From patchwork Fri Nov 13 14:28:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zenghui Yu X-Patchwork-Id: 11903693 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA0E1C4742C for ; Fri, 13 Nov 2020 14:30:56 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 8C20D20715 for ; Fri, 13 Nov 2020 14:30:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="d4GjEKos" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8C20D20715 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=huawei.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-ID:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=2X94plJeux2E3udEx3M5+u/JzmGqy1wrr6g25J0jcVk=; b=d4GjEKosSDDCy3ZCxnaCDCGnk zt1KtoZHoNsmiOfnz2Fj8e5+2SSFhJMhAgvCrK3BiMQcSfb7eyRh42v3vMfzjjXrxIjKOAaDzbKOi Dx5h/+/tngpGaf8kE0vPlVWGC9XLPd46xMPN7gxpPAW1CKAwKU+yID9uChvMszGlL0hD2noQ8xai/ NeS9hnHCi8i/zM0xLlOUCRoyhe/y2HxOi9cDfJ0Afh7kBumXdTemxMhIEM27GiTIix3BcpaJWvuvw GDjDzE++YJ8M1EIt74uAki7gnKUVbbN5NWUwDrJqh8+TrbHy5pyA7w0aMN5Kns1ukyTq1YDps+VsS V9q1R2uGA==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kda4r-0000c7-Lg; Fri, 13 Nov 2020 14:29:25 +0000 Received: from szxga04-in.huawei.com ([45.249.212.190]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kda41-0008RD-87 for linux-arm-kernel@lists.infradead.org; Fri, 13 Nov 2020 14:28:34 +0000 Received: from DGGEMS402-HUB.china.huawei.com (unknown [172.30.72.60]) by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4CXgmp1RSpzkhGF; Fri, 13 Nov 2020 22:28:10 +0800 (CST) Received: from DESKTOP-8RFUVS3.china.huawei.com (10.174.185.179) by DGGEMS402-HUB.china.huawei.com (10.3.19.202) with Microsoft SMTP Server id 14.3.487.0; Fri, 13 Nov 2020 22:28:14 +0800 From: Zenghui Yu To: , Subject: [PATCH 1/2] KVM: arm64: vgic: Forbid invalid userspace Redistributor accesses Date: Fri, 13 Nov 2020 22:28:00 +0800 Message-ID: <20201113142801.1659-2-yuzenghui@huawei.com> X-Mailer: git-send-email 2.23.0.windows.1 In-Reply-To: <20201113142801.1659-1-yuzenghui@huawei.com> References: <20201113142801.1659-1-yuzenghui@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.174.185.179] X-CFilter-Loop: Reflected X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201113_092833_674701_CDAA5FC4 X-CRM114-Status: GOOD ( 10.32 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: suzuki.poulose@arm.com, linux-kernel@vger.kernel.org, eric.auger@redhat.com, james.morse@arm.com, linux-arm-kernel@lists.infradead.org, Zenghui Yu , wanghaibin.wang@huawei.com, Keqian Zhu , julien.thierry.kdev@gmail.com Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org It's expected that users will access registers in the redistributor *if* the RD has been initialized properly. Unfortunately userspace can be bogus enough to access registers before setting the RD base address, and KVM implicitly allows it (we handle the access anyway, regardless of whether the base address is set). Bad thing happens when we're handling the user read of GICR_TYPER. We end up with an oops when deferencing the unset rdreg... gpa_t last_rdist_typer = rdreg->base + GICR_TYPER + (rdreg->free_index - 1) * KVM_VGIC_V3_REDIST_SIZE; Fix this issue by informing userspace what had gone wrong (-ENXIO). Reported-by: Keqian Zhu Signed-off-by: Zenghui Yu --- arch/arm64/kvm/vgic/vgic-mmio-v3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/arm64/kvm/vgic/vgic-mmio-v3.c b/arch/arm64/kvm/vgic/vgic-mmio-v3.c index 52d6f24f65dc..30e370585a27 100644 --- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c +++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c @@ -1040,11 +1040,15 @@ int vgic_v3_dist_uaccess(struct kvm_vcpu *vcpu, bool is_write, int vgic_v3_redist_uaccess(struct kvm_vcpu *vcpu, bool is_write, int offset, u32 *val) { + struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu; struct vgic_io_device rd_dev = { .regions = vgic_v3_rd_registers, .nr_regions = ARRAY_SIZE(vgic_v3_rd_registers), }; + if (IS_VGIC_ADDR_UNDEF(vgic_cpu->rd_iodev.base_addr)) + return -ENXIO; + return vgic_uaccess(vcpu, &rd_dev, is_write, offset, val); } From patchwork Fri Nov 13 14:28:01 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zenghui Yu X-Patchwork-Id: 11903689 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D9341C63697 for ; Fri, 13 Nov 2020 14:29:56 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 5D27022226 for ; Fri, 13 Nov 2020 14:29:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="lNHjpQ7x" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5D27022226 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=huawei.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-ID:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=c5a/nmjbcHtfK1HMTDI0ZOhnqhcmd3jy7dYpJB7RpdI=; b=lNHjpQ7x4nxd39YvjswOr3f2o 1U2zKNjhLERZQ3J0oSO2IXOa1jLxCk3GG1E2kvDHcCmGSdQm5a8t0/JQBjdL73sOvHmO5PexKK8wO lhAU4O666HkjcVl/lFuokLW5LMes+tJ2i0pLyfJJ4mouWRVdvCASZ0H8MmKg2tvGsU6YO9Zr++DbP 8E8BuBr9D3GjeRzFlQlPKYmfEEYTymgoI17AN2SbSwIWG08WwGRAw5v4gxm8cgF5fRY627bDoWiF6 9Gm7pGz5VT31N9lolJfB2IWVaa/7JcrmnJac5SpD6tblKvNs87y9Rc1Agik4MLm3zjB8RZYyc7L7C oww7/AX8w==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kda4x-0000gk-US; Fri, 13 Nov 2020 14:29:31 +0000 Received: from szxga04-in.huawei.com ([45.249.212.190]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kda46-0008Pr-BO for linux-arm-kernel@lists.infradead.org; Fri, 13 Nov 2020 14:28:39 +0000 Received: from DGGEMS402-HUB.china.huawei.com (unknown [172.30.72.60]) by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4CXgmp1DY1zkWqj; Fri, 13 Nov 2020 22:28:10 +0800 (CST) Received: from DESKTOP-8RFUVS3.china.huawei.com (10.174.185.179) by DGGEMS402-HUB.china.huawei.com (10.3.19.202) with Microsoft SMTP Server id 14.3.487.0; Fri, 13 Nov 2020 22:28:16 +0800 From: Zenghui Yu To: , Subject: [PATCH 2/2] KVM: arm64: vgic: Forbid invalid userspace Distributor accesses Date: Fri, 13 Nov 2020 22:28:01 +0800 Message-ID: <20201113142801.1659-3-yuzenghui@huawei.com> X-Mailer: git-send-email 2.23.0.windows.1 In-Reply-To: <20201113142801.1659-1-yuzenghui@huawei.com> References: <20201113142801.1659-1-yuzenghui@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.174.185.179] X-CFilter-Loop: Reflected X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201113_092838_742175_9DBE89CA X-CRM114-Status: UNSURE ( 9.93 ) X-CRM114-Notice: Please train this message. X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: suzuki.poulose@arm.com, linux-kernel@vger.kernel.org, eric.auger@redhat.com, james.morse@arm.com, linux-arm-kernel@lists.infradead.org, Zenghui Yu , wanghaibin.wang@huawei.com, julien.thierry.kdev@gmail.com Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Accessing registers in the Distributor before setting its base address should be treated as an invalid userspece behaviour. But KVM implicitly allows it as we handle the access anyway, regardless of whether the base address is set or not. Fix this issue by informing userspace what had gone wrong (-ENXIO). Signed-off-by: Zenghui Yu --- arch/arm64/kvm/vgic/vgic-mmio-v3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/arm64/kvm/vgic/vgic-mmio-v3.c b/arch/arm64/kvm/vgic/vgic-mmio-v3.c index 30e370585a27..6a9e5eb311f0 100644 --- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c +++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c @@ -1029,11 +1029,15 @@ void vgic_v3_dispatch_sgi(struct kvm_vcpu *vcpu, u64 reg, bool allow_group1) int vgic_v3_dist_uaccess(struct kvm_vcpu *vcpu, bool is_write, int offset, u32 *val) { + struct vgic_dist *dist = &vcpu->kvm->arch.vgic; struct vgic_io_device dev = { .regions = vgic_v3_dist_registers, .nr_regions = ARRAY_SIZE(vgic_v3_dist_registers), }; + if (IS_VGIC_ADDR_UNDEF(dist->vgic_dist_base)) + return -ENXIO; + return vgic_uaccess(vcpu, &dev, is_write, offset, val); }