From: Christian Borntraeger <borntraeger@de.ibm.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: KVM <kvm@vger.kernel.org>, Janosch Frank <frankja@linux.ibm.com>,
	Claudio Imbrenda <imbrenda@linux.ibm.com>,
	David Hildenbrand <david@redhat.com>,
	linux-s390 <linux-s390@vger.kernel.org>,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	Heiko Carstens <hca@linux.ibm.com>,
	Vasily Gorbik <gor@linux.ibm.com>
Subject: [GIT PULL 01/17] s390/gmap: validate VMA in __gmap_zap()
Date: Sun, 31 Oct 2021 13:10:48 +0100	[thread overview]
Message-ID: <20211031121104.14764-2-borntraeger@de.ibm.com> (raw)
In-Reply-To: <20211031121104.14764-1-borntraeger@de.ibm.com>

From: David Hildenbrand <david@redhat.com>

We should not walk/touch page tables outside of VMA boundaries when
holding only the mmap sem in read mode. Evil user space can modify the
VMA layout just before this function runs and e.g., trigger races with
page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
with read mmap_sem in munmap"). The pure prescence in our guest_to_host
radix tree does not imply that there is a VMA.

Further, we should not allocate page tables (via get_locked_pte()) outside
of VMA boundaries: if evil user space decides to map hugetlbfs to these
ranges, bad things will happen because we suddenly have PTE or PMD page
tables where we shouldn't have them.

Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
calling get_locked_pte().

Note that gmap_discard() is different:
zap_page_range()->unmap_single_vma() makes sure to stay within VMA
boundaries.

Fixes: b31288fa83b2 ("s390/kvm: support collaborative memory management")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Link: https://lore.kernel.org/r/20210909162248.14969-2-david@redhat.com
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
---
 arch/s390/mm/gmap.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
index 4d3b33ce81c6..e0735c343775 100644
--- a/arch/s390/mm/gmap.c
+++ b/arch/s390/mm/gmap.c
@@ -672,6 +672,7 @@ EXPORT_SYMBOL_GPL(gmap_fault);
  */
 void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
 {
+	struct vm_area_struct *vma;
 	unsigned long vmaddr;
 	spinlock_t *ptl;
 	pte_t *ptep;
@@ -681,6 +682,11 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
 						   gaddr >> PMD_SHIFT);
 	if (vmaddr) {
 		vmaddr |= gaddr & ~PMD_MASK;
+
+		vma = vma_lookup(gmap->mm, vmaddr);
+		if (!vma || is_vm_hugetlb_page(vma))
+			return;
+
 		/* Get pointer to the page table entry */
 		ptep = get_locked_pte(gmap->mm, vmaddr, &ptl);
 		if (likely(ptep))
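Review bot: the new `vma_lookup()` / `is_vm_hugetlb_page()` check in the `if (vmaddr)` block is only meaningful while the caller holds mmap_lock (the commit message says the read side is held), but nothing in the hunk documents or asserts that; consider an `mmap_assert_locked(gmap->mm)` directly before `vma = vma_lookup(gmap->mm, vmaddr);`, or a comment stating the requirement, and a short comment on the early `return` explaining that a missing or hugetlbfs VMA is deliberately skipped rather than treated as an error, so the next reader does not mistake the silent return for an unhandled case.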
-- 
2.31.1


Thread overview: 19+ messages
2021-10-31 12:10 [GIT PULL 00/17] KVM: s390: Fixes and Features for 5.16 Christian Borntraeger
2021-10-31 12:10 ` Christian Borntraeger [this message]
2021-10-31 12:10 ` [GIT PULL 02/17] s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap() Christian Borntraeger
2021-10-31 12:10 ` [GIT PULL 03/17] s390/mm: validate VMA in PGSTE manipulation functions Christian Borntraeger
2021-10-31 12:10 ` [GIT PULL 04/17] s390/mm: fix VMA and page table handling code in storage key handling functions Christian Borntraeger
2021-10-31 12:10 ` [GIT PULL 05/17] s390/uv: fully validate the VMA before calling follow_page() Christian Borntraeger
2021-10-31 12:10 ` [GIT PULL 06/17] s390/mm: no need for pte_alloc_map_lock() if we know the pmd is present Christian Borntraeger
2021-10-31 12:10 ` [GIT PULL 07/17] s390/mm: optimize set_guest_storage_key() Christian Borntraeger
2021-10-31 12:10 ` [GIT PULL 08/17] s390/mm: optimize reset_guest_reference_bit() Christian Borntraeger
2021-10-31 12:10 ` [GIT PULL 09/17] KVM: s390: pv: add macros for UVC CC values Christian Borntraeger
2021-10-31 12:10 ` [GIT PULL 10/17] KVM: s390: pv: avoid double free of sida page Christian Borntraeger
2021-10-31 12:10 ` [GIT PULL 11/17] KVM: s390: pv: avoid stalls for kvm_s390_pv_init_vm Christian Borntraeger
2021-10-31 12:10 ` [GIT PULL 12/17] KVM: s390: pv: avoid stalls when making pages secure Christian Borntraeger
2021-10-31 12:11 ` [GIT PULL 13/17] KVM: s390: Simplify SIGP Set Arch handling Christian Borntraeger
2021-10-31 12:11 ` [GIT PULL 14/17] KVM: s390: Add a routine for setting userspace CPU state Christian Borntraeger
2021-10-31 12:11 ` [GIT PULL 15/17] KVM: s390: Fix handle_sske page fault handling Christian Borntraeger
2021-10-31 12:11 ` [GIT PULL 16/17] KVM: s390: pv: properly handle page flags for protected guests Christian Borntraeger
2021-10-31 12:11 ` [GIT PULL 17/17] KVM: s390: add debug statement for diag 318 CPNC data Christian Borntraeger
2021-11-01  7:35 ` [GIT PULL 00/17] KVM: s390: Fixes and Features for 5.16 Paolo Bonzini
