From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org, pbonzini@redhat.com, imammedo@redhat.com
Cc: maxime.coquelin@redhat.com, mst@redhat.com, groug@kaod.org
Subject: [Qemu-devel] [PATCH v5 1/7] vhost: Build temporary section list and deref after commit
Date: Mon, 18 Dec 2017 20:13:34 +0000 [thread overview]
Message-ID: <20171218201340.27583-2-dgilbert@redhat.com> (raw)
In-Reply-To: <20171218201340.27583-1-dgilbert@redhat.com>
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Igor spotted that there's a race, where a region that's unref'd
in a _del callback might be free'd before the set_mem_table call in
the _commit callback, and thus the vhost might end up using free memory.
Fix this by building a complete temporary sections list, ref'ing every
section (during add and nop) and then unref'ing the whole list right
at the end of commit.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
---
hw/virtio/vhost.c | 73 ++++++++++++++++++++++++++++++-----------------
include/hw/virtio/vhost.h | 2 ++
2 files changed, 49 insertions(+), 26 deletions(-)
diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index e4290ce93d..610bfe6945 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -621,6 +621,8 @@ static void vhost_begin(MemoryListener *listener)
memory_listener);
dev->mem_changed_end_addr = 0;
dev->mem_changed_start_addr = -1;
+ dev->tmp_sections = NULL;
+ dev->n_tmp_sections = 0;
}
static void vhost_commit(MemoryListener *listener)
@@ -629,17 +631,25 @@ static void vhost_commit(MemoryListener *listener)
memory_listener);
hwaddr start_addr = 0;
ram_addr_t size = 0;
+ MemoryRegionSection *old_sections;
+ int n_old_sections;
+
uint64_t log_size;
int r;
+ old_sections = dev->mem_sections;
+ n_old_sections = dev->n_mem_sections;
+ dev->mem_sections = dev->tmp_sections;
+ dev->n_mem_sections = dev->n_tmp_sections;
+
if (!dev->memory_changed) {
- return;
+ goto out;
}
if (!dev->started) {
- return;
+ goto out;
}
if (dev->mem_changed_start_addr > dev->mem_changed_end_addr) {
- return;
+ goto out;
}
if (dev->started) {
@@ -656,7 +666,7 @@ static void vhost_commit(MemoryListener *listener)
VHOST_OPS_DEBUG("vhost_set_mem_table failed");
}
dev->memory_changed = false;
- return;
+ goto out;
}
log_size = vhost_get_log_size(dev);
/* We allocate an extra 4K bytes to log,
@@ -675,6 +685,27 @@ static void vhost_commit(MemoryListener *listener)
vhost_dev_log_resize(dev, log_size);
}
dev->memory_changed = false;
+
+out:
+ /* Deref the old list of sections, this must happen _after_ the
+ * vhost_set_mem_table to ensure the client isn't still using the
+ * section we're about to unref.
+ */
+ while (n_old_sections--) {
+ memory_region_unref(old_sections[n_old_sections].mr);
+ }
+ g_free(old_sections);
+ return;
+}
+
+static void vhost_add_section(struct vhost_dev *dev,
+ MemoryRegionSection *section)
+{
+ ++dev->n_tmp_sections;
+ dev->tmp_sections = g_renew(MemoryRegionSection, dev->tmp_sections,
+ dev->n_tmp_sections);
+ dev->tmp_sections[dev->n_tmp_sections - 1] = *section;
+ memory_region_ref(section->mr);
}
static void vhost_region_add(MemoryListener *listener,
@@ -687,36 +718,31 @@ static void vhost_region_add(MemoryListener *listener,
return;
}
- ++dev->n_mem_sections;
- dev->mem_sections = g_renew(MemoryRegionSection, dev->mem_sections,
- dev->n_mem_sections);
- dev->mem_sections[dev->n_mem_sections - 1] = *section;
- memory_region_ref(section->mr);
+ vhost_add_section(dev, section);
vhost_set_memory(listener, section, true);
}
-static void vhost_region_del(MemoryListener *listener,
+static void vhost_region_nop(MemoryListener *listener,
MemoryRegionSection *section)
{
struct vhost_dev *dev = container_of(listener, struct vhost_dev,
memory_listener);
- int i;
if (!vhost_section(section)) {
return;
}
- vhost_set_memory(listener, section, false);
- memory_region_unref(section->mr);
- for (i = 0; i < dev->n_mem_sections; ++i) {
- if (dev->mem_sections[i].offset_within_address_space
- == section->offset_within_address_space) {
- --dev->n_mem_sections;
- memmove(&dev->mem_sections[i], &dev->mem_sections[i+1],
- (dev->n_mem_sections - i) * sizeof(*dev->mem_sections));
- break;
- }
+ vhost_add_section(dev, section);
+}
+
+static void vhost_region_del(MemoryListener *listener,
+ MemoryRegionSection *section)
+{
+ if (!vhost_section(section)) {
+ return;
}
+
+ vhost_set_memory(listener, section, false);
}
static void vhost_iommu_unmap_notify(IOMMUNotifier *n, IOMMUTLBEntry *iotlb)
@@ -783,11 +809,6 @@ static void vhost_iommu_region_del(MemoryListener *listener,
}
}
-static void vhost_region_nop(MemoryListener *listener,
- MemoryRegionSection *section)
-{
-}
-
static int vhost_virtqueue_set_addr(struct vhost_dev *dev,
struct vhost_virtqueue *vq,
unsigned idx, bool enable_log)
diff --git a/include/hw/virtio/vhost.h b/include/hw/virtio/vhost.h
index 467dc7794b..21f3022499 100644
--- a/include/hw/virtio/vhost.h
+++ b/include/hw/virtio/vhost.h
@@ -54,6 +54,8 @@ struct vhost_dev {
struct vhost_memory *mem;
int n_mem_sections;
MemoryRegionSection *mem_sections;
+ int n_tmp_sections;
+ MemoryRegionSection *tmp_sections;
struct vhost_virtqueue *vqs;
int nvqs;
/* the first virtqueue which would be used by this vhost dev */
--
2.14.3
next prev parent reply other threads:[~2017-12-18 20:13 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-18 20:13 [Qemu-devel] [PATCH v5 0/7] Rework vhost memory region updates Dr. David Alan Gilbert (git)
2017-12-18 20:13 ` Dr. David Alan Gilbert (git) [this message]
2017-12-27 11:56 ` [Qemu-devel] [PATCH v5 1/7] vhost: Build temporary section list and deref after commit Igor Mammedov
2018-01-08 17:48 ` Dr. David Alan Gilbert
2017-12-18 20:13 ` [Qemu-devel] [PATCH v5 2/7] vhost: Move log_dirty check Dr. David Alan Gilbert (git)
2017-12-18 20:13 ` [Qemu-devel] [PATCH v5 3/7] vhost: Simplify ring verification checks Dr. David Alan Gilbert (git)
2017-12-27 12:20 ` Igor Mammedov
2017-12-27 14:06 ` Igor Mammedov
2018-01-08 17:54 ` Dr. David Alan Gilbert
2018-01-10 10:23 ` Igor Mammedov
2018-01-11 3:29 ` Jason Wang
2018-01-16 16:48 ` Dr. David Alan Gilbert
2017-12-18 20:13 ` [Qemu-devel] [PATCH v5 4/7] vhost: Merge sections added to temporary list Dr. David Alan Gilbert (git)
2017-12-27 12:34 ` Igor Mammedov
2018-01-08 18:07 ` Dr. David Alan Gilbert
2018-01-16 3:20 ` Michael S. Tsirkin
2017-12-18 20:13 ` [Qemu-devel] [PATCH v5 5/7] vhost: Regenerate region list from changed sections list Dr. David Alan Gilbert (git)
2017-12-27 13:19 ` Igor Mammedov
2017-12-28 13:03 ` Igor Mammedov
2018-01-09 16:41 ` Dr. David Alan Gilbert
2017-12-18 20:13 ` [Qemu-devel] [PATCH v5 6/7] vhost: Clean out old vhost_set_memory and friends Dr. David Alan Gilbert (git)
2017-12-22 19:14 ` Igor Mammedov
2018-01-09 15:54 ` Dr. David Alan Gilbert
2017-12-18 20:13 ` [Qemu-devel] [PATCH v5 7/7] vhost: Merge and delete unused callbacks Dr. David Alan Gilbert (git)
2017-12-27 13:27 ` Igor Mammedov
2018-01-08 18:43 ` Dr. David Alan Gilbert
2017-12-27 13:44 ` [Qemu-devel] [PATCH v5 0/7] Rework vhost memory region updates Igor Mammedov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171218201340.27583-2-dgilbert@redhat.com \
--to=dgilbert@redhat.com \
--cc=groug@kaod.org \
--cc=imammedo@redhat.com \
--cc=maxime.coquelin@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.