From 19424168db55715a7ba3f00505ac9b9f19fd3705 Mon Sep 17 00:00:00 2001 From: Quentin Perret Date: Fri, 14 Oct 2022 14:25:43 +0000 Subject: [PATCH] ANDROID: KVM: arm64: Force CMOs with FWB when reclaiming guest pages __clean_dcache_guest_page() is optimized to elide cache maintenance operations on CPUs with FWB. The underlying assumption is that FWB is always used by KVM when available. Although correct in the normal KVM world, pKVM actively disables FWB for the host stage-2. As such, omitting CMOs when guest memory is being reclaimed may provide a malicious host with the ability to read the content of the recently reclaimed pages. Fix this by using the lower level kvm_flush_dcache_to_poc() helper directly from the reclaim path. Bug: 243501419 Reported-by: Will Deacon Signed-off-by: Quentin Perret Change-Id: I8e96ef7a8ccab2a59d3df46cd4d1a73190a2f457 --- arch/arm64/kvm/hyp/nvhe/mem_protect.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c index 6ca172ac3445..810436d85608 100644 --- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c @@ -1915,7 +1915,14 @@ static int hyp_zero_page(phys_addr_t phys) if (!addr) return -EINVAL; memset(addr, 0, PAGE_SIZE); - __clean_dcache_guest_page(addr, PAGE_SIZE); + /* + * Prefer kvm_flush_dcache_to_poc() over __clean_dcache_guest_page() + * here as the latter may elide the CMO under the assumption that FWB + * will be enabled on CPUs that support it. This is incorrect for the + * host stage-2 and would otherwise lead to a malicious host potentially + * being able to read the content of newly reclaimed guest pages. + */ + kvm_flush_dcache_to_poc(addr, PAGE_SIZE); return hyp_fixmap_unmap(); }
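Review bot: the fix is limited to the single call in hyp_zero_page(), while the rationale stated in the commit message and in the new comment (pKVM disables FWB for the host stage-2, so the elision inside __clean_dcache_guest_page() is unsafe for any page the hypervisor hands back to the host) applies to every nvhe path that cleans memory destined for the host, so please confirm there are no other __clean_dcache_guest_page() callers on the host stage-2 reclaim path in arch/arm64/kvm/hyp/nvhe/mem_protect.c before this lands. To keep the constraint from being reintroduced by a future caller, consider also documenting it at the definition of __clean_dcache_guest_page() (or adding a helper such as a hypothetical hyp-side "clean for host" wrapper around kvm_flush_dcache_to_poc()) rather than relying on the comment in this one function; the comment itself reads well, though naming pKVM explicitly, as the commit message does, would make clear why the FWB assumption fails here. Since kvm_flush_dcache_to_poc() performs the maintenance unconditionally, the zeroed contents are pushed to the point of coherency on every CPU regardless of FWB, which is the intended defensive behaviour for reclaimed guest pages.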