[PATCH V2 0/2] Do not try to access unaccepted memory

[PATCH V2 0/2] Do not try to access unaccepted memory

[Adrian Hunter]

Hi

Support for unaccepted memory was added recently, refer commit
dcdfdd40fa82 ("mm: Add support for unaccepted memory"), whereby
a virtual machine may need to accept memory before it can be used.

Plug a few gaps where RAM is exposed without checking if it is
unaccepted memory.


Changes in V2:

      efi/unaccepted: Do not let /proc/vmcore try to access unaccepted memory
          Change patch subject and commit message
          Use vmcore_cb->.pfn_is_ram() instead of changing vmcore.c

      proc/kcore: Do not try to access unaccepted memory
          Change patch subject and commit message
          Do not open code pfn_is_unaccepted_memory()

      /dev/mem: Do not map unaccepted memory
          Patch dropped because it is not required


Adrian Hunter (2):
      efi/unaccepted: Do not let /proc/vmcore try to access unaccepted memory
      proc/kcore: Do not try to access unaccepted memory

 drivers/firmware/efi/unaccepted_memory.c | 20 ++++++++++++++++++++
 fs/proc/kcore.c                          |  3 ++-
 include/linux/mm.h                       |  7 +++++++
 3 files changed, 29 insertions(+), 1 deletion(-)


Regards
Adrian

[PATCH V2 1/2] efi/unaccepted: Do not let /proc/vmcore try to access unaccepted memory

[Adrian Hunter]

Support for unaccepted memory was added recently, refer commit dcdfdd40fa82
("mm: Add support for unaccepted memory"), whereby a virtual machine may
need to accept memory before it can be used.

Do not let /proc/vmcore try to access unaccepted memory because it can
cause the guest to fail.

For /proc/vmcore, which is read-only, this means a read or mmap of
unaccepted memory will return zeros.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
---
 drivers/firmware/efi/unaccepted_memory.c | 20 ++++++++++++++++++++
 include/linux/mm.h                       |  7 +++++++
 2 files changed, 27 insertions(+)


Changes in V2:

          Change patch subject and commit message
          Use vmcore_cb->.pfn_is_ram() instead of changing vmcore.c


diff --git a/drivers/firmware/efi/unaccepted_memory.c b/drivers/firmware/efi/unaccepted_memory.c
index 853f7dc3c21d..79ba576b22e3 100644
--- a/drivers/firmware/efi/unaccepted_memory.c
+++ b/drivers/firmware/efi/unaccepted_memory.c
@@ -3,6 +3,7 @@
 #include <linux/efi.h>
 #include <linux/memblock.h>
 #include <linux/spinlock.h>
+#include <linux/crash_dump.h>
 #include <asm/unaccepted_memory.h>
 
 /* Protects unaccepted memory bitmap */
@@ -145,3 +146,22 @@ bool range_contains_unaccepted_memory(phys_addr_t start, phys_addr_t end)
 
 	return ret;
 }
+
+#ifdef CONFIG_PROC_VMCORE
+static bool unaccepted_memory_vmcore_pfn_is_ram(struct vmcore_cb *cb,
+						unsigned long pfn)
+{
+	return !pfn_is_unaccepted_memory(pfn);
+}
+
+static struct vmcore_cb vmcore_cb = {
+	.pfn_is_ram = unaccepted_memory_vmcore_pfn_is_ram,
+};
+
+static int __init unaccepted_memory_init_kdump(void)
+{
+	register_vmcore_cb(&vmcore_cb);
+	return 0;
+}
+core_initcall(unaccepted_memory_init_kdump);
+#endif /* CONFIG_PROC_VMCORE */
diff --git a/include/linux/mm.h b/include/linux/mm.h
index bf5d0b1b16f4..86511150f1d4 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -4062,4 +4062,11 @@ static inline void accept_memory(phys_addr_t start, phys_addr_t end)
 
 #endif
 
+static inline bool pfn_is_unaccepted_memory(unsigned long pfn)
+{
+	phys_addr_t paddr = pfn << PAGE_SHIFT;
+
+	return range_contains_unaccepted_memory(paddr, paddr + PAGE_SIZE);
+}
+
 #endif /* _LINUX_MM_H */
-- 
2.34.1

[PATCH V2 2/2] proc/kcore: Do not try to access unaccepted memory

[Adrian Hunter]

Support for unaccepted memory was added recently, refer commit
dcdfdd40fa82 ("mm: Add support for unaccepted memory"), whereby a virtual
machine may need to accept memory before it can be used.

Do not try to access unaccepted memory because it can cause the guest to
fail.

For /proc/kcore, which is read-only and does not support mmap, this means a
read of unaccepted memory will return zeros.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
---
 fs/proc/kcore.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


Changes in V2:

          Change patch subject and commit message
          Do not open code pfn_is_unaccepted_memory()


diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index 23fc24d16b31..6422e569b080 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -546,7 +546,8 @@ static ssize_t read_kcore_iter(struct kiocb *iocb, struct iov_iter *iter)
 			 * and explicitly excluded physical ranges.
 			 */
 			if (!page || PageOffline(page) ||
-			    is_page_hwpoison(page) || !pfn_is_ram(pfn)) {
+			    is_page_hwpoison(page) || !pfn_is_ram(pfn) ||
+			    pfn_is_unaccepted_memory(pfn)) {
 				if (iov_iter_zero(tsz, iter) != tsz) {
 					ret = -EFAULT;
 					goto out;
-- 
2.34.1

Re: [PATCH V2 2/2] proc/kcore: Do not try to access unaccepted memory

[David Hildenbrand]

On 11.09.23 13:21, Adrian Hunter wrote:
> Support for unaccepted memory was added recently, refer commit
> dcdfdd40fa82 ("mm: Add support for unaccepted memory"), whereby a virtual
> machine may need to accept memory before it can be used.
> 
> Do not try to access unaccepted memory because it can cause the guest to
> fail.
> 
> For /proc/kcore, which is read-only and does not support mmap, this means a
> read of unaccepted memory will return zeros.
> 
> Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
> ---
>   fs/proc/kcore.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> 
> Changes in V2:
> 
>            Change patch subject and commit message
>            Do not open code pfn_is_unaccepted_memory()
> 
> 
> diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
> index 23fc24d16b31..6422e569b080 100644
> --- a/fs/proc/kcore.c
> +++ b/fs/proc/kcore.c
> @@ -546,7 +546,8 @@ static ssize_t read_kcore_iter(struct kiocb *iocb, struct iov_iter *iter)
>   			 * and explicitly excluded physical ranges.
>   			 */
>   			if (!page || PageOffline(page) ||
> -			    is_page_hwpoison(page) || !pfn_is_ram(pfn)) {
> +			    is_page_hwpoison(page) || !pfn_is_ram(pfn) ||
> +			    pfn_is_unaccepted_memory(pfn)) {
>   				if (iov_iter_zero(tsz, iter) != tsz) {
>   					ret = -EFAULT;
>   					goto out;

Reviewed-by: David Hildenbrand <david@redhat.com>

-- 
Cheers,

David / dhildenb

Re: [PATCH V2 1/2] efi/unaccepted: Do not let /proc/vmcore try to access unaccepted memory

[David Hildenbrand]

On 11.09.23 13:21, Adrian Hunter wrote:
> Support for unaccepted memory was added recently, refer commit dcdfdd40fa82
> ("mm: Add support for unaccepted memory"), whereby a virtual machine may
> need to accept memory before it can be used.
> 
> Do not let /proc/vmcore try to access unaccepted memory because it can
> cause the guest to fail.
> 
> For /proc/vmcore, which is read-only, this means a read or mmap of
> unaccepted memory will return zeros.
> 
> Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
> ---

[...]

> +static inline bool pfn_is_unaccepted_memory(unsigned long pfn)
> +{
> +	phys_addr_t paddr = pfn << PAGE_SHIFT;
> +
> +	return range_contains_unaccepted_memory(paddr, paddr + PAGE_SIZE);
> +}
> +
>   #endif /* _LINUX_MM_H */

As stated, if the relevant table is not already properly populated with 
information about unaccepted memory by the first kernel, this probably 
logically belongs into Kirills series.

Reviewed-by: David Hildenbrand <david@redhat.com>

-- 
Cheers,

David / dhildenb

Re: [PATCH V2 1/2] efi/unaccepted: Do not let /proc/vmcore try to access unaccepted memory

[David Hildenbrand]

On 11.09.23 13:21, Adrian Hunter wrote:
> Support for unaccepted memory was added recently, refer commit dcdfdd40fa82
> ("mm: Add support for unaccepted memory"), whereby a virtual machine may
> need to accept memory before it can be used.
> 
> Do not let /proc/vmcore try to access unaccepted memory because it can
> cause the guest to fail.

Oh, hold on. What are the actual side effects of this?

Once we're in the kdump kernel, any guest is already dead. So failing a 
guest doesn't apply, no?

-- 
Cheers,

David / dhildenb

Re: [PATCH V2 1/2] efi/unaccepted: Do not let /proc/vmcore try to access unaccepted memory

[Adrian Hunter]

On 12/09/23 10:19, David Hildenbrand wrote:
> On 11.09.23 13:21, Adrian Hunter wrote:
>> Support for unaccepted memory was added recently, refer commit dcdfdd40fa82
>> ("mm: Add support for unaccepted memory"), whereby a virtual machine may
>> need to accept memory before it can be used.
>>
>> Do not let /proc/vmcore try to access unaccepted memory because it can
>> cause the guest to fail.
> 
> Oh, hold on. What are the actual side effects of this?
> 
> Once we're in the kdump kernel, any guest is already dead. So failing a guest doesn't apply, no?
> 
Unaccepted Memory is used by virtual machines.  In this case the guest
has kexec'ed to a dump-capture kernel, so the virtual machine is still
alive and running the dump-capture kernel.

Re: [PATCH V2 1/2] efi/unaccepted: Do not let /proc/vmcore try to access unaccepted memory

[David Hildenbrand]

On 12.09.23 09:47, Adrian Hunter wrote:
> On 12/09/23 10:19, David Hildenbrand wrote:
>> On 11.09.23 13:21, Adrian Hunter wrote:
>>> Support for unaccepted memory was added recently, refer commit dcdfdd40fa82
>>> ("mm: Add support for unaccepted memory"), whereby a virtual machine may
>>> need to accept memory before it can be used.
>>>
>>> Do not let /proc/vmcore try to access unaccepted memory because it can
>>> cause the guest to fail.
>>
>> Oh, hold on. What are the actual side effects of this?
>>
>> Once we're in the kdump kernel, any guest is already dead. So failing a guest doesn't apply, no?
>>
> Unaccepted Memory is used by virtual machines.  In this case the guest
> has kexec'ed to a dump-capture kernel, so the virtual machine is still
> alive and running the dump-capture kernel.

Ah, I got lost in TDX host semantics. So what you're saying, if we 
(guest) are reading unnaccepted memory we will get zapped. Makes sense.

-- 
Cheers,

David / dhildenb