Re: [PATCH v2 5/5] Drivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted
From: Kuppuswamy Sathyanarayanan
Date: Tue Mar 12 2024 - 11:17:31 EST
On 3/11/24 9:15 AM, mhkelley58@xxxxxxxxx wrote:
> From: Michael Kelley <mhklinux@xxxxxxxxxxx>
>
> In CoCo VMs it is possible for the untrusted host to cause
> set_memory_encrypted() or set_memory_decrypted() to fail such that an
> error is returned and the resulting memory is shared. Callers need to
> take care to handle these errors to avoid returning decrypted (shared)
> memory to the page allocator, which could lead to functional or security
> issues.
>
> The VMBus ring buffer code could free decrypted/shared pages if
> set_memory_decrypted() fails. Check the decrypted field in the struct
> vmbus_gpadl for the ring buffers to decide whether to free the memory.
>
> Signed-off-by: Michael Kelley <mhklinux@xxxxxxxxxxx>
> ---
Looks good to me.
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx>
> drivers/hv/channel.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
> index bb5abdcda18f..47e1bd8de9fc 100644
> --- a/drivers/hv/channel.c
> +++ b/drivers/hv/channel.c
> @@ -153,7 +153,9 @@ void vmbus_free_ring(struct vmbus_channel *channel)
> hv_ringbuffer_cleanup(&channel->inbound);
>
> if (channel->ringbuffer_page) {
> - __free_pages(channel->ringbuffer_page,
> + /* In a CoCo VM leak the memory if it didn't get re-encrypted */
> + if (!channel->ringbuffer_gpadlhandle.decrypted)
> + __free_pages(channel->ringbuffer_page,
> get_order(channel->ringbuffer_pagecount
> << PAGE_SHIFT));
> channel->ringbuffer_page = NULL;
--
Sathyanarayanan Kuppuswamy
Linux Kernel Developer