linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Claudio Imbrenda <imbrenda@linux.ibm.com>
To: kvm@vger.kernel.org
Cc: cohuck@redhat.com, borntraeger@de.ibm.com, frankja@linux.ibm.com,
	thuth@redhat.com, pasic@linux.ibm.com, david@redhat.com,
	linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 04/13] KVM: s390: pv: handle secure storage violations for protected guests
Date: Wed, 28 Jul 2021 16:26:22 +0200	[thread overview]
Message-ID: <20210728142631.41860-5-imbrenda@linux.ibm.com> (raw)
In-Reply-To: <20210728142631.41860-1-imbrenda@linux.ibm.com>

With upcoming patches, protected guests will be able to trigger secure
storage violations in normal operation.

This patch adds handling of secure storage violations for protected
guests.

Pages that trigger the exception will be made non-secure before
attempting to use them again.

Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: Janosch Frank <frankja@linux.ibm.com>
---
 arch/s390/include/asm/uv.h |  1 +
 arch/s390/kernel/uv.c      | 43 ++++++++++++++++++++++++++++++++++++++
 arch/s390/mm/fault.c       | 10 +++++++++
 3 files changed, 54 insertions(+)

diff --git a/arch/s390/include/asm/uv.h b/arch/s390/include/asm/uv.h
index bbd51aa94d05..7722cde51912 100644
--- a/arch/s390/include/asm/uv.h
+++ b/arch/s390/include/asm/uv.h
@@ -351,6 +351,7 @@ static inline int is_prot_virt_host(void)
 }
 
 int gmap_make_secure(struct gmap *gmap, unsigned long gaddr, void *uvcb);
+int gmap_destroy_page(struct gmap *gmap, unsigned long gaddr);
 int uv_destroy_owned_page(unsigned long paddr);
 int uv_convert_from_secure(unsigned long paddr);
 int uv_convert_owned_from_secure(unsigned long paddr);
diff --git a/arch/s390/kernel/uv.c b/arch/s390/kernel/uv.c
index 5a6ac965f379..9cfd7979648c 100644
--- a/arch/s390/kernel/uv.c
+++ b/arch/s390/kernel/uv.c
@@ -337,6 +337,49 @@ int gmap_convert_to_secure(struct gmap *gmap, unsigned long gaddr)
 }
 EXPORT_SYMBOL_GPL(gmap_convert_to_secure);
 
+int gmap_destroy_page(struct gmap *gmap, unsigned long gaddr)
+{
+	struct vm_area_struct *vma;
+	unsigned long uaddr;
+	struct page *page;
+	int rc;
+
+	rc = -EFAULT;
+	mmap_read_lock(gmap->mm);
+
+	uaddr = __gmap_translate(gmap, gaddr);
+	if (IS_ERR_VALUE(uaddr))
+		goto out;
+	vma = find_vma(gmap->mm, uaddr);
+	if (!vma)
+		goto out;
+	/*
+	 * Huge pages should not be able to become secure
+	 */
+	if (is_vm_hugetlb_page(vma))
+		goto out;
+
+	rc = 0;
+	/* we take an extra reference here */
+	page = follow_page(vma, uaddr, FOLL_WRITE | FOLL_GET);
+	if (IS_ERR_OR_NULL(page))
+		goto out;
+	rc = uv_destroy_owned_page(page_to_phys(page));
+	/*
+	 * Fault handlers can race; it is possible that one CPU will destroy
+	 * and import the page, at which point the second CPU handling the
+	 * same fault will not be able to destroy. In that case we do not
+	 * want to terminate the process, we instead try to export the page.
+	 */
+	if (rc)
+		rc = uv_convert_owned_from_secure(page_to_phys(page));
+	put_page(page);
+out:
+	mmap_read_unlock(gmap->mm);
+	return rc;
+}
+EXPORT_SYMBOL_GPL(gmap_destroy_page);
+
 /*
  * To be called with the page locked or with an extra reference! This will
  * prevent gmap_make_secure from touching the page concurrently. Having 2
diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
index e33c43b38afe..eb68b4f36927 100644
--- a/arch/s390/mm/fault.c
+++ b/arch/s390/mm/fault.c
@@ -850,6 +850,16 @@ NOKPROBE_SYMBOL(do_non_secure_storage_access);
 
 void do_secure_storage_violation(struct pt_regs *regs)
 {
+	unsigned long gaddr = regs->int_parm_long & __FAIL_ADDR_MASK;
+	struct gmap *gmap = (struct gmap *)S390_lowcore.gmap;
+
+	/*
+	 * If the VM has been rebooted, its address space might still contain
+	 * secure pages from the previous boot.
+	 * Clear the page so it can be reused.
+	 */
+	if (!gmap_destroy_page(gmap, gaddr))
+		return;
 	/*
 	 * Either KVM messed up the secure guest mapping or the same
 	 * page is mapped into multiple secure guests.
-- 
2.31.1


  parent reply	other threads:[~2021-07-28 14:27 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-28 14:26 [PATCH v2 00/13] KVM: s390: pv: implement lazy destroy Claudio Imbrenda
2021-07-28 14:26 ` [PATCH v2 01/13] KVM: s390: pv: avoid stall notifications for some UVCs Claudio Imbrenda
2021-07-29  9:58   ` Janosch Frank
2021-07-29 12:52     ` Claudio Imbrenda
2021-07-29 10:49   ` Cornelia Huck
2021-07-29 13:22     ` Claudio Imbrenda
2021-07-28 14:26 ` [PATCH v2 02/13] KVM: s390: pv: leak the ASCE page when destroy fails Claudio Imbrenda
2021-07-29 10:41   ` Janosch Frank
2021-07-29 12:54     ` Claudio Imbrenda
2021-07-29 13:45       ` Janosch Frank
2021-07-28 14:26 ` [PATCH v2 03/13] KVM: s390: pv: properly handle page flags for protected guests Claudio Imbrenda
2021-07-29 11:43   ` Janosch Frank
2021-07-28 14:26 ` Claudio Imbrenda [this message]
2021-07-28 14:26 ` [PATCH v2 05/13] KVM: s390: pv: handle secure storage exceptions for normal guests Claudio Imbrenda
2021-07-29 12:17   ` Janosch Frank
2021-07-29 13:28     ` Claudio Imbrenda
2021-07-28 14:26 ` [PATCH v2 06/13] KVM: s390: pv: refactor s390_reset_acc Claudio Imbrenda
2021-07-28 14:26 ` [PATCH v2 07/13] KVM: s390: pv: usage counter instead of flag Claudio Imbrenda
2021-07-28 14:26 ` [PATCH v2 08/13] KVM: s390: pv: add export before import Claudio Imbrenda
2021-07-28 14:26 ` [PATCH v2 09/13] KVM: s390: pv: lazy destroy for reboot Claudio Imbrenda
2021-07-28 14:26 ` [PATCH v2 10/13] KVM: s390: pv: extend lazy destroy to handle shutdown Claudio Imbrenda
2021-07-28 14:26 ` [PATCH v2 11/13] KVM: s390: pv: module parameter to fence lazy destroy Claudio Imbrenda
2021-07-28 14:26 ` [PATCH v2 12/13] KVM: s390: pv: add OOM notifier for " Claudio Imbrenda
2021-07-28 14:26 ` [PATCH v2 13/13] KVM: s390: pv: add support for UV feature bits Claudio Imbrenda
2021-07-29  9:52   ` Janosch Frank
2021-07-29 13:28     ` Claudio Imbrenda

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210728142631.41860-5-imbrenda@linux.ibm.com \
    --to=imbrenda@linux.ibm.com \
    --cc=borntraeger@de.ibm.com \
    --cc=cohuck@redhat.com \
    --cc=david@redhat.com \
    --cc=frankja@linux.ibm.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=pasic@linux.ibm.com \
    --cc=thuth@redhat.com \
    --subject='Re: [PATCH v2 04/13] KVM: s390: pv: handle secure storage violations for protected guests' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).