From: Marcelo Tosatti <marcelo-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org>
To: Avi Kivity <avi-atKUWr5tajBWk0Htik3J/w@public.gmane.org>
Cc: kvm-devel <kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>
Subject: [PATCH] Fix SMP shadow instantiation race
Date: Mon, 10 Dec 2007 11:19:07 -0500
Message-ID: <20071210161907.GA13917@dmt>


There is a race where VCPU0 is shadowing a pagetable entry while VCPU1
is updating it, which results in a stale shadow copy.

Fix that by comparing the contents of the cached guest pte with the
current guest pte after write-protecting the guest pagetable.

Attached program kvm_shadow_race.c demonstrates the problem.

Signed-off-by: Marcelo Tosatti <mtosatti-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>


diff --git a/drivers/kvm/paging_tmpl.h b/drivers/kvm/paging_tmpl.h
index 72d4816..4fece01 100644
--- a/drivers/kvm/paging_tmpl.h
+++ b/drivers/kvm/paging_tmpl.h
@@ -66,6 +66,7 @@ struct guest_walker {
 	int level;
 	gfn_t table_gfn[PT_MAX_FULL_LEVELS];
 	pt_element_t pte;
+	gpa_t pte_gpa;
 	unsigned pt_access;
 	unsigned pte_access;
 	gfn_t gfn;
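Review bot: the new pte_gpa field carries no comment, and its purpose only becomes clear from the later fetch() change; a one-line comment stating that it is the guest-physical address from which walker->pte was read, and that the pair is used to re-validate the cached pte, would help anyone reading struct guest_walker on its own.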
@@ -212,6 +213,7 @@ walk:
 	}
 
 	walker->pte = pte;
+	walker->pte_gpa = pte_gpa;
 	walker->pt_access = pt_access;
 	walker->pte_access = pte_access;
 	pgprintk("%s: pte %llx pte_access %x pt_access %x\n",
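Review bot: walker->pte_gpa is assigned from a pte_gpa local that is not visible in this hunk; for the re-check in fetch() to be meaningful it must be the address of exactly the entry whose value is stored in walker->pte on the line above. Worth confirming that every path reaching this assignment leaves pte_gpa and pte referring to the same guest entry.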
@@ -267,6 +269,7 @@ static u64 *FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
 	int level;
 	u64 *shadow_ent;
 	unsigned access = walker->pt_access;
+	pt_element_t curr_pte;
 
 	if (!is_present_pte(walker->pte))
 		return NULL;
@@ -316,6 +319,11 @@ static u64 *FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
 		*shadow_ent = shadow_pte;
 	}
 
+	kvm_read_guest(vcpu->kvm, walker->pte_gpa, &curr_pte, sizeof(curr_pte));
+
+	if (curr_pte != walker->pte)
+		return 0;
+
 	mmu_set_spte(vcpu, shadow_ent, access, walker->pte_access & access,
 		     user_fault, write_fault, walker->pte & PT_DIRTY_MASK,
 		     ptwrite, walker->gfn);
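Review bot: the return value of kvm_read_guest() is ignored; if the read fails, curr_pte is left uninitialized and the comparison against walker->pte is undefined, so the result should be checked and a failed read treated as a mismatch. Also, `return 0;` should be `return NULL;` to match the `return NULL;` already used earlier in fetch(), which returns a u64 *. A short comment here explaining why the entry is re-read at this point (another VCPU may have modified the guest pte between the walk and the write-protection of the guest page table, so the shadow entry is only populated if the cached copy still matches) would make the intent of the check clear to the next reader.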
@@ -382,10 +390,11 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr,
 	/*
 	 * mmio: emulate if accessible, otherwise its a guest fault.
 	 */
-	if (is_io_pte(*shadow_pte))
+	if (shadow_pte && is_io_pte(*shadow_pte))
 		return 1;
 
-	++vcpu->stat.pf_fixed;
+	if (shadow_pte)
+		++vcpu->stat.pf_fixed;
 	kvm_mmu_audit(vcpu, "post page fault (fixed)");
 
 	return write_pt;
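Review bot: when fetch() returns NULL because the guest pte changed underneath us, this function still calls kvm_mmu_audit(vcpu, "post page fault (fixed)") and returns write_pt, although nothing was fixed; the guest will re-fault and the walk will be retried, which appears to be the intended behaviour, but the audit string is now misleading and the retry path is silent. Consider a comment on the `if (shadow_pte)` branch stating that NULL means the guest pte was modified concurrently and the fault is simply retried, and possibly a dedicated stat counter so that the race can be observed rather than hidden inside pf_fixed.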

