From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Dmitry Vyukov" <dvyukov@google.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Eric Biggers" <ebiggers3@gmail.com>,
"Wanpeng Li" <wanpeng.li@hotmail.com>
Subject: [PATCH 4.4 10/36] KVM: mmu: Fix overlap between public and private memslots
Date: Fri, 9 Mar 2018 16:18:26 -0800 [thread overview]
Message-ID: <20180310001807.773303334@linuxfoundation.org> (raw)
In-Reply-To: <20180310001807.213987241@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wanpeng Li <wanpeng.li@hotmail.com>
commit b28676bb8ae4569cced423dc2a88f7cb319d5379 upstream.
Reported by syzkaller:
pte_list_remove: ffff9714eb1f8078 0->BUG
------------[ cut here ]------------
kernel BUG at arch/x86/kvm/mmu.c:1157!
invalid opcode: 0000 [#1] SMP
RIP: 0010:pte_list_remove+0x11b/0x120 [kvm]
Call Trace:
drop_spte+0x83/0xb0 [kvm]
mmu_page_zap_pte+0xcc/0xe0 [kvm]
kvm_mmu_prepare_zap_page+0x81/0x4a0 [kvm]
kvm_mmu_invalidate_zap_all_pages+0x159/0x220 [kvm]
kvm_arch_flush_shadow_all+0xe/0x10 [kvm]
kvm_mmu_notifier_release+0x6c/0xa0 [kvm]
? kvm_mmu_notifier_release+0x5/0xa0 [kvm]
__mmu_notifier_release+0x79/0x110
? __mmu_notifier_release+0x5/0x110
exit_mmap+0x15a/0x170
? do_exit+0x281/0xcb0
mmput+0x66/0x160
do_exit+0x2c9/0xcb0
? __context_tracking_exit.part.5+0x4a/0x150
do_group_exit+0x50/0xd0
SyS_exit_group+0x14/0x20
do_syscall_64+0x73/0x1f0
entry_SYSCALL64_slow_path+0x25/0x25
The reason is that when creates new memslot, there is no guarantee for new
memslot not overlap with private memslots. This can be triggered by the
following program:
#include <fcntl.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/kvm.h>
long r[16];
int main()
{
void *p = valloc(0x4000);
r[2] = open("/dev/kvm", 0);
r[3] = ioctl(r[2], KVM_CREATE_VM, 0x0ul);
uint64_t addr = 0xf000;
ioctl(r[3], KVM_SET_IDENTITY_MAP_ADDR, &addr);
r[6] = ioctl(r[3], KVM_CREATE_VCPU, 0x0ul);
ioctl(r[3], KVM_SET_TSS_ADDR, 0x0ul);
ioctl(r[6], KVM_RUN, 0);
ioctl(r[6], KVM_RUN, 0);
struct kvm_userspace_memory_region mr = {
.slot = 0,
.flags = KVM_MEM_LOG_DIRTY_PAGES,
.guest_phys_addr = 0xf000,
.memory_size = 0x4000,
.userspace_addr = (uintptr_t) p
};
ioctl(r[3], KVM_SET_USER_MEMORY_REGION, &mr);
return 0;
}
This patch fixes the bug by not adding a new memslot even if it
overlaps with private memslots.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Biggers <ebiggers3@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
---
virt/kvm/kvm_main.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -902,8 +902,7 @@ int __kvm_set_memory_region(struct kvm *
/* Check for overlaps */
r = -EEXIST;
kvm_for_each_memslot(slot, __kvm_memslots(kvm, as_id)) {
- if ((slot->id >= KVM_USER_MEM_SLOTS) ||
- (slot->id == id))
+ if (slot->id == id)
continue;
if (!((base_gfn + npages <= slot->base_gfn) ||
(base_gfn >= slot->base_gfn + slot->npages)))
next prev parent reply other threads:[~2018-03-10 0:18 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-10 0:18 [PATCH 4.4 00/36] 4.4.121-stable review Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 01/36] tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 02/36] tpm_i2c_infineon: " Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 03/36] tpm_i2c_nuvoton: " Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 04/36] ALSA: usb-audio: Add a quirck for B&W PX headphones Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 05/36] ALSA: hda: Add a power_save blacklist Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 06/36] cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 07/36] media: m88ds3103: dont call a non-initalized function Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 08/36] nospec: Allow index argument to have const-qualified type Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 09/36] ARM: mvebu: Fix broken PL310_ERRATA_753970 selects Greg Kroah-Hartman
2018-03-10 0:18 ` Greg Kroah-Hartman [this message]
2018-03-10 0:18 ` [PATCH 4.4 11/36] x86/syscall: Sanitize syscall table de-references under speculation fix Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 12/36] btrfs: Dont clear SGID when inheriting ACLs Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 13/36] ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux Greg Kroah-Hartman
2018-03-12 23:29 ` Ben Hutchings
2018-03-14 21:31 ` Adam Ford
2018-03-16 12:32 ` Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 14/36] x86/apic/vector: Handle legacy irq data correctly Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 15/36] leds: do not overflow sysfs buffer in led_trigger_show Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 16/36] x86/spectre: Fix an error message Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 17/36] Revert "led: core: Fix brightness setting when setting delay_off=0" Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 18/36] bridge: check brport attr show in brport_show Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 19/36] fib_semantics: Dont match route with mismatching tclassid Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 20/36] hdlc_ppp: carrier detect ok, dont turn off negotiation Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 21/36] ipv6 sit: work around bogus gcc-8 -Wrestrict warning Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 22/36] net: fix race on decreasing number of TX queues Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 23/36] net: ipv4: dont allow setting net.ipv4.route.min_pmtu below 68 Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 24/36] netlink: ensure to loop over all netns in genlmsg_multicast_allns() Greg Kroah-Hartman
2018-03-13 0:04 ` Ben Hutchings
2018-03-14 17:06 ` Nicolas Dichtel
2018-03-14 20:10 ` [PATCH net] netlink: avoid a double skb free in genlmsg_mcast() Nicolas Dichtel
2018-03-16 16:36 ` David Miller
2018-03-10 0:18 ` [PATCH 4.4 25/36] ppp: prevent unregistered channels from connecting to PPP units Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 26/36] udplite: fix partial checksum initialization Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 27/36] sctp: fix dst refcnt leak in sctp_v4_get_dst Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 28/36] sctp: fix dst refcnt leak in sctp_v6_get_dst() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 29/36] s390/qeth: fix SETIP command handling Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 30/36] s390/qeth: fix IPA command submission race Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 31/36] sctp: verify size of a new chunk in _sctp_make_chunk() Greg Kroah-Hartman
2018-03-13 0:46 ` Ben Hutchings
2018-03-13 9:56 ` Greg Kroah-Hartman
2018-03-14 16:23 ` Ben Hutchings
2018-03-10 0:18 ` [PATCH 4.4 32/36] net: mpls: Pull common label check into helper Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 33/36] mpls, nospec: Sanitize array index in mpls_label_ok() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 34/36] dm io: fix duplicate bio completion due to missing ref count Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 35/36] bpf, x64: implement retpoline for tail call Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 36/36] btrfs: preserve i_mode if __btrfs_set_acl() fails Greg Kroah-Hartman
2018-03-10 0:50 ` [PATCH 4.4 00/36] 4.4.121-stable review Nathan Chancellor
2018-03-10 1:03 ` Greg Kroah-Hartman
2018-03-10 1:07 ` Nathan Chancellor
2018-03-10 5:16 ` Shuah Khan
2018-03-10 7:19 ` kernelci.org bot
2018-03-10 15:43 ` Guenter Roeck
2018-03-12 11:39 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180310001807.773303334@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dvyukov@google.com \
--cc=ebiggers3@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=stable@vger.kernel.org \
--cc=wanpeng.li@hotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).