Date:	Mon, 1 Feb 2016 12:03:18 +0100
From:	Christoffer Dall <christoffer.dall@...aro.org>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:	linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	Ard Biesheuvel <ard.biesheuvel@...aro.org>,
	Pavel Fedin <p.fedin@...sung.com>
Subject:	Re: [PATCH 4.1 113/127] ARM/arm64: KVM: test properly for a PTEs uncachedness

On Wed, Jan 27, 2016 at 10:14:37AM -0800, Greg Kroah-Hartman wrote:
> 4.1-stable review patch.  If anyone has any objections, please let me know.

This patch should not be applied independently without the fix in
mainline:

0de58f852875a0f0dcfb120bb8433e4e73c7803b
(ARM/arm64: KVM: correct PTE uncachedness check, 2015-12-03)

Thanks,
-Christoffer

> 
> ------------------
> 
> From: Ard Biesheuvel <ard.biesheuvel@...aro.org>
> 
> commit e6fab54423450d699a09ec2b899473a541f61971 upstream.
> 
> The open coded tests for checking whether a PTE maps a page as
> uncached use a flawed '(pte_val(xxx) & CONST) != CONST' pattern,
> which is not guaranteed to work since the type of a mapping is
> not a set of mutually exclusive bits.
> 
> For HYP mappings, the type is an index into the MAIR table (i.e., the
> index itself does not contain any information whatsoever about the
> type of the mapping), and for stage-2 mappings it is a bit field where
> normal memory and device types are defined as follows:
> 
>     #define MT_S2_NORMAL            0xf
>     #define MT_S2_DEVICE_nGnRE      0x1
> 
> I.e., masking *and* comparing with the latter matches on the former,
> and we have been getting lucky merely because the S2 device mappings
> also have the PTE_UXN bit set, or we would misidentify memory mappings
> as device mappings.
> 
> Since the unmap_range() code path (which contains one instance of the
> flawed test) is used both for HYP mappings and stage-2 mappings, and
> considering the difference between the two, it is non-trivial to fix
> this by rewriting the tests in place, as it would involve passing
> down the type of mapping through all the functions.
> 
> However, since HYP mappings and stage-2 mappings both deal with host
> physical addresses, we can simply check whether the mapping is backed
> by memory that is managed by the host kernel, and only perform the
> D-cache maintenance if this is the case.
> 
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@...aro.org>
> Tested-by: Pavel Fedin <p.fedin@...sung.com>
> Reviewed-by: Christoffer Dall <christoffer.dall@...aro.org>
> Signed-off-by: Christoffer Dall <christoffer.dall@...aro.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> 
> ---
>  arch/arm/kvm/mmu.c |   15 +++++++--------
>  1 file changed, 7 insertions(+), 8 deletions(-)
> 
> --- a/arch/arm/kvm/mmu.c
> +++ b/arch/arm/kvm/mmu.c
> @@ -98,6 +98,11 @@ static void kvm_flush_dcache_pud(pud_t p
>  	__kvm_flush_dcache_pud(pud);
>  }
>  
> +static bool kvm_is_device_pfn(unsigned long pfn)
> +{
> +	return !pfn_valid(pfn);
> +}
> +
>  /**
>   * stage2_dissolve_pmd() - clear and flush huge PMD entry
>   * @kvm:	pointer to kvm structure.
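Review bot: kvm_is_device_pfn() is relocated unchanged, but its name promises more than `!pfn_valid(pfn)` delivers: it is true for any pfn that has no host `struct page`, which the commit message itself describes as memory "not managed by the host kernel" rather than strictly device memory. A short comment above the helper saying that this is a proxy (no host-managed page means no D-cache maintenance is needed) would stop the next reader from assuming it decodes the PTE's memory type.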
> @@ -213,7 +218,7 @@ static void unmap_ptes(struct kvm *kvm,
>  			kvm_tlb_flush_vmid_ipa(kvm, addr);
>  
>  			/* No need to invalidate the cache for device mappings */
> -			if ((pte_val(old_pte) & PAGE_S2_DEVICE) != PAGE_S2_DEVICE)
> +			if (!kvm_is_device_pfn(__phys_to_pfn(addr)))
>  				kvm_flush_dcache_pte(old_pte);
>  
>  			put_page(virt_to_page(pte));
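Review bot: the new condition passes `__phys_to_pfn(addr)`, but `addr` in unmap_ptes() is the address being walked on the input side of the mapping (an IPA for stage-2 tables, a HYP VA for HYP tables), whereas the host physical address the commit message says both mapping types "deal with" is the output address stored in the entry. The pfn of the backing memory is `pte_pfn(old_pte)`, and that is what the helper should be given. Christoffer's reply above points at the mainline follow-up (0de58f852875a0f0dcfb120bb8433e4e73c7803b) that corrects exactly this, so the two should be queued for stable together.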
> @@ -305,8 +310,7 @@ static void stage2_flush_ptes(struct kvm
>  
>  	pte = pte_offset_kernel(pmd, addr);
>  	do {
> -		if (!pte_none(*pte) &&
> -		    (pte_val(*pte) & PAGE_S2_DEVICE) != PAGE_S2_DEVICE)
> +		if (!pte_none(*pte) && !kvm_is_device_pfn(__phys_to_pfn(addr)))
>  			kvm_flush_dcache_pte(*pte);
>  	} while (pte++, addr += PAGE_SIZE, addr != end);
>  }
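Review bot: same issue as in unmap_ptes(): `__phys_to_pfn(addr)` converts the stage-2 input address, not the host pfn recorded in the entry, so the check wanted here is `!kvm_is_device_pfn(pte_pfn(*pte))`. Keeping the `!pte_none(*pte)` guard first is correct, since the pfn of an empty entry is meaningless. The rewritten line also now sits around the 80-column mark once the two leading tabs are counted; splitting it as the old two-line condition was would keep it readable.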
> @@ -1037,11 +1041,6 @@ static bool kvm_is_write_fault(struct kv
>  	return kvm_vcpu_dabt_iswrite(vcpu);
>  }
>  
> -static bool kvm_is_device_pfn(unsigned long pfn)
> -{
> -	return !pfn_valid(pfn);
> -}
> -
>  /**
>   * stage2_wp_ptes - write protect PMD range
>   * @pmd:	pointer to pmd entry
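Review bot: this removal is the other half of the move in the first hunk and the deleted body matches the added copy line for line, so nothing changes behaviourally here; the diffstat of 7 insertions and 8 deletions is consistent with a pure relocation plus the two rewritten conditions.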
> 
> 
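The commit message argues that a '(pte_val(xxx) & CONST) != CONST' test cannot tell MT_S2_NORMAL (0xf) from MT_S2_DEVICE_nGnRE (0x1), and that the kernel was only saved by PTE_UXN also being part of PAGE_S2_DEVICE. The following is an added example, not part of the patch or of the kernel's own code, that reproduces that reasoning in user space with a simplified, constructed descriptor layout: it assumes the stage-2 memory-attribute field occupies bits [5:2] and the UXN bit is bit 54, and it defines its own PAGE_S2_DEVICE analogue from those assumptions. It compares the flawed mask-and-compare test against a check that extracts the whole attribute field and compares its value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified stage-2 descriptor layout for this example
 * (assumption, not copied from the kernel headers): the memory-attribute
 * field is MemAttr[3:0] in bits [5:2], and UXN is bit 54. The two field
 * values below are the ones quoted in the commit message. */
#define MT_S2_NORMAL        0xfULL
#define MT_S2_DEVICE_nGnRE  0x1ULL
#define S2_MEMATTR_SHIFT    2
#define S2_MEMATTR_MASK     (0xfULL << S2_MEMATTR_SHIFT)
#define S2_MEMATTR(attr)    ((uint64_t)(attr) << S2_MEMATTR_SHIFT)
#define PTE_UXN             (1ULL << 54)

/* Assumed analogue of PAGE_S2_DEVICE: device attribute plus UXN. */
#define PAGE_S2_DEVICE      (S2_MEMATTR(MT_S2_DEVICE_nGnRE) | PTE_UXN)
/* The device attribute alone, i.e. what the test would match against if
 * PAGE_S2_DEVICE had not happened to carry an extra distinguishing bit. */
#define DEVICE_ATTR_ONLY    S2_MEMATTR(MT_S2_DEVICE_nGnRE)

/* Sample entries: a normal-memory mapping and a device mapping. */
#define PTE_NORMAL_SAMPLE   S2_MEMATTR(MT_S2_NORMAL)
#define PTE_DEVICE_SAMPLE   PAGE_S2_DEVICE

/* The flawed pattern from the old code: mask with the constant, then
 * compare to the constant. Every bit of 0x1 is also set in 0xf, so a
 * normal-memory entry satisfies this whenever devconst has no bit that
 * normal memory lacks. */
static bool is_device_flawed(uint64_t pte, uint64_t devconst)
{
    return (pte & devconst) == devconst;
}

/* A type-aware check: isolate the whole attribute field and compare its
 * value, so 0xf and 0x1 are distinguished regardless of shared bits. */
static bool is_device_by_field(uint64_t pte)
{
    return ((pte & S2_MEMATTR_MASK) >> S2_MEMATTR_SHIFT) == MT_S2_DEVICE_nGnRE;
}

/* True when the flawed test would misclassify a normal-memory entry as a
 * device mapping for the given constant (and thus skip D-cache flushing). */
static bool flawed_test_misclassifies_normal(uint64_t devconst)
{
    return is_device_flawed(PTE_NORMAL_SAMPLE, devconst)
        && !is_device_by_field(PTE_NORMAL_SAMPLE);
}

int main(void)
{
    printf("attribute-only constant: normal memory misclassified = %s\n",
           flawed_test_misclassifies_normal(DEVICE_ATTR_ONLY) ? "yes" : "no");
    printf("constant including UXN:  normal memory misclassified = %s\n",
           flawed_test_misclassifies_normal(PAGE_S2_DEVICE) ? "yes" : "no");
    printf("field check on device entry: device = %s\n",
           is_device_by_field(PTE_DEVICE_SAMPLE) ? "yes" : "no");
    return 0;
}
```

The first line of output shows the failure mode the commit message describes (0xf & 0x1 == 0x1, so normal memory "matches" the device constant); the second shows why the kernel got lucky, since PTE_UXN is set on device mappings but not on the normal-memory sample. The patch itself sidesteps the descriptor format entirely by asking whether the backing pfn is host-managed memory, which is why the field-equality check here is only an illustration of the reasoning, not of the fix.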
