From nobody Thu Dec 18 17:12:55 2025 Received: from njjs-sys-mailin01.njjs.baidu.com (mx310.baidu.com [180.101.52.44]) by smtp.subspace.kernel.org (Postfix) with ESMTP id BDF274D8B2 for ; Wed, 19 Jun 2024 11:18:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=180.101.52.44 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718795895; cv=none; b=XCl/nLQz6PzkbhBhvzQGVxCxmmtFTGz8XDzaMCtYv2GMYA0ucZI/sQl54n84fnectTW0kC/JDBn41C8aUyHeiwHT9e1h2Vxtff4NA8b9gULcwOWEHqwi9s8P4vtcJj5awAb2ve9CEGTLvO3iUaAttWj4SsYKaJY7kmXPByesRx4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718795895; c=relaxed/simple; bh=/uzSBEejCZP3ZuvUlQ+maBnaKGLioRrgetYx6SzumfA=; h=From:To:Cc:Subject:Date:Message-Id; b=IwjdH7ei/myASvjbWNzqZhRt5i9DMCrwIluHRF3BxwhImusEcdx0OS5tKYOqN6tbeyTqtnMj/ABfz8L0L0QMiLFpC1hlXCrKrk+TV+rPi9Orsa8Txx/gw/+w3FAcvrhIgcQUkhZ7o0kgjpBP56jR9SaxsBwsVHQF0DgQDs1Cnv8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=baidu.com; spf=pass smtp.mailfrom=baidu.com; arc=none smtp.client-ip=180.101.52.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=baidu.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=baidu.com Received: from localhost (bjhw-sys-rpm015653cc5.bjhw.baidu.com [10.227.53.39]) by njjs-sys-mailin01.njjs.baidu.com (Postfix) with ESMTP id 81AFF7F00057; Wed, 19 Jun 2024 19:18:03 +0800 (CST) From: Li RongQing To: kirill.shutemov@linux.intel.com, dave.hansen@linux.intel.com, x86@kernel.org, linux-coco@lists.linux.dev, linux-kernel@vger.kernel.org, rick.p.edgecombe@intel.com Cc: Li RongQing Subject: [PATCH][v4] virt: tdx-guest: Don't free decrypted memory Date: Wed, 19 Jun 2024 19:18:01 +0800 Message-Id: <20240619111801.25630-1-lirongqing@baidu.com> X-Mailer: git-send-email 2.9.4 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" In CoCo VMs it is possible for the untrusted host to cause set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. Leak the decrypted memory when set_memory_decrypted() fails, and don't need to print an error since set_memory_decrypted() will call WARN_ONCE(). Reviewed-by: Rick Edgecombe Reviewed-by: Kirill A. Shutemov Signed-off-by: Li RongQing --- diff with v3: modify the commit log as suggested by Kirill diff with v2: remove print error diff with v1: leak the page, and print error drivers/virt/coco/tdx-guest/tdx-guest.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/td= x-guest/tdx-guest.c index 1253bf7..8575d98 100644 --- a/drivers/virt/coco/tdx-guest/tdx-guest.c +++ b/drivers/virt/coco/tdx-guest/tdx-guest.c @@ -124,10 +124,8 @@ static void *alloc_quote_buf(void) if (!addr) return NULL; =20 - if (set_memory_decrypted((unsigned long)addr, count)) { - free_pages_exact(addr, len); + if (set_memory_decrypted((unsigned long)addr, count)) return NULL; - } =20 return addr; } --=20 2.9.4