[v2,0/2] KVM: arm64: Plug a couple of MM races

Message ID 20230316174546.3777507-1-maz@kernel.org (mailing list archive)

Message

Marc Zyngier March 16, 2023, 5:45 p.m. UTC
Ard recently reported a really odd warning generated with KASAN, where
the page table walker we use to inspect the userspace page tables was
going into the weeds and accessing something that was looking totally
unrelated (and previously freed).

Will and I spent quite some time looking into it, and while we were
not able to reproduce the issue, we were able to spot at least a
couple of issues that could partially explain the issue.

The first course of action is to disable interrupts while walking the
userspace PTs. This prevents exit_mmap() from tearing down these PTs
by blocking the IPI. We also fail gracefully if the IPI won the race
and killed the page tables before we started the walk.

The second issue is to not use a VMA pointer that was obtained with
the mmap_read_lock held after that lock has been released. There is no
guarantee that it is still valid.

I've earmarked both for stable, though I expect backporting this to
older revisions of the kernel could be... interesting.

* From v1[1]:

  - Return -EAGAIN from get_user_mapping_size() when the mapping is
    gone instead of -EFAULT which would be fatal (which is still
    returned in cases that are not expected to be seen). Other error
    codes can also be returned from kvm_pgtable_get_leaf(), but always
    in conditions that are rather bad.

  - Rebased on top of kvmarm/fixes which already contains David's own
    MMU fix.

[1] https://lore.kernel.org/r/20230313091425.1962708-1-maz@kernel.org

Marc Zyngier (2):
  KVM: arm64: Disable interrupts while walking userspace PTs
  KVM: arm64: Check for kvm_vma_mte_allowed in the critical section

 arch/arm64/kvm/mmu.c | 53 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 44 insertions(+), 9 deletions(-)

Comments

Oliver Upton March 17, 2023, 1:20 a.m. UTC | #1
On Thu, 16 Mar 2023 17:45:44 +0000, Marc Zyngier wrote:
> Ard recently reported a really odd warning generated with KASAN, where
> the page table walker we use to inspect the userspace page tables was
> going into the weeds and accessing something that was looking totally
> unrelated (and previously freed).
> 
> Will and I spent quite some time looking into it, and while we were
> not able to reproduce the issue, we were able to spot at least a
> couple of issues that could partially explain the issue.
> 
> [...]

Applied to kvmarm/fixes, thanks!

[1/2] KVM: arm64: Disable interrupts while walking userspace PTs
      https://git.kernel.org/kvmarm/kvmarm/c/e86fc1a3a3e9
[2/2] KVM: arm64: Check for kvm_vma_mte_allowed in the critical section
      https://git.kernel.org/kvmarm/kvmarm/c/8c2e8ac8ad4b

--
Best,
Oliver