Date: Wed, 23 Nov 2022 12:40:40 +0100
From: Borislav Petkov
To: "Kalra, Ashish"
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-coco@lists.linux.dev, linux-mm@kvack.org, linux-crypto@vger.kernel.org, tglx@linutronix.de, mingo@redhat.com, jroedel@suse.de, thomas.lendacky@amd.com, hpa@zytor.com, ardb@kernel.org, pbonzini@redhat.com, seanjc@google.com, vkuznets@redhat.com, jmattson@google.com, luto@kernel.org, dave.hansen@linux.intel.com, slp@redhat.com, pgonda@google.com, peterz@infradead.org, srinivas.pandruvada@linux.intel.com, rientjes@google.com, dovmurik@linux.ibm.com, tobin@ibm.com, michael.roth@amd.com, vbabka@suse.cz, kirill@shutemov.name, ak@linux.intel.com, tony.luck@intel.com, marcorr@google.com, sathyanarayanan.kuppuswamy@linux.intel.com, alpergun@google.com, dgilbert@redhat.com, jarkko@kernel.org
Subject: Re: [PATCH Part2 v6 14/49] crypto: ccp: Handle the legacy TMR allocation when SNP is enabled
In-Reply-To: <13bd73b6-592c-66c4-cd42-0913380da745@amd.com>
References: <3a51840f6a80c87b39632dc728dbd9b5dd444cd7.1655761627.git.ashish.kalra@amd.com> <380c9748-1c86-4763-ea18-b884280a3b60@amd.com> <13bd73b6-592c-66c4-cd42-0913380da745@amd.com>
List-ID: linux-crypto@vger.kernel.org

On Tue, Nov 22, 2022 at 05:44:47AM -0600, Kalra, Ashish wrote:
> It is important to note that if invalid address/len are supplied, the
> failure will happen at the initial stage itself of transitioning these pages
> to firmware state.
/me goes and checks out your v6 tree based on 5.18.

Lemme choose one:

static int snp_launch_update(struct kvm *kvm, struct kvm_sev_cmd *argp)
{

	...

	inpages = sev_pin_memory(kvm, params.uaddr, params.len, &npages, 1);

	...

	for (i = 0; i < npages; i++) {
		pfn = page_to_pfn(inpages[i]);

		...

		ret = __sev_issue_cmd(argp->sev_fd, SEV_CMD_SNP_LAUNCH_UPDATE, &data, error);
		if (ret) {
			/*
			 * If the command failed then need to reclaim the page.
			 */
			snp_page_reclaim(pfn);

and here it would leak the pages if it cannot reclaim them.

Now how did you get those? Through params.uaddr and params.len which come
from userspace:

	if (copy_from_user(&params, (void __user *)(uintptr_t)argp->data, sizeof(params)))
		return -EFAULT;

Now, think about it, can userspace be trusted?

Exactly.

Yeah, yeah, I see it does is_hva_registered() but userspace can just as well
supply the wrong region which fits.

> In such a case the kernel panic is justifiable,

So userspace can supply whatever it wants and you'd panic?

You surely don't mean that.

> but again if incorrect addresses are supplied, the failure will happen
> at the initial stage of transitioning these pages to firmware state
> and there is no need to reclaim.

See above.

> Or, otherwise dump a warning and let the pages not be freed/returned
> back to the page allocator.
>
> It is either innocent pages or kernel panic or an innocent host
> process crash (these are the choices to make).

No, it is make the kernel as resilient as possible. Which means, no panic,
add the pages to a not-to-be-used-anymore list and scream loudly with
warning messages when it must leak pages so that people can fix the issue.

Ok?

--
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
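The policy argued for at the end of the message, as an added example that is not code from the patch series or from the kernel: a user-space model of the reclaim error path. A page the firmware refuses to hand back must not be returned to the page allocator (the firmware may still own it), so it goes on a quarantine list with a loud warning, and the remaining pages are still processed instead of the host panicking. The fake firmware stub, the pfn scenario and every function name below are assumptions made for the example.

```c
/*
 * Added example, not kernel code: "leak, don't panic" handling of pages
 * that firmware refuses to reclaim. All names here are hypothetical.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NR_TEST_PFNS 64

/*
 * Stand-in for the firmware reclaim command (the real driver talks to
 * the PSP). A table decides which pfns the "firmware" refuses, so a
 * test can construct failures.
 */
static bool fw_refuses_reclaim[NR_TEST_PFNS];

static int fake_firmware_reclaim(unsigned long pfn)
{
	if (pfn >= NR_TEST_PFNS)
		return -EINVAL;
	return fw_refuses_reclaim[pfn] ? -EIO : 0;
}

/* Test hook: make the fake firmware refuse (or accept) reclaim of pfn. */
void snp_test_set_reclaim_failure(unsigned long pfn, bool fail)
{
	if (pfn < NR_TEST_PFNS)
		fw_refuses_reclaim[pfn] = fail;
}

/* The not-to-be-used-anymore list: pages firmware would not give back. */
struct leaked_page {
	unsigned long pfn;
	int fw_error;
	struct leaked_page *next;
};

static struct leaked_page *snp_leaked_list;
static unsigned long snp_leaked_count;
static unsigned long snp_freed_count;

/* Stand-in for __free_page(): only reached once the page is ours again. */
static void free_page_to_allocator(unsigned long pfn)
{
	(void)pfn;
	snp_freed_count++;
}

/*
 * Release one page to the host. On reclaim failure the page is quarantined
 * and a warning printed; nothing panics and nothing is freed. Returns 0 on
 * success or the firmware error.
 */
int snp_release_page(unsigned long pfn)
{
	struct leaked_page *lp;
	int rc = fake_firmware_reclaim(pfn);

	if (!rc) {
		free_page_to_allocator(pfn);
		return 0;
	}

	/* The kernel equivalent would be a WARN/pr_err so someone fixes it. */
	fprintf(stderr, "WARNING: SNP reclaim of pfn %#lx failed (%d), leaking page\n",
		pfn, rc);
	snp_leaked_count++;

	lp = malloc(sizeof(*lp));
	if (!lp)
		return rc;	/* cannot record it; still leak rather than panic */
	lp->pfn = pfn;
	lp->fw_error = rc;
	lp->next = snp_leaked_list;
	snp_leaked_list = lp;
	return rc;
}

/*
 * Release a run of pages, as the error path of a launch-update loop would.
 * One bad page does not stop the rest from being handled; the number of
 * pages that had to be leaked is returned so the caller can report it.
 */
unsigned long snp_release_range(unsigned long first_pfn, unsigned long npages)
{
	unsigned long i, failed = 0;

	for (i = 0; i < npages; i++)
		if (snp_release_page(first_pfn + i))
			failed++;
	return failed;
}

bool snp_page_is_leaked(unsigned long pfn)
{
	const struct leaked_page *lp;

	for (lp = snp_leaked_list; lp; lp = lp->next)
		if (lp->pfn == pfn)
			return true;
	return false;
}

unsigned long snp_leaked_pages(void) { return snp_leaked_count; }
unsigned long snp_freed_pages(void) { return snp_freed_count; }

int main(void)
{
	unsigned long failed;

	/* Constructed scenario: firmware refuses pfns 3 and 7 of a 10-page run. */
	snp_test_set_reclaim_failure(3, true);
	snp_test_set_reclaim_failure(7, true);
	failed = snp_release_range(0, 10);
	printf("leaked %lu, freed %lu\n", failed, snp_freed_pages());
	return 0;
}
```

The point of the design is the split between the two outcomes: a page is freed only after the firmware confirms it is back in host ownership, and a failure changes nothing except the quarantine list and the warning, so a malformed region handed in from userspace costs a few pages rather than the host.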