[PATCH 0/3] KVM: arm64: nv: Shadow ptdump fixes
From: Wei-Lin Chang
Date: Tue Jun 23 2026 - 10:25:42 EST
Hi,
This series fixes two bugs regarding the shadow ptdump debugfs files.
It is based on kvmarm/fixes + [1] ("KVM: arm64: Reassign nested_mmus
array behind mmu_lock").
The first is a UAF. A nested mmu can still be accessed when the debugfs
file is being closed, after the nested mmus are freed. I can observe
this by turning on CONFIG_KASAN and closing the file after the VM is
destroyed. To fix this, mmu access is avoided in the .release()
callback.
The second is sleeping in atomic context, found by Itaru [2] (thanks).
Originally, the code created a debugfs file whenever a context got bound
to an s2 mmu instance, and deleted it when it got unbound. The problem is
that the bind/unbind is done with the mmu_lock held, and debugfs file
creation and deletion can sleep. This is observable by using
CONFIG_DEBUG_ATOMIC_SLEEP. The new approach is to just have one debugfs
file for each s2 mmu instance, and show its state + information when
requested, which can be invalid, or VTCR + VTTBR + whether s2 is enabled +
ptdump.
The fixes are tested with CONFIG_PROVE_LOCKING,
CONFIG_DEBUG_ATOMIC_SLEEP, and CONFIG_KASAN.
Thanks!
Wei-Lin Chang
[1]: https://lore.kernel.org/kvmarm/aiKIVVeIr1aAB1yp@v4bel/
[2]: https://lore.kernel.org/kvmarm/aiuF0KSvvv-ZozI1@sm-arm-grace07/
Wei-Lin Chang (3):
KVM: arm64: nv: Print nested mmu info in kvm_ptdump_guest_show()
KVM: arm64: ptdump: Store both mmu and kvm pointers in kvm_ptdump_guest_state
KVM: arm64: nv: Move to per nested mmu ptdump files
arch/arm64/kvm/nested.c | 16 +++++++++++-----
arch/arm64/kvm/ptdump.c | 29 +++++++++++++++++++----------
2 files changed, 30 insertions(+), 15 deletions(-)
--
2.43.0