From: Gleb Natapov <gleb@minantech.com>
To: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>,
kvm@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, avi@redhat.com, mingo@elte.hu,
a.p.zijlstra@chello.nl, tglx@linutronix.de, hpa@zytor.com,
riel@redhat.com, cl@linux-foundation.org
Subject: Re: [PATCH v6 04/12] Add memory slot versioning and use it to provide fast guest write interface
Date: Wed, 6 Oct 2010 22:08:36 +0200
Message-ID: <20101006200836.GC4120@minantech.com>
In-Reply-To: <20101006143847.GB31423@amt.cnet>

On Wed, Oct 06, 2010 at 11:38:47AM -0300, Marcelo Tosatti wrote:
> On Wed, Oct 06, 2010 at 01:14:17PM +0200, Gleb Natapov wrote:
> > > > +int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
> > > > + gpa_t gpa)
> > > > +{
> > > > + struct kvm_memslots *slots = kvm_memslots(kvm);
> > > > + int offset = offset_in_page(gpa);
> > > > + gfn_t gfn = gpa >> PAGE_SHIFT;
> > > > +
> > > > + ghc->gpa = gpa;
> > > > + ghc->generation = slots->generation;
>
> kvm->memslots can change here.
>
> > > > + ghc->memslot = gfn_to_memslot(kvm, gfn);
> > > > + ghc->hva = gfn_to_hva(kvm, gfn);
>
> And if so, gfn_to_memslot / gfn_to_hva will use new memslots pointer.
>
> Should dereference all values from one copy of kvm->memslots pointer.
>
Ah, I see now. Thanks! Will fix.
> > > > + if (!kvm_is_error_hva(ghc->hva))
> > > > + ghc->hva += offset;
> > > > + else
> > > > + return -EFAULT;
> > > > +
> > > > + return 0;
> > > > +}
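Review bot: `ghc->generation` is read from the `slots` snapshot taken by `kvm_memslots(kvm)` at the top of the function, but `gfn_to_memslot(kvm, gfn)` and `gfn_to_hva(kvm, gfn)` each re-read `kvm->memslots`, so a slot update landing between those reads stores the old generation beside translations taken from the new table, or a still-matching generation beside a `memslot` pointer that is about to be freed. Derive `ghc->memslot` and `ghc->hva` from the same `slots` pointer (Marcelo's suggestion of `gfn_to_hva_memslot` on the looked-up slot does this), so that a generation mismatch in `kvm_write_guest_cached()` is the only way a cached pointer can go stale. Equality on the generation is then still the only guard, so the wraparound after 2^32 `KVM_SET_USER_MEMORY_REGION` calls raised further down needs its own answer, either tracking live caches and dropping them on every slot update or a counter wide enough not to wrap. Minor: on the `-EFAULT` path `ghc->memslot` and `ghc->hva` keep whatever the lookups returned; clearing them would stop a later `kvm_write_guest_cached()` on a half-initialised cache from reusing them.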
> > >
> > > Should use a unique kvm_memslots structure for the cache entry, since it
> > > can change in between (use gfn_to_hva_memslot, etc on "slots" pointer).
> > >
> > I do not understand what you mean here. The kvm_memslots structure itself
> > is not cached; only the various translations that use it are cached. Translation
> > results are never used if kvm_memslots was changed.
>
> > > Also should zap any cached entries on overflow, otherwise malicious
> > > userspace could make use of stale slots:
> > >
> > There is only one cached entry at any given time. A user who wants to
> > write into guest memory often defines a gfn_to_hva_cache variable
> > somewhere, inits it with kvm_gfn_to_hva_cache_init() and then calls
> > kvm_write_guest_cached() on it. If there were no slot changes in between,
> > the cached translations are used. Otherwise the cache is recalculated.
>
> Malicious userspace can cause an entry to be cached, then ioctl
> SET_USER_MEMORY_REGION 2^32 times; the generation number will match, and
> mark_page_dirty_in_slot will be called with a pointer to freed memory.
>
Hmm. To zap all cached entries on overflow we need to track them. If we
track them, then we can zap them on each slot update and drop "generation"
entirely.
--
Gleb.
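The cache mechanism discussed in this message (init records gpa, generation, memslot and hva; the cached write reuses them while the generation still matches), Marcelo's two objections and Gleb's tracking proposal, as an added example in C. This is not code from the thread or from KVM: it is a user-space model whose struct and function names follow the quoted patch, while `gen_step`, `MODEL_STALE_SLOT`, the `pool`/`caches` arrays and `cached_write_after_updates` are the model's own inventions, and no kernel API is used. Replaced slot tables are kept mapped in a pool so that the stale-pointer check is well defined instead of a real use-after-free.

```c
/* Added example, not KVM code: a user-space model of the memslot-generation cache
 * debated in this thread. Names follow the quoted patch, the structures are simplified,
 * and replaced tables stay mapped (the kernel frees them) so the stale check is defined. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define NR_SLOTS   2
#define MAX_TRACK  8
#define MODEL_STALE_SLOT (-1000)  /* stand-in for the kernel's use-after-free */
typedef uint64_t gpa_t, gfn_t;
struct memslot { gfn_t base_gfn; unsigned long npages; unsigned char *userspace_addr; };
struct memslots { uint32_t generation; struct memslot slots[NR_SLOTS]; };  /* u32, as in the patch */
struct gfn_to_hva_cache { gpa_t gpa; uint32_t generation; struct memslot *memslot; unsigned char *hva; };
struct vm {
    struct memslots *memslots;                   /* current table, replaced wholesale on update */
    struct memslots pool[MAX_TRACK];             /* old tables stay here; the kernel would free them */
    struct gfn_to_hva_cache *caches[MAX_TRACK];  /* registry for the zap-on-update variant */
    int nused, ncaches;
};

static struct memslot *gfn_to_memslot(struct memslots *slots, gfn_t gfn)
{
    for (int i = 0; i < NR_SLOTS; i++)  /* unsigned subtraction also rejects gfn < base_gfn */
        if (slots->slots[i].npages && gfn - slots->slots[i].base_gfn < slots->slots[i].npages)
            return &slots->slots[i];
    return NULL;
}

/* Marcelo's first point: derive every field from ONE snapshot of vm->memslots, so a
 * concurrent update cannot pair an old generation with translations from the new table. */
int gfn_to_hva_cache_init(struct vm *vm, struct gfn_to_hva_cache *ghc, gpa_t gpa)
{
    struct memslots *slots = vm->memslots;
    gfn_t gfn = gpa >> PAGE_SHIFT;
    struct memslot *s = gfn_to_memslot(slots, gfn);
    ghc->gpa = gpa;
    ghc->generation = slots->generation;
    ghc->memslot = s;
    if (!s)
        return -EFAULT;
    ghc->hva = s->userspace_addr + ((gfn - s->base_gfn) << PAGE_SHIFT) + (gpa & (PAGE_SIZE - 1));
    return 0;
}

/* Address-only check, nothing is dereferenced: does the cached slot lie outside the current table? */
static int slot_is_stale(const struct vm *vm, const struct memslot *s)
{
    uintptr_t lo = (uintptr_t)vm->memslots->slots, p = (uintptr_t)s;
    return p < lo || p >= lo + sizeof(vm->memslots->slots);
}

/* Fast path from the patch: reuse the translation while the generation matches and the
 * cache has not been zapped, otherwise recompute it first. */
int kvm_write_guest_cached(struct vm *vm, struct gfn_to_hva_cache *ghc, const void *data, size_t len)
{
    if (!ghc->memslot || ghc->generation != vm->memslots->generation)
        if (gfn_to_hva_cache_init(vm, ghc, ghc->gpa))
            return -EFAULT;
    if (slot_is_stale(vm, ghc->memslot))
        return MODEL_STALE_SLOT;  /* the kernel would touch freed memory here */
    memcpy(ghc->hva, data, len);  /* mark_page_dirty_in_slot(ghc->memslot, ...) would follow */
    return 0;
}

/* Model of KVM_SET_USER_MEMORY_REGION. The real ioctl advances the generation by 1; gen_step
 * lets a few calls stand in for 2^32 ioctls. zap invalidates every registered cache on each
 * update, the tracking Gleb proposes, which makes the generation comparison unnecessary. */
int set_user_memory_region(struct vm *vm, int idx, gfn_t base_gfn, unsigned long npages,
                           unsigned char *addr, uint32_t gen_step, int zap)
{
    struct memslots *old = vm->memslots, *fresh;
    if (vm->nused == MAX_TRACK)
        return -ENOMEM;                              /* model pool exhausted */
    fresh = &vm->pool[vm->nused++];
    *fresh = *old;
    fresh->slots[idx] = (struct memslot){ base_gfn, npages, addr };
    fresh->generation = old->generation + gen_step;  /* wraps modulo 2^32 */
    vm->memslots = fresh;                            /* kernel: kfree(old) after the RCU grace period */
    for (int i = 0; zap && i < vm->ncaches; i++)
        vm->caches[i]->memslot = NULL;
    return 0;
}

/* Scenario: cache one translation, apply n_updates slot changes of gen_step each, then write
 * through the cache. Returns 0 if the translation was refreshed or still valid and
 * MODEL_STALE_SLOT if a matching generation let a dangling slot pointer through. */
int cached_write_after_updates(int n_updates, uint32_t gen_step, int zap)
{
    static unsigned char backing[2 * PAGE_SIZE];  /* constructed host memory behind a 2-page slot */
    struct vm vm = { 0 };
    struct gfn_to_hva_cache ghc = { 0 };
    unsigned char byte = 0x5a;
    vm.memslots = &vm.pool[vm.nused++];           /* generation 0, no slots */
    int ret = set_user_memory_region(&vm, 0, 0x100, 2, backing, 1, zap);
    vm.caches[vm.ncaches++] = &ghc;
    if (!ret)
        ret = gfn_to_hva_cache_init(&vm, &ghc, ((gpa_t)0x101 << PAGE_SHIFT) | 0x10);
    for (int i = 0; !ret && i < n_updates; i++)
        ret = set_user_memory_region(&vm, 0, 0x100, 2, backing, gen_step, zap);
    return ret ? ret : kvm_write_guest_cached(&vm, &ghc, &byte, 1);
}
```

With `gen_step` of 1 and a single update, the generation differs and the write re-initialises the cache from the new table. Four updates of 2^30 each reproduce Marcelo's 2^32 ioctls: the 32-bit generation wraps back to the cached value, the fast path trusts it, and the slot pointer it dereferences belongs to a table the kernel would already have freed. With `zap` set, the registry clears each cache on every update, so the same sequence re-initialises instead of reusing the dangling pointer.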