From: Avi Kivity <avi@redhat.com>
To: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>,
KVM list <kvm@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/4] KVM MMU: fix race in invlpg code
Date: Fri, 30 Apr 2010 12:52:31 +0300
Message-ID: <4BDAA85F.3020501@redhat.com>
In-Reply-To: <4BDA9C37.9070602@cn.fujitsu.com>
On 04/30/2010 12:00 PM, Xiao Guangrong wrote:
> There is a race in the invlpg code, as in the sequence below:
>
> A: hold mmu_lock and get 'sp'
> B: release mmu_lock and do other things
> C: hold mmu_lock and continue using 'sp'
>
> If another path freed 'sp' in stage B, the kernel will crash.
>
> This patch checks whether 'sp' is still live before using it in stage C.
>
> Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
> ---
> arch/x86/kvm/paging_tmpl.h | 18 +++++++++++++++++-
> 1 files changed, 17 insertions(+), 1 deletions(-)
>
> diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
> index 624b38f..641d844 100644
> --- a/arch/x86/kvm/paging_tmpl.h
> +++ b/arch/x86/kvm/paging_tmpl.h
> @@ -462,11 +462,15 @@ out_unlock:
>
> static void FNAME(invlpg)(struct kvm_vcpu *vcpu, gva_t gva)
> {
> - struct kvm_mmu_page *sp = NULL;
> + struct kvm_mmu_page *sp = NULL, *s;
> struct kvm_shadow_walk_iterator iterator;
> + struct hlist_head *bucket;
> + struct hlist_node *node, *tmp;
> gfn_t gfn = -1;
> u64 *sptep = NULL, gentry;
> int invlpg_counter, level, offset = 0, need_flush = 0;
> + unsigned index;
> + bool live = false;
>
> spin_lock(&vcpu->kvm->mmu_lock);
>
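Review bot: the `hlist_node *tmp` cursor added here is only needed for `hlist_for_each_entry_safe`, and the bucket walk introduced in the next hunk never unlinks an entry; it only compares and breaks. The plain `hlist_for_each_entry(s, node, bucket, hash_link)` would do, which lets this hunk drop `tmp` and keep the declaration line as `struct hlist_node *node;`.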
> @@ -519,10 +523,22 @@ static void FNAME(invlpg)(struct kvm_vcpu *vcpu, gva_t gva)
>
> mmu_guess_page_from_pte_write(vcpu, gfn_to_gpa(gfn) + offset, gentry);
> spin_lock(&vcpu->kvm->mmu_lock);
> + index = kvm_page_table_hashfn(gfn);
> + bucket =&vcpu->kvm->arch.mmu_page_hash[index];
> + hlist_for_each_entry_safe(s, node, tmp, bucket, hash_link)
> + if (s == sp) {
>
At this point, sp might have been freed and re-allocated, now pointing
at something completely different. So need to check role etc.
Alternatively, increase root_count. Then sp is guaranteed to be live
(though it may have role.invalid set).
> + live = true;
> + break;
> + }
> +
> + if (!live)
> + goto unlock_exit;
> +
> if (atomic_read(&vcpu->kvm->arch.invlpg_counter) == invlpg_counter) {
> ++vcpu->kvm->stat.mmu_pte_updated;
> FNAME(update_pte)(vcpu, sp, sptep,&gentry);
> }
> +unlock_exit:
> spin_unlock(&vcpu->kvm->mmu_lock);
> mmu_release_page_from_pte_write(vcpu);
> }
>
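Review bot: the `s == sp` comparison proves only that some shadow page currently at that address is hashed under `gfn`, not that it is the page picked up before `mmu_lock` was dropped; if `sp` was freed in stage B and its memory reused for a new page hashed to the same bucket, the walk sets `live = true` and `FNAME(update_pte)` then operates on the wrong page. Either compare the saved `role` as well (and treat `role.invalid` as not live), or, as Avi suggests, take a reference by incrementing `root_count` before releasing the lock so the page cannot be freed in the window at all, which also removes the need for the bucket walk. Two smaller points: `bucket =&vcpu->kvm->arch.mmu_page_hash[index];` is missing the space after `=`, and the `goto unlock_exit` path is otherwise balanced, since it still reaches `mmu_release_page_from_pte_write()`.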
--
Do not meddle in the internals of kernels, for they are subtle and quick to panic.
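The race in the commit message and the freed-and-reallocated case Avi raises, as an added example (C, not code from the patch or from KVM): a one-slot allocator shows that a pointer-only bucket check reports the page live after it was freed and the slot reused, while comparing the saved gfn, role and a constructed allocation generation does not. `shadow_page`, `sp_ref`, `generation` and `run_invlpg_scenario` are assumptions of this demo, not KVM names.

```c
/* Added example (not from the patch or KVM): why pointer equality in the hash
 * bucket cannot prove 'sp' survived the window in which mmu_lock was dropped.
 * Every name below is constructed for this demo. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
struct shadow_page {
    uint64_t gfn;
    uint32_t role;       /* stands in for kvm_mmu_page.role */
    unsigned generation; /* constructed: bumped each time this slot is handed out */
    bool in_use;
};

/* One-slot allocator: free followed by alloc hands back the same address (ABA). */
static struct shadow_page slab[1];
static struct shadow_page *sp_alloc(uint64_t gfn, uint32_t role)
{
    struct shadow_page *sp = &slab[0];
    if (sp->in_use)
        return NULL;
    sp->gfn = gfn; sp->role = role;
    sp->in_use = true; sp->generation++;
    return sp;
}

static void sp_free(struct shadow_page *sp) { sp->in_use = false; }
/* What the caller remembers from stage A (lock held). */
struct sp_ref { struct shadow_page *ptr; uint64_t gfn; uint32_t role; unsigned generation; };

/* The patch's check: an entry at this address is still in the bucket. */
static bool live_by_pointer(const struct sp_ref *r) { return slab[0].in_use && &slab[0] == r->ptr; }
/* Stronger check: same address, same identity (gfn/role) and same allocation. */
static bool live_by_identity(const struct sp_ref *r)
{
    const struct shadow_page *s = r->ptr;
    return s->in_use && s->gfn == r->gfn && s->role == r->role && s->generation == r->generation;
}

/* Stages A/B/C from the commit message. With 'reuse' set, another path frees the
 * page and the slot is reallocated for a different gfn while the lock is dropped.
 * Returns bit 0 = pointer check says live, bit 1 = identity check says live. */
static int run_invlpg_scenario(bool reuse)
{
    memset(slab, 0, sizeof slab);
    struct shadow_page *sp = sp_alloc(0x1000, 1);                 /* stage A */
    struct sp_ref r = { sp, sp->gfn, sp->role, sp->generation };
    if (reuse) { sp_free(sp); sp_alloc(0x2000, 2); }             /* stage B */
    return (int)live_by_pointer(&r) | ((int)live_by_identity(&r) << 1); /* stage C */
}
```

`run_invlpg_scenario(true)` returns 1: the pointer check passes on the reused slot while the identity check correctly fails; without the free/reuse both checks pass and it returns 3.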