From patchwork Thu May 18 09:47:20 2017
X-Patchwork-Submitter: Christoffer Dall
X-Patchwork-Id: 100076
From: Christoffer Dall
To: Paolo Bonzini, Radim Krčmář
Cc: Marc Zyngier, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Suzuki K Poulose, Mark Rutland, andreyknvl@google.com, stable@vger.kernel.org, Christoffer Dall
Subject: [PULL 11/13] kvm: arm/arm64: Fix use after free of stage2 page table
Date: Thu, 18 May 2017 11:47:20 +0200
Message-Id: <20170518094722.9926-12-cdall@linaro.org>
In-Reply-To: <20170518094722.9926-1-cdall@linaro.org>
References: <20170518094722.9926-1-cdall@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Suzuki K Poulose

We yield the kvm->mmu_lock occasionally while performing an operation (e.g., unmap or permission changes) on a large area of stage2 mappings. However, this could possibly cause another thread to clear and free up the stage2 page tables while we were waiting to regain the lock, and thus the original thread could end up accessing memory that was freed. This patch fixes the problem by making sure that the stage2 pagetable is still valid after we regain the lock. The fact that mmu_notifier->release() could be called twice (via __mmu_notifier_release and mmu_notifier_unregister) enhances the possibility of hitting this race where there are two threads trying to unmap the entire guest shadow pages.

While at it, clean up the redundant checks around cond_resched_lock in stage2_wp_range(), as cond_resched_lock already does the same checks.

Cc: Mark Rutland
Cc: Radim Krčmář
Cc: andreyknvl@google.com
Cc: Paolo Bonzini
Cc: stable@vger.kernel.org
Acked-by: Marc Zyngier
Signed-off-by: Suzuki K Poulose
Reviewed-by: Christoffer Dall
Signed-off-by: Christoffer Dall
---
virt/kvm/arm/mmu.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
--
2.9.0

diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c index 704e35f..a2d6324 100644 --- a/virt/kvm/arm/mmu.c +++ b/virt/kvm/arm/mmu.c @@ -295,6 +295,13 @@ static void unmap_stage2_range(struct kvm *kvm, phys_addr_t start, u64 size) assert_spin_locked(&kvm->mmu_lock); pgd = kvm->arch.pgd + stage2_pgd_index(addr); do { + /* + * Make sure the page table is still active, as another thread + * could have possibly freed the page table, while we released + * the lock. + */ + if (!READ_ONCE(kvm->arch.pgd)) + break; next = stage2_pgd_addr_end(addr, end); if (!stage2_pgd_none(*pgd)) unmap_stage2_puds(kvm, pgd, addr, next);
@@ -1170,11 +1177,13 @@ static void stage2_wp_range(struct kvm *kvm, phys_addr_t addr, phys_addr_t end) * large. Otherwise, we may see kernel panics with * CONFIG_DETECT_HUNG_TASK, CONFIG_LOCKUP_DETECTOR, * CONFIG_LOCKDEP. Additionally, holding the lock too long - * will also starve other vCPUs. + * will also starve other vCPUs. We have to also make sure + * that the page tables are not freed while we released + * the lock. */ - if (need_resched() || spin_needbreak(&kvm->mmu_lock)) - cond_resched_lock(&kvm->mmu_lock); - + cond_resched_lock(&kvm->mmu_lock); + if (!READ_ONCE(kvm->arch.pgd)) + break; next = stage2_pgd_addr_end(addr, end); if (stage2_pgd_present(*pgd)) stage2_wp_puds(pgd, addr, next);
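Review bot: in the unmap_stage2_range hunk, the new `if (!READ_ONCE(kvm->arch.pgd)) break;` guard is only sound if the thread that tears the table down sets `kvm->arch.pgd` to NULL while holding `kvm->mmu_lock` and before it frees the pages; that side of the protocol is not visible in this hunk, so the added comment should name the freeing path it relies on rather than only saying another thread "could have possibly freed the page table". It is also worth stating in the comment that the local `pgd` pointer was computed from `kvm->arch.pgd` before the loop and is dangling once the guard fires, which is why nothing after the `break` may touch it.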
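Review bot: in the stage2_wp_range hunk, the `if (!READ_ONCE(kvm->arch.pgd)) break;` check has to stay directly after `cond_resched_lock(&kvm->mmu_lock);`, since that call is the only point in the loop where the lock can be dropped and the table observed as gone; a one-line comment coupling the two would keep a later edit from separating them. Replacing `if (need_resched() || spin_needbreak(&kvm->mmu_lock)) cond_resched_lock(...)` with an unconditional `cond_resched_lock()` is behaviour-preserving as the commit message says, since that helper performs the same checks itself, but the comment should note that the `break` leaves the rest of the range un-write-protected, which is only acceptable because a NULL `kvm->arch.pgd` means another thread has already torn the table down (the `mmu_notifier->release()` race the commit message describes).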