From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Paul Mackerras" <paulus@ozlabs.org>,
"Christian Borntraeger" <borntraeger@de.ibm.com>,
"Janosch Frank" <frankja@linux.ibm.com>,
"David Hildenbrand" <david@redhat.com>,
"Cornelia Huck" <cohuck@redhat.com>,
"Sean Christopherson" <sean.j.christopherson@intel.com>,
"Vitaly Kuznetsov" <vkuznets@redhat.com>,
"Wanpeng Li" <wanpengli@tencent.com>,
"Jim Mattson" <jmattson@google.com>,
"Joerg Roedel" <joro@8bytes.org>, "Marc Zyngier" <maz@kernel.org>,
"James Morse" <james.morse@arm.com>,
"Julien Thierry" <julien.thierry.kdev@gmail.com>,
"Suzuki K Poulose" <suzuki.poulose@arm.com>,
linux-mips@vger.kernel.org, kvm@vger.kernel.org,
kvm-ppc@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org,
"Christoffer Dall" <christoffer.dall@arm.com>,
"Peter Xu" <peterx@redhat.com>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>
Subject: [PATCH v5 01/19] KVM: x86: Allocate new rmap and large page tracking when moving memslot
Date: Tue, 21 Jan 2020 14:31:39 -0800
Message-ID: <20200121223157.15263-2-sean.j.christopherson@intel.com>
In-Reply-To: <20200121223157.15263-1-sean.j.christopherson@intel.com>

Reallocate an rmap array and recalculate large page compatibility when
moving an existing memslot to correctly handle the alignment properties
of the new memslot. The number of rmap entries required at each level
is dependent on the alignment of the memslot's base gfn with respect to
that level, e.g. moving a large-page aligned memslot so that it becomes
unaligned will increase the number of rmap entries needed at the now
unaligned level.

Not updating the rmap array is the most obvious bug, as KVM accesses
garbage data beyond the end of the rmap. KVM interprets the bad data as
pointers, leading to non-canonical #GPs, unexpected #PFs, etc...

general protection fault: 0000 [#1] SMP
CPU: 0 PID: 1909 Comm: move_memory_reg Not tainted 5.4.0-rc7+ #139
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:rmap_get_first+0x37/0x50 [kvm]
Code: <48> 8b 3b 48 85 ff 74 ec e8 6c f4 ff ff 85 c0 74 e3 48 89 d8 5b c3
RSP: 0018:ffffc9000021bbc8 EFLAGS: 00010246
RAX: ffff00617461642e RBX: ffff00617461642e RCX: 0000000000000012
RDX: ffff88827400f568 RSI: ffffc9000021bbe0 RDI: ffff88827400f570
RBP: 0010000000000000 R08: ffffc9000021bd00 R09: ffffc9000021bda8
R10: ffffc9000021bc48 R11: 0000000000000000 R12: 0030000000000000
R13: 0000000000000000 R14: ffff88827427d700 R15: ffffc9000021bce8
FS: 00007f7eda014700(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7ed9216ff8 CR3: 0000000274391003 CR4: 0000000000162eb0
Call Trace:
kvm_mmu_slot_set_dirty+0xa1/0x150 [kvm]
__kvm_set_memory_region.part.64+0x559/0x960 [kvm]
kvm_set_memory_region+0x45/0x60 [kvm]
kvm_vm_ioctl+0x30f/0x920 [kvm]
do_vfs_ioctl+0xa1/0x620
ksys_ioctl+0x66/0x70
__x64_sys_ioctl+0x16/0x20
do_syscall_64+0x4c/0x170
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f7ed9911f47
Code: <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 21 6f 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffc00937498 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000001ab0010 RCX: 00007f7ed9911f47
RDX: 0000000001ab1350 RSI: 000000004020ae46 RDI: 0000000000000004
RBP: 000000000000000a R08: 0000000000000000 R09: 00007f7ed9214700
R10: 00007f7ed92149d0 R11: 0000000000000246 R12: 00000000bffff000
R13: 0000000000000003 R14: 00007f7ed9215000 R15: 0000000000000000
Modules linked in: kvm_intel kvm irqbypass
---[ end trace 0c5f570b3358ca89 ]---

The disallow_lpage tracking is more subtle. Failure to update results
in KVM creating large pages when it shouldn't, either due to stale data
or again due to indexing beyond the end of the metadata arrays, which
can lead to memory corruption and/or leaking data to guest/userspace.

Note, the arrays for the old memslot are freed by the unconditional call
to kvm_free_memslot() in __kvm_set_memory_region().

Fixes: 05da45583de9b ("KVM: MMU: large page support")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
---
arch/x86/kvm/x86.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 4c30ebe74e5d..1953c71c52f2 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -9793,6 +9793,13 @@ int kvm_arch_create_memslot(struct kvm *kvm, struct kvm_memory_slot *slot,
{
int i;
+ /*
+ * Clear out the previous array pointers for the KVM_MR_MOVE case. The
+ * old arrays will be freed by __kvm_set_memory_region() if installing
+ * the new memslot is successful.
+ */
+ memset(&slot->arch, 0, sizeof(slot->arch));
+
for (i = 0; i < KVM_NR_PAGE_SIZES; ++i) {
struct kvm_lpage_info *linfo;
unsigned long ugfn;
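Review bot: the new comment says the old arrays are freed "if installing the new memslot is successful", while the commit message says kvm_free_memslot() is called unconditionally from __kvm_set_memory_region(); the two statements should agree. The memset() discards the only pointers this slot copy holds, so a reader needs to know that the old memslot (not this one) still owns the live arrays and is what gets freed, and what happens to arrays allocated by the loop below if a later allocation in the same call fails. Suggest stating both points in the comment, e.g. "The old memslot still references its arrays; __kvm_set_memory_region() frees them via kvm_free_memslot()."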
@@ -9867,6 +9874,10 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
const struct kvm_userspace_memory_region *mem,
enum kvm_mr_change change)
{
+ if (change == KVM_MR_MOVE)
+ return kvm_arch_create_memslot(kvm, memslot,
+ mem->memory_size >> PAGE_SHIFT);
+
return 0;
}
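Review bot: for KVM_MR_MOVE this returns straight into kvm_arch_create_memslot(), whose first action is now the memset() of slot->arch, so correctness depends on memslot being the new copy of the slot rather than the slot that is still installed; that is not visible in this hunk and is worth a one-line comment. Also, mem->memory_size >> PAGE_SHIFT recomputes the page count from the userspace struct rather than from the slot that is being prepared; if the generic code has already filled in the new slot's page count before calling prepare, passing that keeps a single source of truth for the array sizes.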
--
2.24.1
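The commit message states that the per-level rmap and lpage_info array sizes depend on how the memslot's base gfn is aligned at each level, and that disallow_lpage must be recomputed after a move. The following is an added example, not the kernel's code or anything from this patch: it re-implements the size and alignment rules in the shape of the x86 KVM helpers (KVM_HPAGE_GFN_SHIFT, gfn_to_index, the head/tail/host-alignment disallow checks) so it builds stand-alone, then shows that moving a 2M-sized, 2M-aligned slot by 1M grows the level-2 array from one entry to two and disallows both entries. The macro values, the sample gfns and the sample host address are assumptions chosen for illustration.

```c
/* Model of how KVM sizes per-level memslot metadata arrays and marks
 * large-page-incompatible entries. Added example; the macros and helpers
 * mirror the shape of the x86 KVM definitions but are assumptions here,
 * not the kernel's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t gfn_t;

#define PAGE_SHIFT 12
#define KVM_NR_PAGE_SIZES 3                      /* 4K, 2M, 1G (assumed) */
#define KVM_HPAGE_GFN_SHIFT(level) (((level) - 1) * 9)
#define KVM_PAGES_PER_HPAGE(level) (1ULL << KVM_HPAGE_GFN_SHIFT(level))

/* Index of @gfn in a slot's per-level array, relative to the slot's base. */
static uint64_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
{
	return (gfn >> KVM_HPAGE_GFN_SHIFT(level)) -
	       (base_gfn >> KVM_HPAGE_GFN_SHIFT(level));
}

/* Entries the rmap / lpage_info array needs at @level for this slot.
 * Depends on base_gfn's alignment, not just on npages. */
uint64_t lpages_for_slot(gfn_t base_gfn, uint64_t npages, int level)
{
	return gfn_to_index(base_gfn + npages - 1, base_gfn, level) + 1;
}

/* True if a KVM_MR_MOVE from @old_base to @new_base changes the size of
 * any per-level array, i.e. the old arrays cannot simply be reused. */
bool move_changes_array_sizes(gfn_t old_base, gfn_t new_base, uint64_t npages)
{
	for (int level = 1; level <= KVM_NR_PAGE_SIZES; level++)
		if (lpages_for_slot(new_base, npages, level) !=
		    lpages_for_slot(old_base, npages, level))
			return true;
	return false;
}

/* Fill @out[0..lpages) with the disallow_lpage state for @level using three
 * rules: an unaligned head entry, an unaligned tail entry, and a mismatch
 * between guest-physical and host-virtual alignment (disallows all).
 * Returns the number of disallowed entries, or -1 if @out is too small. */
int mark_disallow_lpage(gfn_t base_gfn, uint64_t npages, uint64_t userspace_addr,
			int level, bool *out, size_t cap)
{
	uint64_t mask = KVM_PAGES_PER_HPAGE(level) - 1;
	uint64_t lpages = lpages_for_slot(base_gfn, npages, level);
	gfn_t ugfn = userspace_addr >> PAGE_SHIFT;
	int disallowed = 0;

	if (lpages > cap)
		return -1;
	for (uint64_t j = 0; j < lpages; j++)
		out[j] = false;

	if (base_gfn & mask)
		out[0] = true;                 /* slot starts mid large page */
	if ((base_gfn + npages) & mask)
		out[lpages - 1] = true;        /* slot ends mid large page */
	if ((base_gfn ^ ugfn) & mask)          /* host/guest alignment differs */
		for (uint64_t j = 0; j < lpages; j++)
			out[j] = true;

	for (uint64_t j = 0; j < lpages; j++)
		disallowed += out[j];
	return disallowed;
}

int main(void)
{
	/* Constructed sample: a 2M slot, first 2M-aligned, then moved by 1M. */
	const uint64_t npages = 512;
	const uint64_t hva = 0x7f0000000000ULL;   /* 2M-aligned host address */
	const gfn_t bases[2] = { 0x10000, 0x10100 };
	bool out[8];

	for (int s = 0; s < 2; s++) {
		printf("base_gfn 0x%llx:\n", (unsigned long long)bases[s]);
		for (int level = 1; level <= KVM_NR_PAGE_SIZES; level++) {
			int bad = mark_disallow_lpage(bases[s], npages, hva,
						      level, out, sizeof(out));
			printf("  level %d: %llu entries, %d disallow_lpage\n",
			       level,
			       (unsigned long long)lpages_for_slot(bases[s], npages, level),
			       bad);
		}
	}
	printf("move needs new arrays: %s\n",
	       move_changes_array_sizes(bases[0], bases[1], npages) ? "yes" : "no");
	return 0;
}
```

The level-2 result is the case the commit message describes: the aligned slot needs one entry with large pages allowed, and after the move the same slot needs two entries, both disallowed, so indexing the old single-entry array with the new geometry would read past its end.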