From: "Kirill A. Shutemov"
To: Dave Hansen, Andy Lutomirski, Peter Zijlstra
Cc: x86@kernel.org, Kostya Serebryany, Andrey Ryabinin, Andrey Konovalov, Alexander Potapenko, Taras Madan, Dmitry Vyukov, "H . J . Lu", Andi Kleen, Rick Edgecombe, Bharata B Rao, Jacob Pan, Ashok Raj, linux-mm@kvack.org, linux-kernel@vger.kernel.org, "Kirill A. Shutemov", Marc Zyngier
Subject: [PATCHv10 06/15] KVM: Serialize tagged address check against tagging enabling
Date: Tue, 18 Oct 2022 14:33:49 +0300
Message-Id: <20221018113358.7833-7-kirill.shutemov@linux.intel.com>
X-Mailer: git-send-email 2.38.0
In-Reply-To: <20221018113358.7833-1-kirill.shutemov@linux.intel.com>
References: <20221018113358.7833-1-kirill.shutemov@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

KVM forbids usage of tagged userspace addresses for memslots. It is done by
checking if the address stays the same after untagging.

It works fine for ARM TBI, but the check gets racy for LAM. TBI enabling
happens per-thread, so nobody can enable tagging for the thread while the
memslot gets added. LAM gets enabled per-process. If it gets enabled after the
untagged_addr() check, but before the access_ok() check, the kernel can wrongly
allow tagged userspace_addr.

Use mmap lock to protect against parallel LAM enabling.

Signed-off-by: Kirill A. Shutemov
Reported-by: Rick Edgecombe
Cc: Marc Zyngier
---
 virt/kvm/kvm_main.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 8c86b06b35da..833742c21c91 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1943,12 +1943,22 @@ int __kvm_set_memory_region(struct kvm *kvm, return -EINVAL; if (mem->guest_phys_addr & (PAGE_SIZE - 1)) return -EINVAL; + + /* Serialize against tagging enabling */ + if (mmap_read_lock_killable(kvm->mm)) + return -EINTR; + /* We can read the guest memory with __xxx_user() later on. */ if ((mem->userspace_addr & (PAGE_SIZE - 1)) || (mem->userspace_addr != untagged_addr(kvm->mm, mem->userspace_addr)) || !access_ok((void __user *)(unsigned long)mem->userspace_addr, - mem->memory_size)) + mem->memory_size)) { + mmap_read_unlock(kvm->mm); return -EINVAL; + } + + mmap_read_unlock(kvm->mm); + if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM) return -EINVAL; if (mem->guest_phys_addr + mem->memory_size < mem->guest_phys_addr) -- 2.38.0
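Review bot: the read lock is released immediately after the untagged_addr()/access_ok() pair, so it only makes those two checks atomic with respect to LAM enabling; the existing comment in the hunk says the address is used "with __xxx_user() later on", and tagging enabled between mmap_read_unlock(kvm->mm) and that later use is not covered by this change, so either the lock should be held across the rest of the registration or the commit message should state what makes the post-unlock window safe. Two smaller points: mmap_read_lock_killable() adds a new -EINTR return from memslot registration that userspace did not see before and which the commit message should mention, and the lock is taken before the cheap `if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM)` check, so moving the locked region after the bounds checks and folding the two mmap_read_unlock() calls into a single exit label would keep the error paths simpler.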