Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp3226872iog; Mon, 27 Jun 2022 11:53:44 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vS3hqIWvnXgk0GCVlgQ7IVWPMmBZg5HhbMz/JhKvecrKYt9WYN44CKHH+l+Qt0yRkI+7LD X-Received: by 2002:a17:907:2cc3:b0:722:e993:c420 with SMTP id hg3-20020a1709072cc300b00722e993c420mr14018870ejc.145.1656356024376; Mon, 27 Jun 2022 11:53:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656356024; cv=none; d=google.com; s=arc-20160816; b=sm10CnmsJgeAmFnmkEM+++4gaSopIWTC8nMJ785V4QcHAlZKxvOFb9QQWMsP8lzeV5 8AA8SD+r6eNszQkelTxDmBx9YSyyMGtBKwTe6xt2bTKd6uUsxRDdmXCUHWJc1fqa7puo ouj9twoR1qSRQEHH/STnnZ/0D4aWcrRch557dQaG02gh5/ImP1HUev+YPBANJ4DjABkF Bg9ATmiv3puxvjJ918HaiwxEJey9qXUIlFJ8dNRxxNjegjb7smr65BdJv2Ogi6SJFYK/ nWTEf7ZrFBhtnxJlDaWAwRnoXAUGMAlz8/Jmt9pckCWfl2PiKamG/O4NWXNUUUnjIvsQ GeHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=j4hbmbJoMUR/043f1gtsU9ggy7W36/KPjU+Af3Jvda8=; b=pQ/s8+NYxqqHNE46ZZs8BU/7rxSluopsqURR7NpymuaqrcS93hFWD24Yd03vcndCXs UumP+FoiPiUJUISDMpBxxHcLv+8ACDCP0/oYskABOlYEmat+QW2Qz6wQOJ0APA6ymN/0 zSjAjpows1On5NuyHuOjzvvLOiAXRya8erY7kKBCxtaDkPS0RbZXzsj96ohGSJpEFtMI AzM+8nq3bSLujoke1vOBNtNIjtc5n4hX8O9PpX1OtzvRcW1h/LUIt/hZ5WYDswZW3BFm 3BM4kD3mj/GHY8zvG9L04mN1kfFfvjbY+bKUWX/ayIwnxQp9J0VdIeMZpxOEQ6U1el4n JQpw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="W2bp3N/n"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l16-20020a056402255000b004358f57d80asi14876007edb.452.2022.06.27.11.53.17; Mon, 27 Jun 2022 11:53:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="W2bp3N/n"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240406AbiF0Sj7 (ORCPT + 99 others); Mon, 27 Jun 2022 14:39:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38658 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238686AbiF0Sj4 (ORCPT ); Mon, 27 Jun 2022 14:39:56 -0400 Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 16467B25 for ; Mon, 27 Jun 2022 11:39:55 -0700 (PDT) Received: by mail-lj1-x22c.google.com with SMTP id s10so12016883ljh.12 for ; Mon, 27 Jun 2022 11:39:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=j4hbmbJoMUR/043f1gtsU9ggy7W36/KPjU+Af3Jvda8=; b=W2bp3N/nc6A9fd8TGl01wDh9lzy9wHDNwzOb6PTiyT5sHPZ9gZsWvNOfQM+oO2QLy6 hn6cLw585q9YpYXzFr7ggc2fH86iRssYldTefymZoF3iUnFAgSvdGVCjX9WlaZ8im9q4 6g6HM3bkfYLU9V7ObvqHMofQwZw4Jmsz8Xv/qWgl3KXxofKkdfsaKS/5x/303/PhHMEn UhvAdPSSo0YVDSgcCT9pjeyj8yay52Ham8/uSv14B1iA991nV1cdeUFb9e0SmtFRjFyg tN7V4WRIv4w6Qqqv8Em05r4ZKFGt6EiC6pPmL/IG4V61eL8MjRNAhkz8U2fXq0jp1cLS ULUw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=j4hbmbJoMUR/043f1gtsU9ggy7W36/KPjU+Af3Jvda8=; b=UKGLBkm7oROtv1Xknez+VEJsgOvD0bqo5o1NEUkY799qAaCYx4w1tFXdLyhottazea Ul7edZtkF/7uFBY7L/HAMzmdOciYZInNoCsSHpTVxnaSnBkXUdfLonZlsvnNiUIY/vg2 L4OrRwygCvbY3IlvZMFSBIfFTXfWLlpaX0dYK8RZ9X+mU2V48b+QVfPnQYlDJkmhIHWt sxrb4fuoAEasMiRAEwj/ng6ZkV5HZUC8xMOUUOXichedHzmvLxqPRCLq8mfZnqQ4lleg BxhcvqN7aM2bFScoBsAgwhvglx7IJiQLQnMZEzWGyd1mZxKNBz0uXZehkYJQEQXW0o2o mhYA== X-Gm-Message-State: AJIora8FcaFPAEQUO7yczhHp+K4ldkYqJb5iWFfhDIjHCdWEHDFJYRbx dFI3j4TfBkIuaaAuhivySL7cIyWQ0yaQzu6V1pb9mY10Z0hQ2g== X-Received: by 2002:a2e:2a43:0:b0:25a:84a9:921c with SMTP id q64-20020a2e2a43000000b0025a84a9921cmr7461767ljq.83.1656355193311; Mon, 27 Jun 2022 11:39:53 -0700 (PDT) MIME-Version: 1.0 References: <20220627161123.1386853-1-pgonda@google.com> In-Reply-To: From: Peter Gonda Date: Mon, 27 Jun 2022 12:39:41 -0600 Message-ID: Subject: Re: [PATCH] KVM: SEV: Clear the pages pointer in sev_unpin_memory To: Sean Christopherson Cc: kvm list , Greg Thelen , Paolo Bonzini , Tom Lendacky , LKML Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 27, 2022 at 12:10 PM Sean Christopherson wrote: > > On Mon, Jun 27, 2022, Peter Gonda wrote: > > Clear to the @pages array pointer in sev_unpin_memory to avoid leaving a > > dangling pointer to invalid memory. > > > > Signed-off-by: Peter Gonda > > Cc: Greg Thelen > > Cc: Paolo Bonzini > > Cc: Sean Christopherson > > Cc: Tom Lendacky > > Cc: kvm@vger.kernel.org > > Cc: linux-kernel@vger.kernel.org > > --- > > arch/x86/kvm/svm/sev.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c > > index 309bcdb2f929..485ad86c01c6 100644 > > --- a/arch/x86/kvm/svm/sev.c > > +++ b/arch/x86/kvm/svm/sev.c > > @@ -452,6 +452,7 @@ static void sev_unpin_memory(struct kvm *kvm, struct page **pages, > > unpin_user_pages(pages, npages); > > kvfree(pages); > > sev->pages_locked -= npages; > > + *pages = NULL; > > Would this have helped detect a real bug? I generally like cleaning up, but this > leaves things in a somewhat inconsistent state, e.g. when unpinning a kvm_enc_region, > pages will be NULL but npages will be non-zero. It's somewhat moot because the > region is immediately freed in that case, but that begs the question of what real > benefit this provides. sev_dbg_crypt() is the only flow where there's much danger > of a use-after-free. > No strong opinion here, I just thought since this is a helper that takes a 'struct page **pages" we may as well clear this. While there are no bugs caught now if someone were to introduce something wrong this would make it more clear. We could update sev_unpin_memory() to take a int *npages so it can be cleared as well. Since kvm_enc_region describes a region with u64 instead of pointers that seemed "safer" give you'd have to cast them to dereference. Totally fine with the NACK of course. =]