From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Dmitry Vyukov" <dvyukov@google.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Eric Biggers" <ebiggers3@gmail.com>,
"Wanpeng Li" <wanpeng.li@hotmail.com>
Subject: [PATCH 4.9 21/65] KVM: mmu: Fix overlap between public and private memslots
Date: Fri, 9 Mar 2018 16:18:21 -0800 [thread overview]
Message-ID: <20180310001826.622986326@linuxfoundation.org> (raw)
In-Reply-To: <20180310001824.927996722@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wanpeng Li <wanpeng.li@hotmail.com>
commit b28676bb8ae4569cced423dc2a88f7cb319d5379 upstream.
Reported by syzkaller:
pte_list_remove: ffff9714eb1f8078 0->BUG
------------[ cut here ]------------
kernel BUG at arch/x86/kvm/mmu.c:1157!
invalid opcode: 0000 [#1] SMP
RIP: 0010:pte_list_remove+0x11b/0x120 [kvm]
Call Trace:
drop_spte+0x83/0xb0 [kvm]
mmu_page_zap_pte+0xcc/0xe0 [kvm]
kvm_mmu_prepare_zap_page+0x81/0x4a0 [kvm]
kvm_mmu_invalidate_zap_all_pages+0x159/0x220 [kvm]
kvm_arch_flush_shadow_all+0xe/0x10 [kvm]
kvm_mmu_notifier_release+0x6c/0xa0 [kvm]
? kvm_mmu_notifier_release+0x5/0xa0 [kvm]
__mmu_notifier_release+0x79/0x110
? __mmu_notifier_release+0x5/0x110
exit_mmap+0x15a/0x170
? do_exit+0x281/0xcb0
mmput+0x66/0x160
do_exit+0x2c9/0xcb0
? __context_tracking_exit.part.5+0x4a/0x150
do_group_exit+0x50/0xd0
SyS_exit_group+0x14/0x20
do_syscall_64+0x73/0x1f0
entry_SYSCALL64_slow_path+0x25/0x25
The reason is that when creates new memslot, there is no guarantee for new
memslot not overlap with private memslots. This can be triggered by the
following program:
#include <fcntl.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/kvm.h>
long r[16];
int main()
{
void *p = valloc(0x4000);
r[2] = open("/dev/kvm", 0);
r[3] = ioctl(r[2], KVM_CREATE_VM, 0x0ul);
uint64_t addr = 0xf000;
ioctl(r[3], KVM_SET_IDENTITY_MAP_ADDR, &addr);
r[6] = ioctl(r[3], KVM_CREATE_VCPU, 0x0ul);
ioctl(r[3], KVM_SET_TSS_ADDR, 0x0ul);
ioctl(r[6], KVM_RUN, 0);
ioctl(r[6], KVM_RUN, 0);
struct kvm_userspace_memory_region mr = {
.slot = 0,
.flags = KVM_MEM_LOG_DIRTY_PAGES,
.guest_phys_addr = 0xf000,
.memory_size = 0x4000,
.userspace_addr = (uintptr_t) p
};
ioctl(r[3], KVM_SET_USER_MEMORY_REGION, &mr);
return 0;
}
This patch fixes the bug by not adding a new memslot even if it
overlaps with private memslots.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Biggers <ebiggers3@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
---
virt/kvm/kvm_main.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -976,8 +976,7 @@ int __kvm_set_memory_region(struct kvm *
/* Check for overlaps */
r = -EEXIST;
kvm_for_each_memslot(slot, __kvm_memslots(kvm, as_id)) {
- if ((slot->id >= KVM_USER_MEM_SLOTS) ||
- (slot->id == id))
+ if (slot->id == id)
continue;
if (!((base_gfn + npages <= slot->base_gfn) ||
(base_gfn >= slot->base_gfn + slot->npages)))
next prev parent reply other threads:[~2018-03-10 0:18 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-10 0:18 [PATCH 4.9 00/65] 4.9.87-stable review Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 01/65] tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 02/65] tpm_i2c_infineon: " Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 03/65] tpm_i2c_nuvoton: " Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 04/65] tpm_tis: " Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 05/65] tpm: constify transmit data pointers Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 06/65] tpm_tis_spi: Use DMA-safe memory for SPI transfers Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 07/65] tpm-dev-common: Reject too short writes Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 08/65] ALSA: usb-audio: Add a quirck for B&W PX headphones Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 09/65] ALSA: hda: Add a power_save blacklist Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 10/65] ALSA: hda - Fix pincfg at resume on Lenovo T470 dock Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 11/65] timers: Forward timer base before migrating timers Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 12/65] parisc: Fix ordering of cache and TLB flushes Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 13/65] cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 14/65] dax: fix vma_is_fsdax() helper Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 15/65] x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 16/65] x86/platform/intel-mid: Handle Intel Edison reboot correctly Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 17/65] media: m88ds3103: dont call a non-initalized function Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 18/65] nospec: Allow index argument to have const-qualified type Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 19/65] ARM: mvebu: Fix broken PL310_ERRATA_753970 selects Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 20/65] ARM: kvm: fix building with gcc-8 Greg Kroah-Hartman
2018-03-10 0:18 ` Greg Kroah-Hartman [this message]
2018-03-10 0:18 ` [PATCH 4.9 22/65] KVM/x86: Remove indirect MSR op calls from SPEC_CTRL Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 23/65] KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 24/65] PCI/ASPM: Deal with missing root ports in link state handling Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 25/65] dm io: fix duplicate bio completion due to missing ref count Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 26/65] ARM: dts: LogicPD SOM-LV: Fix I2C1 pinmux Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 27/65] ARM: dts: LogicPD Torpedo: " Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 28/65] x86/mm: Give each mm TLB flush generation a unique ID Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 29/65] x86/speculation: Use Indirect Branch Prediction Barrier in context switch Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 30/65] md: only allow remove_and_add_spares when no sync_thread running Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 31/65] netlink: put module reference if dump start fails Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 32/65] x86/apic/vector: Handle legacy irq data correctly Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 33/65] bridge: check brport attr show in brport_show Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 34/65] fib_semantics: Dont match route with mismatching tclassid Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 35/65] hdlc_ppp: carrier detect ok, dont turn off negotiation Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 36/65] ipv6 sit: work around bogus gcc-8 -Wrestrict warning Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 37/65] net: fix race on decreasing number of TX queues Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 38/65] net: ipv4: dont allow setting net.ipv4.route.min_pmtu below 68 Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 39/65] netlink: ensure to loop over all netns in genlmsg_multicast_allns() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 40/65] ppp: prevent unregistered channels from connecting to PPP units Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 41/65] udplite: fix partial checksum initialization Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 42/65] sctp: fix dst refcnt leak in sctp_v4_get_dst Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 43/65] mlxsw: spectrum_switchdev: Check success of FDB add operation Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 44/65] net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 45/65] tcp: Honor the eor bit in tcp_mtu_probe Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 46/65] rxrpc: Fix send in rxrpc_send_data_packet() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 47/65] tcp_bbr: better deal with suboptimal GSO Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 48/65] sctp: fix dst refcnt leak in sctp_v6_get_dst() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 49/65] s390/qeth: fix underestimated count of buffer elements Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 50/65] s390/qeth: fix SETIP command handling Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 51/65] s390/qeth: fix overestimated count of buffer elements Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 52/65] s390/qeth: fix IP removal on offline cards Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 53/65] s390/qeth: fix double-free on IP add/remove race Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 54/65] s390/qeth: fix IP address lookup for L3 devices Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 55/65] s390/qeth: fix IPA command submission race Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 56/65] sctp: verify size of a new chunk in _sctp_make_chunk() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 57/65] net: mpls: Pull common label check into helper Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 58/65] mpls, nospec: Sanitize array index in mpls_label_ok() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.9 59/65] bpf: fix wrong exposure of map_flags into fdinfo for lpm Greg Kroah-Hartman
2018-03-10 0:19 ` [PATCH 4.9 60/65] bpf: fix mlock precharge on arraymaps Greg Kroah-Hartman
2018-03-10 0:19 ` [PATCH 4.9 61/65] bpf, x64: implement retpoline for tail call Greg Kroah-Hartman
2018-03-10 0:19 ` [PATCH 4.9 62/65] bpf, arm64: fix out of bounds access in " Greg Kroah-Hartman
2018-03-10 0:19 ` [PATCH 4.9 63/65] bpf: add schedule points in percpu arrays management Greg Kroah-Hartman
2018-03-10 0:19 ` [PATCH 4.9 64/65] bpf, ppc64: fix out of bounds access in tail call Greg Kroah-Hartman
2018-03-10 0:19 ` [PATCH 4.9 65/65] btrfs: preserve i_mode if __btrfs_set_acl() fails Greg Kroah-Hartman
2018-03-10 5:14 ` [PATCH 4.9 00/65] 4.9.87-stable review Shuah Khan
2018-03-10 7:59 ` kernelci.org bot
2018-03-10 15:44 ` Guenter Roeck
2018-03-12 7:02 ` Naresh Kamboju
2018-03-12 9:32 ` Naresh Kamboju
2018-03-12 10:01 ` Naresh Kamboju
2018-03-12 10:26 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180310001826.622986326@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dvyukov@google.com \
--cc=ebiggers3@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=stable@vger.kernel.org \
--cc=wanpeng.li@hotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).