From patchwork Mon Mar 11 16:15:54 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Kelley
X-Patchwork-Id: 13589019
From: mhkelley58@gmail.com
X-Google-Original-From: mhklinux@outlook.com
To: rick.p.edgecombe@intel.com, kys@microsoft.com, haiyangz@microsoft.com, wei.liu@kernel.org, decui@microsoft.com, gregkh@linuxfoundation.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, kirill.shutemov@linux.intel.com, dave.hansen@linux.intel.com, linux-kernel@vger.kernel.org, linux-hyperv@vger.kernel.org, netdev@vger.kernel.org, linux-coco@lists.linux.dev
Cc: sathyanarayanan.kuppuswamy@linux.intel.com, elena.reshetova@intel.com
Subject: [PATCH v2 1/5] Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails
Date: Mon, 11 Mar 2024 09:15:54 -0700
Message-Id: <20240311161558.1310-2-mhklinux@outlook.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20240311161558.1310-1-mhklinux@outlook.com>
References: <20240311161558.1310-1-mhklinux@outlook.com>
Reply-To: mhklinux@outlook.com
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

From: Rick Edgecombe

In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

VMBus code could free decrypted pages if set_memory_encrypted()/decrypted() fails. Leak the pages if this happens.

Signed-off-by: Rick Edgecombe
Signed-off-by: Michael Kelley
Reviewed-by: Kuppuswamy Sathyanarayanan
---
 drivers/hv/connection.c | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c index 3cabeeabb1ca..f001ae880e1d 100644 --- a/drivers/hv/connection.c +++ b/drivers/hv/connection.c @@ -237,8 +237,17 @@ int vmbus_connect(void) vmbus_connection.monitor_pages[0], 1); ret |= set_memory_decrypted((unsigned long) vmbus_connection.monitor_pages[1], 1); - if (ret) + if (ret) { + /* + * If set_memory_decrypted() fails, the encryption state + * of the memory is unknown. So leak the memory instead + * of risking returning decrypted memory to the free list. + * For simplicity, always handle both pages the same. + */ + vmbus_connection.monitor_pages[0] = NULL; + vmbus_connection.monitor_pages[1] = NULL; goto cleanup; + } /* * Set_memory_decrypted() will change the memory contents if 
@@ -337,13 +346,19 @@ void vmbus_disconnect(void) vmbus_connection.int_page = NULL; } - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[0], 1); - set_memory_encrypted((unsigned long)vmbus_connection.monitor_pages[1], 1); + if (vmbus_connection.monitor_pages[0]) { + if (!set_memory_encrypted( + (unsigned long)vmbus_connection.monitor_pages[0], 1)) + hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); + vmbus_connection.monitor_pages[0] = NULL; + } - hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); - hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); - vmbus_connection.monitor_pages[0] = NULL; - vmbus_connection.monitor_pages[1] = NULL; + if (vmbus_connection.monitor_pages[1]) { + if (!set_memory_encrypted( + (unsigned long)vmbus_connection.monitor_pages[1], 1)) + hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); + vmbus_connection.monitor_pages[1] = NULL; + } } /*

From patchwork Mon Mar 11 16:15:55 2024
X-Patchwork-Submitter: Michael Kelley
X-Patchwork-Id: 13589020
From: mhkelley58@gmail.com
Subject: [PATCH v2 2/5] Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl
Date: Mon, 11 Mar 2024 09:15:55 -0700
Message-Id: <20240311161558.1310-3-mhklinux@outlook.com>
In-Reply-To: <20240311161558.1310-1-mhklinux@outlook.com>
References: <20240311161558.1310-1-mhklinux@outlook.com>

From: Rick Edgecombe

In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

In order to make sure callers of vmbus_establish_gpadl() and vmbus_teardown_gpadl() don't return decrypted/shared pages to allocators, add a field in struct vmbus_gpadl to keep track of the decryption status of the buffers. This will allow the callers to know if they should free or leak the pages.

Signed-off-by: Rick Edgecombe
Signed-off-by: Michael Kelley
Reviewed-by: Kuppuswamy Sathyanarayanan
---
 drivers/hv/channel.c | 25 +++++++++++++++++++++----
 include/linux/hyperv.h | 1 +
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index 56f7e06c673e..bb5abdcda18f 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c @@ -472,9 +472,18 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, (atomic_inc_return(&vmbus_connection.next_gpadl_handle) - 1); ret = create_gpadl_header(type, kbuffer, size, send_offset, &msginfo); - if (ret) + if (ret) { + gpadl->decrypted = false; return ret; + } + /* + * Set the "decrypted" flag to true for the set_memory_decrypted() + * success case. In the failure case, the encryption state of the + * memory is unknown. Leave "decrypted" as true to ensure the + * memory will be leaked instead of going back on the free list. + */ + gpadl->decrypted = true; ret = set_memory_decrypted((unsigned long)kbuffer, PFN_UP(size)); if (ret) { @@ -563,9 +572,15 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, kfree(msginfo); - if (ret) - set_memory_encrypted((unsigned long)kbuffer, - PFN_UP(size)); + if (ret) { + /* + * If set_memory_encrypted() fails, the decrypted flag is + * left as true so the memory is leaked instead of being + * put back on the free list. + */ + if (!set_memory_encrypted((unsigned long)kbuffer, PFN_UP(size))) + gpadl->decrypted = false; + } return ret; } @@ -886,6 +901,8 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, struct vmbus_gpadl *gpad if (ret) pr_warn("Fail to set mem host visibility in GPADL teardown %d.\n", ret); + gpadl->decrypted = ret; + return ret; } EXPORT_SYMBOL_GPL(vmbus_teardown_gpadl); diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 2b00faf98017..5bac136c268c 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h 
@@ -812,6 +812,7 @@ struct vmbus_gpadl { u32 gpadl_handle; u32 size; void *buffer; + bool decrypted; }; struct vmbus_channel {

From patchwork Mon Mar 11 16:15:56 2024
X-Patchwork-Submitter: Michael Kelley
X-Patchwork-Id: 13589021
X-Patchwork-Delegate: kuba@kernel.org
From: mhkelley58@gmail.com
Subject: [PATCH v2 3/5] hv_netvsc: Don't free decrypted memory
Date: Mon, 11 Mar 2024 09:15:56 -0700
Message-Id: <20240311161558.1310-4-mhklinux@outlook.com>
In-Reply-To: <20240311161558.1310-1-mhklinux@outlook.com>
References: <20240311161558.1310-1-mhklinux@outlook.com>

From: Rick Edgecombe

In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

The netvsc driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory.

Signed-off-by: Rick Edgecombe
Signed-off-by: Michael Kelley
Reviewed-by: Kuppuswamy Sathyanarayanan
---
 drivers/net/hyperv/netvsc.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c index 82e9796c8f5e..70b7f91fb96b 100644 --- a/drivers/net/hyperv/netvsc.c +++ b/drivers/net/hyperv/netvsc.c
@@ -154,8 +154,11 @@ static void free_netvsc_device(struct rcu_head *head) int i; kfree(nvdev->extension); - vfree(nvdev->recv_buf); - vfree(nvdev->send_buf); + + if (!nvdev->recv_buf_gpadl_handle.decrypted) + vfree(nvdev->recv_buf); + if (!nvdev->send_buf_gpadl_handle.decrypted) + vfree(nvdev->send_buf); bitmap_free(nvdev->send_section_map); for (i = 0; i < VRSS_CHANNEL_MAX; i++) {

From patchwork Mon Mar 11 16:15:57 2024
X-Patchwork-Submitter: Michael Kelley
X-Patchwork-Id: 13589022
From: mhkelley58@gmail.com
Subject: [PATCH v2 4/5] uio_hv_generic: Don't free decrypted memory
Date: Mon, 11 Mar 2024 09:15:57 -0700
Message-Id: <20240311161558.1310-5-mhklinux@outlook.com>
In-Reply-To: <20240311161558.1310-1-mhklinux@outlook.com>
References: <20240311161558.1310-1-mhklinux@outlook.com>

From: Rick Edgecombe

In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

The VMBus device UIO driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory.

Signed-off-by: Rick Edgecombe
Signed-off-by: Michael Kelley
Reviewed-by: Kuppuswamy Sathyanarayanan
---
 drivers/uio/uio_hv_generic.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 20d9762331bd..6be3462b109f 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -181,12 +181,14 @@ hv_uio_cleanup(struct hv_device *dev, struct hv_uio_private_data *pdata) { if (pdata->send_gpadl.gpadl_handle) { vmbus_teardown_gpadl(dev->channel, &pdata->send_gpadl); - vfree(pdata->send_buf); + if (!pdata->send_gpadl.decrypted) + vfree(pdata->send_buf); } if (pdata->recv_gpadl.gpadl_handle) { vmbus_teardown_gpadl(dev->channel, &pdata->recv_gpadl); - vfree(pdata->recv_buf); + if (!pdata->recv_gpadl.decrypted) + vfree(pdata->recv_buf); } } @@ -295,7 +297,8 @@ hv_uio_probe(struct hv_device *dev, ret = vmbus_establish_gpadl(channel, pdata->recv_buf, RECV_BUFFER_SIZE, &pdata->recv_gpadl); if (ret) { - vfree(pdata->recv_buf); + if (!pdata->recv_gpadl.decrypted) + vfree(pdata->recv_buf); goto fail_close; }
@@ -317,7 +320,8 @@ hv_uio_probe(struct hv_device *dev, ret = vmbus_establish_gpadl(channel, pdata->send_buf, SEND_BUFFER_SIZE, &pdata->send_gpadl); if (ret) { - vfree(pdata->send_buf); + if (!pdata->send_gpadl.decrypted) + vfree(pdata->send_buf); goto fail_close; }

From patchwork Mon Mar 11 16:15:58 2024
X-Patchwork-Submitter: Michael Kelley
X-Patchwork-Id: 13589023
From: mhkelley58@gmail.com
X-Google-Original-From: mhklinux@outlook.com
To: rick.p.edgecombe@intel.com, kys@microsoft.com, haiyangz@microsoft.com, wei.liu@kernel.org, decui@microsoft.com, gregkh@linuxfoundation.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, kirill.shutemov@linux.intel.com, dave.hansen@linux.intel.com, linux-kernel@vger.kernel.org, linux-hyperv@vger.kernel.org, netdev@vger.kernel.org, linux-coco@lists.linux.dev
Cc: sathyanarayanan.kuppuswamy@linux.intel.com, elena.reshetova@intel.com
Subject: [PATCH v2 5/5] Drivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted
Date: Mon, 11 Mar 2024 09:15:58 -0700
Message-Id: <20240311161558.1310-6-mhklinux@outlook.com>
In-Reply-To: <20240311161558.1310-1-mhklinux@outlook.com>
References: <20240311161558.1310-1-mhklinux@outlook.com>
Reply-To: mhklinux@outlook.com
From: Michael Kelley

In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

The VMBus ring buffer code could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the struct vmbus_gpadl for the ring buffers to decide whether to free the memory.

Signed-off-by: Michael Kelley
Reviewed-by: Kuppuswamy Sathyanarayanan
--- drivers/hv/channel.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index bb5abdcda18f..47e1bd8de9fc 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c @@ -153,7 +153,9 @@ void vmbus_free_ring(struct vmbus_channel *channel) hv_ringbuffer_cleanup(&channel->inbound); if (channel->ringbuffer_page) { - __free_pages(channel->ringbuffer_page, + /* In a CoCo VM leak the memory if it didn't get re-encrypted */ + if (!channel->ringbuffer_gpadlhandle.decrypted) + __free_pages(channel->ringbuffer_page, get_order(channel->ringbuffer_pagecount << PAGE_SHIFT)); channel->ringbuffer_page = NULL;
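Review bot: in vmbus_free_ring(), when `channel->ringbuffer_gpadlhandle.decrypted` is set the pages are dropped silently: `channel->ringbuffer_page = NULL` still runs and nothing records that shared memory was leaked. A pr_warn_once() or similar in that branch would give a CoCo guest a log trail for a failure the commit message says the untrusted host can cause. On style, the `get_order(...)` continuation lines are unchanged context, so they no longer line up with the now deeper `__free_pages(`, and a call that spans three lines under the `if` would read more safely with braces.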