Patch "KVM: s390: pv: fix asynchronous teardown for small VMs" has been added to the 6.2-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    KVM: s390: pv: fix asynchronous teardown for small VMs

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-s390-pv-fix-asynchronous-teardown-for-small-vms.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit eb6e78a53015a4472443e4c6379d8ef6c5400ceb
Author: Claudio Imbrenda <imbrenda@xxxxxxxxxxxxx>
Date:   Fri Apr 21 10:50:36 2023 +0200

    KVM: s390: pv: fix asynchronous teardown for small VMs
    
    [ Upstream commit 292a7d6fca33df70ca4b8e9b0d0e74adf87582dc ]
    
    On machines without the Destroy Secure Configuration Fast UVC, the
    topmost level of page tables is set aside and freed asynchronously
    as last step of the asynchronous teardown.
    
    Each gmap has a host_to_guest radix tree mapping host (userspace)
    addresses (with 1M granularity) to gmap segment table entries (pmds).
    
    If a guest is smaller than 2GB, the topmost level of page tables is the
    segment table (i.e. there are only 2 levels). Replacing it means that
    the pointers in the host_to_guest mapping would become stale and cause
    all kinds of nasty issues.
    
    This patch fixes the issue by disallowing asynchronous teardown for
    guests with only 2 levels of page tables. Userspace should (and already
    does) try using the normal destroy if the asynchronous one fails.
    
    Update s390_replace_asce so it refuses to replace segment type ASCEs.
    This is still needed in case the normal destroy VM fails.
    
    Fixes: fb491d5500a7 ("KVM: s390: pv: asynchronous destroy for reboot")
    Reviewed-by: Marc Hartmayer <mhartmay@xxxxxxxxxxxxx>
    Reviewed-by: Janosch Frank <frankja@xxxxxxxxxxxxx>
    Signed-off-by: Claudio Imbrenda <imbrenda@xxxxxxxxxxxxx>
    Message-Id: <20230421085036.52511-2-imbrenda@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/arch/s390/kvm/pv.c b/arch/s390/kvm/pv.c
index e032ebbf51b97..3ce5f4351156a 100644
--- a/arch/s390/kvm/pv.c
+++ b/arch/s390/kvm/pv.c
@@ -314,6 +314,11 @@ int kvm_s390_pv_set_aside(struct kvm *kvm, u16 *rc, u16 *rrc)
 	 */
 	if (kvm->arch.pv.set_aside)
 		return -EINVAL;
+
+	/* Guest with segment type ASCE, refuse to destroy asynchronously */
+	if ((kvm->arch.gmap->asce & _ASCE_TYPE_MASK) == _ASCE_TYPE_SEGMENT)
+		return -EINVAL;
+
 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
index 74e1d873dce05..784fc6cbddb1a 100644
--- a/arch/s390/mm/gmap.c
+++ b/arch/s390/mm/gmap.c
@@ -2830,6 +2830,9 @@ EXPORT_SYMBOL_GPL(s390_unlist_old_asce);
  * s390_replace_asce - Try to replace the current ASCE of a gmap with a copy
  * @gmap: the gmap whose ASCE needs to be replaced
  *
+ * If the ASCE is a SEGMENT type then this function will return -EINVAL,
+ * otherwise the pointers in the host_to_guest radix tree will keep pointing
+ * to the wrong pages, causing use-after-free and memory corruption.
  * If the allocation of the new top level page table fails, the ASCE is not
  * replaced.
  * In any case, the old ASCE is always removed from the gmap CRST list.
@@ -2844,6 +2847,10 @@ int s390_replace_asce(struct gmap *gmap)
 
 	s390_unlist_old_asce(gmap);
 
+	/* Replacing segment type ASCEs would cause serious issues */
+	if ((gmap->asce & _ASCE_TYPE_MASK) == _ASCE_TYPE_SEGMENT)
+		return -EINVAL;
+
 	page = alloc_pages(GFP_KERNEL_ACCOUNT, CRST_ALLOC_ORDER);
 	if (!page)
 		return -ENOMEM;



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux