From: Zenghui Yu
Subject: [PATCH 1/2] KVM: arm64: vgic: Forbid invalid userspace Redistributor accesses
Date: Fri, 13 Nov 2020 22:28:00 +0800
Message-ID: <20201113142801.1659-2-yuzenghui@huawei.com>
In-Reply-To: <20201113142801.1659-1-yuzenghui@huawei.com>
Cc: suzuki.poulose@arm.com, linux-kernel@vger.kernel.org, eric.auger@redhat.com, james.morse@arm.com, linux-arm-kernel@lists.infradead.org, Zenghui Yu, wanghaibin.wang@huawei.com, Keqian Zhu, julien.thierry.kdev@gmail.com

It's expected that users will access registers in the redistributor *if* the RD has been initialized properly. Unfortunately userspace can be bogus enough to access registers before setting the RD base address, and KVM implicitly allows it (we handle the access anyway, regardless of whether the base address is set).

Bad things happen when we're handling the user read of GICR_TYPER. We end up with an oops when dereferencing the unset rdreg...

	gpa_t last_rdist_typer = rdreg->base + GICR_TYPER +
			(rdreg->free_index - 1) * KVM_VGIC_V3_REDIST_SIZE;

Fix this issue by informing userspace what had gone wrong (-ENXIO).

Reported-by: Keqian Zhu
Signed-off-by: Zenghui Yu
---
 arch/arm64/kvm/vgic/vgic-mmio-v3.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm64/kvm/vgic/vgic-mmio-v3.c b/arch/arm64/kvm/vgic/vgic-mmio-v3.c index 52d6f24f65dc..30e370585a27 100644 
--- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c +++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c @@ -1040,11 +1040,15 @@ int vgic_v3_dist_uaccess(struct kvm_vcpu *vcpu, bool is_write, int vgic_v3_redist_uaccess(struct kvm_vcpu *vcpu, bool is_write, int offset, u32 *val) { + struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu; struct vgic_io_device rd_dev = { .regions = vgic_v3_rd_registers, .nr_regions = ARRAY_SIZE(vgic_v3_rd_registers), }; + if (IS_VGIC_ADDR_UNDEF(vgic_cpu->rd_iodev.base_addr)) + return -ENXIO; + return vgic_uaccess(vcpu, &rd_dev, is_write, offset, val); }
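
Review bot: the new guard in vgic_v3_redist_uaccess() tests vgic_cpu->rd_iodev.base_addr, while the oops described in the commit message comes from dereferencing the unset rdreg, so the check protects the crash site only indirectly. Either test the pointer that is actually dereferenced, or add a one-line comment above "if (IS_VGIC_ADDR_UNDEF(vgic_cpu->rd_iodev.base_addr))" stating the invariant that rdreg is always assigned together with the redistributor base address, so a later change to the registration path cannot silently reopen the NULL dereference. Note also that the early "return -ENXIO;" is unconditional: it applies to every offset and to writes as well as reads, not only to the GICR_TYPER read that triggers the oops. That is a reasonable tightening, but it is a userspace-visible behaviour change for a VMM that touched redistributor registers before setting the base, so the commit message and the KVM device API documentation for this register group should state that -ENXIO is returned until the redistributor base address has been set.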