From nobody Mon Feb 9 01:45:43 2026 Received: from mail-pj1-f73.google.com (mail-pj1-f73.google.com [209.85.216.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 48F8713C800 for ; Thu, 4 Apr 2024 23:40:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712274015; cv=none; b=eWONwe4J6azNiDaZpHTVtK5MDeBOCeGNkQi+vSPczzh4vP5+sr8VWbPWF8N3LDvd+4JuBtUPFYsr49NkfDSVASV9hPx5XhbAmncFx6cDy5JPF6jWzBUm5HDH9SMWHWVyOWKlVE/IQs0kSIZ1SX4DrATCX8MvIZG5bPHYzbBzu9I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712274015; c=relaxed/simple; bh=ShNXKTKxsoV1gidL/jCEGh1UXFa8beTlPBREvu3TALk=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=o8Tu44bm6S6ViLtoN0fjTW4/HpbIUK318zOkShU8SsJ9hz5y5YO1Ye2ACcDshiApXJGW1ufb5Zn9eOqvG8fVpTF398CLbwIZhNpyjV1rz4FbmZRNmuNER/ubtI1F/lu4iZcfueqnLLegN8Y7UjqgUrfdOIFs5BZredR6nb4c8ic= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=OHR03Hm4; arc=none smtp.client-ip=209.85.216.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="OHR03Hm4" Received: by mail-pj1-f73.google.com with SMTP id 98e67ed59e1d1-2a2fec91d48so467184a91.2 for ; Thu, 04 Apr 2024 16:40:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712274013; x=1712878813; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=++a/hvLgm2LFaPeq7sJT2WCGQZL19kelVmxT81YyZ+I=; b=OHR03Hm4Yz6teVrcBEDj7uZYxtI/wK8o3p/VJxPH9QSOOUt441UucrN3CFoJG9ytlh 8Wp2XnVg0rlKEsBzmbVjJx9XVoNcjdo5ZqA/FFlK8QagQeW9y+GucU1zKp/Z+1opadLG oS2vQ8Seofa5U36TUJzSoDqjbKbHld7YeqMGv3XgNF+p/l6eBpq04VfD7pfumuKv/fmp Rv89YUjYDuuR0ORxarFdlWX6/2SNNpTjfb1K/J4PkxeZaYNrqr9alRLOkgunNWw3gCRl m0u14fFC/k3WmbI3ykFb6CV44CyVeSKXM/usj/1iatqCLZkdNB5QZL56a8D3ezMoRi8E p7Vg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712274013; x=1712878813; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=++a/hvLgm2LFaPeq7sJT2WCGQZL19kelVmxT81YyZ+I=; b=kN0ZmvU8JDJx3gIRuqqldksRbuaD0bhwxa566kd1pP0hE8ruwEPR97ylFDCTJKQ+2A qABGE3gqmlck58rFSJZRixpuw+T3+TpcOpXUjD/USGUQDRykK3bnUDkrcvdZd/TeTjEr 6iB2dlEl4tPnuWeBTd3WUMniTRvNqWyaTigBwdQVdUdh/Oo0no6UixpL7cZp7YN/1oTz FR7uUWm9O1fWBXWubkztLcliinOxg23c0qtAtgEdLfJUaSDSCy6bIggTpNaMKPXetUw4 8RgKUvEkVb9W3fJMadNjKw2UTY7k/qzjW42K9T2ehyBU7VrVOPgVV8wT7PTVdGBNLsOZ r6Dg== X-Forwarded-Encrypted: i=1; AJvYcCVoiylRZodpDPKLTsDo2HA5zrB0+P4stby0h+FbL/xYdpLD+/qJfMpSq5zsi1vqoOzdqOUqkC88p3TKtQje9a1mGusccWWByeFvRzdc X-Gm-Message-State: AOJu0YyXOhjFky7EKdkx1VCKc5V+ovZIYWB6xDE58aFboYj/L4HuOMmD w1v7JpugxmQ3IKrhrAi+BqnAi2manPa5o9KTVUxsSZ5rrP+Nx9yvPn8r4f5zLTtRtF6Mi/Qoj1z P8g== X-Google-Smtp-Source: AGHT+IFXyQGRwEJ/4fWcQaCNTSSexyUuvyDvbAc15+ionqqlW/lDl07k9yVGUcTvt59QeDxRQ5kPXvAaaLQ= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a17:903:41c9:b0:1e0:bae4:490e with SMTP id u9-20020a17090341c900b001e0bae4490emr38806ple.13.1712274013568; Thu, 04 Apr 2024 16:40:13 -0700 (PDT) Reply-To: Sean Christopherson Date: Thu, 4 Apr 2024 16:40:03 -0700 In-Reply-To: <20240404234004.911293-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240404234004.911293-1-seanjc@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240404234004.911293-2-seanjc@google.com> Subject: [PATCH 5.15 1/2] KVM: x86: Bail to userspace if emulation of atomic user access faults From: Sean Christopherson To: stable@vger.kernel.org, Greg Kroah-Hartman Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Christopherson , Paolo Bonzini , David Matlack , Pasha Tatashin , Michael Krebs , Jim Mattson Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Upstream commit 5d6c7de6446e9ab3fb41d6f7d82770e50998f3de. Exit to userspace when emulating an atomic guest access if the CMPXCHG on the userspace address faults. Emulating the access as a write and thus likely treating it as emulated MMIO is wrong, as KVM has already confirmed there is a valid, writable memslot. Signed-off-by: Sean Christopherson Message-Id: <20220202004945.2540433-6-seanjc@google.com> Signed-off-by: Paolo Bonzini --- arch/x86/kvm/x86.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index aa6f700f8c5f..a9c26397dcfd 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -7105,7 +7105,7 @@ static int emulator_cmpxchg_emulated(struct x86_emula= te_ctxt *ctxt, } =20 if (r < 0) - goto emul_write; + return X86EMUL_UNHANDLEABLE; if (r) return X86EMUL_CMPXCHG_FAILED; =20 --=20 2.44.0.478.gd926399ef9-goog From nobody Mon Feb 9 01:45:43 2026 Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4AABD13C82D for ; Thu, 4 Apr 2024 23:40:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712274017; cv=none; b=dr/Bp2dXCa9d79ZnbFkYLLGMU/cRfnh9dxiuY4XmISBfc4sZfh7G8pmp08P+O9hn1v0cSiCjy37G7gJGKg4Ehrkm0Vo/AjYgFwjoZT9eLEq9+Q4ISn78ag5vSoaEMpZx94t72YEh8LH/B4hqCNW2tHUTjUUCfBuvP8Q3Lk82h+w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712274017; c=relaxed/simple; bh=dnq5uTOatCrls3JaBY8EL3ud8sd2RV+VYen0Om+cfzA=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=EkA7wA3AM8vJfNuK6s8bgiF884tb4UrZ7tQlmrraakNJxTBdLq1nvPPByU+P47DKi9fSopuVFfIda/y6c4iqB8EeNqNBVvrqYh3Irqa0CNHR2gBJw8yM2Hv54Q1oSW6ZUIm8tvaaN6Bd2B1cAbJvb64NXbX2Ii/842zCmDWxDzc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=lVZ5BNiy; arc=none smtp.client-ip=209.85.128.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="lVZ5BNiy" Received: by mail-yw1-f201.google.com with SMTP id 00721157ae682-6156cef8098so27714767b3.0 for ; Thu, 04 Apr 2024 16:40:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712274015; x=1712878815; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=ASBumnpATwEIL5UUy/iyu9pk1RBUk9y3GsDAXtyLwC0=; b=lVZ5BNiyEBZdHq/tUJikFT19N8VhxXGGhtyHLJ3S71A7SBbfFHDOxj8lfVbl7iatAA aZKfNQfVbot9NRv/IrBGJMCfkoH3/6uxmklfE4xtwHPAIgNXOsfrpwALYBRASp0BaAaM E95Bp7781HzF3GN6VmcvDR/7ammcHiGnRyN6OJ4nd5ODMiEhuaMha3j2qANtzzNbCuCU LVIgHjaTU/D77CWt7i3riT70PzhnjuKUYnso9n4JCNJJfcgIGoaYCJEAvOl1qPFXbCBW 4i1kBEBXgdrJpO6ut44MOK0do8WHwhGLnPNM9Auj6sqorO/A4pUg2eXFYsgLCwDBycV7 8jHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712274015; x=1712878815; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ASBumnpATwEIL5UUy/iyu9pk1RBUk9y3GsDAXtyLwC0=; b=CIco8By0/51eiEuiYzMJTjNrMz0ojEWbfrpbqhMSlX7qRxW1A6/tvmsrmD5VKbXbwh Giy/SgdFZoBamF7+h4uAOneKx6sr45n28w8wefndJ2TVu+g/Fhp0F78L1BxanmuUToRE Lywyi59l1wLcP8wDeGzr1j+KYpOxKeqgc2eOFmbWgvZZyvW2mtnoQ/pBp3lBha8xGM5u 4JqsCO2B4Z3CJYFjFL25VK7DyDn1YSmwltEP4RN7sCaWf3TRb+GqKWuiUoTEOAnS89rK zt9LveQxg0MNB/zPepK57UiUdTZpJCBBy8W9XoXBBXIfcaK61+RsofBwnOv6JxyUyOSU vOfA== X-Forwarded-Encrypted: i=1; AJvYcCXEaWiSDmDxK/aQqdJbAwraFrLDojdzr5Zq2f42T+PKN1GIcksu+c2POckt9k2QUdiWUAvPnBXFX45t3RzpS0S8X+B2EgAp/f45NOev X-Gm-Message-State: AOJu0YwYC3rCfFBiqlrrhKsVrJegbLMBsG6BQsvkVwa0IYEMRw2mybzV TSpK+kJu4kC83eCB9nWsAXIe1implJjfXxTJz1DEPz/iVjVY1Bj5wAhXFaBoRP0XODftphitnkG pFg== X-Google-Smtp-Source: AGHT+IHVcGzGtkoYE/nA2+uLT99pxp9ic0A3LYA19FxHXeoqMxTP0p5qV3iEyvFi78P0BWvKb0AtUaP9/dY= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a0d:dfd3:0:b0:615:439a:dc3b with SMTP id i202-20020a0ddfd3000000b00615439adc3bmr268726ywe.8.1712274015451; Thu, 04 Apr 2024 16:40:15 -0700 (PDT) Reply-To: Sean Christopherson Date: Thu, 4 Apr 2024 16:40:04 -0700 In-Reply-To: <20240404234004.911293-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240404234004.911293-1-seanjc@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240404234004.911293-3-seanjc@google.com> Subject: [PATCH 5.15 2/2] KVM: x86: Mark target gfn of emulated atomic instruction as dirty From: Sean Christopherson To: stable@vger.kernel.org, Greg Kroah-Hartman Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Christopherson , Paolo Bonzini , David Matlack , Pasha Tatashin , Michael Krebs , Jim Mattson Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Upstream commit 910c57dfa4d113aae6571c2a8b9ae8c430975902. When emulating an atomic access on behalf of the guest, mark the target gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This fixes a bug where KVM effectively corrupts guest memory during live migration by writing to guest memory without informing userspace that the page is dirty. Marking the page dirty got unintentionally dropped when KVM's emulated CMPXCHG was converted to do a user access. Before that, KVM explicitly mapped the guest page into kernel memory, and marked the page dirty during the unmap phase. Mark the page dirty even if the CMPXCHG fails, as the old data is written back on failure, i.e. the page is still written. The value written is guaranteed to be the same because the operation is atomic, but KVM's ABI is that all writes are dirty logged regardless of the value written. And more importantly, that's what KVM did before the buggy commit. Huge kudos to the folks on the Cc list (and many others), who did all the actual work of triaging and debugging. Fixes: 1c2361f667f3 ("KVM: x86: Use __try_cmpxchg_user() to emulate atomic = accesses") Cc: stable@vger.kernel.org Cc: David Matlack Cc: Pasha Tatashin Cc: Michael Krebs base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64 Reviewed-by: Jim Mattson Link: https://lore.kernel.org/r/20240215010004.1456078-2-seanjc@google.com Signed-off-by: Sean Christopherson --- arch/x86/kvm/x86.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index a9c26397dcfd..dc0a7b9469e3 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -7106,6 +7106,16 @@ static int emulator_cmpxchg_emulated(struct x86_emul= ate_ctxt *ctxt, =20 if (r < 0) return X86EMUL_UNHANDLEABLE; + + /* + * Mark the page dirty _before_ checking whether or not the CMPXCHG was + * successful, as the old value is written back on failure. Note, for + * live migration, this is unnecessarily conservative as CMPXCHG writes + * back the original value and the access is atomic, but KVM's ABI is + * that all writes are dirty logged, regardless of the value written. + */ + kvm_vcpu_mark_page_dirty(vcpu, gpa_to_gfn(gpa)); + if (r) return X86EMUL_CMPXCHG_FAILED; =20 --=20 2.44.0.478.gd926399ef9-goog