RE: [PATCH] virt: acrn: obtain pa from VMA with PFNMAP flag

From: Huang, Yonghua
Date: Wed Sep 21 2022 - 08:24:05 EST


Hi Daniel,

Thank you for this info, we will fix this issue.

Almost miss this mail, sorry!

-Yonghua

> -----Original Message-----
> From: Daniel Vetter <daniel@xxxxxxxx>
> Sent: Wednesday, August 10, 2022 20:20
> To: Huang, Yonghua <yonghua.huang@xxxxxxxxx>
> Cc: gregkh@xxxxxxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
> stable@xxxxxxxxxxxxxxx; Chatre, Reinette <reinette.chatre@xxxxxxxxx>; Wang,
> Zhi A <zhi.a.wang@xxxxxxxxx>; Wang, Yu1 <yu1.wang@xxxxxxxxx>; Li, Fei1
> <fei1.li@xxxxxxxxx>; Linux MM <linux-mm@xxxxxxxxx>; DRI Development <dri-
> devel@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: [PATCH] virt: acrn: obtain pa from VMA with PFNMAP flag
>
> On Mon, Feb 28, 2022 at 05:22:12AM +0300, Yonghua Huang wrote:
> > acrn_vm_ram_map can't pin the user pages with VM_PFNMAP flag by
> > calling get_user_pages_fast(), the PA(physical pages) may be mapped
> > by kernel driver and set PFNMAP flag.
> >
> > This patch fixes logic to setup EPT mapping for PFN mapped RAM region
> > by checking the memory attribute before adding EPT mapping for them.
> >
> > Fixes: 88f537d5e8dd ("virt: acrn: Introduce EPT mapping management")
> > Signed-off-by: Yonghua Huang <yonghua.huang@xxxxxxxxx>
> > Signed-off-by: Fei Li <fei1.li@xxxxxxxxx>
> > ---
> > drivers/virt/acrn/mm.c | 24 ++++++++++++++++++++++++
> > 1 file changed, 24 insertions(+)
> >
> > diff --git a/drivers/virt/acrn/mm.c b/drivers/virt/acrn/mm.c index
> > c4f2e15c8a2b..3b1b1e7a844b 100644
> > --- a/drivers/virt/acrn/mm.c
> > +++ b/drivers/virt/acrn/mm.c
> > @@ -162,10 +162,34 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct
> acrn_vm_memmap *memmap)
> > void *remap_vaddr;
> > int ret, pinned;
> > u64 user_vm_pa;
> > + unsigned long pfn;
> > + struct vm_area_struct *vma;
> >
> > if (!vm || !memmap)
> > return -EINVAL;
> >
> > + mmap_read_lock(current->mm);
> > + vma = vma_lookup(current->mm, memmap->vma_base);
> > + if (vma && ((vma->vm_flags & VM_PFNMAP) != 0)) {
> > + if ((memmap->vma_base + memmap->len) > vma->vm_end) {
> > + mmap_read_unlock(current->mm);
> > + return -EINVAL;
> > + }
> > +
> > + ret = follow_pfn(vma, memmap->vma_base, &pfn);
>
> This races, don't use follow_pfn() and most definitely don't add new users. In
> some cases follow_pte, but the pte/pfn is still only valid for as long as you hold
> the pte spinlock.
>
> > + mmap_read_unlock(current->mm);
>
> Definitely after here there's zero guarantees about this pfn and it could point at
> anything.
>
> Please fix, I tried pretty hard to get rid of follow_pfn(), but some of them are
> just too hard to fix (e.g. kvm needs a pretty hug rewrite to get it all sorted).
>
> Cheers, Daniel
>
> > + if (ret < 0) {
> > + dev_dbg(acrn_dev.this_device,
> > + "Failed to lookup PFN at VMA:%pK.\n", (void
> *)memmap->vma_base);
> > + return ret;
> > + }
> > +
> > + return acrn_mm_region_add(vm, memmap->user_vm_pa,
> > + PFN_PHYS(pfn), memmap->len,
> > + ACRN_MEM_TYPE_WB, memmap->attr);
> > + }
> > + mmap_read_unlock(current->mm);
> > +
> > /* Get the page number of the map region */
> > nr_pages = memmap->len >> PAGE_SHIFT;
> > pages = vzalloc(nr_pages * sizeof(struct page *));
> >
> > base-commit: 73878e5eb1bd3c9656685ca60bc3a49d17311e0c
> > --
> > 2.25.1
> >
>
> --
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch