Subject: Re: [PATCH 0/7] KVM: Fix memslot use-after-free bug
To: Sean Christopherson, Christian Borntraeger, Janosch Frank
Cc: David Hildenbrand, Cornelia Huck, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Qian Cai, Peter Xu
From: Paolo Bonzini
Date: Tue, 24 Mar 2020 12:30:37 +0100
In-Reply-To: <20200320205546.2396-1-sean.j.christopherson@intel.com>
List-ID: linux-kernel@vger.kernel.org

On 20/03/20 21:55, Sean Christopherson wrote:
> Fix a bug introduced by dynamic memslot allocation where the LRU slot can
> become invalid and lead to an out-of-bounds/use-after-free scenario.
>
> The patch is different from what Qian has already tested, but I was able
> to reproduce the bad behavior by enhancing the set memory region selftest,
> i.e. I'm relatively confident the bug is fixed.
>
> Patches 2-6 are a variety of selftest cleanup, with the aforementioned
> set memory region enhancement coming in patch 7.
>
> Note, I couldn't get the selftest to fail outright or with KASAN, but was
> able to hit a WARN_ON on an invalid slot 100% of the time (without the fix,
> obviously).
>
> Regarding s390, I played around a bit with merging gfn_to_memslot_approx()
> into search_memslots(). Code wise it's trivial since they're basically
> identical, but doing so increases the code footprint of search_memslots()
> on x86 by 30 bytes, so I ended up abandoning the effort.
>
> Sean Christopherson (7):
>   KVM: Fix out of range accesses to memslots
>   KVM: selftests: Fix cosmetic copy-paste error in vm_mem_region_move()
>   KVM: selftests: Take vcpu pointer instead of id in vm_vcpu_rm()
>   KVM: selftests: Add helpers to consolidate open coded list operations
>   KVM: selftests: Add util to delete memory region
>   KVM: selftests: Expose the primary memslot number to tests
>   KVM: selftests: Add "delete" testcase to set_memory_region_test
>
>  arch/s390/kvm/kvm-s390.c                     |   3 +
>  include/linux/kvm_host.h                     |   3 +
>  .../testing/selftests/kvm/include/kvm_util.h |   3 +
>  tools/testing/selftests/kvm/lib/kvm_util.c   | 139 ++++++++++--------
>  .../kvm/x86_64/set_memory_region_test.c      | 122 +++++++++++++--
>  virt/kvm/kvm_main.c                          |   3 +
>  6 files changed, 201 insertions(+), 72 deletions(-)
>

Queued patches 1-3, thanks.

Paolo
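The cover letter quoted above describes the bug class only in one sentence: a cached "LRU" slot index that is still consulted after the memslot array has shrunk, so the lookup touches an entry that no longer exists. The C model below is an added illustration written for this page; it is not KVM's code and not taken from Sean's patches. The struct layout, the function names (`search_unchecked`, `search_checked`, `delete_memslot`, `lookup_after_delete`) and the three sample regions are constructed, and the bounds check in `search_checked` is this editor's rendering of the hardening the cover letter implies, not a quotation of patch 1. The backing array is fixed-size here so the stale read stays defined behaviour and can be observed; the cover letter notes that KVM's array is allocated dynamically, so the same stale hint there reads past the allocation.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed model (not KVM's code): only indexes [0, used_slots) are live,
 * and lru_slot caches the index that matched on the previous lookup. The bug
 * class from the cover letter appears when a slot is deleted and the hint
 * still names an index at or past the new used_slots.
 */
#define MAX_SLOTS 8

struct memslot {
	uint64_t base_gfn;
	uint64_t npages;
};

struct memslots {
	struct memslot slots[MAX_SLOTS]; /* fixed here; KVM sizes it dynamically */
	int used_slots;
	int lru_slot;                    /* index of the slot that matched last */
};

static int gfn_in_slot(const struct memslot *s, uint64_t gfn)
{
	return gfn >= s->base_gfn && gfn < s->base_gfn + s->npages;
}

/* Linear scan over the live slots; refreshes the hint on a hit. */
static const struct memslot *scan(struct memslots *ms, uint64_t gfn)
{
	for (int slot = 0; slot < ms->used_slots; slot++) {
		if (gfn_in_slot(&ms->slots[slot], gfn)) {
			ms->lru_slot = slot;
			return &ms->slots[slot];
		}
	}
	return NULL;
}

/* Unchecked: trusts the hint even after the array has shrunk past it, so it
 * can return a pointer to a dead entry (past the allocation in KVM's case). */
static const struct memslot *search_unchecked(struct memslots *ms, uint64_t gfn)
{
	int slot = ms->lru_slot;

	if (gfn_in_slot(&ms->slots[slot], gfn))
		return &ms->slots[slot];
	return scan(ms, gfn);
}

/* Checked: a hint outside [0, used_slots) is stale, so fall back to the scan. */
static const struct memslot *search_checked(struct memslots *ms, uint64_t gfn)
{
	int slot = ms->lru_slot;

	if (slot >= 0 && slot < ms->used_slots && gfn_in_slot(&ms->slots[slot], gfn))
		return &ms->slots[slot];
	return scan(ms, gfn);
}

/* Delete by shifting the tail down. The vacated entry keeps its old contents,
 * standing in for freed memory, and the hint is deliberately left untouched. */
static void delete_memslot(struct memslots *ms, int idx)
{
	for (int i = idx; i + 1 < ms->used_slots; i++)
		ms->slots[i] = ms->slots[i + 1];
	ms->used_slots--;
}

/* Index the lookup reports for gfn, or -1 when no slot covers it. */
static int lookup_index(struct memslots *ms, uint64_t gfn, int checked)
{
	const struct memslot *s = checked ? search_checked(ms, gfn)
					  : search_unchecked(ms, gfn);
	return s ? (int)(s - ms->slots) : -1;
}

/* Constructed sample: three 256-page regions at gfn 0x0, 0x200 and 0x400. */
static void make_scenario(struct memslots *ms)
{
	*ms = (struct memslots){ .used_slots = 3, .lru_slot = 0 };
	ms->slots[0] = (struct memslot){ 0x000, 0x100 };
	ms->slots[1] = (struct memslot){ 0x200, 0x100 };
	ms->slots[2] = (struct memslot){ 0x400, 0x100 };
}

/* Warm the hint on slot 2 with gfn 0x450, delete slot idx, look 0x450 up again.
 * Deleting slot 2: unchecked still reports index 2 (dead), checked reports -1.
 * Deleting slot 1: unchecked reports the dead copy at 2, checked reports 1. */
static int lookup_after_delete(int idx, int checked)
{
	struct memslots ms;

	make_scenario(&ms);
	lookup_index(&ms, 0x450, 1);   /* lru_slot becomes 2 */
	delete_memslot(&ms, idx);      /* used_slots becomes 2, hint still 2 */
	return lookup_index(&ms, 0x450, checked);
}
```

The index the unchecked variant returns after the delete is the same in both runs (2) even though the live array only has two entries, which is the kind of reference a WARN_ON on the slot index, or KASAN on a dynamically sized array, would flag; the checked variant never dereferences the hint before comparing it with `used_slots`.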