From patchwork Thu Apr 13 15:50:46 2017
X-Patchwork-Submitter: Suzuki K Poulose
X-Patchwork-Id: 750503
Date: Thu, 13 Apr 2017 16:50:46 +0100
From: "Suzuki K. Poulose"
To: Marc Zyngier, Andrey Konovalov, Paolo Bonzini
Subject: Re: kvm/arm64: use-after-free in kvm_unmap_hva_handler/unmap_stage2_pmds
Message-ID: <20170413155045.GA8387@e107814-lin.cambridge.arm.com>
References: <20f6c994-d83e-7a6f-9f13-f10287211a6c@arm.com>
 <9f473bb9-d0eb-6803-1263-75ffef0301fe@redhat.com>
 <1050c9d8-5813-5df9-29e5-3ab6e61b5de6@arm.com>
 <88715300-ef58-e7bd-81f5-95e0b9c9c533@arm.com>
In-Reply-To: <88715300-ef58-e7bd-81f5-95e0b9c9c533@arm.com>
Cc: mark.rutland@arm.com, kvm@vger.kernel.org, rkrcmar@redhat.com, christoffer.dall@linaro.org, catalin.marinas@arm.com, will.deacon@arm.com, linux-kernel@vger.kernel.org, kcc@google.com, syzkaller@googlegroups.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, dvyukov@google.com

On Thu, Apr 13, 2017 at 10:17:54AM +0100, Suzuki K Poulose wrote:
> On 12/04/17 19:43, Marc Zyngier wrote:
> > On 12/04/17 17:19, Andrey Konovalov wrote:
> >
> > Hi Andrey,
> >
> > > Apparently this wasn't fixed, I've got this report again on
> > > linux-next-c4e7b35a3 (Apr 11), which includes 8b3405e34 "kvm:
> > > arm/arm64: Fix locking for kvm_free_stage2_pgd".
> >
> > This looks like a different bug.
> >
> > >
> > > I now have a way to reproduce it, so I can test proposed patches. I
> > > don't have a simple C reproducer though.
> > >
> > > The bug happens when the following syzkaller program is executed:
> > >
> > > mmap(&(0x7f0000000000/0xc000)=nil, (0xc000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
> > > unshare(0x400)
> > > perf_event_open(&(0x7f000002f000-0x78)={0x1, 0x78, 0x0, 0x0, 0x0, 0x0,
> > > 0x0, 0x6, 0x0, 0x0, 0xd34, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
> > > 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0xffffffff,
> > > 0xffffffffffffffff, 0x0)
> > > r0 = openat$kvm(0xffffffffffffff9c,
> > > &(0x7f000000c000-0x9)="2f6465762f6b766d00", 0x0, 0x0)
> > > ioctl$TIOCSBRK(0xffffffffffffffff, 0x5427)
> > > r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
> > > syz_kvm_setup_cpu$arm64(r1, 0xffffffffffffffff,
> > > &(0x7f0000dc6000/0x18000)=nil, &(0x7f000000c000)=[{0x0,
> > > &(0x7f000000c000)="5ba3c16f533efbed09f8221253c73763327fadce2371813b45dd7f7982f84a873e4ae89a6c2bd1af83a6024c36a1ff518318",
> > > 0x32}], 0x1, 0x0, &(0x7f000000d000-0x10)=[@featur2={0x1, 0x3}], 0x1)
> >
> > Is that the only thing the program does? Or is there anything running in
> > parallel?
> >
> > > ==================================================================
> > > BUG: KASAN: use-after-free in arch_spin_is_locked
> > > include/linux/compiler.h:254 [inline]
> > > BUG: KASAN: use-after-free in unmap_stage2_range+0x990/0x9a8
> > > arch/arm64/kvm/../../../arch/arm/kvm/mmu.c:295
> > > Read of size 8 at addr ffff800004476730 by task syz-executor/13106
> > >
> > > CPU: 1 PID: 13106 Comm: syz-executor Not tainted
> > > 4.11.0-rc6-next-20170411-xc2-11025-gc4e7b35a33d4-dirty #5
> > > Hardware name: Hardkernel ODROID-C2 (DT)
> > > Call trace:
> > > [] dump_backtrace+0x0/0x440 arch/arm64/kernel/traps.c:505
> > > [] show_stack+0x20/0x30 arch/arm64/kernel/traps.c:228
> > > [] __dump_stack lib/dump_stack.c:16 [inline]
> > > [] dump_stack+0x110/0x168 lib/dump_stack.c:52
> > > [] print_address_description+0x60/0x248 mm/kasan/report.c:252
> > > [] kasan_report_error mm/kasan/report.c:351 [inline]
> > > [] kasan_report+0x218/0x300 mm/kasan/report.c:408
> > > [] __asan_report_load8_noabort+0x18/0x20 mm/kasan/report.c:429
> > > [] arch_spin_is_locked include/linux/compiler.h:254 [inline]
> >
> > This is the assert on the spinlock, and the memory is gone.
> >
> > > [] unmap_stage2_range+0x990/0x9a8
> > > arch/arm64/kvm/../../../arch/arm/kvm/mmu.c:295
> > > [] kvm_free_stage2_pgd.part.16+0x30/0x98
> > > arch/arm64/kvm/../../../arch/arm/kvm/mmu.c:842
> > > [] kvm_free_stage2_pgd
> > > arch/arm64/kvm/../../../arch/arm/kvm/mmu.c:838 [inline]
> >
> > But we've taken that lock here. There's only a handful of instructions
> > in between, and the memory can only go away if there is something
> > messing with us in parallel.
> >
> > > [] kvm_arch_flush_shadow_all+0x40/0x58
> > > arch/arm64/kvm/../../../arch/arm/kvm/mmu.c:1895
> > > [] kvm_mmu_notifier_release+0x154/0x1d0
> > > arch/arm64/kvm/../../../virt/kvm/kvm_main.c:472
> > > [] __mmu_notifier_release+0x1c0/0x3e0 mm/mmu_notifier.c:75
> > > [] mmu_notifier_release
> > > include/linux/mmu_notifier.h:235 [inline]
> > > [] exit_mmap+0x21c/0x288 mm/mmap.c:2941
> > > [] __mmput kernel/fork.c:888 [inline]
> > > [] mmput+0xdc/0x2e0 kernel/fork.c:910
> > > [] exit_mm kernel/exit.c:557 [inline]
> > > [] do_exit+0x648/0x2020 kernel/exit.c:865
> > > [] do_group_exit+0xdc/0x260 kernel/exit.c:982
> > > [] get_signal+0x358/0xf58 kernel/signal.c:2318
> > > [] do_signal+0x170/0xc10 arch/arm64/kernel/signal.c:370
> > > [] do_notify_resume+0xe4/0x120 arch/arm64/kernel/signal.c:421
> > > [] work_pending+0x8/0x14
> >
> > So we're being serviced with a signal. Do you know if this signal is
> > generated by your syzkaller program? We could be racing between do_exit
> > triggered by a fatal signal (this trace) and the closing of the two file
> > descriptors (vcpu and vm).
> >
> > Paolo: does this look possible to you? I can't see what locking we have
> > that could prevent this race.
>
> On a quick look, I see two issues:
>
> 1) It looks like the mmu_notifier->ops.release could be called twice for a notifier,
> from mmu_notifier_unregister() and exit_mmap()->mmu_notifier_release(), which is
> causing the problem as above.
>
> This could possibly be avoided by swapping the order of the following operations
> in the mmu_notifier_unregister():
>
> a) Invoke ops->release under srcu_read_lock()
> b) Delete the notifier from the list.
>
> which can prevent mmu_notifier_release() calling the ops->release() again, before
> we reach (b).
>
>
> 2) The core KVM code does an mmgrab()/mmdrop on the current->mm to pin the mm_struct. But
> this doesn't prevent the "real_address user space" from being destroyed.
> Since KVM
> actually depends on the user pages and page tables, it should really/also(?) use
> mmget()/mmput() (See Documentation/vm/active_mm.txt). I understand that mmget() shouldn't
> be used for pinning unbounded amount of time. But since we do it from within the same
> process context (like say threads), we should be safe to do so.

Here is a patch which implements (2) above.

----8>-----

kvm: Hold reference to the user address space

The core KVM code uses mmgrab/mmdrop to pin the mm struct of the user
application. mmgrab only guarantees that the mm struct is available,
while the "real address space" (see Documentation/vm/active_mm.txt) may
be destroyed. Since the KVM depends on the user space page tables for
the Guest pages, we should instead do an mmget/mmput. Even though
mmget/mmput is not encouraged for uses with unbounded time, the KVM is
fine to do so, as we are doing it from the context of the same process.

This also prevents the race condition where mmu_notifier_release() could
be called in parallel and one instance could end up using a free'd kvm
instance.

Cc: Mark Rutland
Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Marc Zyngier
Cc: Christoffer Dall
Cc: andreyknvl@google.com
Signed-off-by: Suzuki K Poulose
---
 virt/kvm/kvm_main.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

-- 
2.7.4

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 88257b3..555712e 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -613,7 +613,7 @@ static struct kvm *kvm_create_vm(unsigned long type) return ERR_PTR(-ENOMEM); spin_lock_init(&kvm->mmu_lock); - mmgrab(current->mm); + mmget(current->mm); kvm->mm = current->mm; kvm_eventfd_init(kvm); mutex_init(&kvm->lock); @@ -685,7 +685,7 @@ static struct kvm *kvm_create_vm(unsigned long type) for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) kvm_free_memslots(kvm, kvm->memslots[i]); kvm_arch_free_vm(kvm); - mmdrop(current->mm); + mmput(current->mm); return ERR_PTR(r); } @@ -747,7 +747,7 @@ static void kvm_destroy_vm(struct kvm *kvm) kvm_arch_free_vm(kvm); preempt_notifier_dec(); hardware_disable_all(); - mmdrop(mm); + mmput(mm); } void kvm_get_kvm(struct kvm *kvm)
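Review bot: in the first hunk, mmget(current->mm) in kvm_create_vm() is only safe because the caller is a task of that mm, so its mm_users count is already non-zero, and nothing at the call site says so; a one-line comment above the call, e.g. `/* hold mm_users: KVM needs the page tables, not just the mm_struct */`, would stop a later reader from "fixing" it back to mmgrab(), and the commit message should spell out the behavioural change that a VM fd now keeps the process's address space alive until kvm_destroy_vm() runs, which this one-line diff does not make visible.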
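Review bot: in the third hunk, mmput(mm) at the end of kvm_destroy_vm() may drop the last mm_users reference, in which case __mmput() and exit_mmap() run synchronously at that point, including the mmu_notifier_release() path shown in the trace above; the commit message should state that the VM's mmu notifier has already been unregistered before this line is reached (so kvm_mmu_notifier_release() cannot be invoked on the kvm being torn down) and that every caller of kvm_destroy_vm() is in a context where tearing down the whole address space inline is acceptable.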