Message-ID: <6ccde35b-bb3f-d2cb-b4a5-365cec0eff75@redhat.com>
Date: Thu, 14 Oct 2021 14:23:03 +0200
Subject: Re: [PATCH] x86/kvm: restrict kvm user region memory size
To: Sabyrzhan Tasbolatov, seanjc@google.com, vkuznets@redhat.com, wanpengli@tencent.com, jmattson@google.com, joro@8bytes.org, hpa@zytor.com
Cc: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+e0de2333cbf95ea473e8@syzkaller.appspotmail.com
References: <20211014120151.1437018-1-snovitoll@gmail.com>
From: Paolo Bonzini
In-Reply-To: <20211014120151.1437018-1-snovitoll@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 14/10/21 14:01, Sabyrzhan Tasbolatov wrote:
> syzbot found WARNING in memslot_rmap_alloc[1] when
> struct kvm_userspace_memory_region .memory_size is bigger than
> 0x40000000000, which is 4GB, e.g. KMALLOC_MAX_SIZE * 100 * PAGE_SIZE.
>
> Here is the PoC to trigger the warning:
>
> struct kvm_userspace_memory_region mem = {
>     .slot = 0,
>     .guest_phys_addr = 0,
>     /* + 0x100 extra to trigger kmalloc WARNING */
>     .memory_size = 0x40000000000 + 0x100,
>     .userspace_addr = 0,
> };
>
> ioctl(kvm_fd, KVM_SET_USER_MEMORY_REGION, &mem);
>
> I couldn't find any relevant max constant to restrict unsigned long npages.
> There might be another solution with chunking big portions of pages, but
> there is already KVM_MAX_HUGEPAGE_LEVEL, though the warning happens in
> memslot_rmap_alloc() when level = 1, base_gfn = 0, e.g.
> on the very first KVM_NR_PAGE_SIZES iteration.
>
> This, it seems, is valid for early Linux versions as well. I can't tell which
> exactly can be considered for git bisect.
> Here is commit d89cc617b954af ("KVM: Push rmap into kvm_arch_memory_slot")
> for example, Linux 3.7.

The warning is bogus in this case.  See the discussion in
https://lkml.org/lkml/2021/9/7/669.  The right fix is simply to use
vmalloc instead of kmalloc.

I'm woefully behind on my KVM maintainer duties, but this is on my todo
list.

Paolo

> [1]
> Call Trace:
>  kvmalloc include/linux/mm.h:806 [inline]
>  kvmalloc_array include/linux/mm.h:824 [inline]
>  kvcalloc include/linux/mm.h:829 [inline]
>  memslot_rmap_alloc+0xf6/0x310 arch/x86/kvm/x86.c:11320
>  kvm_alloc_memslot_metadata arch/x86/kvm/x86.c:11388 [inline]
>  kvm_arch_prepare_memory_region+0x48d/0x610 arch/x86/kvm/x86.c:11462
>  kvm_set_memslot+0xfe/0x1700 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1505
> ...
> kvm_set_memory_region arch/x86/kvm/../../../virt/kvm/kvm_main.c:1689 > kvm_vm_ioctl_set_memory_region arch/x86/kvm/../../../virt/kvm/kvm_main.c > > Reported-by: syzbot+e0de2333cbf95ea473e8@syzkaller.appspotmail.com > Signed-off-by: Sabyrzhan Tasbolatov > --- > arch/x86/kvm/mmu/page_track.c | 3 +++ > arch/x86/kvm/x86.c | 3 +++ > 2 files changed, 6 insertions(+) > > diff --git a/arch/x86/kvm/mmu/page_track.c b/arch/x86/kvm/mmu/page_track.c > index 21427e84a82e..e790bb341680 100644 > --- a/arch/x86/kvm/mmu/page_track.c > +++ b/arch/x86/kvm/mmu/page_track.c > @@ -35,6 +35,9 @@ int kvm_page_track_create_memslot(struct kvm_memory_slot *slot, > int i; > > for (i = 0; i < KVM_PAGE_TRACK_MAX; i++) { > + if (npages > KMALLOC_MAX_SIZE) > + return -ENOMEM; > + > slot->arch.gfn_track[i] = > kvcalloc(npages, sizeof(*slot->arch.gfn_track[i]), > GFP_KERNEL_ACCOUNT); > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > index aabd3a2ec1bc..2bad607976a9 100644 > --- a/arch/x86/kvm/x86.c > +++ b/arch/x86/kvm/x86.c > @@ -11394,6 +11394,9 @@ static int memslot_rmap_alloc(struct kvm_memory_slot *slot, > > WARN_ON(slot->arch.rmap[i]); > > + if (lpages > KMALLOC_MAX_SIZE) > + return -ENOMEM; > + > slot->arch.rmap[i] = kvcalloc(lpages, sz, GFP_KERNEL_ACCOUNT); > if (!slot->arch.rmap[i]) { > memslot_rmap_free(slot); >
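Review bot: in the page_track.c hunk, `if (npages > KMALLOC_MAX_SIZE)` compares a page count with a byte limit, so it matches neither what `kvcalloc(npages, sizeof(*slot->arch.gfn_track[i]), GFP_KERNEL_ACCOUNT)` actually requests (npages times the element size) nor the fact that kvcalloc() already falls back to vmalloc for requests too large for kmalloc; as written the cap rejects regions the allocator could serve, which is a different outcome from fixing the warning. The test also sits inside `for (i = 0; i < KVM_PAGE_TRACK_MAX; i++)` although npages does not change across iterations, so if any limit is kept it belongs before the loop, and a user-supplied size that is deemed too large is an invalid argument, so -EINVAL fits better than -ENOMEM. The maintainer reply above points at the underlying fix (allocate with vmalloc) rather than at a size cap.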
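Review bot: in the x86.c hunk, the `if (lpages > KMALLOC_MAX_SIZE) return -ENOMEM;` inserted after `WARN_ON(slot->arch.rmap[i]);` has the same unit mismatch (lpages is a count, the request is lpages * sz bytes) and, unlike the `if (!slot->arch.rmap[i])` failure path directly below it, returns without calling memslot_rmap_free(slot), so it bypasses the cleanup that path performs. If the check stays, either route it through the same cleanup or hoist it ahead of the loop so nothing has been allocated when it fires; as with the first hunk, kvcalloc() can serve these sizes from vmalloc, so the cap turns a bogus warning into a hard rejection of otherwise valid regions.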
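Added example, written for this review and not taken from the patch, from KVM or from the maintainer's reply: a userspace sketch of the sizing arithmetic behind memslot_rmap_alloc() and kvm_page_track_create_memslot(), showing why a check on the page count (npages/lpages) says nothing about whether the allocation fits under a byte ceiling, and which per-level arrays a kvcalloc()-style allocator would have to serve from vmalloc. The constants (4 KiB pages, three page-size levels, a 4 MiB kmalloc ceiling) are assumptions for x86-64; the per-level entry count is simplified (512 base pages per entry per level, no base_gfn alignment adjustment); the function and struct names are hypothetical and the input sizes are constructed.

```c
/* Added example (not KVM code): per-level metadata sizing for a memslot.
 * All constants are assumptions for x86-64 with 4 KiB pages. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT        12
#define PAGE_SIZE         (1ULL << PAGE_SHIFT)
#define KVM_NR_PAGE_SIZES 3                 /* 4K, 2M and 1G levels on x86 */
#define KMALLOC_MAX_BYTES (4ULL << 20)      /* assumed kmalloc ceiling: 4 MiB */

struct level_need {
    uint64_t lpages;   /* array elements needed at this level */
    uint64_t bytes;    /* lpages * element size (0 if it overflowed) */
    bool fits_kmalloc; /* bytes <= KMALLOC_MAX_BYTES */
    bool overflow;     /* lpages * elem_size wrapped around */
};

/* Same overflow test a calloc-style allocator performs: n * size must not wrap. */
static bool mul_overflows(uint64_t n, uint64_t size, uint64_t *out)
{
    if (size != 0 && n > UINT64_MAX / size) {
        *out = 0;
        return true;
    }
    *out = n * size;
    return false;
}

/* Base pages covered by one entry at a level: 512^(level-1) (simplified,
 * no base_gfn alignment). Level 1 = 4K, level 2 = 2M, level 3 = 1G. */
static uint64_t pages_per_entry(int level)
{
    return 1ULL << (9 * (level - 1));
}

/* Fill out[] for a region of memory_size bytes with elem_size-byte elements.
 * Returns false for a size that is not page aligned (rejected up front). */
static bool size_metadata(uint64_t memory_size, uint64_t elem_size,
                          struct level_need out[KVM_NR_PAGE_SIZES])
{
    if (memory_size & (PAGE_SIZE - 1))
        return false;
    uint64_t npages = memory_size >> PAGE_SHIFT;
    for (int i = 0; i < KVM_NR_PAGE_SIZES; i++) {
        uint64_t per = pages_per_entry(i + 1);
        out[i].lpages = (npages + per - 1) / per;
        out[i].overflow = mul_overflows(out[i].lpages, elem_size, &out[i].bytes);
        out[i].fits_kmalloc = !out[i].overflow && out[i].bytes <= KMALLOC_MAX_BYTES;
    }
    return true;
}

/* Single-level accessors (level is 1-based); 0 / false when the size is rejected
 * or the product overflowed. These are what a caller should compare against a
 * byte limit, not the raw entry count. */
static uint64_t level_entries(uint64_t memory_size, uint64_t elem_size, int level)
{
    struct level_need need[KVM_NR_PAGE_SIZES];
    if (level < 1 || level > KVM_NR_PAGE_SIZES || !size_metadata(memory_size, elem_size, need))
        return 0;
    return need[level - 1].lpages;
}

static uint64_t level_bytes(uint64_t memory_size, uint64_t elem_size, int level)
{
    struct level_need need[KVM_NR_PAGE_SIZES];
    if (level < 1 || level > KVM_NR_PAGE_SIZES || !size_metadata(memory_size, elem_size, need))
        return 0;
    return need[level - 1].bytes;
}

static bool level_fits_kmalloc(uint64_t memory_size, uint64_t elem_size, int level)
{
    struct level_need need[KVM_NR_PAGE_SIZES];
    if (level < 1 || level > KVM_NR_PAGE_SIZES || !size_metadata(memory_size, elem_size, need))
        return false;
    return need[level - 1].fits_kmalloc;
}

int main(void)
{
    /* Constructed input: the 4 TiB region size from the report, page aligned,
     * with 8-byte (pointer-sized) elements as in the rmap arrays. */
    for (int level = 1; level <= KVM_NR_PAGE_SIZES; level++)
        printf("level %d: %llu entries, %llu bytes -> %s\n", level,
               (unsigned long long)level_entries(0x40000000000ULL, 8, level),
               (unsigned long long)level_bytes(0x40000000000ULL, 8, level),
               level_fits_kmalloc(0x40000000000ULL, 8, level) ? "kmalloc" : "vmalloc fallback");
    return 0;
}
```

Run against a 4 GiB region the entry count at level 1 is 2^20, well under a 4 Mi threshold, yet the array is 8 MiB and already needs the vmalloc fallback; that is the case a count-based cap lets through while a byte-based one does not.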