From patchwork Wed Nov 23 00:20:28 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Woodhouse X-Patchwork-Id: 13052895 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 44969C433FE for ; Wed, 23 Nov 2022 00:20:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235215AbiKWAUj (ORCPT ); Tue, 22 Nov 2022 19:20:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45144 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234512AbiKWAUh (ORCPT ); Tue, 22 Nov 2022 19:20:37 -0500 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AFEA1D5A0D for ; Tue, 22 Nov 2022 16:20:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Sender:Content-Transfer-Encoding: MIME-Version:Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-Type: Content-ID:Content-Description:In-Reply-To:References; bh=mlp8veIal+exzXXUNMI9ARhDb1z9qQxsAhW32IRDmcY=; b=hfMXAvofT6pLU/7jE3YKFuSizs YApfrt8JRwrTPromb0Ek+h46oPYQDTfQ+aehtfj4F+2k5mE22i2F2M5llHRtTnaOOVGtzVboLmy8+ QJA5gC5xnY7OClkQ+pqjlRf98MTy4hkLak+UNAXKhLyJf3p3N16poenFr5TSW+0hJbZ+Y44SMljka QkJH4WQAFZsrtRWikyTkB9OYQ+BG1Gcj8mnxMcBQwiXNldL1+UHeHFSZBLr7aAzqHBIjbu7KH7hfh GokPKu0MiYiggFk76nwMh+6fKzIPZtE6hDHgaJimxLpF/4XYQqzrsvc/jbWDbVHsaqMZisqY+9iET ay0jcTgQ==; Received: from i7.infradead.org ([2001:8b0:10b:1:21e:67ff:fecb:7a92]) by casper.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1oxdVF-006uLD-Jo; Wed, 23 Nov 2022 00:20:37 +0000 Received: from dwoodhou by i7.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1oxdV8-000O7e-Gr; Wed, 23 
Nov 2022 00:20:30 +0000 From: David Woodhouse To: Paolo Bonzini , Sean Christopherson Cc: Michal Luczaj , kvm@vger.kernel.org Subject: [PATCH 1/3] KVM: x86/xen: Validate port number in SCHEDOP_poll Date: Wed, 23 Nov 2022 00:20:28 +0000 Message-Id: <20221123002030.92716-1-dwmw2@infradead.org> X-Mailer: git-send-email 2.35.3 MIME-Version: 1.0 Sender: David Woodhouse X-SRS-Rewrite: SMTP reverse-path rewritten from by casper.infradead.org. See http://www.infradead.org/rpr.html Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org From: David Woodhouse We shouldn't allow guests to poll on arbitrary port numbers off the end of the event channel table. Fixes: 1a65105a5aba ("KVM: x86/xen: handle PV spinlocks slowpath") [dwmw2: my bug though; the original version did check the validity as a side-effect of an idr_find() which I ripped out in refactoring.] Reported-by: Michal Luczaj Signed-off-by: David Woodhouse Cc: stable@kernel.org Reviewed-by: Sean Christopherson --- arch/x86/kvm/xen.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c index 2dae413bd62a..dc2f304f2e69 100644 --- a/arch/x86/kvm/xen.c +++ b/arch/x86/kvm/xen.c @@ -954,6 +954,14 @@ static int kvm_xen_hypercall_complete_userspace(struct kvm_vcpu *vcpu) return kvm_xen_hypercall_set_result(vcpu, run->xen.u.hcall.result); } +static inline int max_evtchn_port(struct kvm *kvm) +{ + if (IS_ENABLED(CONFIG_64BIT) && kvm->arch.xen.long_mode) + return EVTCHN_2L_NR_CHANNELS; + else + return COMPAT_EVTCHN_2L_NR_CHANNELS; +} + static bool wait_pending_event(struct kvm_vcpu *vcpu, int nr_ports, evtchn_port_t *ports) { @@ -1042,6 +1050,10 @@ static bool kvm_xen_schedop_poll(struct kvm_vcpu *vcpu, bool longmode, *r = -EFAULT; goto out; } + if (ports[i] >= max_evtchn_port(vcpu->kvm)) { + *r = -EINVAL; + goto out; + } } if (sched_poll.nr_ports == 1) 
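Review bot: in the SCHEDOP_poll hunk, `max_evtchn_port(vcpu->kvm)` is re-evaluated on every iteration of the loop that copies `ports[i]`; hoisting it into a local before the loop (e.g. `int max_port = max_evtchn_port(vcpu->kvm);`) is a small style improvement and makes the bound being enforced obvious at a glance. The visible context does not show where `sched_poll.nr_ports` itself is bounded before `ports[]` is indexed, so it is worth confirming in the surrounding code that the count is capped; the new per-port check closes the event-channel table lookup, not the copy loop. Note also that -EINVAL is returned for any out-of-range port before the `nr_ports == 1` fast path, so one bad port in a multi-port poll fails the whole hypercall rather than being skipped; that is the right choice for a stable fix, but a one-line comment above the check stating that the whole list is validated first would help the next reader.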
@@ -1297,14 +1309,6 @@ int kvm_xen_hypercall(struct kvm_vcpu *vcpu) return 0; } -static inline int max_evtchn_port(struct kvm *kvm) -{ - if (IS_ENABLED(CONFIG_64BIT) && kvm->arch.xen.long_mode) - return EVTCHN_2L_NR_CHANNELS; - else - return COMPAT_EVTCHN_2L_NR_CHANNELS; -} - static void kvm_xen_check_poller(struct kvm_vcpu *vcpu, int port) { int poll_evtchn = vcpu->arch.xen.poll_evtchn; From patchwork Wed Nov 23 00:20:29 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Woodhouse X-Patchwork-Id: 13052897 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8FC56C43217 for ; Wed, 23 Nov 2022 00:20:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235220AbiKWAUm (ORCPT ); Tue, 22 Nov 2022 19:20:42 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45156 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234723AbiKWAUl (ORCPT ); Tue, 22 Nov 2022 19:20:41 -0500 Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0B2B8657C7 for ; Tue, 22 Nov 2022 16:20:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding: MIME-Version:References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From: Reply-To:Content-Type:Content-ID:Content-Description; bh=2cdSSkt8hVjZTzlfdglHAos1iiy8w/MTdW54y5x5CRk=; b=CjrRZgNXmw11cLaDnHJuhZS8I3 ecE9ytLxQFN3hG6t+hhHORcHkN1KYcRpjdxCL+ricjIP1Rz8aGJN3OD/Rq4cuvtGjUsnOoD1I6pnx rhYeLL15rlX+u5yLjC8e3f9JhG8wMGA97amyDoTVNAHtkpC4AL/k9PnGjDLTRJlIeMT3cexSrAefb 
Fj9QlPyQsW7pb6HEXl83M4qhlq4jjkk5z8s4fgvGhLuExb6xSbweXeAGKh4zmOlbPwrdPgWz7vwcb Cnpil3ytjdy1ozw/b19cV1QGlE3tu42Qfd4hthbtbd83SXdE10pZxq7eAo6F5NjlrsNCEk+YWyrrL 7GCRWh0Q==; Received: from i7.infradead.org ([2001:8b0:10b:1:21e:67ff:fecb:7a92]) by desiato.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1oxdV8-003dA4-QA; Wed, 23 Nov 2022 00:20:31 +0000 Received: from dwoodhou by i7.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1oxdV8-000O7h-HU; Wed, 23 Nov 2022 00:20:30 +0000 From: David Woodhouse To: Paolo Bonzini , Sean Christopherson Cc: Michal Luczaj , kvm@vger.kernel.org Subject: [PATCH 2/3] KVM: x86/xen: Only do in-kernel acceleration of hypercalls for guest CPL0 Date: Wed, 23 Nov 2022 00:20:29 +0000 Message-Id: <20221123002030.92716-2-dwmw2@infradead.org> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20221123002030.92716-1-dwmw2@infradead.org> References: <20221123002030.92716-1-dwmw2@infradead.org> MIME-Version: 1.0 Sender: David Woodhouse X-SRS-Rewrite: SMTP reverse-path rewritten from by desiato.infradead.org. See http://www.infradead.org/rpr.html Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org From: David Woodhouse There are almost no hypercalls which are valid from CPL > 0, and definitely none which are handled by the kernel. Fixes: 2fd6df2f2b47 ("KVM: x86/xen: intercept EVTCHNOP_send from guests") Reported-by: Michal Luczaj Signed-off-by: David Woodhouse Cc: stable@kernel.org Reviewed-by: Sean Christopherson --- arch/x86/kvm/xen.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c index dc2f304f2e69..f3098c0e386a 100644 --- a/arch/x86/kvm/xen.c +++ b/arch/x86/kvm/xen.c @@ -1227,6 +1227,7 @@ int kvm_xen_hypercall(struct kvm_vcpu *vcpu) bool longmode; u64 input, params[6], r = -ENOSYS; bool handled = false; + u8 cpl; input = (u64)kvm_register_read(vcpu, VCPU_REGS_RAX); 
@@ -1254,9 +1255,17 @@ int kvm_xen_hypercall(struct kvm_vcpu *vcpu) params[5] = (u64)kvm_r9_read(vcpu); } #endif + cpl = static_call(kvm_x86_get_cpl)(vcpu); trace_kvm_xen_hypercall(input, params[0], params[1], params[2], params[3], params[4], params[5]); + /* + * Only allow hypercall acceleration for CPL0. The rare hypercalls that + * are permitted in guest userspace can be handled by the VMM. + */ + if (unlikely(cpl > 0)) + goto handle_in_userspace; + switch (input) { case __HYPERVISOR_xen_version: if (params[0] == XENVER_version && vcpu->kvm->arch.xen.xen_version) { 
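Review bot: the CPL check in this hunk changes the user-visible contract of KVM_EXIT_XEN_HCALL, yet the diffstat touches only arch/x86/kvm/xen.c: with in-kernel acceleration enabled, every hypercall issued at CPL > 0 is now forwarded to the VMM, including EVTCHNOP_send, which the kernel handled before this series per the Fixes tag, so the VMM must apply its own CPL policy using the `cpl` value it receives in the exit. Documentation/virt/kvm/api.rst should state that expectation alongside the field. Separately, `trace_kvm_xen_hypercall()` is called here with only input and params; adding `cpl` to the tracepoint would let an operator tell guest-userspace hypercall attempts apart from kernel-originated ones when triaging a guest. Placing the check after the tracepoint is correct, since those attempts still get traced.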
@@ -1291,10 +1300,11 @@ int kvm_xen_hypercall(struct kvm_vcpu *vcpu) if (handled) return kvm_xen_hypercall_set_result(vcpu, r); +handle_in_userspace: vcpu->run->exit_reason = KVM_EXIT_XEN; vcpu->run->xen.type = KVM_EXIT_XEN_HCALL; vcpu->run->xen.u.hcall.longmode = longmode; - vcpu->run->xen.u.hcall.cpl = static_call(kvm_x86_get_cpl)(vcpu); + vcpu->run->xen.u.hcall.cpl = cpl; vcpu->run->xen.u.hcall.input = input; vcpu->run->xen.u.hcall.params[0] = params[0]; vcpu->run->xen.u.hcall.params[1] = params[1]; From patchwork Wed Nov 23 00:20:30 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: David Woodhouse X-Patchwork-Id: 13052896 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5CFF3C4332F for ; Wed, 23 Nov 2022 00:20:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235048AbiKWAUk (ORCPT ); Tue, 22 Nov 2022 19:20:40 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45146 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234723AbiKWAUh (ORCPT ); Tue, 22 Nov 2022 19:20:37 -0500 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AFD86663D4 for ; Tue, 22 Nov 2022 16:20:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:MIME-Version:References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Reply-To:Content-ID:Content-Description; bh=x+eM26eJCdZ8sbc1Hnhd3LnlnQYGjwWm7F++PTNqvjc=; b=TvjxyNy/iOImPCqHCJPL/SZli1 1vHw48cke9ICYPGUPR3p9j3rVWEhPKmRHKUmkIV4uKRx9iCmJNMEuwnlpR2DKGgnDXgrIRJGWMOrr 
5uJvGFHiZB4niclMMUal4Ao5kfhWahttzEXB6D1OYSgX0kbRBZJoWT9T+qCkQdODIcylH48PKn9Df Bi5LNgtVZS++xRiUYsBLn5qlQ8by7yHzI+Ktk0zWxPyHXSiMZHqCnpjU4na79wM/4pdmhbVj+BRQ7 mMaR9AYG0jR5VLq1+9zwo5G0JXqMju/fq23sdm7hgzXPT6jh3z06Z02HLGpX6ocf/2J48mGolPoCF OT6MW3Yg==; Received: from i7.infradead.org ([2001:8b0:10b:1:21e:67ff:fecb:7a92]) by casper.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1oxdVF-006uLE-L7; Wed, 23 Nov 2022 00:20:37 +0000 Received: from dwoodhou by i7.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1oxdV8-000O7l-I7; Wed, 23 Nov 2022 00:20:30 +0000 From: David Woodhouse To: Paolo Bonzini , Sean Christopherson Cc: Michal Luczaj , kvm@vger.kernel.org Subject: [PATCH 3/3] KVM: Update gfn_to_pfn_cache khva when it moves within the same page Date: Wed, 23 Nov 2022 00:20:30 +0000 Message-Id: <20221123002030.92716-3-dwmw2@infradead.org> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20221123002030.92716-1-dwmw2@infradead.org> References: <20221123002030.92716-1-dwmw2@infradead.org> MIME-Version: 1.0 Sender: David Woodhouse X-SRS-Rewrite: SMTP reverse-path rewritten from by casper.infradead.org. See http://www.infradead.org/rpr.html Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org From: David Woodhouse In the case where a GPC is refreshed to a different location within the same page, we didn't bother to update it. Mostly we don't need to, but since the ->khva field also includes the offset within the page, that does have to be updated. Fixes: 982ed0de4753 ("KVM: Reinstate gfn_to_pfn_cache with invalidation support") Signed-off-by: David Woodhouse Reviewed-by: Paul Durrant Cc: stable@kernel.org Reviewed-by: Sean Christopherson --- virt/kvm/pfncache.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c index bd4a46aee384..5f83321bfd2a 100644 --- a/virt/kvm/pfncache.c +++ b/virt/kvm/pfncache.c 
@@ -297,7 +297,12 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, if (!gpc->valid || old_uhva != gpc->uhva) { ret = hva_to_pfn_retry(kvm, gpc); } else { - /* If the HVA→PFN mapping was already valid, don't unmap it. */ + /* + * If the HVA→PFN mapping was already valid, don't unmap it. + * But do update gpc->khva because the offset within the page + * may have changed. + */ + gpc->khva = old_khva + page_offset; old_pfn = KVM_PFN_ERR_FAULT; old_khva = NULL; ret = 0;
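Review bot: the new assignment `gpc->khva = old_khva + page_offset;` relies on `old_khva` already being the page-aligned base of the existing mapping and on `page_offset` having been computed from the new gpa rather than the cached one, neither of which is visible in this hunk; please confirm both, since if `page_offset` still derives from the old gpa the same-page case this patch fixes is not actually fixed. A short comment at the point where `old_khva` is derived (or stating the invariant here) would make the `+ page_offset` self-explanatory, because `gpc->khva` is the field that otherwise still carries the stale offset and a reader may wonder why `old_khva` is the one being reused. The ordering within the else branch is right: `gpc->khva` is updated before `old_khva` is cleared to NULL so the caller skips the unmap.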