From patchwork Tue Oct 1 22:01:20 2024
From: Ian Whitfield
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/1] KVM: s390: vsie: fix race during shadow creation
Date: Tue, 1 Oct 2024 15:01:20 -0700
Message-ID: <20241001220121.32335-2-ian.whitfield@canonical.com>
In-Reply-To: <20241001220121.32335-1-ian.whitfield@canonical.com>
References: <20241001220121.32335-1-ian.whitfield@canonical.com>

From: Christian Borntraeger

Right now it is possible to see gmap->private being zero in
kvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the
fact that we add gmap->private == kvm after creation:

static int acquire_gmap_shadow(struct kvm_vcpu *vcpu,
                               struct vsie_page *vsie_page)
{
[...]
        gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);
        if (IS_ERR(gmap))
                return PTR_ERR(gmap);
        gmap->private = vcpu->kvm;

Let children inherit the private field of the parent.

Reported-by: Marc Hartmayer
Fixes: a3508fbe9dc6 ("KVM: s390: vsie: initial support for nested virtualization")
Cc:
Cc: David Hildenbrand
Reviewed-by: Janosch Frank
Reviewed-by: David Hildenbrand
Reviewed-by: Claudio Imbrenda
Signed-off-by: Christian Borntraeger
Link: https://lore.kernel.org/r/20231220125317.4258-1-borntraeger@linux.ibm.com
(backported from commit fe752331d4b361d43cfd0b89534b4b2176057c32)
[ijwhitfield: adjusted context due to missing commit c3235e2dd695 ("KVM: s390: add stat counter for shadow gmap events")]
CVE-2023-52639
Signed-off-by: Ian Whitfield
---
 arch/s390/kvm/vsie.c | 1 -
 arch/s390/mm/gmap.c  | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c
index 05db4bad8502..8bcb24e961d2 100644
--- a/arch/s390/kvm/vsie.c
+++ b/arch/s390/kvm/vsie.c
@@ -1115,7 +1115,6 @@ static int acquire_gmap_shadow(struct kvm_vcpu *vcpu, gmap = gmap_shadow(vcpu->arch.gmap, asce, edat); if (IS_ERR(gmap)) return PTR_ERR(gmap); - gmap->private = vcpu->kvm; WRITE_ONCE(vsie_page->gmap, gmap); return 0; } diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c index dd68b3044b2b..36ff989d3880 100644 --- a/arch/s390/mm/gmap.c +++ b/arch/s390/mm/gmap.c @@ -1670,6 +1670,7 @@ struct gmap *gmap_shadow(struct gmap *parent, unsigned long asce, return ERR_PTR(-ENOMEM); new->mm = parent->mm; new->parent = gmap_get(parent); + new->private = parent->private; new->orig_asce = asce; new->edat_level = edat_level; new->initialized = false;
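Review bot: dropping `gmap->private = vcpu->kvm;` from acquire_gmap_shadow() leaves nothing in vsie.c that sets private, so this hunk is only correct when it lands in the same commit as the gmap.c hunk, and the fix now relies on vcpu->arch.gmap->private already holding vcpu->kvm at the time gmap_shadow() is called; the commit message implies that dependency but does not state it, and since the backport note only mentions the adjusted context from the missing c3235e2dd695, one sentence making the parent-side precondition explicit would help whoever reviews the SRU.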
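Review bot: `new->private = parent->private;` sits right after `new->parent = gmap_get(parent);` and ahead of the remaining initialisation in gmap_shadow(), so anything that can observe the new shadow after this point sees a populated private, which is exactly what closes the window described in the commit message; a short comment on that line noting that kvm_s390_vsie_gmap_notifier dereferences private and therefore it must be inherited at creation rather than assigned by the caller would stop a later refactor from moving the assignment below the point where the shadow becomes visible.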
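As an added illustration of the window the commit message describes (a constructed model written for this page, not code from the patch or from the kernel), the C program below mimics the two shapes of gmap_shadow(): the pre-patch one, where the shadow becomes visible before the caller sets private, and the post-patch one, where private is inherited from the parent before the shadow is published. The struct layout, the children array standing in for the notifier's view of the parent's shadows, and the assumption that publication happens inside gmap_shadow() are simplifications made for the example; notifier_walk() stands in for kvm_s390_vsie_gmap_notifier() and merely counts the NULL private pointers it would have dereferenced. The notifier is invoked deterministically at the point where the real race would have to win, so the example shows the ordering defect without needing threads.

```c
/*
 * Constructed toy model of the gmap shadow race; not kernel code.
 * struct gmap, gmap_shadow_old/new() and notifier_walk() are simplified
 * stand-ins for the s390 gmap, gmap_shadow() and
 * kvm_s390_vsie_gmap_notifier(). The children[] array models the point
 * at which a shadow becomes reachable by the notifier (assumed here to
 * be inside gmap_shadow()).
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHILDREN 4

struct kvm {
    int id;
};

struct gmap {
    struct gmap *parent;
    void *private;                       /* owning struct kvm, as in the patch */
    struct gmap *children[MAX_CHILDREN];
    int nr_children;
};

/* Link the new shadow into the parent: from here on the notifier can see it. */
static struct gmap *gmap_shadow_publish(struct gmap *parent, struct gmap *new)
{
    if (parent->nr_children == MAX_CHILDREN) {
        free(new);
        return NULL;
    }
    parent->children[parent->nr_children++] = new;
    return new;
}

/* Pre-patch shape: private is left for the caller to fill in afterwards. */
static struct gmap *gmap_shadow_old(struct gmap *parent)
{
    struct gmap *new = calloc(1, sizeof(*new));
    if (!new)
        return NULL;
    new->parent = parent;
    return gmap_shadow_publish(parent, new);   /* published with private == NULL */
}

/* Post-patch shape: inherit private from the parent before publishing. */
static struct gmap *gmap_shadow_new(struct gmap *parent)
{
    struct gmap *new = calloc(1, sizeof(*new));
    if (!new)
        return NULL;
    new->parent = parent;
    new->private = parent->private;            /* the line the patch adds */
    return gmap_shadow_publish(parent, new);
}

/*
 * Stand-in for the notifier: walk every shadow hanging off the parent and
 * count those whose private is NULL. Each hit is where the real notifier
 * would dereference NULL, i.e. the crash the commit message describes.
 */
static int notifier_walk(const struct gmap *parent)
{
    int null_private = 0;
    for (int i = 0; i < parent->nr_children; i++)
        if (parent->children[i]->private == NULL)
            null_private++;
    return null_private;
}

/*
 * Create one shadow and fire the notifier in the window between
 * gmap_shadow() returning and the caller's late assignment. Returns the
 * number of NULL private pointers observed, or -1 on allocation failure.
 */
static int run_window(struct gmap *(*shadow)(struct gmap *))
{
    struct kvm kvm = { .id = 1 };                /* constructed sample owner */
    struct gmap parent = { .private = &kvm };
    struct gmap *child = shadow(&parent);
    int hits;

    if (!child)
        return -1;
    hits = notifier_walk(&parent);               /* notifier runs inside the window */
    child->private = parent.private;             /* caller-side assignment the patch removes */
    free(child);
    return hits;
}

int race_window_old(void) { return run_window(gmap_shadow_old); }  /* returns 1 */
int race_window_new(void) { return run_window(gmap_shadow_new); }  /* returns 0 */

int main(void)
{
    printf("pre-patch:  notifier saw %d NULL private pointer(s)\n", race_window_old());
    printf("post-patch: notifier saw %d NULL private pointer(s)\n", race_window_new());
    return 0;
}
```

The general lesson is the one the patch applies: a field that other code may read as soon as an object is reachable has to be set by the constructor before the object is published, not by the caller after the constructor returns.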