[PATCH 5/5] accel/kvm: Fix SIGSEGV when execute "query-balloon" after CPR transfer

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 5/5] accel/kvm: Fix SIGSEGV when execute "query-balloon" after CPR transfer
@ 2025-09-26  2:25 Zhenzhong Duan
  2025-09-26  4:48 ` Markus Armbruster
  2025-09-26 13:19 ` Steven Sistare
  0 siblings, 2 replies; 6+ messages in thread
From: Zhenzhong Duan @ 2025-09-26  2:25 UTC (permalink / raw)
  To: qemu-devel; +Cc: alex.williamson, clg, eric.auger, steven.sistare

After CPR transfer, source QEMU close kvm fd and free kvm_state,
"query-balloon" will check kvm_state->sync_mmu and trigger NULL
pointer reference.

Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
---
 accel/kvm/kvm-all.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index 9060599cd7..a3e2d11763 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -3479,7 +3479,7 @@ int kvm_device_access(int fd, int group, uint64_t attr,
 
 bool kvm_has_sync_mmu(void)
 {
-    return kvm_state->sync_mmu;
+    return kvm_state && kvm_state->sync_mmu;
 }
 
 int kvm_has_vcpu_events(void)
-- 
2.47.1



^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH 5/5] accel/kvm: Fix SIGSEGV when execute "query-balloon" after CPR transfer
  2025-09-26  2:25 [PATCH 5/5] accel/kvm: Fix SIGSEGV when execute "query-balloon" after CPR transfer Zhenzhong Duan
@ 2025-09-26  4:48 ` Markus Armbruster
  2025-09-26 13:17   ` Steven Sistare
  2025-09-28  8:13   ` Duan, Zhenzhong
  2025-09-26 13:19 ` Steven Sistare
  1 sibling, 2 replies; 6+ messages in thread
From: Markus Armbruster @ 2025-09-26  4:48 UTC (permalink / raw)
  To: Zhenzhong Duan
  Cc: qemu-devel, alex.williamson, clg, eric.auger, steven.sistare

Zhenzhong Duan <zhenzhong.duan@intel.com> writes:

> After CPR transfer, source QEMU close kvm fd and free kvm_state,
> "query-balloon" will check kvm_state->sync_mmu and trigger NULL
> pointer reference.
>
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
> ---
>  accel/kvm/kvm-all.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
> index 9060599cd7..a3e2d11763 100644
> --- a/accel/kvm/kvm-all.c
> +++ b/accel/kvm/kvm-all.c
> @@ -3479,7 +3479,7 @@ int kvm_device_access(int fd, int group, uint64_t attr,
>  
>  bool kvm_has_sync_mmu(void)
>  {
> -    return kvm_state->sync_mmu;
> +    return kvm_state && kvm_state->sync_mmu;
>  }
>  
>  int kvm_has_vcpu_events(void)

This dereference could signify there's a general assumption *kvm_state
is valid, i.e. there might be more dereferences hiding in the code.

Have you checked?

Is freeing @kvm_state after CPR transfer useful?



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 5/5] accel/kvm: Fix SIGSEGV when execute "query-balloon" after CPR transfer
  2025-09-26  4:48 ` Markus Armbruster
@ 2025-09-26 13:17   ` Steven Sistare
  2025-09-28  8:13   ` Duan, Zhenzhong
  1 sibling, 0 replies; 6+ messages in thread
From: Steven Sistare @ 2025-09-26 13:17 UTC (permalink / raw)
  To: Markus Armbruster, Zhenzhong Duan
  Cc: qemu-devel, alex.williamson, clg, eric.auger

On 9/26/2025 12:48 AM, Markus Armbruster wrote:
> Zhenzhong Duan <zhenzhong.duan@intel.com> writes:
> 
>> After CPR transfer, source QEMU close kvm fd and free kvm_state,
>> "query-balloon" will check kvm_state->sync_mmu and trigger NULL
>> pointer reference.
>>
>> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
>> ---
>>   accel/kvm/kvm-all.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
>> index 9060599cd7..a3e2d11763 100644
>> --- a/accel/kvm/kvm-all.c
>> +++ b/accel/kvm/kvm-all.c
>> @@ -3479,7 +3479,7 @@ int kvm_device_access(int fd, int group, uint64_t attr,
>>   
>>   bool kvm_has_sync_mmu(void)
>>   {
>> -    return kvm_state->sync_mmu;
>> +    return kvm_state && kvm_state->sync_mmu;
>>   }
>>   
>>   int kvm_has_vcpu_events(void)
> 
> This dereference could signify there's a general assumption *kvm_state
> is valid, i.e. there might be more dereferences hiding in the code.
> 
> Have you checked?
> 
> Is freeing @kvm_state after CPR transfer useful?

There are other references to kvm_state which are checked by earlier cpr patches.
The risk/consequence of missing something is low, because this only occurs on source
QEMU after the target is live.

The KVM instance is closed to release KVM page table references and speed execv
during cpr-exec mode.

- Steve



^ permalink raw reply	[flat|nested] 6+ messages in thread

* RE: [PATCH 5/5] accel/kvm: Fix SIGSEGV when execute "query-balloon" after CPR transfer
  2025-09-26  4:48 ` Markus Armbruster
  2025-09-26 13:17   ` Steven Sistare
@ 2025-09-28  8:13   ` Duan, Zhenzhong
  2025-09-29  4:32     ` Markus Armbruster
  1 sibling, 1 reply; 6+ messages in thread
From: Duan, Zhenzhong @ 2025-09-28  8:13 UTC (permalink / raw)
  To: Markus Armbruster
  Cc: qemu-devel@nongnu.org, alex.williamson@redhat.com, clg@redhat.com,
	eric.auger@redhat.com, steven.sistare@oracle.com



>-----Original Message-----
>From: Markus Armbruster <armbru@redhat.com>
>Subject: Re: [PATCH 5/5] accel/kvm: Fix SIGSEGV when execute
>"query-balloon" after CPR transfer
>
>Zhenzhong Duan <zhenzhong.duan@intel.com> writes:
>
>> After CPR transfer, source QEMU close kvm fd and free kvm_state,
>> "query-balloon" will check kvm_state->sync_mmu and trigger NULL
>> pointer reference.
>>
>> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
>> ---
>>  accel/kvm/kvm-all.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
>> index 9060599cd7..a3e2d11763 100644
>> --- a/accel/kvm/kvm-all.c
>> +++ b/accel/kvm/kvm-all.c
>> @@ -3479,7 +3479,7 @@ int kvm_device_access(int fd, int group, uint64_t
>attr,
>>
>>  bool kvm_has_sync_mmu(void)
>>  {
>> -    return kvm_state->sync_mmu;
>> +    return kvm_state && kvm_state->sync_mmu;
>>  }
>>
>>  int kvm_has_vcpu_events(void)
>
>This dereference could signify there's a general assumption *kvm_state
>is valid, i.e. there might be more dereferences hiding in the code.

Yes, agree with your concern, let me pursues other way.
>
>Have you checked?
>
>Is freeing @kvm_state after CPR transfer useful?

kvm_state was NULLed, let me try to keep it for query just like in kernel
task struct is retained when child process exit.

I'd like to add your Suggested-by on this if you don't object.

Thanks
Zhenzhong


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 5/5] accel/kvm: Fix SIGSEGV when execute "query-balloon" after CPR transfer
  2025-09-28  8:13   ` Duan, Zhenzhong
@ 2025-09-29  4:32     ` Markus Armbruster
  0 siblings, 0 replies; 6+ messages in thread
From: Markus Armbruster @ 2025-09-29  4:32 UTC (permalink / raw)
  To: Duan, Zhenzhong
  Cc: qemu-devel@nongnu.org, alex.williamson@redhat.com, clg@redhat.com,
	eric.auger@redhat.com, steven.sistare@oracle.com

"Duan, Zhenzhong" <zhenzhong.duan@intel.com> writes:

>>-----Original Message-----
>>From: Markus Armbruster <armbru@redhat.com>

[...]

>>Is freeing @kvm_state after CPR transfer useful?
>
> kvm_state was NULLed, let me try to keep it for query just like in kernel
> task struct is retained when child process exit.
>
> I'd like to add your Suggested-by on this if you don't object.

I don't :)



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 5/5] accel/kvm: Fix SIGSEGV when execute "query-balloon" after CPR transfer
  2025-09-26  2:25 [PATCH 5/5] accel/kvm: Fix SIGSEGV when execute "query-balloon" after CPR transfer Zhenzhong Duan
  2025-09-26  4:48 ` Markus Armbruster
@ 2025-09-26 13:19 ` Steven Sistare
  1 sibling, 0 replies; 6+ messages in thread
From: Steven Sistare @ 2025-09-26 13:19 UTC (permalink / raw)
  To: Zhenzhong Duan, qemu-devel; +Cc: alex.williamson, clg, eric.auger

On 9/25/2025 10:25 PM, Zhenzhong Duan wrote:
> After CPR transfer, source QEMU close kvm fd and free kvm_state,
> "query-balloon" will check kvm_state->sync_mmu and trigger NULL
> pointer reference.
> 
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>

Reviewed-by: Steve Sistare <steven.sistare@oracle.com>

> ---
>   accel/kvm/kvm-all.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
> index 9060599cd7..a3e2d11763 100644
> --- a/accel/kvm/kvm-all.c
> +++ b/accel/kvm/kvm-all.c
> @@ -3479,7 +3479,7 @@ int kvm_device_access(int fd, int group, uint64_t attr,
>   
>   bool kvm_has_sync_mmu(void)
>   {
> -    return kvm_state->sync_mmu;
> +    return kvm_state && kvm_state->sync_mmu;
>   }
>   
>   int kvm_has_vcpu_events(void)



^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2025-09-29  6:57 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-26  2:25 [PATCH 5/5] accel/kvm: Fix SIGSEGV when execute "query-balloon" after CPR transfer Zhenzhong Duan
2025-09-26  4:48 ` Markus Armbruster
2025-09-26 13:17   ` Steven Sistare
2025-09-28  8:13   ` Duan, Zhenzhong
2025-09-29  4:32     ` Markus Armbruster
2025-09-26 13:19 ` Steven Sistare

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).