From: Igor Mammedov <imammedo@redhat.com>
To: Alexander Bulekov <alxndr@bu.edu>
Cc: qemu-devel@nongnu.org, "Stefan Hajnoczi" <stefanha@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Mauro Matteo Cascella" <mcascell@redhat.com>,
"Peter Xu" <peterx@redhat.com>,
"Jason Wang" <jasowang@redhat.com>,
"David Hildenbrand" <david@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Thomas Huth" <thuth@redhat.com>,
"Laurent Vivier" <lvivier@redhat.com>,
"Bandan Das" <bsd@redhat.com>,
"Edgar E . Iglesias" <edgar.iglesias@gmail.com>,
"Darren Kenny" <darren.kenny@oracle.com>,
"Bin Meng" <bin.meng@windriver.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Michael S . Tsirkin" <mst@redhat.com>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Daniel P . Berrangé" <berrange@redhat.com>,
"Eduardo Habkost" <eduardo@habkost.net>,
"Jon Maloy" <jmaloy@redhat.com>, "Siqi Chen" <coc.cyqh@gmail.com>,
"Michael Tokarev" <mjt@tls.msk.ru>
Subject: Re: [PATCH v10 1/8] memory: prevent dma-reentracy issues
Date: Wed, 21 Aug 2024 15:25:18 +0200 [thread overview]
Message-ID: <20240821152518.1a973a7b@imammedo.users.ipa.redhat.com> (raw)
In-Reply-To: <20230427211013.2994127-2-alxndr@bu.edu>
On Thu, 27 Apr 2023 17:10:06 -0400
Alexander Bulekov <alxndr@bu.edu> wrote:
> Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
> This flag is set/checked prior to calling a device's MemoryRegion
> handlers, and set when device code initiates DMA. The purpose of this
> flag is to prevent two types of DMA-based reentrancy issues:
>
> 1.) mmio -> dma -> mmio case
> 2.) bh -> dma write -> mmio case
Alexander, with 9.0
we are getting
warning: Blocked re-entrant IO on MemoryRegion: acpi-cpu-hotplug at addr: 0x0
during CPU hot-unplug, to my knowledge there shouldn't be any DMA involved
there.
The only access should be either from guest kernel or firmware(this one is under SMM mode)).
Question is how this could happen on MMIO access which should be guarded by BQL?
And where to start digging to find out if it's a genuine issue,
or whether it's safe to use big hammer and disable reentrancy guard?
> These issues have led to problems such as stack-exhaustion and
> use-after-frees.
>
> Summary of the problem from Peter Maydell:
> https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
> Resolves: CVE-2023-0330
>
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
> Reviewed-by: Thomas Huth <thuth@redhat.com>
> ---
> include/exec/memory.h | 5 +++++
> include/hw/qdev-core.h | 7 +++++++
> softmmu/memory.c | 16 ++++++++++++++++
> 3 files changed, 28 insertions(+)
>
> diff --git a/include/exec/memory.h b/include/exec/memory.h
> index 15ade918ba..e45ce6061f 100644
> --- a/include/exec/memory.h
> +++ b/include/exec/memory.h
> @@ -767,6 +767,8 @@ struct MemoryRegion {
> bool is_iommu;
> RAMBlock *ram_block;
> Object *owner;
> + /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */
> + DeviceState *dev;
>
> const MemoryRegionOps *ops;
> void *opaque;
> @@ -791,6 +793,9 @@ struct MemoryRegion {
> unsigned ioeventfd_nb;
> MemoryRegionIoeventfd *ioeventfds;
> RamDiscardManager *rdm; /* Only for RAM */
> +
> + /* For devices designed to perform re-entrant IO into their own IO MRs */
> + bool disable_reentrancy_guard;
> };
>
> struct IOMMUMemoryRegion {
> diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
> index bd50ad5ee1..7623703943 100644
> --- a/include/hw/qdev-core.h
> +++ b/include/hw/qdev-core.h
> @@ -162,6 +162,10 @@ struct NamedClockList {
> QLIST_ENTRY(NamedClockList) node;
> };
>
> +typedef struct {
> + bool engaged_in_io;
> +} MemReentrancyGuard;
> +
> /**
> * DeviceState:
> * @realized: Indicates whether the device has been fully constructed.
> @@ -194,6 +198,9 @@ struct DeviceState {
> int alias_required_for_version;
> ResettableState reset;
> GSList *unplug_blockers;
> +
> + /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */
> + MemReentrancyGuard mem_reentrancy_guard;
> };
>
> struct DeviceListener {
> diff --git a/softmmu/memory.c b/softmmu/memory.c
> index b1a6cae6f5..fe23f0e5ce 100644
> --- a/softmmu/memory.c
> +++ b/softmmu/memory.c
> @@ -542,6 +542,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
> access_size_max = 4;
> }
>
> + /* Do not allow more than one simultaneous access to a device's IO Regions */
> + if (mr->dev && !mr->disable_reentrancy_guard &&
> + !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) {
> + if (mr->dev->mem_reentrancy_guard.engaged_in_io) {
> + warn_report("Blocked re-entrant IO on "
> + "MemoryRegion: %s at addr: 0x%" HWADDR_PRIX,
> + memory_region_name(mr), addr);
> + return MEMTX_ACCESS_ERROR;
> + }
> + mr->dev->mem_reentrancy_guard.engaged_in_io = true;
> + }
> +
> /* FIXME: support unaligned access? */
> access_size = MAX(MIN(size, access_size_max), access_size_min);
> access_mask = MAKE_64BIT_MASK(0, access_size * 8);
> @@ -556,6 +568,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
> access_mask, attrs);
> }
> }
> + if (mr->dev) {
> + mr->dev->mem_reentrancy_guard.engaged_in_io = false;
> + }
> return r;
> }
>
> @@ -1170,6 +1185,7 @@ static void memory_region_do_init(MemoryRegion *mr,
> }
> mr->name = g_strdup(name);
> mr->owner = owner;
> + mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE);
> mr->ram_block = NULL;
>
> if (name) {
next prev parent reply other threads:[~2024-08-21 13:26 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-27 21:10 [PATCH v10 0/8] memory: prevent dma-reentracy issues Alexander Bulekov
2023-04-27 21:10 ` [PATCH v10 1/8] " Alexander Bulekov
2023-04-28 6:09 ` Thomas Huth
2023-04-28 8:12 ` Daniel P. Berrangé
2023-04-28 8:15 ` Thomas Huth
2023-04-28 9:11 ` Alexander Bulekov
2023-04-28 9:14 ` Thomas Huth
2023-05-06 9:25 ` Song Gao
2023-05-08 9:33 ` Thomas Huth
2023-05-08 13:03 ` Song Gao
2023-05-08 13:12 ` Thomas Huth
2023-05-09 2:13 ` Song Gao
2023-05-10 9:02 ` Song Gao
2023-05-10 12:21 ` Thomas Huth
2023-05-11 8:53 ` Song Gao
2023-05-11 8:58 ` Thomas Huth
2023-05-11 9:08 ` Song Gao
2024-08-21 13:25 ` Igor Mammedov [this message]
2024-08-27 15:49 ` Igor Mammedov
2024-08-28 7:55 ` Gerd Hoffmann
2023-04-27 21:10 ` [PATCH v10 2/8] async: Add an optional reentrancy guard to the BH API Alexander Bulekov
2023-04-27 21:10 ` [PATCH v10 3/8] checkpatch: add qemu_bh_new/aio_bh_new checks Alexander Bulekov
2023-04-27 21:10 ` [PATCH v10 4/8] hw: replace most qemu_bh_new calls with qemu_bh_new_guarded Alexander Bulekov
2023-04-27 21:10 ` [PATCH v10 5/8] lsi53c895a: disable reentrancy detection for script RAM Alexander Bulekov
2023-04-27 21:10 ` [PATCH v10 6/8] bcm2835_property: disable reentrancy detection for iomem Alexander Bulekov
2023-04-27 21:10 ` [PATCH v10 7/8] raven: " Alexander Bulekov
2023-05-04 12:03 ` Darren Kenny
2023-04-27 21:10 ` [PATCH v10 8/8] apic: disable reentrancy detection for apic-msi Alexander Bulekov
2023-05-18 20:22 ` Michael S. Tsirkin
2023-05-18 20:33 ` Michael Tokarev
2023-05-04 14:08 ` [PATCH v10 0/8] memory: prevent dma-reentracy issues Michael Tokarev
2024-11-08 19:56 ` Alexander Bulekov
2024-11-09 10:14 ` Akihiko Odaki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240821152518.1a973a7b@imammedo.users.ipa.redhat.com \
--to=imammedo@redhat.com \
--cc=alxndr@bu.edu \
--cc=berrange@redhat.com \
--cc=bin.meng@windriver.com \
--cc=bsd@redhat.com \
--cc=coc.cyqh@gmail.com \
--cc=darren.kenny@oracle.com \
--cc=david@redhat.com \
--cc=edgar.iglesias@gmail.com \
--cc=eduardo@habkost.net \
--cc=jasowang@redhat.com \
--cc=jmaloy@redhat.com \
--cc=kraxel@redhat.com \
--cc=lvivier@redhat.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=mcascell@redhat.com \
--cc=mjt@tls.msk.ru \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).