From: Wei Yang <richard.weiyang@huawei.com>
To: Greg Kurz <gkurz@linux.vnet.ibm.com>
Cc: Wei Yang <richard.weiyang@huawei.com>,
Paolo Bonzini <pbonzini@redhat.com>, <james.hogan@imgtec.com>,
<mingo@redhat.com>, <linux-mips@linux-mips.org>,
<kvm@vger.kernel.org>, <rkrcmar@redhat.com>,
<linux-kernel@vger.kernel.org>,
David Hildenbrand <dahi@linux.vnet.ibm.com>,
<qemu-ppc@nongnu.org>, Cornelia Huck <cornelia.huck@de.ibm.com>,
"Paul Mackerras" <paulus@samba.org>,
David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH v4 2/2] KVM: move vcpu id checking to archs
Date: Sat, 23 Apr 2016 08:51:24 +0800 [thread overview]
Message-ID: <20160423005124.GB1718@linux-gk3p> (raw)
In-Reply-To: <20160422113045.14560b66@bahia.huguette.org>
On Fri, Apr 22, 2016 at 11:30:45AM +0200, Greg Kurz wrote:
>On Fri, 22 Apr 2016 17:21:03 +0800
>Wei Yang <richard.weiyang@huawei.com> wrote:
>
>> Hi, Greg
>>
>
>Hi Wei !
>
>> One confusion.
>>
>> There are 5 kvm_arch_vcpu_create() while in this patch you changed 2 of them.
>> Some particular reason?
>>
>
>Yes and the reason is given in the changelog:
>- ARM and s390 already have such a check
>- PowerPC can live without this check
>- this patch simply moves the check to MIPS and x86
>
>Does it clarify ?
>
Sure, thanks :-)
>Cheers.
>
>--
>Greg
>
>> On Thu, Apr 21, 2016 at 04:20:53PM +0200, Greg Kurz wrote:
>> >Commit 338c7dbadd26 ("KVM: Improve create VCPU parameter (CVE-2013-4587)")
>> >introduced a check to prevent potential kernel memory corruption in case
>> >the vcpu id is too great.
>> >
>> >Unfortunately this check assumes vcpu ids grow in sequence with a common
>> >difference of 1, which is wrong: archs are free to use vcpu id as they fit.
>> >For example, QEMU originated vcpu ids for PowerPC cpus running in boot3s_hv
>> >mode, can grow with a common difference of 2, 4 or 8: if KVM_MAX_VCPUS is
>> >1024, guests may be limited down to 128 vcpus on POWER8.
>> >
>> >This means the check does not belong here and should be moved to some arch
>> >specific function: kvm_arch_vcpu_create() looks like a good candidate.
>> >
>> >ARM and s390 already have such a check.
>> >
>> >I could not spot any path in the PowerPC or common KVM code where a vcpu
>> >id is used as described in the above commit: I believe PowerPC can live
>> >without this check.
>> >
>> >In the end, this patch simply moves the check to MIPS and x86. While here,
>> >we also update the documentation to dissociate vcpu ids from the maximum
>> >number of vcpus per virtual machine.
>> >
>> >Acked-by: James Hogan <james.hogan@imgtec.com>
>> >Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
>> >Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
>> >---
>> >v4: - updated subject for more clarity on what the patch does
>> > - added James's and Connie's A-b tags
>> > - updated documentation
>> >
>> > Documentation/virtual/kvm/api.txt | 7 +++----
>> > arch/mips/kvm/mips.c | 7 ++++++-
>> > arch/x86/kvm/x86.c | 3 +++
>> > virt/kvm/kvm_main.c | 3 ---
>> > 4 files changed, 12 insertions(+), 8 deletions(-)
>> >
>> >diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
>> >index 4d0542c5206b..486a1d783b82 100644
>> >--- a/Documentation/virtual/kvm/api.txt
>> >+++ b/Documentation/virtual/kvm/api.txt
>> >@@ -199,11 +199,10 @@ Type: vm ioctl
>> > Parameters: vcpu id (apic id on x86)
>> > Returns: vcpu fd on success, -1 on error
>> >
>> >-This API adds a vcpu to a virtual machine. The vcpu id is a small integer
>> >-in the range [0, max_vcpus).
>> >+This API adds a vcpu to a virtual machine. The vcpu id is a positive integer.
>> >
>> >-The recommended max_vcpus value can be retrieved using the KVM_CAP_NR_VCPUS of
>> >-the KVM_CHECK_EXTENSION ioctl() at run-time.
>> >+The recommended maximum number of vcpus (max_vcpus) can be retrieved using the
>> >+KVM_CAP_NR_VCPUS of the KVM_CHECK_EXTENSION ioctl() at run-time.
>> > The maximum possible value for max_vcpus can be retrieved using the
>> > KVM_CAP_MAX_VCPUS of the KVM_CHECK_EXTENSION ioctl() at run-time.
>> >
>> >diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
>> >index 70ef1a43c114..0278ea146db5 100644
>> >--- a/arch/mips/kvm/mips.c
>> >+++ b/arch/mips/kvm/mips.c
>> >@@ -248,9 +248,14 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
>> > int err, size, offset;
>> > void *gebase;
>> > int i;
>> >+ struct kvm_vcpu *vcpu;
>> >
>> >- struct kvm_vcpu *vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL);
>> >+ if (id >= KVM_MAX_VCPUS) {
>> >+ err = -EINVAL;
>> >+ goto out;
>> >+ }
>> >
>> >+ vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL);
>> > if (!vcpu) {
>> > err = -ENOMEM;
>> > goto out;
>> >diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
>> >index 9b7798c7b210..7738202edcce 100644
>> >--- a/arch/x86/kvm/x86.c
>> >+++ b/arch/x86/kvm/x86.c
>> >@@ -7358,6 +7358,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm,
>> > {
>> > struct kvm_vcpu *vcpu;
>> >
>> >+ if (id >= KVM_MAX_VCPUS)
>> >+ return ERR_PTR(-EINVAL);
>> >+
>> > if (check_tsc_unstable() && atomic_read(&kvm->online_vcpus) != 0)
>> > printk_once(KERN_WARNING
>> > "kvm: SMP vm created on host with unstable TSC; "
>> >diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
>> >index 4fd482fb9260..6b6cca3cb488 100644
>> >--- a/virt/kvm/kvm_main.c
>> >+++ b/virt/kvm/kvm_main.c
>> >@@ -2272,9 +2272,6 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
>> > int r;
>> > struct kvm_vcpu *vcpu;
>> >
>> >- if (id >= KVM_MAX_VCPUS)
>> >- return -EINVAL;
>> >-
>> > vcpu = kvm_arch_vcpu_create(kvm, id);
>> > if (IS_ERR(vcpu))
>> > return PTR_ERR(vcpu);
>> >
>> >--
>> >To unsubscribe from this list: send the line "unsubscribe kvm" in
>> >the body of a message to majordomo@vger.kernel.org
>> >More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
--
Richard Yang\nHelp you, Help me
WARNING: multiple messages have this Message-ID (diff)
From: Wei Yang <richard.weiyang@huawei.com>
To: Greg Kurz <gkurz@linux.vnet.ibm.com>
Cc: Wei Yang <richard.weiyang@huawei.com>,
Paolo Bonzini <pbonzini@redhat.com>,
james.hogan@imgtec.com, mingo@redhat.com,
linux-mips@linux-mips.org, kvm@vger.kernel.org,
rkrcmar@redhat.com, linux-kernel@vger.kernel.org,
David Hildenbrand <dahi@linux.vnet.ibm.com>,
qemu-ppc@nongnu.org, Cornelia Huck <cornelia.huck@de.ibm.com>,
Paul Mackerras <paulus@samba.org>,
David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH v4 2/2] KVM: move vcpu id checking to archs
Date: Sat, 23 Apr 2016 08:51:24 +0800 [thread overview]
Message-ID: <20160423005124.GB1718@linux-gk3p> (raw)
Message-ID: <20160423005124.bq_ub8OMNV7c55xvgOgn3NqRgSTsGP6hmVIPDXZ8OEc@z> (raw)
In-Reply-To: <20160422113045.14560b66@bahia.huguette.org>
On Fri, Apr 22, 2016 at 11:30:45AM +0200, Greg Kurz wrote:
>On Fri, 22 Apr 2016 17:21:03 +0800
>Wei Yang <richard.weiyang@huawei.com> wrote:
>
>> Hi, Greg
>>
>
>Hi Wei !
>
>> One confusion.
>>
>> There are 5 kvm_arch_vcpu_create() while in this patch you changed 2 of them.
>> Some particular reason?
>>
>
>Yes and the reason is given in the changelog:
>- ARM and s390 already have such a check
>- PowerPC can live without this check
>- this patch simply moves the check to MIPS and x86
>
>Does it clarify ?
>
Sure, thanks :-)
>Cheers.
>
>--
>Greg
>
>> On Thu, Apr 21, 2016 at 04:20:53PM +0200, Greg Kurz wrote:
>> >Commit 338c7dbadd26 ("KVM: Improve create VCPU parameter (CVE-2013-4587)")
>> >introduced a check to prevent potential kernel memory corruption in case
>> >the vcpu id is too great.
>> >
>> >Unfortunately this check assumes vcpu ids grow in sequence with a common
>> >difference of 1, which is wrong: archs are free to use vcpu id as they fit.
>> >For example, QEMU originated vcpu ids for PowerPC cpus running in boot3s_hv
>> >mode, can grow with a common difference of 2, 4 or 8: if KVM_MAX_VCPUS is
>> >1024, guests may be limited down to 128 vcpus on POWER8.
>> >
>> >This means the check does not belong here and should be moved to some arch
>> >specific function: kvm_arch_vcpu_create() looks like a good candidate.
>> >
>> >ARM and s390 already have such a check.
>> >
>> >I could not spot any path in the PowerPC or common KVM code where a vcpu
>> >id is used as described in the above commit: I believe PowerPC can live
>> >without this check.
>> >
>> >In the end, this patch simply moves the check to MIPS and x86. While here,
>> >we also update the documentation to dissociate vcpu ids from the maximum
>> >number of vcpus per virtual machine.
>> >
>> >Acked-by: James Hogan <james.hogan@imgtec.com>
>> >Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
>> >Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
>> >---
>> >v4: - updated subject for more clarity on what the patch does
>> > - added James's and Connie's A-b tags
>> > - updated documentation
>> >
>> > Documentation/virtual/kvm/api.txt | 7 +++----
>> > arch/mips/kvm/mips.c | 7 ++++++-
>> > arch/x86/kvm/x86.c | 3 +++
>> > virt/kvm/kvm_main.c | 3 ---
>> > 4 files changed, 12 insertions(+), 8 deletions(-)
>> >
>> >diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
>> >index 4d0542c5206b..486a1d783b82 100644
>> >--- a/Documentation/virtual/kvm/api.txt
>> >+++ b/Documentation/virtual/kvm/api.txt
>> >@@ -199,11 +199,10 @@ Type: vm ioctl
>> > Parameters: vcpu id (apic id on x86)
>> > Returns: vcpu fd on success, -1 on error
>> >
>> >-This API adds a vcpu to a virtual machine. The vcpu id is a small integer
>> >-in the range [0, max_vcpus).
>> >+This API adds a vcpu to a virtual machine. The vcpu id is a positive integer.
>> >
>> >-The recommended max_vcpus value can be retrieved using the KVM_CAP_NR_VCPUS of
>> >-the KVM_CHECK_EXTENSION ioctl() at run-time.
>> >+The recommended maximum number of vcpus (max_vcpus) can be retrieved using the
>> >+KVM_CAP_NR_VCPUS of the KVM_CHECK_EXTENSION ioctl() at run-time.
>> > The maximum possible value for max_vcpus can be retrieved using the
>> > KVM_CAP_MAX_VCPUS of the KVM_CHECK_EXTENSION ioctl() at run-time.
>> >
>> >diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
>> >index 70ef1a43c114..0278ea146db5 100644
>> >--- a/arch/mips/kvm/mips.c
>> >+++ b/arch/mips/kvm/mips.c
>> >@@ -248,9 +248,14 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
>> > int err, size, offset;
>> > void *gebase;
>> > int i;
>> >+ struct kvm_vcpu *vcpu;
>> >
>> >- struct kvm_vcpu *vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL);
>> >+ if (id >= KVM_MAX_VCPUS) {
>> >+ err = -EINVAL;
>> >+ goto out;
>> >+ }
>> >
>> >+ vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL);
>> > if (!vcpu) {
>> > err = -ENOMEM;
>> > goto out;
>> >diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
>> >index 9b7798c7b210..7738202edcce 100644
>> >--- a/arch/x86/kvm/x86.c
>> >+++ b/arch/x86/kvm/x86.c
>> >@@ -7358,6 +7358,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm,
>> > {
>> > struct kvm_vcpu *vcpu;
>> >
>> >+ if (id >= KVM_MAX_VCPUS)
>> >+ return ERR_PTR(-EINVAL);
>> >+
>> > if (check_tsc_unstable() && atomic_read(&kvm->online_vcpus) != 0)
>> > printk_once(KERN_WARNING
>> > "kvm: SMP vm created on host with unstable TSC; "
>> >diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
>> >index 4fd482fb9260..6b6cca3cb488 100644
>> >--- a/virt/kvm/kvm_main.c
>> >+++ b/virt/kvm/kvm_main.c
>> >@@ -2272,9 +2272,6 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
>> > int r;
>> > struct kvm_vcpu *vcpu;
>> >
>> >- if (id >= KVM_MAX_VCPUS)
>> >- return -EINVAL;
>> >-
>> > vcpu = kvm_arch_vcpu_create(kvm, id);
>> > if (IS_ERR(vcpu))
>> > return PTR_ERR(vcpu);
>> >
>> >--
>> >To unsubscribe from this list: send the line "unsubscribe kvm" in
>> >the body of a message to majordomo@vger.kernel.org
>> >More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
--
Richard Yang\nHelp you, Help me
next prev parent reply other threads:[~2016-04-23 0:55 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-21 14:14 [PATCH v4 0/2] let archs decide for vcpu ids Greg Kurz
2016-04-21 14:14 ` Greg Kurz
2016-04-21 14:15 ` [PATCH v4 1/2] KVM: remove NULL return path for vcpu ids >= KVM_MAX_VCPUS Greg Kurz
2016-04-21 14:17 ` David Hildenbrand
2016-04-21 14:30 ` Greg Kurz
2016-04-26 7:44 ` Cornelia Huck
2016-04-27 9:40 ` Gerg Kurz
2016-04-27 9:40 ` Gerg Kurz
2016-04-27 14:40 ` Radim Krčmář
2016-04-21 14:20 ` [PATCH v4 2/2] KVM: move vcpu id checking to archs Greg Kurz
2016-04-21 16:00 ` Radim Krčmář
2016-04-21 16:45 ` Greg Kurz
2016-04-21 17:36 ` Radim Krčmář
2016-04-22 9:25 ` Greg Kurz
2016-04-22 9:25 ` Greg Kurz
2016-04-22 10:22 ` Cornelia Huck
2016-04-22 11:19 ` Igor Mammedov
2016-04-22 13:48 ` Radim Krčmář
2016-04-22 13:40 ` Radim Krčmář
2016-04-22 14:50 ` Greg Kurz
2016-04-25 14:15 ` Radim Krčmář
2016-04-25 14:30 ` Greg Kurz
2016-04-22 9:21 ` Wei Yang
2016-04-22 9:21 ` Wei Yang
2016-04-22 9:30 ` Greg Kurz
2016-04-22 9:30 ` Greg Kurz
2016-04-23 0:51 ` Wei Yang [this message]
2016-04-23 0:51 ` Wei Yang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160423005124.GB1718@linux-gk3p \
--to=richard.weiyang@huawei.com \
--cc=cornelia.huck@de.ibm.com \
--cc=dahi@linux.vnet.ibm.com \
--cc=david@gibson.dropbear.id.au \
--cc=gkurz@linux.vnet.ibm.com \
--cc=james.hogan@imgtec.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=mingo@redhat.com \
--cc=paulus@samba.org \
--cc=pbonzini@redhat.com \
--cc=qemu-ppc@nongnu.org \
--cc=rkrcmar@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.