From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Robert Hoo, Greg Thelen, David Matlack, Ben Gardon, Mingwei Zhang
Date: Tue, 13 Dec 2022 03:30:28 +0000
Subject: [PATCH 3/5] KVM: x86/mmu: Re-check under lock that TDP MMU SP hugepage is disallowed
Message-ID: <20221213033030.83345-4-seanjc@google.com>
In-Reply-To: <20221213033030.83345-1-seanjc@google.com>
References: <20221213033030.83345-1-seanjc@google.com>
X-Mailer: git-send-email 2.39.0.rc1.256.g54fd8350bd-goog
List-ID: linux-kernel@vger.kernel.org

Re-check sp->nx_huge_page_disallowed under the tdp_mmu_pages_lock spinlock
when adding a new shadow page in the TDP MMU. To ensure the NX reclaim
kthread can't see a not-yet-linked shadow page, the page fault path links
the new page table prior to adding the page to possible_nx_huge_pages.

If the page is zapped by a different task, e.g. because dirty logging is
disabled, between linking the page and adding it to the list, KVM can end
up triggering a use-after-free by adding the zapped SP to the aforementioned
list, as the zapped SP's memory is scheduled for removal via RCU callback.

The bug is detected by the sanity checks guarded by CONFIG_DEBUG_LIST=y,
i.e. the below splat is just one possible signature.

  ------------[ cut here ]------------
  list_add corruption. prev->next should be next (ffffc9000071fa70), but was ffff88811125ee38. (prev=ffff88811125ee38).
  WARNING: CPU: 1 PID: 953 at lib/list_debug.c:30 __list_add_valid+0x79/0xa0
  Modules linked in: kvm_intel
  CPU: 1 PID: 953 Comm: nx_huge_pages_t Tainted: G W 6.1.0-rc4+ #71
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:__list_add_valid+0x79/0xa0
  RSP: 0018:ffffc900006efb68 EFLAGS: 00010286
  RAX: 0000000000000000 RBX: ffff888116cae8a0 RCX: 0000000000000027
  RDX: 0000000000000027 RSI: 0000000100001872 RDI: ffff888277c5b4c8
  RBP: ffffc90000717000 R08: ffff888277c5b4c0 R09: ffffc900006efa08
  R10: 0000000000199998 R11: 0000000000199a20 R12: ffff888116cae930
  R13: ffff88811125ee38 R14: ffffc9000071fa70 R15: ffff88810b794f90
  FS: 00007fc0415d2740(0000) GS:ffff888277c40000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000000 CR3: 0000000115201006 CR4: 0000000000172ea0
  Call Trace:
   track_possible_nx_huge_page+0x53/0x80
   kvm_tdp_mmu_map+0x242/0x2c0
   kvm_tdp_page_fault+0x10c/0x130
   kvm_mmu_page_fault+0x103/0x680
   vmx_handle_exit+0x132/0x5a0 [kvm_intel]
   vcpu_enter_guest+0x60c/0x16f0
   kvm_arch_vcpu_ioctl_run+0x1e2/0x9d0
   kvm_vcpu_ioctl+0x271/0x660
   __x64_sys_ioctl+0x80/0xb0
   do_syscall_64+0x2b/0x50
   entry_SYSCALL_64_after_hwframe+0x46/0xb0
  ---[ end trace 0000000000000000 ]---

Fixes: 61f94478547b ("KVM: x86/mmu: Set disallowed_nx_huge_page in TDP MMU before setting SPTE")
Reported-by: Greg Thelen
Analyzed-by: David Matlack
Cc: David Matlack
Cc: Ben Gardon
Cc: Mingwei Zhang
Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/mmu/tdp_mmu.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/mmu/tdp_mmu.c b/arch/x86/kvm/mmu/tdp_mmu.c
index e2e197d41780..fd4ae99790d7 100644
--- a/arch/x86/kvm/mmu/tdp_mmu.c
+++ b/arch/x86/kvm/mmu/tdp_mmu.c
@@ -1203,7 +1203,8 @@ int kvm_tdp_mmu_map(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault) if (fault->huge_page_disallowed && fault->req_level >= iter.level) { spin_lock(&kvm->arch.tdp_mmu_pages_lock); - track_possible_nx_huge_page(kvm, sp); + if (sp->nx_huge_page_disallowed) + track_possible_nx_huge_page(kvm, sp); spin_unlock(&kvm->arch.tdp_mmu_pages_lock); } } -- 2.39.0.rc1.256.g54fd8350bd-goog
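Review bot: the new `if (sp->nx_huge_page_disallowed)` guard carries no comment saying why a flag that was set before the SP was linked has to be re-read under tdp_mmu_pages_lock; a one-line comment that a concurrent zap may have cleared the flag and untracked the page between linking the SP and taking the spinlock would stop a later reader from folding the check back into the caller's `fault->huge_page_disallowed` test. Since the re-check is only meaningful if the zap path clears the flag under this same lock, the comment should name that dependency (or point at the function that does the clearing), so the two sides of the handshake stay coupled in future refactors.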
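As an added illustration, not part of this patch or of KVM's code, the following user-space C model replays the interleaving the commit message describes: the fault path links a shadow page whose nx_huge_page_disallowed flag is set, a different task zaps that page before the fault path reaches the spinlock, and the fault path then takes tdp_mmu_pages_lock to track the page. The struct, the array-backed list, the lock-held flag and the `freed` field are constructed stand-ins for the kernel's kvm_mmu_page, list_head, spinlock and RCU-deferred free; the model assumes, as the re-check relies on, that the zap path clears the flag and untracks the page under the same lock. `run_scenario()` and `fault_path_after_link()` are helper names chosen here, not kernel functions. With `recheck` false (pre-patch) the list ends up holding a page whose memory is already released; with `recheck` true the zapped page is never added.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for struct kvm_mmu_page: only the fields the race
 * touches.  'freed' models the memory having been handed to the RCU callback. */
struct sp {
    bool nx_huge_page_disallowed;
    bool on_list;
    bool freed;
};

#define MAX_TRACKED 8

/* Constructed stand-in for kvm->arch: possible_nx_huge_pages as a small array
 * and tdp_mmu_pages_lock as a held/not-held flag.  The scenario is replayed
 * sequentially, so a flag is enough to assert the locking discipline. */
struct kvm_model {
    bool lock_held;
    struct sp *possible_nx_huge_pages[MAX_TRACKED];
    size_t nr_tracked;
};

static void lock_pages(struct kvm_model *kvm)   { assert(!kvm->lock_held); kvm->lock_held = true; }
static void unlock_pages(struct kvm_model *kvm) { assert(kvm->lock_held);  kvm->lock_held = false; }

/* Model of track_possible_nx_huge_page(): caller must hold the lock. */
static void track_possible_nx_huge_page(struct kvm_model *kvm, struct sp *sp)
{
    assert(kvm->lock_held);
    if (sp->on_list || kvm->nr_tracked == MAX_TRACKED)
        return;
    kvm->possible_nx_huge_pages[kvm->nr_tracked++] = sp;
    sp->on_list = true;
}

/* Model of untrack_possible_nx_huge_page(): caller must hold the lock. */
static void untrack_possible_nx_huge_page(struct kvm_model *kvm, struct sp *sp)
{
    assert(kvm->lock_held);
    if (!sp->on_list)
        return;
    for (size_t i = 0; i < kvm->nr_tracked; i++) {
        if (kvm->possible_nx_huge_pages[i] == sp) {
            kvm->possible_nx_huge_pages[i] =
                kvm->possible_nx_huge_pages[--kvm->nr_tracked];
            break;
        }
    }
    sp->on_list = false;
}

/* Zap path run by the other task.  Assumed (this is what the re-check relies
 * on) to clear the flag and untrack the page under the same lock, after which
 * the page's memory is released. */
static void zap_sp(struct kvm_model *kvm, struct sp *sp)
{
    lock_pages(kvm);
    if (sp->nx_huge_page_disallowed) {
        sp->nx_huge_page_disallowed = false;
        untrack_possible_nx_huge_page(kvm, sp);
    }
    unlock_pages(kvm);
    sp->freed = true;
}

/* Tail of the fault path after the SP has been linked (hypothetical helper).
 * 'recheck' selects the patched behaviour; 'zap_in_window' interleaves the
 * other task's zap between the link and the lock acquisition. */
static void fault_path_after_link(struct kvm_model *kvm, struct sp *sp,
                                  bool recheck, bool zap_in_window)
{
    if (zap_in_window)
        zap_sp(kvm, sp);

    lock_pages(kvm);
    if (!recheck || sp->nx_huge_page_disallowed)   /* patched: re-check under lock */
        track_possible_nx_huge_page(kvm, sp);
    unlock_pages(kvm);
}

struct outcome {
    int tracked;        /* entries on possible_nx_huge_pages */
    int freed_on_list;  /* entries whose memory is already released (UAF) */
};

/* Hypothetical driver: runs one interleaving and reports whether the list
 * ended up referencing released memory. */
static struct outcome run_scenario(bool recheck, bool zap_in_window)
{
    struct kvm_model kvm = { false };
    struct sp sp = { .nx_huge_page_disallowed = true };  /* set before linking */
    struct outcome out = { 0, 0 };

    fault_path_after_link(&kvm, &sp, recheck, zap_in_window);

    out.tracked = (int)kvm.nr_tracked;
    for (size_t i = 0; i < kvm.nr_tracked; i++)
        out.freed_on_list += kvm.possible_nx_huge_pages[i]->freed;
    return out;
}

int main(void)
{
    assert(run_scenario(false, true).freed_on_list == 1); /* pre-patch: freed SP on list */
    assert(run_scenario(true, true).freed_on_list == 0);  /* patched: zapped SP skipped */
    assert(run_scenario(true, false).tracked == 1);       /* no race: SP still tracked */
    return 0;
}
```

The model deliberately keeps the zap and the re-check under one lock: if the zap path cleared the flag without holding tdp_mmu_pages_lock, the fault path could still observe the stale `true` and the guard would not help, which is why the patch pairs the check with the spinlock rather than reading the flag beforehand.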