From patchwork Wed Jul  5 06:20:31 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alexander Graf <agraf@suse.de>
X-Patchwork-Id: 9825911
Return-Path: <kvm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	D298260237 for <patchwork-kvm@patchwork.kernel.org>;
	Wed,  5 Jul 2017 06:20:23 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C66B422B1F
	for <patchwork-kvm@patchwork.kernel.org>;
	Wed,  5 Jul 2017 06:20:23 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id B97A626E16; Wed,  5 Jul 2017 06:20:23 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 508D422B1F
	for <patchwork-kvm@patchwork.kernel.org>;
	Wed,  5 Jul 2017 06:20:23 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751949AbdGEGUL (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Wed, 5 Jul 2017 02:20:11 -0400
Received: from mx2.suse.de ([195.135.220.15]:60979 "EHLO mx1.suse.de"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1750871AbdGEGUK (ORCPT <rfc822;kvm@vger.kernel.org>);
	Wed, 5 Jul 2017 02:20:10 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254])
	by mx1.suse.de (Postfix) with ESMTP id 42431AAF2;
	Wed,  5 Jul 2017 06:20:08 +0000 (UTC)
From: Alexander Graf <agraf@suse.de>
To: kvmarm@lists.cs.columbia.edu
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	Christoffer Dall <cdall@linaro.org>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>, stable@vger.kernel.org
Subject: [PATCH v2] KVM: arm/arm64: Handle hva aging while destroying the vm
Date: Wed,  5 Jul 2017 08:20:31 +0200
Message-Id: <1499235631-141725-1-git-send-email-agraf@suse.de>
X-Mailer: git-send-email 1.8.5.6
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The kvm_age_hva callback may be called all the way concurrently while
kvm_mmu_notifier_release() is running.

The release function sets kvm->arch.pgd = NULL which the aging function
however implicitly relies on in stage2_get_pud(). That means they can
race and the aging function may dereference a NULL pgd pointer.

This patch adds a check for that case, so that we leave the aging
function silently.

Cc: stable@vger.kernel.org
Fixes: 293f29363 ("kvm-arm: Unmap shadow pagetables properly")
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Christoffer Dall <cdall@linaro.org>
---

v1 -> v2:

  - Fix commit message
  - Add Fixes and stable tags
---
 virt/kvm/arm/mmu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
index f2d5b6c..227931f 100644
--- a/virt/kvm/arm/mmu.c
+++ b/virt/kvm/arm/mmu.c
@@ -861,6 +861,10 @@ static pud_t *stage2_get_pud(struct kvm *kvm, struct kvm_mmu_memory_cache *cache
 	pgd_t *pgd;
 	pud_t *pud;
 
+	/* Do we clash with kvm_free_stage2_pgd()? */
+	if (!kvm->arch.pgd)
+		return NULL;
+
 	pgd = kvm->arch.pgd + stage2_pgd_index(addr);
 	if (WARN_ON(stage2_pgd_none(*pgd))) {
 		if (!cache)