Re: [PATCH] kvm: fix irqfd assign/deassign race

public inbox for kvm@vger.kernel.org
 help / color / mirror / Atom feed

* Re: [PATCH] kvm: fix irqfd assign/deassign race
       [not found] <20100919170231.GA12620@redhat.com>
@ 2010-09-19 20:02 ` Gregory Haskins
  2010-09-20 18:35 ` Marcelo Tosatti
  1 sibling, 0 replies; 3+ messages in thread
From: Gregory Haskins @ 2010-09-19 20:02 UTC (permalink / raw)
  To: Tejun Heo, Avi Kivity, Michael S. Tsirkin, Marcelo Tosatti, kvm,
	linux-kernel

>>> On 9/19/2010 at 01:02 PM, in message <20100919170231.GA12620@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com> wrote: 
> I think I see the following (theoretical) race:
> 
> During irqfd assign, we drop irqfds lock before we
> schedule inject work. Therefore, deassign running
> on another CPU could cause shutdown and flush to run
> before inject, causing user after free in inject.
> 
> A simple fix it to schedule inject under the lock.

I swear there was some reason why the schedule_work() was done outside of the lock, but I can't for the life of me remember why anymore (it obviously was a failing on my part to _comment_ why if there was such a reason).  So, short of recalling what that reason was, and the fact that Michael's theory seems rational and legit... 

Acked-by: Gregory Haskins <ghaskins@novell.com>

> 
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> 
> If the issue is real, this might be a 2.6.36 and -stable
> candidate. Comments?
> 
>  virt/kvm/eventfd.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
> index 66cf65b..c1f1e3c 100644
> --- a/virt/kvm/eventfd.c
> +++ b/virt/kvm/eventfd.c
> @@ -218,7 +218,6 @@ kvm_irqfd_assign(struct kvm *kvm, int fd, int gsi)
>  	events = file->f_op->poll(file, &irqfd->pt);
>  
>  	list_add_tail(&irqfd->list, &kvm->irqfds.items);
> -	spin_unlock_irq(&kvm->irqfds.lock);
>  
>  	/*
>  	 * Check if there was an event already pending on the eventfd
> @@ -227,6 +226,8 @@ kvm_irqfd_assign(struct kvm *kvm, int fd, int gsi)
>  	if (events & POLLIN)
>  		schedule_work(&irqfd->inject);
>  
> +	spin_unlock_irq(&kvm->irqfds.lock);
> +
>  	/*
>  	 * do not drop the file until the irqfd is fully initialized, otherwise
>  	 * we might race against the POLLHUP

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] kvm: fix irqfd assign/deassign race
       [not found] <20100919170231.GA12620@redhat.com>
  2010-09-19 20:02 ` [PATCH] kvm: fix irqfd assign/deassign race Gregory Haskins
@ 2010-09-20 18:35 ` Marcelo Tosatti
  1 sibling, 0 replies; 3+ messages in thread
From: Marcelo Tosatti @ 2010-09-20 18:35 UTC (permalink / raw)
  To: Michael S. Tsirkin
  Cc: Avi Kivity, Tejun Heo, Gregory Haskins, kvm, linux-kernel

On Sun, Sep 19, 2010 at 07:02:31PM +0200, Michael S. Tsirkin wrote:
> I think I see the following (theoretical) race:
> 
> During irqfd assign, we drop irqfds lock before we
> schedule inject work. Therefore, deassign running
> on another CPU could cause shutdown and flush to run
> before inject, causing user after free in inject.
> 
> A simple fix it to schedule inject under the lock.
> 
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---

Applied, thanks.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH] kvm: fix irqfd assign/deassign race
@ 2010-09-19 17:02 Michael S. Tsirkin
  0 siblings, 0 replies; 3+ messages in thread
From: Michael S. Tsirkin @ 2010-09-19 17:02 UTC (permalink / raw)
  To: Avi Kivity, Marcelo Tosatti, Michael S. Tsirkin, Tejun Heo,
	Gregory Haskins, kvm

I think I see the following (theoretical) race:

During irqfd assign, we drop irqfds lock before we
schedule inject work. Therefore, deassign running
on another CPU could cause shutdown and flush to run
before inject, causing user after free in inject.

A simple fix it to schedule inject under the lock.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---

If the issue is real, this might be a 2.6.36 and -stable
candidate. Comments?

 virt/kvm/eventfd.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
index 66cf65b..c1f1e3c 100644
--- a/virt/kvm/eventfd.c
+++ b/virt/kvm/eventfd.c
@@ -218,7 +218,6 @@ kvm_irqfd_assign(struct kvm *kvm, int fd, int gsi)
 	events = file->f_op->poll(file, &irqfd->pt);
 
 	list_add_tail(&irqfd->list, &kvm->irqfds.items);
-	spin_unlock_irq(&kvm->irqfds.lock);
 
 	/*
 	 * Check if there was an event already pending on the eventfd
@@ -227,6 +226,8 @@ kvm_irqfd_assign(struct kvm *kvm, int fd, int gsi)
 	if (events & POLLIN)
 		schedule_work(&irqfd->inject);
 
+	spin_unlock_irq(&kvm->irqfds.lock);
+
 	/*
 	 * do not drop the file until the irqfd is fully initialized, otherwise
 	 * we might race against the POLLHUP
-- 
1.7.2.2

^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2010-09-20 19:11 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20100919170231.GA12620@redhat.com>
2010-09-19 20:02 ` [PATCH] kvm: fix irqfd assign/deassign race Gregory Haskins
2010-09-20 18:35 ` Marcelo Tosatti
2010-09-19 17:02 Michael S. Tsirkin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox