From: Anthony Liguori <anthony@codemonkey.ws>
To: Glauber Costa <glommer@redhat.com>
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, avi@redhat.com
Subject: Re: [PATCH] always assign userspace_addr
Date: Wed, 19 Nov 2008 09:55:10 -0600 [thread overview]
Message-ID: <492436DE.2080906@codemonkey.ws> (raw)
In-Reply-To: <1226977462-8086-1-git-send-email-glommer@redhat.com>
Glauber Costa wrote:
> Currently, kvm only sets new.userspace_addr in slots
> that were just allocated. This is not the intended behaviour,
> and actually breaks when we try to use the slots to implement
> aliases, for example.
>
> Cirrus VGA aliases maps and address to a userspace address, and
> then keep mapping this same address to different locations
> until the whole screen is filled.
>
> The solution is to assign new.userspace_addr no matter what,
> so we can be sure that whenever the guest changes this field,
> it sees the change being reflected in the code.
>
> Signed-off-by: Glauber Costa <glommer@redhat.com>
>
I think this is masking a much bigger problem.
> ---
> virt/kvm/kvm_main.c | 18 +++++++++---------
> 1 files changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index a87f45e..fc3abf0 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -762,15 +762,6 @@ int __kvm_set_memory_region(struct kvm *kvm,
> memset(new.rmap, 0, npages * sizeof(*new.rmap));
>
> new.user_alloc = user_alloc;
> - /*
> - * hva_to_rmmap() serialzies with the mmu_lock and to be
> - * safe it has to ignore memslots with !user_alloc &&
> - * !userspace_addr.
> - */
> - if (user_alloc)
> - new.userspace_addr = mem->userspace_addr;
> - else
> - new.userspace_addr = 0;
>
This is guarded in:
> if (npages && !new.rmap) {
In this case, npages > 0 but !new.rmap is already allocated. But this
is a new slot? The problem is that when we delete the slot, the rmap
never gets freed. This means that if we delete a slot, then create a
new slot which happens to be a different size, we use the old rmap and
potentially overrun that buffer.
So I think we need a fix that properly frees the rmap when the slot is
destroyed.
Regards,
Anthony Liguori
next prev parent reply other threads:[~2008-11-19 15:55 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-18 3:04 [PATCH] always assign userspace_addr Glauber Costa
2008-11-19 15:55 ` Anthony Liguori [this message]
2008-11-19 18:43 ` Glauber Costa
2008-11-19 18:51 ` Anthony Liguori
2008-11-19 20:53 ` Glauber Costa
2008-11-19 20:59 ` Anthony Liguori
2008-11-20 11:01 ` Avi Kivity
2008-11-20 11:02 ` Avi Kivity
2008-11-21 18:11 ` Glauber Costa
2008-11-24 13:08 ` Glauber Costa
2008-11-25 14:04 ` Avi Kivity
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=492436DE.2080906@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=avi@redhat.com \
--cc=glommer@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.