• Suzuki K Poulose's avatar
    kvm: arm/arm64: Fix use after free of stage2 page table · f93cbcb9
    Suzuki K Poulose authored
    commit 0c428a6a upstream.
    
    We yield the kvm->mmu_lock occassionaly while performing an operation
    (e.g, unmap or permission changes) on a large area of stage2 mappings.
    However this could possibly cause another thread to clear and free up
    the stage2 page tables while we were waiting for regaining the lock and
    thus the original thread could end up in accessing memory that was
    freed. This patch fixes the problem by making sure that the stage2
    pagetable is still valid after we regain the lock. The fact that
    mmu_notifer->release() could be called twice (via __mmu_notifier_release
    and mmu_notifier_unregsister) enhances the possibility of hitting
    this race where there are two threads trying to unmap the entire guest
    shadow pages.
    
    While at it, cleanup the redudant checks around cond_resched_lock in
    stage2_wp_range(), as cond_resched_lock already does the same checks.
    
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Radim Krčmář <rkrcmar@redhat.com>
    Cc: andreyknvl@google.com
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Acked-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
    Reviewed-by: default avatarChristoffer Dall <cdall@linaro.org>
    Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
    [bwh: Backported to 3.16:
     - unmap_range() is also used for hypervisor page tables, so make the check
       condition on kvm != NULL
     - s/READ_ONCE/ACCESS_ONCE/
     - Drop change to stage2_wp_range()
     - Adjust filename]
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    f93cbcb9
mmu.c 33 KB