From: Jason Wang <jasowang@redhat.com>
To: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: gleb@kernel.org, pbonzini@redhat.com, kvm@vger.kernel.org,
	linux-kernel@vger.kernel.org, mst@redhat.com
Subject: Re: [PATCH V4 2/4] kvm: fix double free for fast mmio eventfd
Date: Fri, 11 Sep 2015 17:25:45 +0800
Message-ID: <55F29E19.8010506@redhat.com>
In-Reply-To: <20150911094631.107a4435.cornelia.huck@de.ibm.com>



On 09/11/2015 03:46 PM, Cornelia Huck wrote:
> On Fri, 11 Sep 2015 11:17:35 +0800
> Jason Wang <jasowang@redhat.com> wrote:
>
>> We register wildcard mmio eventfd on two buses, one for KVM_MMIO_BUS
>> and another is KVM_FAST_MMIO_BUS but with a single iodev
>> instance. This will lead an issue: kvm_io_bus_destroy() knows nothing
>> about the devices on two buses points to a single dev. Which will lead
> s/points/pointing/

Will fix this in V5.

>> double free[1] during exit. Fixing this by using allocate two
> s/using allocate/allocating/

Will fix this in V5.

>
>> instances of iodevs then register one on KVM_MMIO_BUS and another on
>> KVM_FAST_MMIO_BUS.
>>
> (...)
>
>> @@ -929,8 +878,66 @@ kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx,
>>  static int kvm_deassign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)
>>  {
>>  	enum kvm_bus bus_idx = ioeventfd_bus_from_flags(args->flags);
>> +	int ret = kvm_deassign_ioeventfd_idx(kvm, bus_idx, args);
>> +
>> +	if (!args->len)
>> +		kvm_deassign_ioeventfd_idx(kvm, KVM_FAST_MMIO_BUS, args);
> I think it would be good to explicitly check for bus_idx ==
> KVM_MMIO_BUS here.

Ok.

>
>> +
>> +	return ret;
>> +}
>>
>> -	return kvm_deassign_ioeventfd_idx(kvm, bus_idx, args);
>> +static int
>> +kvm_assign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)
>> +{
>> +	enum kvm_bus              bus_idx;
>> +	int ret;
>> +
>> +	bus_idx = ioeventfd_bus_from_flags(args->flags);
>> +	/* must be natural-word sized, or 0 to ignore length */
>> +	switch (args->len) {
>> +	case 0:
>> +	case 1:
>> +	case 2:
>> +	case 4:
>> +	case 8:
>> +		break;
>> +	default:
>> +		return -EINVAL;
>> +	}
>> +
>> +	/* check for range overflow */
>> +	if (args->addr + args->len < args->addr)
>> +		return -EINVAL;
>> +
>> +	/* check for extra flags that we don't understand */
>> +	if (args->flags & ~KVM_IOEVENTFD_VALID_FLAG_MASK)
>> +		return -EINVAL;
>> +
>> +	/* ioeventfd with no length can't be combined with DATAMATCH */
>> +	if (!args->len &&
>> +	    args->flags & (KVM_IOEVENTFD_FLAG_PIO |
>> +			   KVM_IOEVENTFD_FLAG_DATAMATCH))
>> +		return -EINVAL;
>> +
>> +	ret = kvm_assign_ioeventfd_idx(kvm, bus_idx, args);
>> +	if (ret)
>> +		goto fail;
>> +
>> +	/* When length is ignored, MMIO is also put on a separate bus, for
>> +	 * faster lookups.
>> +	 */
>> +	if (!args->len && !(args->flags & KVM_IOEVENTFD_FLAG_PIO)) {
> Ditto on a positive check for bus_idx == KVM_MMIO_BUS.

I was thinking maybe this should be done in a separate patch on top.
What's your opinion?

>> +		ret = kvm_assign_ioeventfd_idx(kvm, KVM_FAST_MMIO_BUS, args);
>> +		if (ret < 0)
>> +			goto fast_fail;
>> +	}
>> +
>> +	return 0;
>> +
>> +fast_fail:
>> +	kvm_deassign_ioeventfd(kvm, args);
> Shouldn't you use kvm_deassign_ioeventfd(kvm, bus_idx, args) here?

Actually, it's the same (the deassign of fast mmio will return -ENOENT
and will be ignored). But I admit doing what you suggested here is better.
Will do this.
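Review bot: on the fast_fail path the return value of the cleanup call `kvm_deassign_ioeventfd(kvm, args);` is discarded and the quoted part of the hunk does not show where control goes next; the earlier `goto fail;` targets a label outside the quoted lines, so please confirm that fast_fail falls through to that label and that the function returns the `ret` from the KVM_FAST_MMIO_BUS assign rather than 0 or the cleanup's result. Note also that the helper that takes a bus index is kvm_deassign_ioeventfd_idx(), as used at `int ret = kvm_deassign_ioeventfd_idx(kvm, bus_idx, args);`, so the cleanup for the first bus only would be `kvm_deassign_ioeventfd_idx(kvm, bus_idx, args);`. As a style point, the block comment beginning `/* When length is ignored, MMIO is also put on a separate bus, for` should use the kernel's multi-line comment form with `/*` on its own line.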

Thanks
