Date: Wed, 23 Nov 2022 12:40:40 +0100
From: Borislav Petkov
To: "Kalra, Ashish"
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
	linux-coco@lists.linux.dev, linux-mm@kvack.org, linux-crypto@vger.kernel.org,
	tglx@linutronix.de, mingo@redhat.com, jroedel@suse.de, thomas.lendacky@amd.com,
	hpa@zytor.com, ardb@kernel.org, pbonzini@redhat.com, seanjc@google.com,
	vkuznets@redhat.com, jmattson@google.com, luto@kernel.org,
	dave.hansen@linux.intel.com, slp@redhat.com, pgonda@google.com,
	peterz@infradead.org, srinivas.pandruvada@linux.intel.com, rientjes@google.com,
	dovmurik@linux.ibm.com, tobin@ibm.com, michael.roth@amd.com, vbabka@suse.cz,
	kirill@shutemov.name, ak@linux.intel.com, tony.luck@intel.com, marcorr@google.com,
	sathyanarayanan.kuppuswamy@linux.intel.com, alpergun@google.com,
	dgilbert@redhat.com, jarkko@kernel.org
Subject: Re: [PATCH Part2 v6 14/49] crypto: ccp: Handle the legacy TMR allocation when SNP is enabled
References: <3a51840f6a80c87b39632dc728dbd9b5dd444cd7.1655761627.git.ashish.kalra@amd.com>
	<380c9748-1c86-4763-ea18-b884280a3b60@amd.com>
	<13bd73b6-592c-66c4-cd42-0913380da745@amd.com>
In-Reply-To: <13bd73b6-592c-66c4-cd42-0913380da745@amd.com>

On Tue, Nov 22, 2022 at 05:44:47AM -0600, Kalra, Ashish wrote:
> It is important to note that if invalid address/len are supplied, the
> failure will happen at the initial stage itself of transitioning these pages
> to firmware state.

/me goes and checks out your v6 tree based on 5.18.

Lemme choose one:

static int snp_launch_update(struct kvm *kvm, struct kvm_sev_cmd *argp)
{

	...

	inpages = sev_pin_memory(kvm, params.uaddr, params.len, &npages, 1);

	...

	for (i = 0; i < npages; i++) {
		pfn = page_to_pfn(inpages[i]);

		...

		ret = __sev_issue_cmd(argp->sev_fd, SEV_CMD_SNP_LAUNCH_UPDATE, &data, error);
		if (ret) {
			/*
			 * If the command failed then need to reclaim the page.
			 */
			snp_page_reclaim(pfn);

and here it would leak the pages if it cannot reclaim them.

Now how did you get those? Through params.uaddr and params.len which
come from userspace:

	if (copy_from_user(&params, (void __user *)(uintptr_t)argp->data, sizeof(params)))
		return -EFAULT;

Now, think about it, can userspace be trusted?

Exactly.

Yeah, yeah, I see it does is_hva_registered() but userspace can just as
well supply the wrong region which fits.

> In such a case the kernel panic is justifiable,

So userspace can supply whatever it wants and you'd panic? You surely
don't mean that.

> but again if incorrect addresses are supplied, the failure will happen
> at the initial stage of transitioning these pages to firmware state
> and there is no need to reclaim.

See above.

> Or, otherwise dump a warning and let the pages not be freed/returned
> back to the page allocator.
>
> It is either innocent pages or kernel panic or an innocent host
> process crash (these are the choices to make).

No, it is make the kernel as resilient as possible.
Which means, no panic, add the pages to a not-to-be-used-anymore list and
scream loudly with warning messages when it must leak pages so that
people can fix the issue.

Ok?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
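The handling Boris asks for, as an added user-space simulation written for this page (it is not code from the patch series or from the kernel): the per-page firmware command can fail, reclaim of the page can fail too, and when it does the page is put on a quarantine list and a warning is emitted instead of panicking or returning the page to the allocator. The page pool, the fw_* stubs, leak_page() and the odd-pfn failure rule are all invented here for illustration.

```c
/*
 * Constructed simulation of "quarantine, warn, don't panic" for pages the
 * firmware will not give back. Not kernel code: the pool, the fw_* stubs
 * and leak_page() are stand-ins made up for this example.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL_PAGES 8
#define EINVAL_RET (-22)

enum page_state { PAGE_FREE, PAGE_IN_USE, PAGE_FIRMWARE, PAGE_LEAKED };

static enum page_state pool[POOL_PAGES];      /* simulated page allocator */
static bool sticky[POOL_PAGES];               /* fw refuses to reclaim these */
static unsigned long leaked_list[POOL_PAGES]; /* not-to-be-used-anymore list */
static int leaked_count;
static int warn_count;                        /* stands in for WARN() output */

static void reset_pool(void)
{
    memset(pool, 0, sizeof(pool));
    memset(sticky, 0, sizeof(sticky));
    leaked_count = 0;
    warn_count = 0;
}

/* Allocator that never hands out a quarantined page; -1 when exhausted. */
static long alloc_page(void)
{
    for (int i = 0; i < POOL_PAGES; i++)
        if (pool[i] == PAGE_FREE) {
            pool[i] = PAGE_IN_USE;
            return i;
        }
    return -1;
}

/* Simulated launch-update command: the page is moved to firmware state
 * first, then the command fails on odd pfns so the error path is exercised. */
static int fw_launch_update(unsigned long pfn)
{
    pool[pfn] = PAGE_FIRMWARE;
    return (pfn % 2) ? -1 : 0;
}

/* Simulated page reclaim: fails for "sticky" pages, which models a page the
 * firmware leaves in firmware-owned state. */
static int fw_page_reclaim(unsigned long pfn)
{
    if (sticky[pfn])
        return -1;
    pool[pfn] = PAGE_IN_USE;
    return 0;
}

/* The resilient choice: record the page, scream, never free it. */
static void leak_page(unsigned long pfn)
{
    pool[pfn] = PAGE_LEAKED;
    leaked_list[leaked_count++] = pfn;
    warn_count++;
    fprintf(stderr, "WARNING: pfn %lu stuck in firmware state, leaking it\n", pfn);
}

/* Stand-in for the ioctl handler; pfns come from untrusted userspace. */
static int launch_update(const unsigned long *pfns, int npages)
{
    /* Reject bad input before the firmware has touched anything. */
    for (int i = 0; i < npages; i++)
        if (pfns[i] >= POOL_PAGES || pool[pfns[i]] != PAGE_IN_USE)
            return EINVAL_RET;

    for (int i = 0; i < npages; i++) {
        int ret = fw_launch_update(pfns[i]);
        if (!ret)
            continue;            /* page is now legitimately firmware-owned */
        /* Command failed: try to take the page back. If that fails too,
         * quarantine it rather than panic or return it to the pool. */
        if (fw_page_reclaim(pfns[i]))
            leak_page(pfns[i]);
        return ret;              /* error propagates to userspace, no panic */
    }
    return 0;
}

int main(void)
{
    unsigned long pfns[3];

    reset_pool();
    for (int i = 0; i < 3; i++)
        pfns[i] = (unsigned long)alloc_page();
    sticky[1] = true;            /* make pfn 1 unreclaimable */

    int ret = launch_update(pfns, 3);
    printf("ret=%d leaked=%d warnings=%d\n", ret, leaked_count, warn_count);
    printf("pfn 1 handed out again? %s\n", alloc_page() == 1 ? "yes" : "no");
    return 0;
}
```

The point of the simulation is the ordering in launch_update(): validation of the user-supplied page list happens before any firmware transition, a failed command is followed by a reclaim attempt, and only a failed reclaim lands the page on the quarantine list, where the allocator will never see it again. The caller gets an error code either way; the host keeps running.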