Commit e4b5a7c5 authored Jul 28, 2023 by Sean Christopherson Committed by Yu Zhang May 28, 2024

KVM: x86/mmu: Harden TDP MMU iteration against root w/o shadow page

mainline inclusion
from mainline-v6.5-rc1
commit 2c6d4c27
category: feature
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I9HH9U
CVE: N/A
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2c6d4c27b92d729a2831df2a873ba6b5f682f435

-------------------------------------

Explicitly check that tdp_iter_start() is handed a valid shadow page
to harden KVM against bugs, e.g. if KVM calls into the TDP MMU with an
invalid or shadow MMU root (which would be a fatal KVM bug), the shadow
page pointer will be NULL.

Opportunistically stop the TDP MMU iteration instead of continuing on
with garbage if the incoming root is bogus.  Attempting to walk a garbage
root is more likely to caused major problems than doing nothing.

Cc: Yu Zhang <yu.c.zhang@linux.intel.com>
Link: https://lore.kernel.org/r/20230729005200.1057358-4-seanjc@google.com


Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Conflicts:
	arch/x86/kvm/mmu/tdp_iter.c
Signed-off-by: Yu Zhang <yu.c.zhang@linux.intel.com>

parent 2a8c0ebd

arch/x86/kvm/mmu/tdp_iter.c

+6 −5

Original line number	Diff line number	Diff line
		@@ -38,13 +38,14 @@ void tdp_iter_restart(struct tdp_iter *iter)
		void tdp_iter_start(struct tdp_iter iter, struct kvm_mmu_page root,
		int min_level, gfn_t next_last_level_gfn)
		{
		int root_level = root->role.level;

		WARN_ON(root_level < 1);
		WARN_ON(root_level > PT64_ROOT_MAX_LEVEL);
		if (WARN_ON_ONCE(!root \|\| (root->role.level < 1) \|\|
		(root->role.level > PT64_ROOT_MAX_LEVEL))) {
		iter->valid = false;
		return;
		}

		iter->next_last_level_gfn = next_last_level_gfn;
		iter->root_level = root_level;
		iter->root_level = root->role.level;
		iter->min_level = min_level;
		iter->pt_path[iter->root_level - 1] = (tdp_ptep_t)root->spt;
		iter->as_id = kvm_mmu_page_as_id(root);