From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Peter Xu <peterx@redhat.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>,
Janosch Frank <frankja@linux.ibm.com>,
Paolo Bonzini <pbonzini@redhat.com>,
David Hildenbrand <david@redhat.com>,
Cornelia Huck <cohuck@redhat.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Qian Cai <cai@lca.pw>
Subject: Re: [PATCH 1/7] KVM: Fix out of range accesses to memslots
Date: Fri, 20 Mar 2020 16:07:58 -0700 [thread overview]
Message-ID: <20200320230758.GA8418@linux.intel.com> (raw)
In-Reply-To: <20200320225802.GH127076@xz-x1>
On Fri, Mar 20, 2020 at 06:58:02PM -0400, Peter Xu wrote:
> On Fri, Mar 20, 2020 at 03:40:41PM -0700, Sean Christopherson wrote:
> > I thought resetting lru_slot to zero would be good enough when
> > > duplicating the slots... however if we want to do finer grained reset,
> > > maybe even better to reset also those invalidated ones (since we know
> > > this information)?
> > >
> > > if (slots->lru_slot >= slots->id_to_index[memslot->id])
> > > slots->lru_slot = 0;
> >
> > I'd prefer to go with the more obviously correct version. This code will
> > rarely trigger, e.g. larger slots have lower indices and are more likely to
> > be the LRU (by virtue of being the biggest), and dynamic memslot deletion
> > is usually for relatively small ranges that are being remapped by the guest.
>
> IMHO the more obvious correct version could be unconditionally setting
> lru_slot to something invalid (e.g. -1) in kvm_dup_memslots(), then in
> the two search_memslots() skip the cache if lru_slot is invalid.
> That's IMHO easier to understand than the "!slots->used_slots" checks.
> But I've no strong opinion.
We'd still need the !slots->used_slots check. I considered adding an
explicit check on @slot for the cache lookup, e.g.
static inline struct kvm_memory_slot *
search_memslots(struct kvm_memslots *slots, gfn_t gfn)
{
int start = 0, end = slots->used_slots;
int slot = atomic_read(&slots->lru_slot);
struct kvm_memory_slot *memslots = slots->memslots;
if (likely(slot < slots->used_slots) &&
gfn >= memslots[slot].base_gfn &&
gfn < memslots[slot].base_gfn + memslots[slot].npages)
return &memslots[slot];
But then the back half of the function still ends up with an out-of-bounds
bug. E.g. if used_slots == 0, then start==0, and memslots[start].base_gfn
accesses garbage.
while (start < end) {
slot = start + (end - start) / 2;
if (gfn >= memslots[slot].base_gfn)
end = slot;
else
start = slot + 1;
}
if (gfn >= memslots[start].base_gfn &&
gfn < memslots[start].base_gfn + memslots[start].npages) {
atomic_set(&slots->lru_slot, start);
return &memslots[start];
}
return NULL;
}
I also didn't want to invalidate the lru_slot any more than is necessary,
not that I'd expect it to make a noticeable difference even in a
pathalogical scenario, but it seemed prudent.
next prev parent reply other threads:[~2020-03-20 23:08 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-20 20:55 [PATCH 0/7] KVM: Fix memslot use-after-free bug Sean Christopherson
2020-03-20 20:55 ` [PATCH 1/7] KVM: Fix out of range accesses to memslots Sean Christopherson
2020-03-20 22:17 ` Peter Xu
2020-03-20 22:40 ` Sean Christopherson
2020-03-20 22:58 ` Peter Xu
2020-03-20 23:07 ` Sean Christopherson [this message]
2020-03-24 7:12 ` Christian Borntraeger
2020-03-24 10:12 ` Claudio Imbrenda
2020-03-20 20:55 ` [PATCH 2/7] KVM: selftests: Fix cosmetic copy-paste error in vm_mem_region_move() Sean Christopherson
2020-03-20 20:55 ` [PATCH 3/7] KVM: selftests: Take vcpu pointer instead of id in vm_vcpu_rm() Sean Christopherson
2020-03-20 20:55 ` [PATCH 4/7] KVM: selftests: Add helpers to consolidate open coded list operations Sean Christopherson
2020-03-20 22:47 ` Peter Xu
2020-03-24 11:28 ` Paolo Bonzini
2020-03-20 20:55 ` [PATCH 5/7] KVM: selftests: Add util to delete memory region Sean Christopherson
2020-03-20 20:55 ` [PATCH 6/7] KVM: selftests: Expose the primary memslot number to tests Sean Christopherson
2020-03-23 19:12 ` Peter Xu
2020-03-23 21:28 ` Sean Christopherson
2020-03-20 20:55 ` [PATCH 7/7] KVM: selftests: Add "delete" testcase to set_memory_region_test Sean Christopherson
2020-03-23 19:06 ` Peter Xu
2020-03-23 21:43 ` Sean Christopherson
2020-03-23 21:58 ` Peter Xu
2020-03-24 11:30 ` [PATCH 0/7] KVM: Fix memslot use-after-free bug Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200320230758.GA8418@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=borntraeger@de.ibm.com \
--cc=cai@lca.pw \
--cc=cohuck@redhat.com \
--cc=david@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox