From: Avi Kivity <avi@redhat.com>
To: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>,
KVM list <kvm@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/2] KVM MMU: fix race in invlpg code
Date: Wed, 05 May 2010 15:31:07 +0300
Message-ID: <4BE1650B.7080809@redhat.com>
In-Reply-To: <4BE162B9.201@cn.fujitsu.com>
On 05/05/2010 03:21 PM, Xiao Guangrong wrote:
> There is a race in the invlpg code, as in the sequence below:
>
> A: hold mmu_lock and get 'sp'
> B: release mmu_lock and do other things
> C: hold mmu_lock and continue using 'sp'
>
> If another path freed 'sp' in stage B, then the kernel will crash.
>
> This patch checks whether 'sp' is still live before using it in stage C.
>
> Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
> ---
> arch/x86/kvm/paging_tmpl.h | 22 ++++++++++++++++++++--
> 1 files changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
> index 624b38f..13ea675 100644
> --- a/arch/x86/kvm/paging_tmpl.h
> +++ b/arch/x86/kvm/paging_tmpl.h
> @@ -462,11 +462,16 @@ out_unlock:
>
> static void FNAME(invlpg)(struct kvm_vcpu *vcpu, gva_t gva)
> {
> - struct kvm_mmu_page *sp = NULL;
> + struct kvm_mmu_page *sp = NULL, *s;
> struct kvm_shadow_walk_iterator iterator;
> + struct hlist_head *bucket;
> + struct hlist_node *node, *tmp;
> gfn_t gfn = -1;
> u64 *sptep = NULL, gentry;
> int invlpg_counter, level, offset = 0, need_flush = 0;
> + unsigned index;
> + bool live = false;
> + union kvm_mmu_page_role role;
>
> spin_lock(&vcpu->kvm->mmu_lock);
>
> @@ -480,7 +485,7 @@ static void FNAME(invlpg)(struct kvm_vcpu *vcpu, gva_t gva)
>
> if (!sp->unsync)
> break;
> -
> + role = sp->role;
> WARN_ON(level != PT_PAGE_TABLE_LEVEL);
> shift = PAGE_SHIFT -
> (PT_LEVEL_BITS - PT64_LEVEL_BITS) * level;
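Review bot: `role = sp->role;` replaces the blank line after `break;` instead of being added beneath it; keep the blank line so the early exit stays visually separated from the rest of the loop body. Taking the snapshot here, while mmu_lock is still held, is the right moment, but only the role is captured: the later check also compares `s->gfn` against the function-level `gfn` (initialized to -1 in the first hunk), so it depends on that variable holding the gfn shadowed by this `sp` on every path that reaches the check, which this hunk does not show. Snapshotting `sp->gfn` next to the role would make the check self-contained.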
> @@ -519,10 +524,23 @@ static void FNAME(invlpg)(struct kvm_vcpu *vcpu, gva_t gva)
>
> mmu_guess_page_from_pte_write(vcpu, gfn_to_gpa(gfn) + offset, gentry);
> spin_lock(&vcpu->kvm->mmu_lock);
> + index = kvm_page_table_hashfn(gfn);
> + bucket =&vcpu->kvm->arch.mmu_page_hash[index];
> + hlist_for_each_entry_safe(s, node, tmp, bucket, hash_link)
> + if (s == sp) {
> + if (s->gfn == gfn&& s->role.word == role.word)
> + live = true;
> + break;
> + }
> +
> + if (!live)
> + goto unlock_exit;
> +
>
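Review bot: `s == sp` together with a matching gfn and role does not prove that `sp` is the object obtained in stage A. If the page was freed while mmu_lock was dropped and a new shadow page for the same gfn and role was then allocated at the same address, this lookup reports `live = true`, yet `sptep`, computed before the lock was released, still points into the old page's spt. Pinning the page across the unlock (the root_count approach suggested in the reply below) prevents the free instead of trying to detect it afterwards. Two smaller points: nothing is removed from the bucket during the walk, so `hlist_for_each_entry(s, node, bucket, hash_link)` is enough and `tmp` is unnecessary; and the `unlock_exit` label is not in the diff, so confirm that path releases mmu_lock and still does the TLB flush when `need_flush` has already been set.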
Did you try the root_count method? I think it's cleaner.
--
error compiling committee.c: too many arguments to function
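The following C program is an added example, not code from the patch or from KVM, that models the three-stage sequence in the commit message and contrasts the two defences discussed in this thread: re-validating the stale `sp` by re-walking its hash bucket (what the patch does) versus pinning the page so it cannot be freed while mmu_lock is dropped (the root_count method Avi asks about). All names (`struct sp`, `sp_alloc`, `sp_zap`, `sp_is_live`, `invlpg_model`) are hypothetical, the hash bucket is a fixed array, and the page pool reuses freed slots LIFO to reproduce slab-style address reuse deterministically. The pin semantics (a page with a non-zero pin count is simply not freed) are an assumption made for the model and are not a description of how root_count behaves in KVM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy shadow page (assumed model, not KVM's struct kvm_mmu_page). */
struct sp {
    uint64_t gfn;
    uint32_t role_word;
    unsigned spt_gen;    /* stands in for the spt page backing this sp; the
                            sptep taken in stage A points into that page */
    int root_count;      /* pin count; a pinned page is not freed (assumed) */
};

#define NBUCKET 4
#define BUCKET_LEN 8
#define POOL 4

static struct sp *hash[NBUCKET][BUCKET_LEN];
static struct sp pool[POOL];             /* fixed pool: freed slots reused LIFO, like a slab */
static int free_stack[POOL], nfree;
static unsigned gen_counter;

static void mmu_init(void)
{
    memset(hash, 0, sizeof(hash));
    memset(pool, 0, sizeof(pool));
    nfree = 0;
    for (int i = 0; i < POOL; i++)
        free_stack[nfree++] = i;
    gen_counter = 0;
}

static unsigned hashfn(uint64_t gfn) { return (unsigned)(gfn % NBUCKET); }

/* Allocate a page for (gfn, role) and link it into its bucket. */
static struct sp *sp_alloc(uint64_t gfn, uint32_t role)
{
    if (!nfree)
        return NULL;
    struct sp *p = &pool[free_stack[--nfree]];
    p->gfn = gfn;
    p->role_word = role;
    p->spt_gen = ++gen_counter;          /* a fresh spt page */
    p->root_count = 0;
    struct sp **b = hash[hashfn(gfn)];
    for (int i = 0; i < BUCKET_LEN; i++)
        if (!b[i]) { b[i] = p; return p; }
    return NULL;
}

/* Zap: unlink and free unless the page is pinned. */
static bool sp_zap(struct sp *p)
{
    if (p->root_count)
        return false;
    struct sp **b = hash[hashfn(p->gfn)];
    for (int i = 0; i < BUCKET_LEN; i++)
        if (b[i] == p) b[i] = NULL;
    p->spt_gen = 0;                      /* spt gone: an old sptep is now dangling */
    free_stack[nfree++] = (int)(p - pool);
    return true;
}

/* Re-validation as in the patch: accept the stale pointer only if an entry
 * with the same address, gfn and role is still linked in the bucket. */
static bool sp_is_live(struct sp *sp, uint64_t gfn, uint32_t role)
{
    struct sp **b = hash[hashfn(gfn)];
    for (int i = 0; i < BUCKET_LEN; i++)
        if (b[i] == sp)
            return b[i]->gfn == gfn && b[i]->role_word == role;
    return false;
}

enum outcome { USED_LIVE, USED_STALE, BAILED_OUT };

/* Stages A/B/C from the commit message. other_path says what runs while the
 * lock is dropped: 0 nothing; 1 zaps sp; 2 zaps sp and then allocates a new
 * page with the same gfn and role, which reuses the slot just freed.
 * revalidate: do the bucket re-lookup in stage C. pin: hold root_count across B. */
static enum outcome invlpg_model(int other_path, bool revalidate, bool pin)
{
    mmu_init();
    /* stage A: under mmu_lock */
    struct sp *sp = sp_alloc(0x1000, 0xabcd);
    uint64_t gfn = sp->gfn;
    uint32_t role = sp->role_word;
    unsigned spt_seen = sp->spt_gen;     /* what the stage-A sptep points at */
    if (pin)
        sp->root_count++;
    /* stage B: mmu_lock dropped, another path runs */
    if (other_path >= 1)
        sp_zap(sp);
    if (other_path == 2)
        sp_alloc(gfn, role);
    /* stage C: mmu_lock reacquired */
    if (pin)
        sp->root_count--;
    if (revalidate && !sp_is_live(sp, gfn, role))
        return BAILED_OUT;
    return sp->spt_gen == spt_seen ? USED_LIVE : USED_STALE;
}
```

The interesting case is `invlpg_model(2, true, false)`: the re-lookup finds the same address with the same gfn and role and reports the page live, but the spt the stage-A pointer referred to is gone, so the caller proceeds on stale state. With the pin held (`invlpg_model(2, false, true)`) the zap is refused and the original page is still the one being used.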
Thread overview: 7+ messages
2010-05-05 12:19 [PATCH 1/2] KVM MMU: fix for forgot mark parent->unsync_children bit Xiao Guangrong
2010-05-05 12:21 ` [PATCH 2/2] KVM MMU: fix race in invlpg code Xiao Guangrong
2010-05-05 12:31 ` Avi Kivity [this message]
2010-05-05 12:45 ` Xiao Guangrong
2010-05-05 12:52 ` Avi Kivity
2010-05-05 12:30 ` [PATCH 1/2] KVM MMU: fix for forgot mark parent->unsync_children bit Avi Kivity
2010-05-05 12:35 ` Xiao Guangrong