From patchwork Thu Dec 22 20:30:20 2022 X-Patchwork-Submitter: Michal Luczaj X-Patchwork-Id: 13080305
From: Michal Luczaj To: kvm@vger.kernel.org Cc: dwmw2@infradead.org, paul@xen.org, seanjc@google.com, pbonzini@redhat.com, Michal Luczaj Subject: [RFC PATCH 1/2] KVM: x86/xen: Fix use-after-free in kvm_xen_eventfd_update() Date: Thu, 22 Dec 2022 21:30:20 +0100 Message-Id: <20221222203021.1944101-2-mhal@rbox.co> X-Mailer: git-send-email 2.39.0 In-Reply-To: <20221222203021.1944101-1-mhal@rbox.co> References: <20221222203021.1944101-1-mhal@rbox.co> Protect `evtchnfd` by entering SRCU critical section. Signed-off-by: Michal Luczaj --- arch/x86/kvm/xen.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c index d7af40240248..8e17629e5665 100644 --- a/arch/x86/kvm/xen.c +++ b/arch/x86/kvm/xen.c @@ -1825,20 +1825,26 @@ static int kvm_xen_eventfd_update(struct kvm *kvm, { u32 port = data->u.evtchn.send_port; struct evtchnfd *evtchnfd; + int ret = -EINVAL; + int idx; if (!port || port >= max_evtchn_port(kvm)) return -EINVAL; + idx = srcu_read_lock(&kvm->srcu); + mutex_lock(&kvm->lock); evtchnfd = idr_find(&kvm->arch.xen.evtchn_ports, port); mutex_unlock(&kvm->lock); - if (!evtchnfd) - return -ENOENT; + if (!evtchnfd) { + ret = -ENOENT; + goto out_rcu; + } /* For an UPDATE, nothing may change except the priority/vcpu */ if (evtchnfd->type != data->u.evtchn.type) - return -EINVAL; + goto out_rcu; /* -EINVAL */ /* * Port cannot change, and if it's zero that was an eventfd 
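Review bot: the window being closed is visible in this hunk: evtchnfd is looked up under kvm->lock, the mutex is dropped, and the pointer is then dereferenced (evtchnfd->type), so the lookup alone never pinned the object. An SRCU read side only prevents the use-after-free if the path that removes the entry from evtchn_ports waits on synchronize_srcu(&kvm->srcu) before freeing it; that path is not in this patch, so the commit message should state that dependency rather than only "entering SRCU critical section". Also consider whether holding kvm->lock from idr_find() through the final store is the simpler fix: the function already re-takes the mutex for the update, and the idx/out_rcu plumbing would then disappear.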
@@ -1846,11 +1852,11 @@ static int kvm_xen_eventfd_update(struct kvm *kvm, */ if (!evtchnfd->deliver.port.port || evtchnfd->deliver.port.port != data->u.evtchn.deliver.port.port) - return -EINVAL; + goto out_rcu; /* -EINVAL */ /* We only support 2 level event channels for now */ if (data->u.evtchn.deliver.port.priority != KVM_IRQ_ROUTING_XEN_EVTCHN_PRIO_2LEVEL) - return -EINVAL; + goto out_rcu; /* -EINVAL */ mutex_lock(&kvm->lock); evtchnfd->deliver.port.priority = data->u.evtchn.deliver.port.priority; 
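Review bot: the `goto out_rcu; /* -EINVAL */` sites depend on `ret` still holding its initializer from the top of the function, and the comment goes stale silently if that initializer ever changes; `ret = -EINVAL; goto out_rcu;` at each site (or a dedicated label) is more robust. Note also that evtchnfd->deliver.port.port is read here without kvm->lock, which is only safe because UPDATE never changes it (per the comment in the previous hunk); a one-line comment stating that locking rule would keep it from being broken by a later refactor.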
@@ -1859,7 +1865,10 @@ static int kvm_xen_eventfd_update(struct kvm *kvm, evtchnfd->deliver.port.vcpu_idx = -1; } mutex_unlock(&kvm->lock); - return 0; + ret = 0; +out_rcu: + srcu_read_unlock(&kvm->srcu, idx); + return ret; } /* From patchwork Thu Dec 22 20:30:21 2022 X-Patchwork-Submitter: Michal Luczaj X-Patchwork-Id: 13080303
From: Michal Luczaj To: kvm@vger.kernel.org Cc: dwmw2@infradead.org, paul@xen.org, seanjc@google.com, pbonzini@redhat.com, Michal Luczaj Subject: [RFC PATCH 2/2] KVM: x86/xen: Simplify eventfd IOCTLs Date: Thu, 22 Dec 2022 21:30:21 +0100 Message-Id: <20221222203021.1944101-3-mhal@rbox.co> X-Mailer: git-send-email 2.39.0 In-Reply-To: <20221222203021.1944101-1-mhal@rbox.co> References: <20221222203021.1944101-1-mhal@rbox.co> Port number is validated in kvm_xen_setattr_evtchn(). Remove superfluous checks in kvm_xen_eventfd_assign() and kvm_xen_eventfd_update(). Signed-off-by: Michal Luczaj --- arch/x86/kvm/xen.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c index 8e17629e5665..87da95ceba92 100644 --- a/arch/x86/kvm/xen.c +++ b/arch/x86/kvm/xen.c @@ -1828,9 +1828,6 @@ static int kvm_xen_eventfd_update(struct kvm *kvm, int ret = -EINVAL; int idx; - if (!port || port >= max_evtchn_port(kvm)) - return -EINVAL; - idx = srcu_read_lock(&kvm->srcu); mutex_lock(&kvm->lock); 
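Review bot: the justification ("validated in kvm_xen_setattr_evtchn()") is not visible in this diff; please quote the caller-side check in the commit message so a reviewer can confirm it covers both the !port and the port >= max_evtchn_port(kvm) cases being deleted here. For kvm_xen_eventfd_update() the removal is low risk on its own, since idr_find() returns NULL (-ENOENT) for a port that was never assigned, but that reasoning belongs in the message as well.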
@@ -1880,12 +1877,9 @@ static int kvm_xen_eventfd_assign(struct kvm *kvm, { u32 port = data->u.evtchn.send_port; struct eventfd_ctx *eventfd = NULL; - struct evtchnfd *evtchnfd = NULL; + struct evtchnfd *evtchnfd; int ret = -EINVAL; - if (!port || port >= max_evtchn_port(kvm)) - return -EINVAL; - evtchnfd = kzalloc(sizeof(struct evtchnfd), GFP_KERNEL); if (!evtchnfd) return -ENOMEM;
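Review bot: besides dropping the port check, this hunk also removes the `= NULL` initializer on evtchnfd, an unrelated cleanup that the commit message does not mention; either mention it or split it out. More importantly, kvm_xen_eventfd_assign() is the function that allocates and inserts the entry and now has no local guard on port, so a comment stating that port is validated by the caller would keep that contract visible to anyone adding another call site.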