| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Apr 2022 14:08:20 +0000
From: Sean Christopherson <seanjc@...gle.com>
To: Mingwei Zhang <mizhang@...gle.com>
Cc: Paolo Bonzini <pbonzini@...hat.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Joerg Roedel <joro@...tes.org>, kvm <kvm@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Ben Gardon <bgardon@...gle.com>,
David Matlack <dmatlack@...gle.com>
Subject: Re: [PATCH] KVM: x86/mmu: add lockdep check before
lookup_address_in_mm()
On Tue, Apr 26, 2022, Mingwei Zhang wrote:
> On Tue, Apr 26, 2022 at 6:30 PM Sean Christopherson <seanjc@...gle.com> wrote:
> >
> > On Tue, Apr 26, 2022, Mingwei Zhang wrote:
> > > On Tue, Apr 26, 2022 at 6:16 PM Sean Christopherson <seanjc@...gle.com> wrote:
> > > >
> > > > On Tue, Apr 26, 2022, Mingwei Zhang wrote:
> > > > > > I completely agree that lookup_address() and friends are unnecessarily fragile,
> > > > > > but I think that attempting to harden them to fix this KVM bug will open a can
> > > > > > of worms and end up delaying getting KVM fixed.
> > > > >
> > > > > So basically, we need to:
> > > > > - choose perf_get_page_size() instead of using any of the
> > > > > lookup_address*() in mm.
> > > > > - add a wrapper layer to adapt: 1) irq disabling/enabling and 2) size
> > > > > -> level translation.
> > > > >
> > > > > Agree?
> > > >
> > > > Drat, I didn't see that it returns the page size, not the level. That's a bit
> > > > unfortunate. It definitely makes me less averse to fixing lookup_address_in_pgd()
> > > >
> > > > Hrm. I guess since we know there's at least one broken user, and in theory
> > > > fixing lookup_address_in_pgd() should do no harm to users that don't need protection,
> > > > it makes sense to just fix lookup_address_in_pgd() and see if the x86 maintainers
> > > > push back.
> > >
> > > Yeah, fixing lookup_address_in_pgd() should be cleaner(), since the
> > > page fault usage case does not need irq save/restore. But the other
> > > one needs it. So, we can easily fix the function with READ_ONCE and
> > > lockless staff. But wrapping the function with irq save/restore from
> > > the KVM side.
> >
> > I think it makes sense to do the save/restore in lookup_address_in_pgd(). The
> > Those helpers are exported, so odds are good there are broken users that will
> > benefit from fixing all paths.
>
> no, lookup_address_in_pgd() is probably just broken for KVM. In other
> call sites, some may already disable IRQ, so doing that again inside
> lookup_address_in_pgd() will be bad.
No, it's not bad. local_irq_save/restore() intended preciesly for cases where
IRQs need to be disabled but IRQs may or may not have already been disabled by
the caller. PUSHF+POPF is not expensive relatively speaking,
> I am looking at here:
> https://elixir.bootlin.com/linux/latest/source/arch/arm/kernel/traps.c#L304
That's arm code, lookup_address_in_pgd() is x86 specific. :-) That said, I'm sure
there exists at least one caller that runs with IRQs disabled. But as above,
it's not a problem.
> so, the save/restore are done in oops_begin() and oops_end(), which is
> wrapping show_fault_oops() that calls lookup_address_in_pgd().
>
> So, I think we need to ensure the READ_ONCE.
>
> hmm, regarding the lockless macros, Paolo is right, for x86 it makes
> no difference. s390 seems to have a different implementation, but
> kvm_mmu_max_mapping_level() as well as host_pfn_mapping_level are both
> functions in x86 mmu.
Yep, all of this is x86 specific.
Powered by blists - more mailing lists