From: bugzilla-daemon@kernel.org
To: kvm@vger.kernel.org
Subject: [Bug 217562] kernel NULL pointer dereference on deletion of guest physical memory slot
Date: Thu, 22 Jun 2023 17:51:41 +0000
Message-ID: <bug-217562-28872-nbfYtxtk57@https.bugzilla.kernel.org/>
In-Reply-To: <bug-217562-28872@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=217562
--- Comment #2 from Arnaud Lefebvre (arnaud.lefebvre@clever-cloud.com) ---
Thanks a lot for that very detailed reply!
> TL;DR: I'm 99% certain you're hitting a race that results in KVM doing a
> list_del() before a list_add(). I am planning on sending a patch for v5.15
> to disable the TDP MMU by default, which will "fix" this bug, but I have an
> extra long weekend and won't get to that before next Thursday or so.
> In the meantime, you can effect the same fix by disabling the TDP MMU via
> module param, i.e. add kvm.tdp_mmu=false to your kernel/KVM command line.
Alright, thanks for the tip. We'll probably just upgrade to the 6.1 LTS; this
was planned, but we weren't sure if the bug was there too.
> If you're feeling particularly masochistic, I bet you could reproduce this
> more easily by introducing a delay between setting the SPTE and linking the
> page, e.g.
> diff --git a/arch/x86/kvm/mmu/tdp_mmu.c b/arch/x86/kvm/mmu/tdp_mmu.c
> index 6c2bb60ccd88..1fb10d4156aa 100644
> --- a/arch/x86/kvm/mmu/tdp_mmu.c
> +++ b/arch/x86/kvm/mmu/tdp_mmu.c
> @@ -1071,6 +1071,7 @@ int kvm_tdp_mmu_map(struct kvm_vcpu *vcpu, gpa_t gpa,
> u32 error_code,
> !shadow_accessed_mask);
>
> if (tdp_mmu_set_spte_atomic_no_dirty_log(vcpu->kvm,
> &iter, new_spte)) {
> + udelay(100);
> tdp_mmu_link_page(vcpu->kvm, sp,
> huge_page_disallowed &&
> req_level >= iter.level);
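Review bot: the udelay(100) sits on the guest page-fault path after the new SPTE is already visible to other CPUs but before tdp_mmu_link_page() runs, so its only effect is to widen the list_del()-before-list_add() window; it is a reproduction aid and must not be merged, so keep it in the local tree or guard it behind a debug knob. The hunk also adds a udelay() call without adding an include, so check that tdp_mmu.c already pulls in <linux/delay.h>, otherwise the build breaks.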
We might try that if we can find some time in the upcoming weeks, just to be
sure that we can actually reproduce the bug and put this behind us.
Regarding this bug report, how do we proceed from now on? Should we close it?
Keep it open for a few weeks until we can confirm that we don't have this issue
in 6.1 anymore? Let you handle it once you disable TDP MMU by default on the
v5.15 LTS?
Thanks for your advice.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
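To make the race Sean describes concrete, here is an added user-space model (not code from the bug report or from the kernel) of the two-step install, "set SPTE, then link page", with a concurrent zap landing in the window. The list_head/list_add/list_del shapes mirror the kernel's, the struct and function names are the model's own, and the link_first=true order exists only to show the window closing; it is not the kernel's actual fix.

```c
/* User-space model of the TDP MMU ordering hazard: a page becomes findable
 * (its SPTE is visible) before it is on the pages list, and a zap that runs
 * in between calls list_del() on a node that was never list_add()'ed. */
#include <stddef.h>
#include <stdbool.h>

struct list_head { struct list_head *next, *prev; };

struct tdp_page {            /* model of struct kvm_mmu_page (assumed name) */
    struct list_head link;   /* zeroed until linked: prev == next == NULL */
    bool spte_visible;       /* "SPTE set": other CPUs can now reach this page */
};

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}

/* The kernel's list_del() dereferences n->prev and n->next unconditionally;
 * on a never-added node those are NULL, which is the reported oops. The model
 * detects that case and returns false instead of crashing. */
static bool list_del_checked(struct list_head *n) {
    if (!n->prev || !n->next) return false;    /* list_del before list_add */
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
    return true;
}

/* Concurrent zap (e.g. memslot deletion): unlink any page whose SPTE it sees. */
static bool zap_if_visible(struct tdp_page *sp) {
    return sp->spte_visible ? list_del_checked(&sp->link) : true;
}

/* Two-step install with the zap interleaved between the steps.
 * link_first=false is the buggy order: set SPTE, [udelay window], link page.
 * Returns true if no NULL dereference would have happened. */
static bool install_with_racing_zap(bool link_first) {
    struct list_head pages;
    struct tdp_page sp = {0};
    list_init(&pages);
    if (link_first) list_add(&sp.link, &pages);
    sp.spte_visible = true;                    /* tdp_mmu_set_spte_atomic...() */
    bool ok = zap_if_visible(&sp);             /* zap runs inside the window */
    if (!link_first && ok) list_add(&sp.link, &pages); /* tdp_mmu_link_page() */
    return ok;
}
```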
Thread overview:
2023-06-16 16:02 [Bug 217562] New: kernel NULL pointer dereference on deletion of guest physical memory slot bugzilla-daemon
2023-06-16 23:53 ` Sean Christopherson
2023-06-16 23:53 ` [Bug 217562] " bugzilla-daemon
2023-06-22 17:51 ` bugzilla-daemon [this message]