From nobody Tue Dec 23 14:16:04 2025 Received: from baidu.com (mx24.baidu.com [111.206.215.185]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 41EC3233127 for ; Mon, 13 Jan 2025 08:07:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=111.206.215.185 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736755628; cv=none; b=ETCyD74EcCynu4lJYJGYur3o4VLTacou+TAzuEZFxHws/Ia9yXoS3Jr/NqfrWI2uGKch5le5APwlQV0cpn1YsPFMX4QCuy8LtDAyacqCzMTA0DJiG07ZW7Ft/DS4EyXJkosBgDpmUIGKbVPG4iEyhUU/YPKG+OoTg5KeeMNtfF4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736755628; c=relaxed/simple; bh=gdZYJAnTwt47YHptyhTnN959lvP0CTlYhSpNSAO+5Yc=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=mu1ddBOw5+Fd/CdZ+1FoK7Qh2VXb/dyPSeBBrdvGL6781wYcFm8cDysPaQMwHf0MuhHEFhKvOUlimSa9UeK2viIfA91ExTIMobeu62QxVop/9b6gbaYywQRVxdF18YFmzpf7GvsBD/XaJrrVk1YtPlO9rjcWFghQ92TFn17h1PE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=baidu.com; spf=pass smtp.mailfrom=baidu.com; arc=none smtp.client-ip=111.206.215.185 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=baidu.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=baidu.com From: lirongqing To: , , , , , , , CC: Li RongQing Subject: [PATCH][Resend] virt/coco/sev-guest: Just leak decrypted memory on unrecoverable errors Date: Mon, 13 Jan 2025 16:06:18 +0800 Message-ID: <20250113080618.2693-1-lirongqing@baidu.com> X-Mailer: git-send-email 2.17.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: BC-Mail-EX07.internal.baidu.com (172.31.51.47) To BJHW-Mail-Ex15.internal.baidu.com (10.127.64.38) X-Baidu-BdMsfe-DateCheck: 1_BJHW-Mail-Ex15_2025-01-13 16:06:25:115 X-Baidu-BdMsfe-DateCheck: 1_BJHW-Mail-Ex15_2025-01-13 16:06:25:131 X-FEAS-Client-IP: 10.127.64.38 X-FE-Policy-ID: 52:10:53:SYSTEM Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Li RongQing If set_memory_decrypted() fails, and memory maybe have a mix of pagetable entries, that could be a problem. As Tom explained: As long as the encryption bit hasn't been cleared in any of the guest pagetables for the page range, then there should not be an issue. When the page is referenced it will generate a #NPF and the host will have to make that page a private page in order for forward progress to be made. But, that page will already have been PVALIDATEd previously, so the resulting #VC for the page no longer being PVALIDATEd will allow the guest to detect the malicious hypervisor and terminate. If we fail during the __change_page_attr_set_clr() call and we get a mix of pagetable entries that could be a problem, so leaking the pages would be best in that case. And since the failure reason isn't clear after the call, leaking the pages is probably the safest thing. Fixes: fce96cf04430 ("virt: Add SEV-SNP guest driver") Suggested-by: Tom Lendacky Signed-off-by: Li RongQing --- drivers/virt/coco/sev-guest/sev-guest.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/se= v-guest/sev-guest.c index b699771..ce843a9 100644 --- a/drivers/virt/coco/sev-guest/sev-guest.c +++ b/drivers/virt/coco/sev-guest/sev-guest.c @@ -645,8 +645,7 @@ static void *alloc_shared_pages(struct device *dev, siz= e_t sz) =20 ret =3D set_memory_decrypted((unsigned long)page_address(page), npages); if (ret) { - dev_err(dev, "failed to mark page shared, ret=3D%d\n", ret); - __free_pages(page, get_order(sz)); + dev_err(dev, "failed to mark page shared, leak it, ret=3D%d\n", ret); return NULL; } =20 --=20 2.9.4