From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jan Glauber, Andre Przywara, Christoffer Dall, Paolo Bonzini
Subject: [PATCH 4.16 018/110] KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock
Date: Mon, 21 May 2018 23:11:15 +0200
Message-Id: <20180521210505.486580278@linuxfoundation.org>
In-Reply-To: <20180521210503.823249477@linuxfoundation.org>
References: <20180521210503.823249477@linuxfoundation.org>
X-stable: review

4.16-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andre Przywara

commit bf308242ab98b5d1648c3663e753556bef9bec01 upstream.

kvm_read_guest() will eventually look up in kvm_memslots(), which requires
either to hold the kvm->slots_lock or to be inside a kvm->srcu critical
section.
In contrast to x86 and s390 we don't take the SRCU lock on every guest
exit, so we have to do it individually for each kvm_read_guest() call.

Provide a wrapper which does that and use that everywhere.

Note that ending the SRCU critical section before returning from the
kvm_read_guest() wrapper is safe, because the data has been *copied*, so
we don't need to rely on valid references to the memslot anymore.

Cc: Stable # 4.8+
Reported-by: Jan Glauber
Signed-off-by: Andre Przywara
Acked-by: Christoffer Dall
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman

---
 arch/arm/include/asm/kvm_mmu.h   | 16 ++++++++++++++++
 arch/arm64/include/asm/kvm_mmu.h | 16 ++++++++++++++++
 virt/kvm/arm/vgic/vgic-its.c     | 15 ++++++++-------
 3 files changed, 40 insertions(+), 7 deletions(-)

--- a/arch/arm/include/asm/kvm_mmu.h
+++ b/arch/arm/include/asm/kvm_mmu.h
@@ -295,6 +295,22 @@ static inline unsigned int kvm_get_vmid_ return 8; } +/* + * We are not in the kvm->srcu critical section most of the time, so we take + * the SRCU read lock here. Since we copy the data from the user page, we + * can immediately drop the lock again. + */ +static inline int kvm_read_guest_lock(struct kvm *kvm, + gpa_t gpa, void *data, unsigned long len) +{ + int srcu_idx = srcu_read_lock(&kvm->srcu); + int ret = kvm_read_guest(kvm, gpa, data, len); + + srcu_read_unlock(&kvm->srcu, srcu_idx); + + return ret; +} + static inline void *kvm_get_hyp_vector(void) { return kvm_ksym_ref(__kvm_hyp_vector); --- a/arch/arm64/include/asm/kvm_mmu.h +++ b/arch/arm64/include/asm/kvm_mmu.h @@ -348,6 +348,22 @@ static inline unsigned int kvm_get_vmid_ return (cpuid_feature_extract_unsigned_field(reg, ID_AA64MMFR1_VMIDBITS_SHIFT) == 2) ? 16 : 8; } +/* + * We are not in the kvm->srcu critical section most of the time, so we take + * the SRCU read lock here. Since we copy the data from the user page, we + * can immediately drop the lock again. + */ +static inline int kvm_read_guest_lock(struct kvm *kvm, + gpa_t gpa, void *data, unsigned long len) +{ + int srcu_idx = srcu_read_lock(&kvm->srcu); + int ret = kvm_read_guest(kvm, gpa, data, len); + + srcu_read_unlock(&kvm->srcu, srcu_idx); + + return ret; +} + #ifdef CONFIG_HARDEN_BRANCH_PREDICTOR #include --- a/virt/kvm/arm/vgic/vgic-its.c +++ b/virt/kvm/arm/vgic/vgic-its.c @@ -281,8 +281,8 @@ static int update_lpi_config(struct kvm int ret; unsigned long flags; - ret = kvm_read_guest(kvm, propbase + irq->intid - GIC_LPI_OFFSET, - &prop, 1); + ret = kvm_read_guest_lock(kvm, propbase + irq->intid - GIC_LPI_OFFSET, + &prop, 1); if (ret) return ret; 
@@ -444,8 +444,9 @@ static int its_sync_lpi_pending_table(st * this very same byte in the last iteration. Reuse that. */ if (byte_offset != last_byte_offset) { - ret = kvm_read_guest(vcpu->kvm, pendbase + byte_offset, - &pendmask, 1); + ret = kvm_read_guest_lock(vcpu->kvm, + pendbase + byte_offset, + &pendmask, 1); if (ret) { kfree(intids); return ret; @@ -789,7 +790,7 @@ static bool vgic_its_check_id(struct vgi return false; /* Each 1st level entry is represented by a 64-bit value. */ - if (kvm_read_guest(its->dev->kvm, + if (kvm_read_guest_lock(its->dev->kvm, BASER_ADDRESS(baser) + index * sizeof(indirect_ptr), &indirect_ptr, sizeof(indirect_ptr))) return false; @@ -1370,8 +1371,8 @@ static void vgic_its_process_commands(st cbaser = CBASER_ADDRESS(its->cbaser); while (its->cwriter != its->creadr) { - int ret = kvm_read_guest(kvm, cbaser + its->creadr, - cmd_buf, ITS_CMD_SIZE); + int ret = kvm_read_guest_lock(kvm, cbaser + its->creadr, + cmd_buf, ITS_CMD_SIZE); /* * If kvm_read_guest() fails, this could be due to the guest * programming a bogus value in CBASER or something else going
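Review bot: the kvm_read_guest_lock() wrapper added to arch/arm/include/asm/kvm_mmu.h and arch/arm64/include/asm/kvm_mmu.h is byte-for-byte identical in the two hunks (same comment, same srcu_read_lock()/kvm_read_guest()/srcu_read_unlock() sequence), and nothing in it is architecture specific; a single definition in a header shared by both architectures would avoid the two copies drifting apart. The locking itself is correct as written: the SRCU read-side section spans the memslot lookup inside kvm_read_guest() and the copy, and dropping it before returning is fine because `data` is a private buffer by then, exactly as the commit message argues.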
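Review bot: in the vgic_its_check_id() hunk only the `if (kvm_read_guest(its->dev->kvm,` line is replaced, while the two continuation lines `BASER_ADDRESS(baser) + index * sizeof(indirect_ptr),` and `&indirect_ptr, sizeof(indirect_ptr)))` stay as unchanged context; if they were aligned to the opening parenthesis of the old call they are now five columns short after the rename to kvm_read_guest_lock(). The update_lpi_config(), its_sync_lpi_pending_table() and vgic_its_process_commands() hunks re-indent their continuation lines, so this one should match.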
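Review bot: the context comment right after the vgic_its_process_commands() hunk still reads "If kvm_read_guest() fails, this could be due to the guest programming a bogus value in CBASER"; it is still accurate since the wrapper only forwards kvm_read_guest()'s return value, but naming kvm_read_guest_lock() there would keep the comment in step with the call below it. Since the commit message says the wrapper is used "everywhere", it is also worth confirming that the four call sites converted in vgic-its.c are the only remaining kvm_read_guest() callers in the VGIC/ITS code, as any one left behind keeps the same unprotected memslot lookup this patch fixes.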