From patchwork Thu May 18 09:47:20 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Christoffer Dall X-Patchwork-Id: 9733095 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 76906601A1 for ; Thu, 18 May 2017 09:49:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F67F285F7 for ; Thu, 18 May 2017 09:49:32 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 52F0B2860A; Thu, 18 May 2017 09:49:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID autolearn=ham version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id EA31C285F7 for ; Thu, 18 May 2017 09:49:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=+DYml5xlfTEcKVU+/QYUO4K2JsT0XTISDqTq/gnD0Iw=; b=Vh/Tpr5CKRpkZq 5dMnTZORJ3+DTTQDoLtQjVZdPNofBwT8I5goVbwR05koEWhTaQ3gpYXcwvP87zMatxtM+EWemj+fr fcFuND8GsgS40NiwoBvXzlw5XdoplMjv0lo0ImZMc3BBa94x/2x7bJHvV9pNisryEp93d75u5E63f rufrWcG3NB4f3yYYtocAPuFt6C5tOASitwBqjP4cocgfkbzC4tYOrWBQlmY24TX7WSauOFkl+lecx JKUzc+9014GanbtHW4D0NFpVh2YvSfIXdMZ3zDhN1WzC75hZaRrQriN7Te/xJuGg9jBmGlGivg3GG eC4sdLrNUoctHAHiuAFg==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1dBI3m-00077I-Tn; Thu, 18 May 2017 09:49:30 +0000 Received: from mail-wm0-x22c.google.com ([2a00:1450:400c:c09::22c]) by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux)) id 1dBI2Q-0005Mk-Mr for linux-arm-kernel@lists.infradead.org; Thu, 18 May 2017 09:48:16 +0000 Received: by mail-wm0-x22c.google.com with SMTP id v15so45997497wmv.1 for ; Thu, 18 May 2017 02:47:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=UJ4ttGo1yIqZOj1ZDuN3LmBaUNvY9FDwdN8JzwZ8ZaM=; b=Z8e9bf0UyhhCkhzOTyUlFeTFe6k2zhNs5XHTwZ6huV/aKHUUAVpz6/jD/DLWOZCIIF 0o56jSU/5V6P/rtekA07cHPThJhO5c7VwU1iKYgaJuI7pgHL5Y44qDXgbt25nx9nHPau mqlgFyqcTV1qo89/1bOIZEkgoUBHel+h5MsqE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=UJ4ttGo1yIqZOj1ZDuN3LmBaUNvY9FDwdN8JzwZ8ZaM=; b=tviH3M2js6BIqBcP37YLua42QC2Ua5aZbYwNjBV8i9/emx4IsIOjSaetFEvXJLZ/i0 hW76nR9YQS7OmlcX6FTBsQfyG8Vtk2oVPcHVPw0oJubY898zs28kcD/L+UtzaKNvteNq Xga5rm2Jj3d98F6EdYM3ILXmhfj4Ou17gVVVQ+z1FZnEI62bfZlEnUUiVFs7BKijZ/rA HYmfEzLLVZWTQT2n3afDibSd+awttzi92ksXEKoHBHWxccuollpIAVNCDwgrw7z+U2ud lu+8qPkWjfDVbta4I96TJ2NL6o8yXkhUxNxU1Jy5Qc3LsR0rPPelDhl+FkHBo37y5bsQ OcvA== X-Gm-Message-State: AODbwcCRRb8c4oHs/wMmX6xWJ4S24QftXOTDTE4ym5yznDDq+L4E275x VUikOZ6EijoqvAr8 X-Received: by 10.80.138.34 with SMTP id i31mr2494083edi.145.1495100868357; Thu, 18 May 2017 02:47:48 -0700 (PDT) Received: from localhost.localdomain (xd93ddc2d.cust.hiper.dk. [217.61.220.45]) by smtp.gmail.com with ESMTPSA id w15sm2377437edw.27.2017.05.18.02.47.47 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 18 May 2017 02:47:47 -0700 (PDT) From: Christoffer Dall To: Paolo Bonzini , =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= Subject: [PULL 11/13] kvm: arm/arm64: Fix use after free of stage2 page table Date: Thu, 18 May 2017 11:47:20 +0200 Message-Id: <20170518094722.9926-12-cdall@linaro.org> X-Mailer: git-send-email 2.9.0 In-Reply-To: <20170518094722.9926-1-cdall@linaro.org> References: <20170518094722.9926-1-cdall@linaro.org> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20170518_024807_508090_429DAD95 X-CRM114-Status: GOOD ( 15.44 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , Christoffer Dall , kvm@vger.kernel.org, Suzuki K Poulose , Marc Zyngier , andreyknvl@google.com, stable@vger.kernel.org, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP From: Suzuki K Poulose We yield the kvm->mmu_lock occassionaly while performing an operation (e.g, unmap or permission changes) on a large area of stage2 mappings. However this could possibly cause another thread to clear and free up the stage2 page tables while we were waiting for regaining the lock and thus the original thread could end up in accessing memory that was freed. This patch fixes the problem by making sure that the stage2 pagetable is still valid after we regain the lock. The fact that mmu_notifer->release() could be called twice (via __mmu_notifier_release and mmu_notifier_unregsister) enhances the possibility of hitting this race where there are two threads trying to unmap the entire guest shadow pages. While at it, cleanup the redudant checks around cond_resched_lock in stage2_wp_range(), as cond_resched_lock already does the same checks. Cc: Mark Rutland Cc: Radim Krčmář Cc: andreyknvl@google.com Cc: Paolo Bonzini Cc: stable@vger.kernel.org Acked-by: Marc Zyngier Signed-off-by: Suzuki K Poulose Reviewed-by: Christoffer Dall Signed-off-by: Christoffer Dall --- virt/kvm/arm/mmu.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c index 704e35f..a2d6324 100644 --- a/virt/kvm/arm/mmu.c +++ b/virt/kvm/arm/mmu.c @@ -295,6 +295,13 @@ static void unmap_stage2_range(struct kvm *kvm, phys_addr_t start, u64 size) assert_spin_locked(&kvm->mmu_lock); pgd = kvm->arch.pgd + stage2_pgd_index(addr); do { + /* + * Make sure the page table is still active, as another thread + * could have possibly freed the page table, while we released + * the lock. + */ + if (!READ_ONCE(kvm->arch.pgd)) + break; next = stage2_pgd_addr_end(addr, end); if (!stage2_pgd_none(*pgd)) unmap_stage2_puds(kvm, pgd, addr, next); @@ -1170,11 +1177,13 @@ static void stage2_wp_range(struct kvm *kvm, phys_addr_t addr, phys_addr_t end) * large. Otherwise, we may see kernel panics with * CONFIG_DETECT_HUNG_TASK, CONFIG_LOCKUP_DETECTOR, * CONFIG_LOCKDEP. Additionally, holding the lock too long - * will also starve other vCPUs. + * will also starve other vCPUs. We have to also make sure + * that the page tables are not freed while we released + * the lock. */ - if (need_resched() || spin_needbreak(&kvm->mmu_lock)) - cond_resched_lock(&kvm->mmu_lock); - + cond_resched_lock(&kvm->mmu_lock); + if (!READ_ONCE(kvm->arch.pgd)) + break; next = stage2_pgd_addr_end(addr, end); if (stage2_pgd_present(*pgd)) stage2_wp_puds(pgd, addr, next);