From: Sean Christopherson <seanjc@google.com>
To: David Matlack <dmatlack@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
kvm list <kvm@vger.kernel.org>,
Marcelo Tosatti <mtosatti@redhat.com>,
Gleb Natapov <gleb@redhat.com>, Rik van Riel <riel@redhat.com>,
Ben Gardon <bgardon@google.com>,
stable@vger.kernel.org
Subject: Re: [PATCH RESEND 1/2] KVM: Prevent module exit until all VMs are freed
Date: Tue, 8 Mar 2022 23:08:59 +0000 [thread overview]
Message-ID: <YifiC2Gqs98p0Tiy@google.com> (raw)
In-Reply-To: <CALzav=frpbRMkDtVTwii2hJ+trtF0m0p5Y_Rc5KS42rp1KEaNw@mail.gmail.com>
On Tue, Mar 08, 2022, David Matlack wrote:
> On Tue, Mar 8, 2022 at 1:40 PM Sean Christopherson <seanjc@google.com> wrote:
> >
> > On Thu, Mar 03, 2022, David Matlack wrote:
> > > Tie the lifetime the KVM module to the lifetime of each VM via
> > > kvm.users_count. This way anything that grabs a reference to the VM via
> > > kvm_get_kvm() cannot accidentally outlive the KVM module.
> > >
> > > Prior to this commit, the lifetime of the KVM module was tied to the
> > > lifetime of /dev/kvm file descriptors, VM file descriptors, and vCPU
> > > file descriptors by their respective file_operations "owner" field.
> > > This approach is insufficient because references grabbed via
> > > kvm_get_kvm() do not prevent closing any of the aforementioned file
> > > descriptors.
> > >
> > > This fixes a long standing theoretical bug in KVM that at least affects
> > > async page faults. kvm_setup_async_pf() grabs a reference via
> > > kvm_get_kvm(), and drops it in an asynchronous work callback. Nothing
> > > prevents the VM file descriptor from being closed and the KVM module
> > > from being unloaded before this callback runs.
> > >
> > > Fixes: af585b921e5d ("KVM: Halt vcpu if page it tries to access is swapped out")
> >
> > And (or)
> >
> > Fixes: 3d3aab1b973b ("KVM: set owner of cpu and vm file operations")
> >
> > because the above is x86-centric, at a glance PPC and maybe s390 have issues
> > beyond async #PF.
> >
> > > Cc: stable@vger.kernel.org
> > > Suggested-by: Ben Gardon <bgardon@google.com>
> > > [ Based on a patch from Ben implemented for Google's kernel. ]
> > > Signed-off-by: David Matlack <dmatlack@google.com>
> > > ---
> > > virt/kvm/kvm_main.c | 8 ++++++++
> > > 1 file changed, 8 insertions(+)
> > >
> > > diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> > > index 35ae6d32dae5..b59f0a29dbd5 100644
> > > --- a/virt/kvm/kvm_main.c
> > > +++ b/virt/kvm/kvm_main.c
> > > @@ -117,6 +117,8 @@ EXPORT_SYMBOL_GPL(kvm_debugfs_dir);
> > >
> > > static const struct file_operations stat_fops_per_vm;
> > >
> > > +static struct file_operations kvm_chardev_ops;
> > > +
> > > static long kvm_vcpu_ioctl(struct file *file, unsigned int ioctl,
> > > unsigned long arg);
> > > #ifdef CONFIG_KVM_COMPAT
> > > @@ -1131,6 +1133,11 @@ static struct kvm *kvm_create_vm(unsigned long type)
> > > preempt_notifier_inc();
> > > kvm_init_pm_notifier(kvm);
> > >
> > > + if (!try_module_get(kvm_chardev_ops.owner)) {
> >
> > The "try" aspect is unnecessary. Stealing from Paolo's version,
> >
> > /* KVM is pinned via open("/dev/kvm"), the fd passed to this ioctl(). */
> > __module_get(kvm_chardev_ops.owner);
>
> Right, I did see that and agree we're guaranteed the KVM module has a
> reference at this point. But the KVM module might be in state
> MODULE_STATE_GOING (e.g. if someone ran "rmmod --wait"), which
> try_module_get() checks.
Ah, can you throw that in as a comment? Doesn't have to be much, just enough of
a breadcrumb to connect the dots and to prevent us from "optimizing" this to
__module_get() in the future.
/* Use the "try" variant to play nice with e.g. "rmmod --wait". */
With a comment,
Reviewed-by: Sean Christopherson <seanjc@google.com>
next prev parent reply other threads:[~2022-03-08 23:09 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-03 18:33 [PATCH RESEND 0/2] KVM: Prevent module exit until all VMs are freed David Matlack
2022-03-03 18:33 ` [PATCH RESEND 1/2] " David Matlack
2022-03-08 21:40 ` Sean Christopherson
2022-03-08 22:28 ` David Matlack
2022-03-08 23:08 ` Sean Christopherson [this message]
2022-03-08 23:44 ` David Matlack
2022-03-08 23:43 ` David Matlack
2022-03-15 15:43 ` Murilo Opsfelder Araújo
2022-03-15 20:45 ` Paolo Bonzini
2022-03-03 18:33 ` [PATCH RESEND 2/2] Revert "KVM: set owner of cpu and vm file operations" David Matlack
2022-03-08 21:40 ` Sean Christopherson
2022-03-15 20:49 ` [PATCH RESEND 0/2] KVM: Prevent module exit until all VMs are freed Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YifiC2Gqs98p0Tiy@google.com \
--to=seanjc@google.com \
--cc=bgardon@google.com \
--cc=dmatlack@google.com \
--cc=gleb@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=mtosatti@redhat.com \
--cc=pbonzini@redhat.com \
--cc=riel@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.