Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp3396776rdg; Tue, 17 Oct 2023 13:27:02 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGDrIjaVLjJX8vqQeM6Nygk1x87X0b6XvgyZ20EThP8wfof0b+DxvHhVSRDqOL6VMP8VUjo X-Received: by 2002:a05:6359:5ea0:b0:166:d379:93c1 with SMTP id px32-20020a0563595ea000b00166d37993c1mr3010836rwb.20.1697574422055; Tue, 17 Oct 2023 13:27:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697574422; cv=none; d=google.com; s=arc-20160816; b=ndmLSWZPkGJyTHW8qM98MAnteQnymrRieZisyt5KvrsN/HCP6/d398ipSPiYXGn3Jv /yXiP6aUp82gAYAHHeHX7MtkGE8TQ0EAcfYctO2gkQS7/vQADZCUiIvvzzdO0ShTXPzT zpnNjx8XB0SWjrdMQr03BX1B1auxn+Xwlv1+SKQLl23e27v+B8PO/cp1GcPXWImpn0ol YDw3H3Nlhqm2m64NYVHG0//jWhUWG+Znf7Sd3q1uCTFc1QtOJB3NsqbfY4/zbx7y8ZBH 6PW/d2Gn1HWJ0tTHl/XEaiBjoPquk8kIKLU6yELHZL28KwTB4UKO0q+OdDaDgm/IE+fQ 7QYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=dqWPT2ff4hQsZMyN/elKnwFrgzXTHpj6zlnnySJ8bWs=; fh=rpHONOI4nOSnLucy3eG5RPBO2psw2a+MP0jostdNrfk=; b=eUqDoQOHyTSazklEcfW7z9X0TEfo+AgnDzG1UdRI0ujrfDoVSFUsAwdwvps2I6BwxV AjBA9RAJAdl9OwEnquSA+v6RlqNIZQmHmXGdJfg1bxnrdA596fFSaeUDA/aCzmgLPCie a203LELGasHMagRQkoKd/eq4+i53JaeYBUVsLv56tIPVO4uv4afoAM8ss/vBZDZTa18L ef4B3Bq9PcmOUS5LwoIWyx8K4eJies7CEeV+fPqHyr8yTEMtkE9eH2bb9wCnKRto9mot 4OKSliJTHjg5ecN1ph1wuLQli2NFMraQcz8l3wg6WR2FauXlaU+qYpO7ywv1r3V+zM3C kKMQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=Wq1ZyfzE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from morse.vger.email (morse.vger.email. [23.128.96.31]) by mx.google.com with ESMTPS id bv125-20020a632e83000000b005a1d88169casi501037pgb.189.2023.10.17.13.27.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Oct 2023 13:27:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) client-ip=23.128.96.31; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=Wq1ZyfzE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 21B4C80A32E1; Tue, 17 Oct 2023 13:25:57 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344450AbjJQUZl (ORCPT + 99 others); Tue, 17 Oct 2023 16:25:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55490 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344034AbjJQUZd (ORCPT ); Tue, 17 Oct 2023 16:25:33 -0400 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.7]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC4EF9F; Tue, 17 Oct 2023 13:25:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1697574332; x=1729110332; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=DtMYE8N1kmDVdDJrac2n6n5keisOitJwN0pOUvbjeOE=; b=Wq1ZyfzEba+OjXqg5BUFD446IdXA5Zo16113OlkK1lkCSZuskG0VZb7p FFKFsUWVlcYh0KC312FWOHmQodtrnM59Ie6dYMDNWDr9DZOoPyq6qZ5et YLsHtvDUOO0HRResMWMztKqonRYi4hsxmrIBNvgeoK4Ej4szGnaFgjRgB 7aTI4EAVxGSD3cXbRX/en6zZdBfLrLHQKuN1b3GR7Wk8wcS/oBLUBUo+g WYYfGjZ43vuuQ1Pj5e/MLGVb/9BZkn+iiWMIbGb7BuPwAa3D3ONYqW0Wb Fk/BKCVQiDLNtAbInvgJ+kjAMwJB6H2w8aMZIK8cuVUAC7sOudBlzBnLM w==; X-IronPort-AV: E=McAfee;i="6600,9927,10866"; a="7429511" X-IronPort-AV: E=Sophos;i="6.03,233,1694761200"; d="scan'208";a="7429511" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmvoesa101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Oct 2023 13:25:31 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10866"; a="900040443" X-IronPort-AV: E=Sophos;i="6.03,233,1694761200"; d="scan'208";a="900040443" Received: from rtdinh-mobl1.amr.corp.intel.com (HELO rpedgeco-desk4.intel.com) ([10.212.150.155]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Oct 2023 13:23:28 -0700 From: Rick Edgecombe To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley , thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org Cc: rick.p.edgecombe@intel.com, Paolo Bonzini , Wanpeng Li , Vitaly Kuznetsov , kvm@vger.kernel.org Subject: [PATCH 03/10] kvmclock: Use free_decrypted_pages() Date: Tue, 17 Oct 2023 13:24:58 -0700 Message-Id: <20231017202505.340906-4-rick.p.edgecombe@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com> References: <20231017202505.340906-1-rick.p.edgecombe@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Tue, 17 Oct 2023 13:25:57 -0700 (PDT) On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. Kvmclock could free decrypted/shared pages if set_memory_decrypted() fails. Use the recently added free_decrypted_pages() to avoid this. Cc: Paolo Bonzini Cc: Wanpeng Li Cc: Vitaly Kuznetsov Cc: kvm@vger.kernel.org Signed-off-by: Rick Edgecombe --- arch/x86/kernel/kvmclock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c index fb8f52149be9..587b159c4e53 100644 --- a/arch/x86/kernel/kvmclock.c +++ b/arch/x86/kernel/kvmclock.c @@ -227,7 +227,7 @@ static void __init kvmclock_init_mem(void) r = set_memory_decrypted((unsigned long) hvclock_mem, 1UL << order); if (r) { - __free_pages(p, order); + free_decrypted_pages((unsigned long)hvclock_mem, order); hvclock_mem = NULL; pr_warn("kvmclock: set_memory_decrypted() failed. Disabling\n"); return; -- 2.34.1