Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp3358885pxb; Thu, 10 Feb 2022 19:50:06 -0800 (PST) X-Google-Smtp-Source: ABdhPJxzQWClt2U0DXah8FPJK3X2Xd6dxJuzVQe3e4DQHZ3sJlREHi3WMkyKhcF97K9C32l2SNJl X-Received: by 2002:a05:6a00:a87:: with SMTP id b7mr10607109pfl.51.1644551406143; Thu, 10 Feb 2022 19:50:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644551406; cv=none; d=google.com; s=arc-20160816; b=CmhmP8/E6KiEOPtvzLVjO6ivrtRTO6W7PLG2dzTzYPNHN1EzmL+Xh55y78/zGLj2nd Aino1XlOOb6TxDjuODX/TI9CZZNMvyS/l9zvvj80vVYopTjjkEh1idGicTFMeShxCxKe 97QI1sEWsHONQulycyCB5dOGcLfJ4u/bzykGrgNiqxxw9QI4ndLWBG5lQO0yuQHKogaC +oKBonrPUOOFd1lNcngMeSe4uOPz2TySsOsi2ZGcGguc34o0t2LXYd5AV2hY91BZdY9K AeJNO7mdrh8IQM9MTIMeDY7HKESZElWs93aGlKRgOE8VbcU2h/cYG49YAuNiaYgKcyhM cuIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=LrUyb0Wh6q+TWQdBAwHTHlIVx9+z8b9Fs7B5ywluypo=; b=lbZLJpQ6mxAgu8p2afDwU6Nn8XvtLWosB6dbUfXe0VEzwQdtnDW0whKokAKl6ijQTK FSJHozZju1arnsh7WurvOVw5KAXzQ3+wQwzXcQpIvRiiq5VuXaLmS1LXOTx4W9eQq+ku Ii5J2jy67OtlFg0yPQZteb1ht1nAwo45e6c8h/ARwbA2xAKnFjozIozb9DGWaAgKyydn Hex4ljwxQ46XwWBwEOYJ0iXRLDo1cMWaGOlLnj4zl6gevjz7WxsKZ0Ub2ilt+jI0FBqy tRAHj8VI9jkhftyHd9eccSbJ1g5CffZ0GYUdtq438LTBzu5+Y/oEotSNJ89stx054LxW iFZA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=byNY5Pw6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l63si20727302pgd.579.2022.02.10.19.49.45; Thu, 10 Feb 2022 19:50:06 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=byNY5Pw6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235311AbiBKAYG (ORCPT + 99 others); Thu, 10 Feb 2022 19:24:06 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:54766 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346239AbiBKAYF (ORCPT ); Thu, 10 Feb 2022 19:24:05 -0500 Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D15505590 for ; Thu, 10 Feb 2022 16:24:05 -0800 (PST) Received: by mail-pj1-x1031.google.com with SMTP id r64-20020a17090a43c600b001b8854e682eso7282118pjg.0 for ; Thu, 10 Feb 2022 16:24:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=LrUyb0Wh6q+TWQdBAwHTHlIVx9+z8b9Fs7B5ywluypo=; b=byNY5Pw6n4O+A1Q3QFXWhgzmCWlIQeKjcQUWZJ+DB0iNn6tZK4MT+hS6YSspA+h6bs jQa8L7AoQ4gf7HiYdKT9kprrE3EEg2SozoFAdE6qCOgU4p/0vHsXRbay/qdPQRfSyE8c uoHZzTYhOGPFz+DVto+lcTWIDjTXeT8u1ckhRepZoJbX+yBc0h/qzWrXD3XNuktL30Pd uQDROctnatm8uQ2LT/yqgFQOe693BKBmpFVHStg1CYX1nse3bEoOVfETyM3b3sZHKx0X zou/jBtc5nB0F51EuGLQlbGzX66gCbBkBXBj4SUAMoY35zWFdMlxc5HuUWl2+oZKFDrK cxgw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=LrUyb0Wh6q+TWQdBAwHTHlIVx9+z8b9Fs7B5ywluypo=; b=48v5nYUrfZ2FK9pNv2EF34xBlGJKnqI3hvf6w/Byzso1gIgkRUMyBVI98zLxSBgoPu wpRno+GNmQh3cDux7mfEMAWgAgO4isRTcrihoQBqF3SnM/3TfGaQZUPu5otu0Zoyi21r Tkqrv/Sn2ZiMiAPzYEAj9ylaGLMteTa4lfmrMSpO1Gy+9Sk9pb5iQCAtS1uh8DNep14N sWx7SBwLIlMMlHbtwt7iAO3ZAPOtYpv8wcpiQFbXtivDmQqH14PdUUXw+EO+cdrT/Lxh KCv2TIebizqc8TwUDLYDWC4674EnW0RlgOMYzrC9zgkdE9vgyQVIWy18eb+RGZKxDk1s ekug== X-Gm-Message-State: AOAM5329JAYwtYNgrued13H3LhSlhbGfyCdix0IHNgRx8P7hRx1mLtra glbqgglP1ESblt7NBxIAngnVdQ== X-Received: by 2002:a17:902:ea06:: with SMTP id s6mr9827627plg.163.1644539045142; Thu, 10 Feb 2022 16:24:05 -0800 (PST) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id iy13sm3338563pjb.51.2022.02.10.16.24.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Feb 2022 16:24:04 -0800 (PST) Date: Fri, 11 Feb 2022 00:24:00 +0000 From: Sean Christopherson To: Paolo Bonzini Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, vkuznets@redhat.com, mlevitsk@redhat.com, dmatlack@google.com Subject: Re: [PATCH 05/12] KVM: MMU: avoid NULL-pointer dereference on page freeing bugs Message-ID: References: <20220209170020.1775368-1-pbonzini@redhat.com> <20220209170020.1775368-6-pbonzini@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220209170020.1775368-6-pbonzini@redhat.com> X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 09, 2022, Paolo Bonzini wrote: > If kvm_mmu_free_roots encounters a PAE page table where a 64-bit page > table is expected, the result is a NULL pointer dereference. Instead > just WARN and exit. This confused the heck out of me, because we obviously free PAE page tables. What we don't do is back the root that gets shoved into CR3 with a shadow page. It'd be especially confusing without the context that this WARN was helpful during related development, as it's not super obvious why mmu_free_root_page() is a special snowflake and deserves a WARN. Something like this? WARN and bail if KVM attempts to free a root that isn't backed by a shadow page. KVM allocates a bare page for "special" roots, e.g. when using PAE paging or shadowing 2/3/4-level page tables with 4/5-level, and so root_hpa will be valid but won't be backed by a shadow page. It's all too easy to blindly call mmu_free_root_page() on root_hpa, be nice and WARN instead of crashing KVM and possibly the kernel. > Signed-off-by: Paolo Bonzini > --- > arch/x86/kvm/mmu/mmu.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c > index 7b5765ced928..d0f2077bd798 100644 > --- a/arch/x86/kvm/mmu/mmu.c > +++ b/arch/x86/kvm/mmu/mmu.c > @@ -3201,6 +3201,8 @@ static void mmu_free_root_page(struct kvm *kvm, hpa_t *root_hpa, > return; > > sp = to_shadow_page(*root_hpa & PT64_BASE_ADDR_MASK); > + if (WARN_ON(!sp)) Should this be KVM_BUG_ON()? I.e. when you triggered these, would continuing on potentially corrupt guest data, or was it truly benign-ish? > + return; > > if (is_tdp_mmu_page(sp)) > kvm_tdp_mmu_put_root(kvm, sp, false); > -- > 2.31.1 > >