Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp4611853pxb;
        Thu, 14 Oct 2021 08:33:18 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxvQ/f3fEq5JKURwemRxZkJPtPH3iF/7l4Pa8x6OI0WfAb/B2lT83DF11/YJ66/KjfqCVX0
X-Received: by 2002:a17:906:645:: with SMTP id t5mr4526135ejb.163.1634225598364;
        Thu, 14 Oct 2021 08:33:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1634225598; cv=none;
        d=google.com; s=arc-20160816;
        b=Hz+fA9tMdAFm/tGTi2V8TFxJNvEqtKTAwRFNbXeC5wpjEuzPdx1NiSvX3SIU1B/3aF
         S/b/N1FEgz3CrjPF+ZvfogLDWVdizoKeuDCBZDHizMFZDebKMT8bvy53Fr/PJkf15BBo
         2vEgNOm3kgpLeN2zXzFR8vWlWbAazJextkySnPWWAp961/bGSX+sfebdgoAN+JFcvhsu
         edv2EXFBgc936uxiCA5ZZ0e99OM+LtLnnalT2ds2UZpPOeOiVI4DlOWarct1JRWLO5Gm
         EzBowI9Mt1yyTJUqdlvVRmsDQP6gAMdOZhQ+a7cfMN30VboJNMEmzJdZQPw0wEL9VPnM
         gnww==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id:dkim-signature;
        bh=tsLEF6nEeuj2TWgFK3jrwFk5nYMWWbdG3+vtYFhZCAM=;
        b=FB24DmyI9qbFrp9Bh8PHHAy1en4YqceuwqPA1kLmUshy5kAtuDa22dt0A4f+Bobkqm
         9ZEdQur0SWdzovw0ebAPtlsHaXNYHmzzTVUXkLj7NkazON59JIXekWuZqfGfA468zs05
         vdmpMDCLXo45HCp4zSkZwp/FEe42rzI+9KPMXO+uHahLT7oSmKlFqaVTIlkwyQA2JNLf
         n7FnoJzYgxYtFutqDKLP4I7QozatOOOeCpiIVAOnvxANEH/Yr0k0wAM5TYS4w+Ektj/H
         KQ6WGWiKbtHPR5+2qe8uYPGJoRpk3QJaV66Jdo9tz4MsDajMbq0RZ0QxGisFqpQ9qfyg
         Bj+g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=CXxsJ30w;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u2si4041416ejy.557.2021.10.14.08.32.54;
        Thu, 14 Oct 2021 08:33:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=CXxsJ30w;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231488AbhJNMZO (ORCPT <rfc822;longbowk@gmail.com> + 99 others);
        Thu, 14 Oct 2021 08:25:14 -0400
Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:23910 "EHLO
        us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S230023AbhJNMZN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 14 Oct 2021 08:25:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1634214187;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=tsLEF6nEeuj2TWgFK3jrwFk5nYMWWbdG3+vtYFhZCAM=;
        b=CXxsJ30wYQARZAHeKU1TnmCZ6dgTxaQzwhtB81E6yrmfnWoK/mmq9KCjQn1u/GTzY2UoCO
        31Yq1HHfpPQ6G7atjwjxhZB05kOke9GnOcas19iE9OJCZzss1u4G8yDgmGB6CABcZRqERF
        HPhuuirJ4LKD5b68eibqfIqPOhmsmf4=
Received: from mail-ed1-f69.google.com (mail-ed1-f69.google.com
 [209.85.208.69]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-391-GLXxkD7eNR-T-txkXmThWA-1; Thu, 14 Oct 2021 08:23:06 -0400
X-MC-Unique: GLXxkD7eNR-T-txkXmThWA-1
Received: by mail-ed1-f69.google.com with SMTP id v2-20020a50f082000000b003db24e28d59so5010989edl.5
        for <linux-kernel@vger.kernel.org>; Thu, 14 Oct 2021 05:23:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:message-id:date:mime-version:user-agent:subject
         :content-language:to:cc:references:from:in-reply-to
         :content-transfer-encoding;
        bh=tsLEF6nEeuj2TWgFK3jrwFk5nYMWWbdG3+vtYFhZCAM=;
        b=5j1wZ8srdNWGurtWl1wR8PsqKbjvG/u+l6irVxxmGJgSif+1KgfkWT5LUh+DKNu/iK
         3z7RHbKtssOTUdKliW9k4tyodPK9k0MSOeAwBdQOt3h0soQcZ7Y24KucXAW+3G0bhjhj
         i0EL5Y0gzLJXKFSOjhPbl9ZNe9zmkVV3X1ihLSuJ5Yv0tE05qIFxS9/Aw5eURGkFjjC0
         cB3M0gmrp0CYzQtJhfyHxg6Hpv7UySi0zWcxGma60XPZBT0Rtl+v9zVBMzjR3Q2XJrnF
         xcF4R1lNjpBUvtp7PlEzqlfnE/fTJ/Bp2x6l8A00CRONvYljOPPvN9jhG/mdkszFrSZb
         Hg0w==
X-Gm-Message-State: AOAM530I+Fwv4kiFWt8ZI4wj7a9eJuDYsRtGYzLhvbH5mNMvYZNhA8l5
        a4H4ia2zVhMSv6kEFMknst7eM0diBOwyrP1e7Y9Z/AfY9Jg/zx6VWPslSlRVw3+JVwRMR+o5ZvH
        /35AtqzxBkxD7UeqacULNjaVM
X-Received: by 2002:a17:906:fc11:: with SMTP id ov17mr3451451ejb.249.1634214185267;
        Thu, 14 Oct 2021 05:23:05 -0700 (PDT)
X-Received: by 2002:a17:906:fc11:: with SMTP id ov17mr3451428ejb.249.1634214185039;
        Thu, 14 Oct 2021 05:23:05 -0700 (PDT)
Received: from ?IPV6:2001:b07:6468:f312:c8dd:75d4:99ab:290a? ([2001:b07:6468:f312:c8dd:75d4:99ab:290a])
        by smtp.gmail.com with ESMTPSA id g8sm2602585edb.60.2021.10.14.05.23.03
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 14 Oct 2021 05:23:04 -0700 (PDT)
Message-ID: <6ccde35b-bb3f-d2cb-b4a5-365cec0eff75@redhat.com>
Date:   Thu, 14 Oct 2021 14:23:03 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.1.0
Subject: Re: [PATCH] x86/kvm: restrict kvm user region memory size
Content-Language: en-US
To:     Sabyrzhan Tasbolatov <snovitoll@gmail.com>, seanjc@google.com,
        vkuznets@redhat.com, wanpengli@tencent.com, jmattson@google.com,
        joro@8bytes.org, hpa@zytor.com
Cc:     tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, x86@kernel.org,
        kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
        syzbot+e0de2333cbf95ea473e8@syzkaller.appspotmail.com
References: <20211014120151.1437018-1-snovitoll@gmail.com>
From:   Paolo Bonzini <pbonzini@redhat.com>
In-Reply-To: <20211014120151.1437018-1-snovitoll@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 14/10/21 14:01, Sabyrzhan Tasbolatov wrote:
> syzbot found WARNING in memslot_rmap_alloc[1] when
> struct kvm_userspace_memory_region .memory_size is bigger than
> 0x40000000000, which is 4GB, e.g. KMALLOC_MAX_SIZE * 100 * PAGE_SIZE.
> 
> Here is the PoC to trigger the warning:
> 
>      struct kvm_userspace_memory_region mem = {
>          .slot = 0,
>          .guest_phys_addr = 0,
>          /* + 0x100 extra to trigger kmalloc WARNING */
>          .memory_size = 0x40000000000 + 0x100,
>          .userspace_addr = 0,
>      };
> 
>      ioctl(kvm_fd, KVM_SET_USER_MEMORY_REGION, &mem);
> 
> I couldn't find any relevant max constant to restrict unsigned long npages.
> There might be another solution with chunking big portions of pages, but
> there is already KVM_MAX_HUGEPAGE_LEVEL, though warning happens in
> memslot_rmap_alloc() when level = 1, base_gfn = 0, e.g.
> on the very first KVM_NR_PAGE_SIZES iteration.
> 
> This is, seems, valid for early Linux versions as well. Can't tell which is
> exactly can be considered for git bisect.
> Here is Commit d89cc617b954af ("KVM: Push rmap into kvm_arch_memory_slot")
> for example, Linux 3.7.

The warning is bogus in this case.  See the discussion in 
https://lkml.org/lkml/2021/9/7/669.  The right fix is simply to use 
vmalloc instead of kmalloc.

I'm woefully behind on my KVM maintainer duties, but this is on my todo 
list.

Paolo

> [1]
> Call Trace:
>   kvmalloc include/linux/mm.h:806 [inline]
>   kvmalloc_array include/linux/mm.h:824 [inline]
>   kvcalloc include/linux/mm.h:829 [inline]
>   memslot_rmap_alloc+0xf6/0x310 arch/x86/kvm/x86.c:11320
>   kvm_alloc_memslot_metadata arch/x86/kvm/x86.c:11388 [inline]
>   kvm_arch_prepare_memory_region+0x48d/0x610 arch/x86/kvm/x86.c:11462
>   kvm_set_memslot+0xfe/0x1700 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1505
>   ...
>   kvm_set_memory_region arch/x86/kvm/../../../virt/kvm/kvm_main.c:1689
>   kvm_vm_ioctl_set_memory_region arch/x86/kvm/../../../virt/kvm/kvm_main.c
> 
> Reported-by: syzbot+e0de2333cbf95ea473e8@syzkaller.appspotmail.com
> Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
> ---
>   arch/x86/kvm/mmu/page_track.c | 3 +++
>   arch/x86/kvm/x86.c            | 3 +++
>   2 files changed, 6 insertions(+)
> 
> diff --git a/arch/x86/kvm/mmu/page_track.c b/arch/x86/kvm/mmu/page_track.c
> index 21427e84a82e..e790bb341680 100644
> --- a/arch/x86/kvm/mmu/page_track.c
> +++ b/arch/x86/kvm/mmu/page_track.c
> @@ -35,6 +35,9 @@ int kvm_page_track_create_memslot(struct kvm_memory_slot *slot,
>   	int  i;
>   
>   	for (i = 0; i < KVM_PAGE_TRACK_MAX; i++) {
> +		if (npages > KMALLOC_MAX_SIZE)
> +			return -ENOMEM;
> +
>   		slot->arch.gfn_track[i] =
>   			kvcalloc(npages, sizeof(*slot->arch.gfn_track[i]),
>   				 GFP_KERNEL_ACCOUNT);
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index aabd3a2ec1bc..2bad607976a9 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -11394,6 +11394,9 @@ static int memslot_rmap_alloc(struct kvm_memory_slot *slot,
>   
>   		WARN_ON(slot->arch.rmap[i]);
>   
> +		if (lpages > KMALLOC_MAX_SIZE)
> +			return -ENOMEM;
> +
>   		slot->arch.rmap[i] = kvcalloc(lpages, sz, GFP_KERNEL_ACCOUNT);
>   		if (!slot->arch.rmap[i]) {
>   			memslot_rmap_free(slot);
>