl to keep track of the decryption status of the buffers. This will allow the callers to know if they should free or leak the pages.

Only compile tested.

Cc: "K. Y. Srinivasan"
Cc: Haiyang Zhang
Cc: Wei Liu
Cc: Dexuan Cui
Cc: linux-hyperv@vger.kernel.org
Signed-off-by: Rick Edgecombe
--- drivers/hv/channel.c | 11 ++++++++--- include/linux/hyperv.h | 1 + 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index 1ad8f7fabe06..0a7dcbb48140 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c @@ -479,6 +479,7 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, ret = set_memory_decrypted((unsigned long)kbuffer, PFN_UP(size)); if (ret) { + gpadl->decrypted = false; dev_warn(&channel->device_obj->device, "Failed to set host visibility for new GPADL %d.\n", ret); @@ -551,6 +552,7 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, gpadl->gpadl_handle = gpadlmsg->gpadl; gpadl->buffer = kbuffer; gpadl->size = size; + gpadl->decrypted = true; cleanup: @@ -564,9 +566,10 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, kfree(msginfo); - if (ret) - set_memory_encrypted((unsigned long)kbuffer, - PFN_UP(size)); + if (ret) { + if (set_memory_encrypted((unsigned long)kbuffer, PFN_UP(size))) + gpadl->decrypted = false; + } return ret; } @@ -887,6 +890,8 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, struct vmbus_gpadl *gpad if (ret) pr_warn("Fail to set mem host visibility in GPADL teardown %d.\n", ret); + gpadl->decrypted = ret; + return ret; } EXPORT_SYMBOL_GPL(vmbus_teardown_gpadl); diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 2b00faf98017..5bac136c268c 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h
@@ -812,6 +812,7 @@ struct vmbus_gpadl { u32 gpadl_handle; u32 size; void *buffer; + bool decrypted; }; struct vmbus_channel {
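
Review bot: in the @@ -479 hunk of drivers/hv/channel.c, the set_memory_decrypted() failure branch sets gpadl->decrypted = false, which marks the buffer as safe to free in exactly the case the commit message describes, where an error is returned and the resulting memory is shared. After a failed conversion the state of the pages is unknown, so the conservative choice is to set gpadl->decrypted = true before calling set_memory_decrypted() and leave it set on the error return, so that callers leak the pages instead of handing them back to the allocator.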
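
Review bot: in the @@ -564 hunk of drivers/hv/channel.c the test in the cleanup path looks inverted. A non-zero return from set_memory_encrypted() means re-encryption failed and the pages may still be shared, yet that is the branch that sets gpadl->decrypted = false, and when re-encryption succeeds the flag is not written at all. Suggest clearing the flag only on success, i.e. if (!set_memory_encrypted((unsigned long)kbuffer, PFN_UP(size))) gpadl->decrypted = false; and leaving it true otherwise. The gpadl->decrypted = true assignment also sits directly above the cleanup: label, so any path that reaches the label with ret set has skipped it; give the flag a defined value before the first such jump.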
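
Review bot: the new bool decrypted member in struct vmbus_gpadl (include/linux/hyperv.h) carries no comment, although callers in netvsc and uio_hv_generic base a free-or-leak decision on it. Document the contract next to the field: which functions write it, that true means the buffer may still be shared with the host and must not be returned to an allocator, and what value it holds after a failed vmbus_establish_gpadl().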
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, linux-hyperv@vger.kernel.org
Subject: [RFC 09/10] hv_nstvsc: Don't free decrypted memory
Date: Tue, 17 Oct 2023 13:25:04 -0700
Message-Id: <20231017202505.340906-10-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

hv_nstvsc could free decrypted/shared pages if set_memory_decrypted() fails.
Check the decrypted field in the gpadl before freeing in order to not leak the memory.

Only compile tested.

Cc: "K. Y. Srinivasan"
Cc: Haiyang Zhang
Cc: Wei Liu
Cc: Dexuan Cui
Cc: linux-hyperv@vger.kernel.org
Signed-off-by: Rick Edgecombe
--- drivers/net/hyperv/netvsc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c index 82e9796c8f5e..70b7f91fb96b 100644 --- a/drivers/net/hyperv/netvsc.c +++ b/drivers/net/hyperv/netvsc.c
@@ -154,8 +154,11 @@ static void free_netvsc_device(struct rcu_head *head) int i; kfree(nvdev->extension); - vfree(nvdev->recv_buf); - vfree(nvdev->send_buf); + + if (!nvdev->recv_buf_gpadl_handle.decrypted) + vfree(nvdev->recv_buf); + if (!nvdev->send_buf_gpadl_handle.decrypted) + vfree(nvdev->send_buf); bitmap_free(nvdev->send_section_map); for (i = 0; i < VRSS_CHANNEL_MAX; i++) {
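
Review bot: the two new checks in free_netvsc_device() are only as safe as the flag they read, and [RFC 08/10] sets gpadl->decrypted = false when set_memory_decrypted() fails, so in the case this commit message names both vfree() calls still run on memory that may be shared. Once the flag is left true whenever the encryption state is uncertain, the skipped vfree() should also leave a trace: add a comment saying the leak is intentional and a one-time warning when .decrypted is set, otherwise the lost buffers are invisible. The commit text says the check exists "in order to not leak the memory" while the code deliberately leaks, and the subject spells the driver hv_nstvsc although the file is drivers/net/hyperv/netvsc.c; both are worth fixing in the next revision.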
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, linux-hyperv@vger.kernel.org
Subject: [RFC 10/10] uio_hv_generic: Don't free decrypted memory
Date: Tue, 17 Oct 2023 13:25:05 -0700
Message-Id: <20231017202505.340906-11-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

uio_hv_generic could free decrypted/shared pages if set_memory_decrypted() fails.
Check the decrypted field in the gpadl before freeing in order to not leak the memory.

Only compile tested.

Cc: "K. Y. Srinivasan"
Cc: Haiyang Zhang
Cc: Wei Liu
Cc: Dexuan Cui
Cc: linux-hyperv@vger.kernel.org
Signed-off-by: Rick Edgecombe
--- drivers/uio/uio_hv_generic.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 20d9762331bd..6be3462b109f 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -181,12 +181,14 @@ hv_uio_cleanup(struct hv_device *dev, struct hv_uio_private_data *pdata) { if (pdata->send_gpadl.gpadl_handle) { vmbus_teardown_gpadl(dev->channel, &pdata->send_gpadl); - vfree(pdata->send_buf); + if (!pdata->send_gpadl.decrypted) + vfree(pdata->send_buf); } if (pdata->recv_gpadl.gpadl_handle) { vmbus_teardown_gpadl(dev->channel, &pdata->recv_gpadl); - vfree(pdata->recv_buf); + if (!pdata->recv_gpadl.decrypted) + vfree(pdata->recv_buf); } } @@ -295,7 +297,8 @@ hv_uio_probe(struct hv_device *dev, ret = vmbus_establish_gpadl(channel, pdata->recv_buf, RECV_BUFFER_SIZE, &pdata->recv_gpadl); if (ret) { - vfree(pdata->recv_buf); + if (!pdata->recv_gpadl.decrypted) + vfree(pdata->recv_buf); goto fail_close; } @@ -317,7 +320,8 @@ hv_uio_probe(struct hv_device *dev, ret = vmbus_establish_gpadl(channel, pdata->send_buf, SEND_BUFFER_SIZE, &pdata->send_gpadl); if (ret) { - vfree(pdata->send_buf); + if (!pdata->send_gpadl.decrypted) + vfree(pdata->send_buf); goto fail_close; }
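
Review bot: the same two-line pattern, if (!pdata->send_gpadl.decrypted) vfree(pdata->send_buf);, now appears four times in uio_hv_generic.c, starting with the @@ -181 hunk in hv_uio_cleanup(). A small helper that takes the gpadl and the buffer would keep the free-or-leak rule in one place and give a single spot for a comment and a warning when a buffer is intentionally leaked, which the current silent skip does not provide.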
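
Review bot: in both hv_uio_probe() error branches (@@ -295 and @@ -317) the flag is read right after vmbus_establish_gpadl() has failed, but on every failing path the [RFC 08/10] hunks either set gpadl->decrypted to false or leave it unwritten, so !pdata->recv_gpadl.decrypted and !pdata->send_gpadl.decrypted do not stop vfree() from running on pages that may still be shared. These checks become effective only if the establish path leaves decrypted set to true whenever the encryption state is uncertain; until then the probe error paths behave as before the patch.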