From patchwork Tue Oct 25 00:17:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Kirill A. Shutemov" X-Patchwork-Id: 13018305 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id C13D5C38A2D for ; Tue, 25 Oct 2022 00:17:45 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 10FD380009; Mon, 24 Oct 2022 20:17:45 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 0980180007; Mon, 24 Oct 2022 20:17:44 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id D6A0380009; Mon, 24 Oct 2022 20:17:44 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id BDB8580007 for ; Mon, 24 Oct 2022 20:17:44 -0400 (EDT) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 7A1E6C0B07 for ; Tue, 25 Oct 2022 00:17:44 +0000 (UTC) X-FDA: 80057558448.13.7889421 Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by imf29.hostedemail.com (Postfix) with ESMTP id EF173120040 for ; Tue, 25 Oct 2022 00:17:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1666657064; x=1698193064; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=kLvyVSLWSQb+POxDNMInSWdsGrXEv5cSfT1ANJOQpLA=; b=djrvlDSYU1YcjeuPIjnkiYr5uwqoOFMkojpp+/U9ttcsNJYzTSkTxyvZ 3JrF6l8S8zBBsXxvRjxKJDNFCP5JpKu3+oRxky/jtTWKUp4RoS5hI3kX0 wTUxmsXbIgxKPhkVkHA8gI+lOsJkul/87Mt0/Ekp4sal5Yi/+2VD8CrwM jxpUvAqpmol6nwZ4Tb5L1TpCAo8Q2U247xUvq8Qyr4nguqMB81ekc2mb5 PwiH84zX04mcIdo3FFAueduU4D7r1f5lbrqJEXUvQjncdNQTyjApWZUdb dZtKeaD0qDcXJuHvxn95/ZdTuwAJEuZ70s8M1w9Gpy2nK1IVxOpeF3dpQ g==; X-IronPort-AV: E=McAfee;i="6500,9779,10510"; a="294953560" X-IronPort-AV: E=Sophos;i="5.95,210,1661842800"; d="scan'208";a="294953560" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Oct 2022 17:17:39 -0700 X-IronPort-AV: E=McAfee;i="6500,9779,10510"; a="582587481" X-IronPort-AV: E=Sophos;i="5.95,210,1661842800"; d="scan'208";a="582587481" Received: from ghoyler-mobl.ger.corp.intel.com (HELO box.shutemov.name) ([10.249.39.118]) by orsmga003-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Oct 2022 17:17:35 -0700 Received: by box.shutemov.name (Postfix, from userid 1000) id DB0371095BB; Tue, 25 Oct 2022 03:17:25 +0300 (+03) From: "Kirill A. Shutemov" To: Dave Hansen , Andy Lutomirski , Peter Zijlstra Cc: x86@kernel.org, Kostya Serebryany , Andrey Ryabinin , Andrey Konovalov , Alexander Potapenko , Taras Madan , Dmitry Vyukov , "H . J . Lu" , Andi Kleen , Rick Edgecombe , Bharata B Rao , Jacob Pan , Ashok Raj , linux-mm@kvack.org, linux-kernel@vger.kernel.org, "Kirill A. Shutemov" , Marc Zyngier Subject: [PATCHv11 06/16] KVM: Serialize tagged address check against tagging enabling Date: Tue, 25 Oct 2022 03:17:12 +0300 Message-Id: <20221025001722.17466-7-kirill.shutemov@linux.intel.com> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221025001722.17466-1-kirill.shutemov@linux.intel.com> References: <20221025001722.17466-1-kirill.shutemov@linux.intel.com> MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1666657064; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=/oO7gDFSCqJwvHDXoFqlm+XodfhyUhtj9wWrRX+3h+8=; b=pA7jm/2sPL2DgHs/RS/Ix9bkdspWM2Gil0G8oBcetM5UCi9Pmzaschne65kD7ABejJEWqP 5vrJW5ndDgn85ZloSt/7Gx1gRGZxcM9e7F4Qzi4u7ItM7eozhOY8jd3R/gJA2cqUDSuZwn umSxFpRjrtPtDhOuPMSlNfPaEIpB5YQ= ARC-Authentication-Results: i=1; imf29.hostedemail.com; dkim=none ("invalid DKIM record") header.d=intel.com header.s=Intel header.b=djrvlDSY; spf=none (imf29.hostedemail.com: domain of kirill.shutemov@linux.intel.com has no SPF policy when checking 134.134.136.20) smtp.mailfrom=kirill.shutemov@linux.intel.com; dmarc=fail reason="No valid SPF" header.from=intel.com (policy=none) ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1666657064; a=rsa-sha256; cv=none; b=NkFPwuLyh4FlKTQRedcYDd4STOPbPGuQWmPqJdRWLAe2yj5xvFPhWFUYJlKt5S5SVPKzIt RZCHjr9klVFgz1ZQ6CEPX1v3CdsLKapYXHNKKP6AOcV38WKRzUPbbPeyaFGebMMUnE1Giv GlCsqLWrWbcRhpiUUzCMFk5oKqdMUAs= X-Rspamd-Server: rspam06 X-Rspamd-Queue-Id: EF173120040 X-Rspam-User: Authentication-Results: imf29.hostedemail.com; dkim=none ("invalid DKIM record") header.d=intel.com header.s=Intel header.b=djrvlDSY; spf=none (imf29.hostedemail.com: domain of kirill.shutemov@linux.intel.com has no SPF policy when checking 134.134.136.20) smtp.mailfrom=kirill.shutemov@linux.intel.com; dmarc=fail reason="No valid SPF" header.from=intel.com (policy=none) X-Stat-Signature: rhjw6k4rt99ykcm9hfj8q3fq7hks7db3 X-HE-Tag: 1666657063-745324 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: KVM forbids usage of tagged userspace addresses for memslots. It is done by checking if the address stays the same after untagging. It is works fine for ARM TBI, but it the check gets racy for LAM. TBI enabling happens per-thread, so nobody can enable tagging for the thread while the memslot gets added. LAM gets enabled per-process. If it gets enabled after the untagged_addr() check, but before access_ok() check the kernel can wrongly allow tagged userspace_addr. Use mmap lock to protect against parallel LAM enabling. Signed-off-by: Kirill A. Shutemov Reported-by: Rick Edgecombe Cc: Marc Zyngier --- virt/kvm/kvm_main.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 8c86b06b35da..833742c21c91 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -1943,12 +1943,22 @@ int __kvm_set_memory_region(struct kvm *kvm, return -EINVAL; if (mem->guest_phys_addr & (PAGE_SIZE - 1)) return -EINVAL; + + /* Serialize against tagging enabling */ + if (mmap_read_lock_killable(kvm->mm)) + return -EINTR; + /* We can read the guest memory with __xxx_user() later on. */ if ((mem->userspace_addr & (PAGE_SIZE - 1)) || (mem->userspace_addr != untagged_addr(kvm->mm, mem->userspace_addr)) || !access_ok((void __user *)(unsigned long)mem->userspace_addr, - mem->memory_size)) + mem->memory_size)) { + mmap_read_unlock(kvm->mm); return -EINVAL; + } + + mmap_read_unlock(kvm->mm); + if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM) return -EINVAL; if (mem->guest_phys_addr + mem->memory_size < mem->guest_phys_addr)