virt: sev-guest: Do not use host-controlled page order in cleanup path

When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST),
get_ext_report() allocates a buffer to retrieve a certificate blob from the
host, keeping track of its size in report_req->certs_len.

However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating
an invalid buffer size, as well as the expected length of such buffer.
get_ext_report() subsequently updates report_req->certs_len with the
host-controlled value, and cleans up the buffer by computing a page order
from such value. This is incorrect, as the host-provided length may not
match the page order of the original allocation, potentially resulting
in corruption in the page allocator.

Fix this by using alloc_pages_exact() instead, and reusing @npages to
compute the size passed to free_pages_exact(). For consistency, also
use @npages to compute the size when allocating the pages, even though
this last change has no functional effect.

Fixes: 3e385c0d6ce8 ("virt: sev-guest: Move SNP Guest Request data pages handling under snp_cmd_mutex")
Signed-off-by: Carlos López <clopez@suse.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Michael Roth <michael.roth@amd.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/sev-guest/sev-guest.c
index e001e6769a43fc891db9c2e1f71c36e4bf7f6951..910a1de0d5a72f2e96200543c12ce4a4f5d67acc 100644 (file)
--- a/drivers/virt/coco/sev-guest/sev-guest.c
+++ b/drivers/virt/coco/sev-guest/sev-guest.c
@@ -176,7 +176,6 @@ static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_reques
        struct snp_guest_req req = {};
        int ret, npages = 0, resp_len;
        sockptr_t certs_address;
-       struct page *page;
 
        if (sockptr_is_null(io->req_data) || sockptr_is_null(io->resp_data))
                return -EINVAL;
@@ -211,16 +210,15 @@ static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_reques
         * zeros to indicate that certificate data was not provided.
         */
        npages = report_req->certs_len >> PAGE_SHIFT;
-       page = alloc_pages(GFP_KERNEL_ACCOUNT | __GFP_ZERO,
-                          get_order(report_req->certs_len));
-       if (!page)
+       req.certs_data = alloc_pages_exact(npages << PAGE_SHIFT,
+                                          GFP_KERNEL_ACCOUNT | __GFP_ZERO);
+       if (!req.certs_data)
                return -ENOMEM;
 
-       req.certs_data = page_address(page);
        ret = set_memory_decrypted((unsigned long)req.certs_data, npages);
        if (ret) {
                pr_err("failed to mark page shared, ret=%d\n", ret);
-               __free_pages(page, get_order(report_req->certs_len));
+               free_pages_exact(req.certs_data, npages << PAGE_SHIFT);
                return -EFAULT;
        }
 
@@ -277,7 +275,7 @@ e_free_data:
                if (set_memory_encrypted((unsigned long)req.certs_data, npages))
                        WARN_ONCE(ret, "failed to restore encryption mask (leak it)\n");
                else
-                       __free_pages(page, get_order(report_req->certs_len));
+                       free_pages_exact(req.certs_data, npages << PAGE_SHIFT);
        }
        return ret;
 }