From patchwork Tue Oct 17 20:24:56 2023
X-Patchwork-Submitter: Rick Edgecombe
X-Patchwork-Id: 13426021
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, Christian Borntraeger, Sven Schnelle, Dave Hansen
Subject: [PATCH 01/10] mm: Add helper for freeing decrypted memory
Date: Tue, 17 Oct 2023 13:24:56 -0700
Message-Id: <20231017202505.340906-2-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

When freeing decrypted memory to the page allocator the memory needs to be manually re-encrypted beforehand. If this step is skipped, then the next user of those pages will have the contents inadvertently exposed to the guest, or cause the guest to crash if the page is used in a way disallowed by HW (i.e. for executable code or as a page table).
Unfortunately, there are many instances of patterns like:

	set_memory_encrypted(pages);
	free_pages(pages);

...or...

	if (set_memory_decrypted(addr, 1))
		free_pages(pages);

This is a problem because set_memory_encrypted() and set_memory_decrypted() can be failed by the untrusted host in such a way that an error is returned and the resulting memory is shared.

To aid in a tree-wide cleanup of these callers, add a free_decrypted_pages() function that will first try to encrypt the pages before returning them. If it is not successful, have it leak the pages and warn about this. This is preferable to returning shared pages to allocator or panicking.

In some cases the code paths for freeing decrypted memory handle both encrypted and decrypted pages. In this case, rely on set_memory() to handle being asked to convert memory to the state it is already in.

Going forward, rely on cross-arch callers to find and use free_decrypted_pages() instead of resorting to more heavy handed solutions like terminating the guest when nasty VMM behavior is observed.

To make s390's arch set_memory_XXcrypted() definitions available in linux/set_memory.h, add include for s390's asm version of set_memory.h.

Cc: Heiko Carstens
Cc: Vasily Gorbik
Cc: Alexander Gordeev
Cc: Christian Borntraeger
Cc: Sven Schnelle
Cc: linux-s390@vger.kernel.org
Suggested-by: Dave Hansen
Signed-off-by: Rick Edgecombe
--- arch/s390/include/asm/set_memory.h | 1 + include/linux/set_memory.h | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/arch/s390/include/asm/set_memory.h b/arch/s390/include/asm/set_memory.h index 06fbabe2f66c..09d36ebd64b5 100644 --- a/arch/s390/include/asm/set_memory.h +++ b/arch/s390/include/asm/set_memory.h @@ -3,6 +3,7 @@ #define _ASMS390_SET_MEMORY_H #include +#include extern struct mutex cpa_mutex; diff --git a/include/linux/set_memory.h b/include/linux/set_memory.h index 95ac8398ee72..a898b14b6b1f 100644 --- a/include/linux/set_memory.h +++ b/include/linux/set_memory.h
@@ -5,6 +5,8 @@ #ifndef _LINUX_SET_MEMORY_H_ #define _LINUX_SET_MEMORY_H_ +#include + #ifdef CONFIG_ARCH_HAS_SET_MEMORY #include #else 
@@ -78,4 +80,15 @@ static inline int set_memory_decrypted(unsigned long addr, int numpages) } #endif /* CONFIG_ARCH_HAS_MEM_ENCRYPT */ +static inline void free_decrypted_pages(unsigned long addr, int order) +{ + int ret = set_memory_encrypted(addr, 1 << order); + + if (ret) { + WARN_ONCE(1, "Failed to re-encrypt memory before freeing, leaking pages!\n"); + return; + } + free_pages(addr, order); +} + #endif /* _LINUX_SET_MEMORY_H_ */
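Review bot: In free_decrypted_pages(), the failure branch uses WARN_ONCE(1, ...), so only the first leak is ever reported and the message carries neither addr, order nor ret; if set_memory_encrypted() fails repeatedly, every later leak happens with nothing in the log. Consider folding the test into the warning, e.g. `if (WARN_ONCE(ret, "... addr %#lx order %d ret %d\n", addr, order, ret)) return;`, and adding a pr_warn_ratelimited() or a leaked-pages counter for the subsequent failures. The helper also has no kernel-doc comment; since it is meant for tree-wide use, document that addr must be the start of an order-sized allocation and that the pages are intentionally leaked when re-encryption fails.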
From patchwork Tue Oct 17 20:24:57 2023
X-Patchwork-Submitter: Rick Edgecombe
X-Patchwork-Id: 13426022
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com
Subject: [PATCH 02/10] x86/mm/cpa: Reject incorrect encryption change requests
Date: Tue, 17 Oct 2023 13:24:57 -0700
Message-Id: <20231017202505.340906-3-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

Kernel memory is "encrypted" by default. Some callers may "decrypt" it in order to share it with things outside the kernel like a device or an untrusted VMM.

There is nothing to stop set_memory_encrypted() from being passed memory that is already "encrypted" (aka. "private" on TDX). In fact, some callers do this because ... $REASONS. Unfortunately, part of the TDX decrypted=>encrypted transition is truly one way*. It can't handle being asked to encrypt an already encrypted page.

Allow __set_memory_enc_pgtable() to detect already-encrypted memory before it hits the TDX code.
* The one way part is "page acceptance"

[commit log written by Dave Hansen]
Signed-off-by: Rick Edgecombe
--- arch/x86/mm/pat/set_memory.c | 41 +++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c index bda9f129835e..1238b0db3e33 100644 --- a/arch/x86/mm/pat/set_memory.c +++ b/arch/x86/mm/pat/set_memory.c @@ -2122,6 +2122,21 @@ int set_memory_global(unsigned long addr, int numpages) __pgprot(_PAGE_GLOBAL), 0); } +static bool kernel_vaddr_encryped(unsigned long addr, bool enc) +{ + unsigned int level; + pte_t *pte; + + pte = lookup_address(addr, &level); + if (!pte) + return false; + + if (enc) + return pte_val(*pte) == cc_mkenc(pte_val(*pte)); + + return pte_val(*pte) == cc_mkdec(pte_val(*pte)); +} + /* * __set_memory_enc_pgtable() is used for the hypervisors that get * informed about "encryption" status via page tables. @@ -2130,7 +2145,7 @@ static int __set_memory_enc_pgtable(unsigned long addr, int numpages, bool enc) { pgprot_t empty = __pgprot(0); struct cpa_data cpa; - int ret; + int ret, numpages_in_state = 0; /* Should not be working on unaligned addresses */ if (WARN_ONCE(addr & ~PAGE_MASK, "misaligned address: %#lx\n", addr))
@@ -2143,6 +2158,30 @@ static int __set_memory_enc_pgtable(unsigned long addr, int numpages, bool enc) cpa.mask_clr = enc ? pgprot_decrypted(empty) : pgprot_encrypted(empty); cpa.pgd = init_mm.pgd; + /* + * If any page is already in the right state, bail with an error + * because the code doesn't handled it. This is likely because + * something has gone wrong and isn't worth optimizing for. + * + * If all the memory pages are already in the desired state return + * success. + * + * kernel_vaddr_encryped() does not synchronize against huge page + * splits so take pgd_lock. A caller doing strange things could + * get a new PMD mid level PTE confused with a huge PMD entry. Just + * lock to tie up loose ends. + */ + spin_lock(&pgd_lock); + for (int i = 0; i < numpages; i++) { + if (kernel_vaddr_encryped(addr + (PAGE_SIZE * i), enc)) + numpages_in_state++; + } + spin_unlock(&pgd_lock); + if (numpages_in_state == numpages) + return 0; + else if (numpages_in_state) + return 1; + /* Must avoid aliasing mappings in the highmem code */ kmap_flush_unused(); vm_unmap_aliases();
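Review bot: In the kernel_vaddr_encryped() helper added above __set_memory_enc_pgtable(), the name is misspelled (encryped for encrypted) and the spelling is repeated in the later comment and call site, so fix it before it spreads. The helper also compares pte_val(*pte) without checking that the entry is present, and a NULL return from lookup_address() is reported as "not in the requested state" for both values of enc; add a comment saying whether an unmapped or non-present address is expected here, or return an error for it. The level output is written but never read.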
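Review bot: In the pre-check added to __set_memory_enc_pgtable(), the mixed-state case returns a bare 1 instead of a negative errno, so a caller that propagates the value hands up something that is not an error code; return -EINVAL or similar. The first sentence of the new comment ("If any page is already in the right state, bail with an error") contradicts the all-pages success case described two sentences later and should say "some but not all"; it also contains the typo "doesn't handled it". pgd_lock is released before the conversion starts, so the count is only a snapshot, and the loop holds a spinlock across numpages lookups; both are worth stating in the comment, with a bound or justification for large ranges.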
From patchwork Tue Oct 17 20:24:58 2023
X-Patchwork-Submitter: Rick Edgecombe
X-Patchwork-Id: 13426024
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, Paolo Bonzini, Wanpeng Li, Vitaly Kuznetsov, kvm@vger.kernel.org
Subject: [PATCH 03/10] kvmclock: Use free_decrypted_pages()
Date: Tue, 17 Oct 2023 13:24:58 -0700
Message-Id: <20231017202505.340906-4-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.
Kvmclock could free decrypted/shared pages if set_memory_decrypted() fails. Use the recently added free_decrypted_pages() to avoid this.

Cc: Paolo Bonzini
Cc: Wanpeng Li
Cc: Vitaly Kuznetsov
Cc: kvm@vger.kernel.org
Signed-off-by: Rick Edgecombe
Reviewed-by: Kuppuswamy Sathyanarayanan
--- arch/x86/kernel/kvmclock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c index fb8f52149be9..587b159c4e53 100644 --- a/arch/x86/kernel/kvmclock.c +++ b/arch/x86/kernel/kvmclock.c
@@ -227,7 +227,7 @@ static void __init kvmclock_init_mem(void) r = set_memory_decrypted((unsigned long) hvclock_mem, 1UL << order); if (r) { - __free_pages(p, order); + free_decrypted_pages((unsigned long)hvclock_mem, order); hvclock_mem = NULL; pr_warn("kvmclock: set_memory_decrypted() failed. Disabling\n"); return;
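Review bot: On the set_memory_decrypted() failure path in kvmclock_init_mem(), free_decrypted_pages() now calls set_memory_encrypted() on a range that may still be fully encrypted, so this hunk depends on the already-in-state handling introduced by patch 02 of this series; state that ordering dependency in the commit message. The pr_warn() that follows still only says "Disabling", so when the pages end up leaked the only trace is the helper's WARN_ONCE; consider mentioning the possible leak in this message as well.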
From patchwork Tue Oct 17 20:24:59 2023
X-Patchwork-Submitter: Rick Edgecombe
X-Patchwork-Id: 13426023
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, Christoph Hellwig, Marek Szyprowski, Robin Murphy, iommu@lists.linux.dev
Subject: [PATCH 04/10] swiotlb: Use free_decrypted_pages()
Date: Tue, 17 Oct 2023 13:24:59 -0700
Message-Id: <20231017202505.340906-5-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.
Swiotlb could free decrypted/shared pages if set_memory_decrypted() fails. Use the recently added free_decrypted_pages() to avoid this.

In swiotlb_exit(), check for set_memory_encrypted() errors manually, because the pages are not necessarily going to the page allocator.

Cc: Christoph Hellwig
Cc: Marek Szyprowski
Cc: Robin Murphy
Cc: iommu@lists.linux.dev
Signed-off-by: Rick Edgecombe
--- kernel/dma/swiotlb.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c index 394494a6b1f3..ad06786c4f98 100644 --- a/kernel/dma/swiotlb.c +++ b/kernel/dma/swiotlb.c @@ -524,6 +524,7 @@ void __init swiotlb_exit(void) unsigned long tbl_vaddr; size_t tbl_size, slots_size; unsigned int area_order; + int ret; if (swiotlb_force_bounce) return; @@ -536,17 +537,19 @@ void __init swiotlb_exit(void) tbl_size = PAGE_ALIGN(mem->end - mem->start); slots_size = PAGE_ALIGN(array_size(sizeof(*mem->slots), mem->nslabs)); - set_memory_encrypted(tbl_vaddr, tbl_size >> PAGE_SHIFT); + ret = set_memory_encrypted(tbl_vaddr, tbl_size >> PAGE_SHIFT); if (mem->late_alloc) { area_order = get_order(array_size(sizeof(*mem->areas), mem->nareas)); free_pages((unsigned long)mem->areas, area_order); - free_pages(tbl_vaddr, get_order(tbl_size)); + if (!ret) + free_pages(tbl_vaddr, get_order(tbl_size)); free_pages((unsigned long)mem->slots, get_order(slots_size)); } else { memblock_free_late(__pa(mem->areas), array_size(sizeof(*mem->areas), mem->nareas)); - memblock_free_late(mem->start, tbl_size); + if (!ret) + memblock_free_late(mem->start, tbl_size); memblock_free_late(__pa(mem->slots), slots_size); }
@@ -581,7 +584,7 @@ static struct page *alloc_dma_pages(gfp_t gfp, size_t bytes) return page; error: - __free_pages(page, order); + free_decrypted_pages((unsigned long)vaddr, order); return NULL; }
From patchwork Tue Oct 17 20:25:00 2023
X-Patchwork-Submitter: Rick Edgecombe
X-Patchwork-Id: 13426025
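Review bot: In swiotlb_exit() of the swiotlb patch above, a failed set_memory_encrypted() now skips free_pages(tbl_vaddr, ...) or memblock_free_late(mem->start, ...) without any message, so the table is leaked silently. Add a WARN_ONCE() or pr_warn() on the ret != 0 path, plus a short comment that the table is left unfreed on purpose because it may still be shared with the host.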
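Review bot: At the error: label in alloc_dma_pages() of the swiotlb patch above, the free now takes (unsigned long)vaddr instead of page, so every goto error must come after vaddr has been assigned; the context lines do not show the assignment, so please confirm no path reaches error: earlier. A one-line comment at the label saying the pages may be left shared after a failed set_memory_decrypted() would explain why __free_pages() is no longer used.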
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, Richard Cochran, netdev@vger.kernel.org
Subject: [PATCH 05/10] ptp: Use free_decrypted_pages()
Date: Tue, 17 Oct 2023 13:25:00 -0700
Message-Id: <20231017202505.340906-6-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

Ptp could free decrypted/shared pages if set_memory_decrypted() fails.
Use the recently added free_decrypted_pages() to avoid this. Cc: Richard Cochran Cc: netdev@vger.kernel.org Signed-off-by: Rick Edgecombe --- drivers/ptp/ptp_kvm_x86.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ptp/ptp_kvm_x86.c b/drivers/ptp/ptp_kvm_x86.c index 902844cc1a17..203af060013d 100644 --- a/drivers/ptp/ptp_kvm_x86.c +++ b/drivers/ptp/ptp_kvm_x86.c 
@@ -36,7 +36,7 @@ int kvm_arch_ptp_init(void) clock_pair = page_address(p); ret = set_memory_decrypted((unsigned long)clock_pair, 1); if (ret) { - __free_page(p); + free_decrypted_pages((unsigned long)clock_pair, 0); clock_pair = NULL; goto nofree; }
From patchwork Tue Oct 17 20:25:01 2023
X-Patchwork-Submitter: Rick Edgecombe
X-Patchwork-Id: 13426026
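Review bot: In kvm_arch_ptp_init() of the ptp patch above, the if (ret) branch after set_memory_decrypted() carries no comment on why __free_page(p) was replaced. Add one line saying the host can leave the page shared when the conversion fails, so it must go through free_decrypted_pages() rather than straight back to the allocator. The literal order 0 is also silently tied to the page count 1 passed to set_memory_decrypted() two lines earlier; a shared constant or a comment would keep the two from drifting apart.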
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, Christoph Hellwig, Marek Szyprowski, Robin Murphy, iommu@lists.linux.dev
Subject: [PATCH 06/10] dma: Use free_decrypted_pages()
Date: Tue, 17 Oct 2023 13:25:01 -0700
Message-Id: <20231017202505.340906-7-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

DMA could free decrypted/shared pages if set_memory_decrypted() fails. Use the recently added free_decrypted_pages() to avoid this. Several paths also result in proper encrypted pages being freed through the same freeing function. Rely on free_decrypted_pages() to not leak the memory in these cases. Cc: Christoph Hellwig Cc: Marek Szyprowski Cc: Robin Murphy Cc: iommu@lists.linux.dev Signed-off-by: Rick Edgecombe --- include/linux/dma-map-ops.h | 3 ++- kernel/dma/contiguous.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/include/linux/dma-map-ops.h b/include/linux/dma-map-ops.h index f2fc203fb8a1..b0800cbbc357 100644 --- a/include/linux/dma-map-ops.h +++ b/include/linux/dma-map-ops.h @@ -9,6 +9,7 @@ #include #include #include +#include struct cma; @@ -165,7 +166,7 @@ static inline struct page *dma_alloc_contiguous(struct device *dev, size_t size, static inline void dma_free_contiguous(struct device *dev, struct page *page, size_t size) { - __free_pages(page, get_order(size)); + free_decrypted_pages((unsigned long)page_address(page), get_order(size)); } #endif /* CONFIG_DMA_CMA*/ diff --git a/kernel/dma/contiguous.c b/kernel/dma/contiguous.c index f005c66f378c..e962f1f6434e 100644 --- a/kernel/dma/contiguous.c +++ b/kernel/dma/contiguous.c 
@@ -429,7 +429,7 @@ void dma_free_contiguous(struct device *dev, struct page *page, size_t size) } /* not in any cma, free from buddy */ - __free_pages(page, get_order(size)); + free_decrypted_pages((unsigned long)page_address(page), get_order(size)); } /*
From patchwork Tue Oct 17 20:25:02 2023
X-Patchwork-Submitter: Rick Edgecombe
X-Patchwork-Id: 13426027
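Review bot: Both dma_free_contiguous() variants in the dma patch above now pass page_address(page) where __free_pages() took the struct page directly. page_address() returns NULL for a highmem page that has no kernel mapping, so on configurations where these pages can come from highmem the helper would be handed address 0. Either guard with PageHighMem(page) and fall back to __free_pages(), or state in a comment why these paths never see highmem pages. Since the commit message says properly encrypted pages are also freed through these calls, that is worth a comment at the call sites too.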
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, linux-hyperv@vger.kernel.org
Subject: [RFC 07/10] hv: Use free_decrypted_pages()
Date: Tue, 17 Oct 2023 13:25:02 -0700
Message-Id: <20231017202505.340906-8-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

Hyperv could free decrypted/shared pages if set_memory_decrypted() fails. Use the recently added free_decrypted_pages() to avoid this. Only compile tested. Cc: "K. Y. Srinivasan" Cc: Haiyang Zhang Cc: Wei Liu Cc: Dexuan Cui Cc: linux-hyperv@vger.kernel.org Signed-off-by: Rick Edgecombe --- drivers/hv/channel.c | 7 ++++--- drivers/hv/connection.c | 13 +++++++++---- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index 56f7e06c673e..1ad8f7fabe06 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c @@ -153,9 +153,10 @@ void vmbus_free_ring(struct vmbus_channel *channel) hv_ringbuffer_cleanup(&channel->inbound); if (channel->ringbuffer_page) { - __free_pages(channel->ringbuffer_page, - get_order(channel->ringbuffer_pagecount - << PAGE_SHIFT)); + int order = get_order(channel->ringbuffer_pagecount << PAGE_SHIFT); + unsigned long addr = (unsigned long)page_address(channel->ringbuffer_page); + + free_decrypted_pages(addr, order); channel->ringbuffer_page = NULL; } } diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c index 3cabeeabb1ca..cffad9b139d3 100644 --- a/drivers/hv/connection.c +++ b/drivers/hv/connection.c @@ -315,6 +315,7 @@ int vmbus_connect(void) void vmbus_disconnect(void) { + int ret; /* * First send the unload request to the host. */ 
@@ -337,11 +338,15 @@ void vmbus_disconnect(void) vmbus_connection.int_page = NULL; } - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); + ret = set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); + ret |= set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); - hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); - hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); + if (!ret) { + hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); + hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); + } else { + WARN_ONCE(1, "Failed to re-encrypt memory before freeing, leaking pages!\n"); + } vmbus_connection.monitor_pages[0] = NULL; vmbus_connection.monitor_pages[1] = NULL; }
From patchwork Tue Oct 17 20:25:03 2023
X-Patchwork-Submitter: Rick Edgecombe
X-Patchwork-Id: 13426028
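Review bot: In vmbus_disconnect() of the hv patch above, the two set_memory_encrypted() results are OR-ed into a single ret, so a failure on either monitor page leaks both, including the one that was re-encrypted successfully. Check each call separately, free the page whose conversion succeeded, and warn only for the page that stays shared. As a style point, the new int ret; declaration sits directly above the existing comment with no blank line after it.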
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, linux-hyperv@vger.kernel.org
Subject: [RFC 08/10] hv: Track decrypted status in vmbus_gpadl
Date: Tue, 17 Oct 2023 13:25:03 -0700
Message-Id: <20231017202505.340906-9-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

In order to make sure callers of vmbus_establish_gpadl() and vmbus_teardown_gpadl() don't return decrypted/shared pages to allocators, add a field in struct vmbus_gpadl to keep track of the decryption status of the buffers. This will allow the callers to know if they should free or leak the pages. Only compile tested. Cc: "K. Y. Srinivasan" Cc: Haiyang Zhang Cc: Wei Liu Cc: Dexuan Cui Cc: linux-hyperv@vger.kernel.org Signed-off-by: Rick Edgecombe --- drivers/hv/channel.c | 11 ++++++++--- include/linux/hyperv.h | 1 + 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index 1ad8f7fabe06..0a7dcbb48140 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c @@ -479,6 +479,7 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, ret = set_memory_decrypted((unsigned long)kbuffer, PFN_UP(size)); if (ret) { + gpadl->decrypted = false; dev_warn(&channel->device_obj->device, "Failed to set host visibility for new GPADL %d.\n", ret); @@ -551,6 +552,7 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, gpadl->gpadl_handle = gpadlmsg->gpadl; gpadl->buffer = kbuffer; gpadl->size = size; + gpadl->decrypted = true; cleanup: @@ -564,9 +566,10 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, kfree(msginfo); - if (ret) - set_memory_encrypted((unsigned long)kbuffer, - PFN_UP(size)); + if (ret) { + if (set_memory_encrypted((unsigned long)kbuffer, PFN_UP(size))) + gpadl->decrypted = false; + } return ret; } @@ -887,6 +890,8 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, struct vmbus_gpadl *gpad if (ret) pr_warn("Fail to set mem host visibility in GPADL teardown %d.\n", ret); + gpadl->decrypted = ret; + return ret; } EXPORT_SYMBOL_GPL(vmbus_teardown_gpadl); diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 2b00faf98017..5bac136c268c 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h
@@ -812,6 +812,7 @@ struct vmbus_gpadl { u32 gpadl_handle; u32 size; void *buffer; + bool decrypted; }; struct vmbus_channel {
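Review bot: In drivers/hv/channel.c, hunk @@ -479,6 +479,7 @@ (__vmbus_establish_gpadl), the flag is cleared on the very path where set_memory_decrypted() has just failed, which is the case the commit message says can leave the memory shared. A caller that tests !gpadl->decrypted will then free pages whose state is unknown. Set gpadl->decrypted = true here (or set it before the call and clear it only once the memory is known to be private again), so that a failed conversion ends in a leak rather than a free.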
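Review bot: In drivers/hv/channel.c, hunk @@ -551,6 +552,7 @@, gpadl->decrypted = true is assigned only on the last line before the cleanup: label, so an error exit that reaches cleanup: after set_memory_decrypted() has succeeded never sets it, and the field keeps whatever value the caller's struct held. Assign it immediately after the successful set_memory_decrypted() call so that every later path starts from a defined value.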
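Review bot: In drivers/hv/channel.c, hunk @@ -564,9 +566,10 @@, the test on set_memory_encrypted() looks inverted: a non-zero return means re-encryption failed, yet that is the branch that sets gpadl->decrypted = false. The flag should be cleared only when the call returns 0, for example if (!set_memory_encrypted(...)) gpadl->decrypted = false;, and left true on failure so the caller leaks the buffer.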
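Review bot: In drivers/hv/channel.c, hunk @@ -887,6 +890,8 @@ (vmbus_teardown_gpadl), gpadl->decrypted = ret; stores an int error code into a bool and relies on the implicit conversion to mean "still decrypted if re-encryption failed". Write the intent out, e.g. gpadl->decrypted = (ret != 0);, with a one-line comment, and confirm that no earlier return in this function skips the assignment.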
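Review bot: In include/linux/hyperv.h, hunk @@ -812,6 +812,7 @@, the new bool decrypted field has no comment, although callers are now expected to base a free-or-leak decision on it. Document what true means (the buffer may still be shared with the host and must not be returned to an allocator), which functions update it, and whether the struct has to be zero-initialised before vmbus_establish_gpadl() is called.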
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, linux-hyperv@vger.kernel.org
Subject: [RFC 09/10] hv_nstvsc: Don't free decrypted memory
Date: Tue, 17 Oct 2023 13:25:04 -0700
Message-Id: <20231017202505.340906-10-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.
hv_nstvsc could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl before freeing in order to not leak the memory. Only compile tested. Cc: "K. Y. Srinivasan" Cc: Haiyang Zhang Cc: Wei Liu Cc: Dexuan Cui Cc: linux-hyperv@vger.kernel.org Signed-off-by: Rick Edgecombe --- drivers/net/hyperv/netvsc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c index 82e9796c8f5e..70b7f91fb96b 100644 --- a/drivers/net/hyperv/netvsc.c +++ b/drivers/net/hyperv/netvsc.c 
@@ -154,8 +154,11 @@ static void free_netvsc_device(struct rcu_head *head) int i; kfree(nvdev->extension); - vfree(nvdev->recv_buf); - vfree(nvdev->send_buf); + + if (!nvdev->recv_buf_gpadl_handle.decrypted) + vfree(nvdev->recv_buf); + if (!nvdev->send_buf_gpadl_handle.decrypted) + vfree(nvdev->send_buf); bitmap_free(nvdev->send_section_map); for (i = 0; i < VRSS_CHANNEL_MAX; i++) {
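Review bot: In free_netvsc_device() (hunk @@ -154,8 +154,11 @@ of drivers/net/hyperv/netvsc.c), the two !...decrypted checks protect the buffers only if the flag is true whenever the memory may still be shared, and with patch 08 as posted gpadl->decrypted is set to false on the failure paths of set_memory_decrypted() and set_memory_encrypted(), so the test passes and vfree() still runs in the cases this series targets. Separately, the skipped branch leaks the buffer without any message; a WARN_ONCE or pr_warn there would make the deliberate leak visible. The subject and changelog spell the driver hv_nstvsc while the file is drivers/net/hyperv/netvsc.c, and "in order to not leak the memory" reads as the opposite of what the code does.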
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, linux-hyperv@vger.kernel.org
Subject: [RFC 10/10] uio_hv_generic: Don't free decrypted memory
Date: Tue, 17 Oct 2023 13:25:05 -0700
Message-Id: <20231017202505.340906-11-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.
uio_hv_generic could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl before freeing in order to not leak the memory. Only compile tested. Cc: "K. Y. Srinivasan" Cc: Haiyang Zhang Cc: Wei Liu Cc: Dexuan Cui Cc: linux-hyperv@vger.kernel.org Signed-off-by: Rick Edgecombe --- drivers/uio/uio_hv_generic.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 20d9762331bd..6be3462b109f 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -181,12 +181,14 @@ hv_uio_cleanup(struct hv_device *dev, struct hv_uio_private_data *pdata) { if (pdata->send_gpadl.gpadl_handle) { vmbus_teardown_gpadl(dev->channel, &pdata->send_gpadl); - vfree(pdata->send_buf); + if (!pdata->send_gpadl.decrypted) + vfree(pdata->send_buf); } if (pdata->recv_gpadl.gpadl_handle) { vmbus_teardown_gpadl(dev->channel, &pdata->recv_gpadl); - vfree(pdata->recv_buf); + if (!pdata->recv_gpadl.decrypted) + vfree(pdata->recv_buf); } } @@ -295,7 +297,8 @@ hv_uio_probe(struct hv_device *dev, ret = vmbus_establish_gpadl(channel, pdata->recv_buf, RECV_BUFFER_SIZE, &pdata->recv_gpadl); if (ret) { - vfree(pdata->recv_buf); + if (!pdata->recv_gpadl.decrypted) + vfree(pdata->recv_buf); goto fail_close; } @@ -317,7 +320,8 @@ hv_uio_probe(struct hv_device *dev, ret = vmbus_establish_gpadl(channel, pdata->send_buf, SEND_BUFFER_SIZE, &pdata->send_gpadl); if (ret) { - vfree(pdata->send_buf); + if (!pdata->send_gpadl.decrypted) + vfree(pdata->send_buf); goto fail_close; }
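Review bot: In hv_uio_cleanup() (hunk @@ -181,12 +181,14 @@ of drivers/uio/uio_hv_generic.c), the test-then-vfree pair is open-coded twice here and twice more in hv_uio_probe(), on top of the two copies in netvsc.c. A small shared helper that takes the gpadl and the buffer, frees when decrypted is false and warns when it is true would keep the six sites consistent and make each deliberate leak visible in the log.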
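Review bot: In hv_uio_probe() (hunk @@ -295,7 +297,8 @@, and the matching send-buffer hunk @@ -317,7 +320,8 @@), the flag is read right after vmbus_establish_gpadl() has returned an error, so its value comes entirely from the error paths of __vmbus_establish_gpadl(). In patch 08 those paths set gpadl->decrypted = false when set_memory_decrypted() or set_memory_encrypted() fails, which makes !pdata->recv_gpadl.decrypted true and lets vfree() run exactly when the buffer may still be shared. The establish-side flag needs fixing first; the check also depends on pdata being zero-initialised for failures that occur before the flag is written.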