From patchwork Fri Dec 1 17:31:36 2017
X-Patchwork-Submitter: Nitesh Lal
X-Patchwork-Id: 10087605
From: nilal@redhat.com
To: kvm@vger.kernel.org, pbonzini@redhat.com, pagupta@redhat.com, wei.w.wang@intel.com, yang.zhang.wz@gmail.com, riel@redhat.com, david@redhat.com, mst@redhat.com, dodgen@google.com, konrad.wilk@oracle.com
Subject: [Patch v6 7/7] KVM: Disabling page poisoning to avoid memory corruption errors
Date: Fri, 1 Dec 2017 12:31:36 -0500
Message-Id: <20171201173136.849-8-nilal@redhat.com>
In-Reply-To: <20171201173136.849-1-nilal@redhat.com>
References: <20171201173136.849-1-nilal@redhat.com>
X-Mailing-List: kvm@vger.kernel.org

From: Nitesh Narayan Lal

This patch disables page poisoning if guest page hinting is enabled. It is required to avoid possible guest memory corruption errors.

Page poisoning is a feature in which the page is filled with a specific pattern (0x00 or 0xaa) after arch_free_page, and the same is verified before arch_alloc_page, to prevent the following issues:
* information leak from the freed data
* use-after-free bugs
* memory corruption

Selection of the pattern depends on CONFIG_PAGE_POISONING_ZERO.

Once the guest pages which are supposed to be freed are sent to the hypervisor, it frees them. After freeing the pages in the global list, the following things may happen:
* the hypervisor reallocates the freed memory back to the guest
* the hypervisor frees the memory and maps different physical memory

In order to prevent any information leak, the hypervisor fills memory with zeroes before allocating it to the guest. The issue arises when the pattern used for page poisoning is 0xaa while the newly allocated page received from the hypervisor by the guest is filled with the pattern 0x00. This will result in memory corruption errors.
Signed-off-by: Nitesh Narayan Lal --- include/linux/page_hinting.h | 9 +++++++++ mm/page_poison.c | 2 +- virt/kvm/page_hinting.c | 1 + 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/include/linux/page_hinting.h b/include/linux/page_hinting.h index dd30644..b639078 100644 --- a/include/linux/page_hinting.h +++ b/include/linux/page_hinting.h @@ -1,3 +1,4 @@ +#include #define MAX_FGPT_ENTRIES 1000 /* * hypervisor_pages - It is a dummy structure passed with the hypercall. @@ -14,6 +15,7 @@ struct hypervisor_pages { extern struct hypervisor_pages hypervisor_pagelist[MAX_FGPT_ENTRIES]; extern void (*request_hypercall)(void *, int); extern void *balloon_ptr; +extern bool want_page_poisoning; extern struct static_key_false guest_page_hinting_key; int guest_page_hinting_sysctl(struct ctl_table *table, int write, @@ -21,3 +23,10 @@ int guest_page_hinting_sysctl(struct ctl_table *table, int write, extern int guest_page_hinting_flag; void guest_alloc_page(struct page *page, int order); void guest_free_page(struct page *page, int order); + +static inline void disable_page_poisoning(void) +{ +#ifdef CONFIG_PAGE_POISONING + want_page_poisoning = 0; +#endif +} diff --git a/mm/page_poison.c b/mm/page_poison.c index e83fd44..3e9f26d 100644 --- a/mm/page_poison.c +++ b/mm/page_poison.c @@ -7,7 +7,7 @@ #include #include -static bool want_page_poisoning __read_mostly; +bool want_page_poisoning __read_mostly; static int early_page_poison_param(char *buf) { diff --git a/virt/kvm/page_hinting.c b/virt/kvm/page_hinting.c index f66ad63..1ba2e0b 100644 --- a/virt/kvm/page_hinting.c +++ b/virt/kvm/page_hinting.c @@ -302,6 +302,7 @@ void guest_free_page(struct page *page, int order) * process context causing unwanted overwrites. This will be replaced * with a better solution to prevent such race conditions. */ + disable_page_poisoning(); local_irq_save(flags); free_page_obj = &get_cpu_var(kvm_pt)[0]; trace_guest_free_page(page, order);
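Review bot: the `+#include` added at the top of include/linux/page_hinting.h (hunk @@ -1,3 +1,4 @@) names no header as it appears here, so a reader of this mail cannot tell what it pulls in; if it is there for the `bool` used by the new `extern bool want_page_poisoning;`, the minimal dependency is `linux/types.h`, and the include should be placed consistently with how the rest of the header orders its includes. Please make sure the header name survives in the next posting.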
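Review bot: the `+extern bool want_page_poisoning;` declaration (hunk @@ -14,6 +15,7 @@ in include/linux/page_hinting.h) declares a symbol whose definition lives in mm/page_poison.c, and nothing in the patch shows mm/page_poison.c including page_hinting.h, so the definition has no declaration in scope and sparse will warn that the non-static symbol "should be static". Put the declaration in an mm header that page_poison.c already includes (next to the other page-poisoning interfaces), or have page_poison.c include the header that declares it, and add a one-line comment saying the flag is cleared by the guest page hinting code so the cross-subsystem write is not a surprise.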
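Review bot: `disable_page_poisoning()` (hunk @@ -21,3 +23,10 @@ in include/linux/page_hinting.h) silently switches off a hardening the administrator explicitly asked for with page_poison=on, with no pr_info()/pr_warn() recording that it happened, and it assigns `0` to a `bool` where `false` is the idiomatic value. Clearing want_page_poisoning also only undoes the command-line request; the hunk does not show whether page_poisoning_enabled() can still return true for another reason on some configurations (debug_pagealloc is implemented via poisoning on some architectures), so that needs verifying before the commit message can claim poisoning is disabled. Suggest `want_page_poisoning = false;` together with a one-time `pr_info("page poisoning disabled: guest page hinting is enabled\n");` inside the same `#ifdef CONFIG_PAGE_POISONING` block.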
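Review bot: turning `static bool want_page_poisoning __read_mostly;` into a global (hunk @@ -7,7 +7,7 @@ in mm/page_poison.c) exposes an mm-internal flag to a writer outside mm/, while the variable keeps its `__read_mostly` annotation even though it is now written at runtime from the free path. Rather than exporting the raw flag, consider a small setter in mm/page_poison.c, e.g. `void page_poisoning_disable(void)`, that clears the flag once and logs it; mm/ then stays the owner of its own state, the extern in page_hinting.h becomes unnecessary, and the annotation stays honest.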
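Review bot: `disable_page_poisoning();` is invoked at the top of guest_free_page() (hunk @@ -302,6 +302,7 @@ in virt/kvm/page_hinting.c), i.e. on every single page free once hinting is active, which repeats an unsynchronised store to a `__read_mostly` variable on a hot path and races with any concurrent free that still sees the flag set. The commit message describes a one-time transition ("disables page poisoning if guest page hinting is enabled"), so the call belongs where hinting is switched on; the `guest_page_hinting_sysctl()` handler declared in the header is the natural place, so the flag is cleared once, before the first hinted free. Moving it also keeps the existing comment about process-context overwrites from reading as if it covered this call.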
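The free/hint/reallocate cycle the commit message describes, as an added user-space model in C. This is an illustration written for this page, not code from the patch or from the kernel: the names GUEST_PAGE_SIZE, POISON_AA, POISON_ZERO, poison_page, check_poison_page, hypervisor_recycle and free_hint_alloc_cycle are this example's own, and the hypervisor side is a stand-in that simply zero-fills the page, as the message says the host does. It shows why a 0xaa poison pattern is reported as corruption after the page has been through the hypervisor, while a zero pattern (the CONFIG_PAGE_POISONING_ZERO choice) happens to agree with the host's zeroing.

```c
/* Added example, not part of the patch or of mm/page_poison.c.
 * User-space model of page poisoning meeting a hypervisor that zeroes
 * reclaimed guest pages. All names are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_PAGE_SIZE 4096u

/* The two patterns the commit message names: 0xaa by default,
 * 0x00 when CONFIG_PAGE_POISONING_ZERO is selected. */
#define POISON_AA   0xaa
#define POISON_ZERO 0x00

struct guest_page {
    uint8_t data[GUEST_PAGE_SIZE];
};

/* Guest side of arch_free_page: fill the page with the poison pattern. */
static void poison_page(struct guest_page *pg, uint8_t pattern)
{
    memset(pg->data, pattern, GUEST_PAGE_SIZE);
}

/* Guest side of arch_alloc_page: every byte must still hold the pattern.
 * Returns the number of mismatching bytes; 0 means the page passed. */
static size_t check_poison_page(const struct guest_page *pg, uint8_t pattern)
{
    size_t bad = 0;

    for (size_t i = 0; i < GUEST_PAGE_SIZE; i++)
        if (pg->data[i] != pattern)
            bad++;
    return bad;
}

/* Hypothetical hypervisor behaviour from the commit message: once the guest
 * hints the page as free, the host reclaims it and, to avoid leaking another
 * tenant's data, hands back a zero-filled page when the guest touches it. */
static void hypervisor_recycle(struct guest_page *pg)
{
    memset(pg->data, 0x00, GUEST_PAGE_SIZE);
}

/* One free -> (hint) -> allocate cycle with the given poison pattern.
 * Returns how many bytes the guest's poison check would flag. */
static size_t free_hint_alloc_cycle(uint8_t pattern, bool hinting_enabled)
{
    struct guest_page pg;

    memset(pg.data, 0x5a, GUEST_PAGE_SIZE); /* constructed "live" contents */
    poison_page(&pg, pattern);              /* guest frees the page */
    if (hinting_enabled)
        hypervisor_recycle(&pg);            /* page went through the host */
    return check_poison_page(&pg, pattern); /* guest allocates it again */
}

int main(void)
{
    printf("0xaa poison, hinting off: %zu bad bytes\n",
           free_hint_alloc_cycle(POISON_AA, false));
    printf("0xaa poison, hinting on : %zu bad bytes\n",
           free_hint_alloc_cycle(POISON_AA, true));
    printf("0x00 poison, hinting on : %zu bad bytes\n",
           free_hint_alloc_cycle(POISON_ZERO, true));
    return 0;
}
```

With 0xaa poisoning and hinting on, every byte of the page fails the check, so the guest would report a whole-page "corruption" that is really the host's zeroing; with zero poisoning the check passes only because both sides happen to write the same value, which is a coincidence of configuration rather than a guarantee. The patch resolves this by switching poisoning off once hinting is active, which also means the guest loses the use-after-free detection the check provides for pages that never went to the host.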