All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Peter Xu <peterx@redhat.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>,
	Janosch Frank <frankja@linux.ibm.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	David Hildenbrand <david@redhat.com>,
	Cornelia Huck <cohuck@redhat.com>,
	kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	Qian Cai <cai@lca.pw>
Subject: Re: [PATCH 1/7] KVM: Fix out of range accesses to memslots
Date: Fri, 20 Mar 2020 16:07:58 -0700	[thread overview]
Message-ID: <20200320230758.GA8418@linux.intel.com> (raw)
In-Reply-To: <20200320225802.GH127076@xz-x1>

On Fri, Mar 20, 2020 at 06:58:02PM -0400, Peter Xu wrote:
> On Fri, Mar 20, 2020 at 03:40:41PM -0700, Sean Christopherson wrote:
 > > I thought resetting lru_slot to zero would be good enough when
> > > duplicating the slots... however if we want to do finer grained reset,
> > > maybe even better to reset also those invalidated ones (since we know
> > > this information)?
> > > 
> > >    	if (slots->lru_slot >= slots->id_to_index[memslot->id])
> > >    		slots->lru_slot = 0;
> > 
> > I'd prefer to go with the more obviously correct version.  This code will
> > rarely trigger, e.g. larger slots have lower indices and are more likely to
> > be the LRU (by virtue of being the biggest), and dynamic memslot deletion
> > is usually for relatively small ranges that are being remapped by the guest.
> 
> IMHO the more obvious correct version could be unconditionally setting
> lru_slot to something invalid (e.g. -1) in kvm_dup_memslots(), then in
> the two search_memslots() skip the cache if lru_slot is invalid.
> That's IMHO easier to understand than the "!slots->used_slots" checks.
> But I've no strong opinion.

We'd still need the !slots->used_slots check.  I considered adding an
explicit check on @slot for the cache lookup, e.g.

static inline struct kvm_memory_slot *
search_memslots(struct kvm_memslots *slots, gfn_t gfn)
{
	int start = 0, end = slots->used_slots;
	int slot = atomic_read(&slots->lru_slot);
	struct kvm_memory_slot *memslots = slots->memslots;

	if (likely(slot < slots->used_slots) &&
	    gfn >= memslots[slot].base_gfn &&
	    gfn < memslots[slot].base_gfn + memslots[slot].npages)
		return &memslots[slot];


But then the back half of the function still ends up with an out-of-bounds
bug.  E.g. if used_slots == 0, then start==0, and memslots[start].base_gfn
accesses garbage.

	while (start < end) {
		slot = start + (end - start) / 2;

		if (gfn >= memslots[slot].base_gfn)
			end = slot;
		else
			start = slot + 1;
	}

	if (gfn >= memslots[start].base_gfn &&
	    gfn < memslots[start].base_gfn + memslots[start].npages) {
		atomic_set(&slots->lru_slot, start);
		return &memslots[start];
	}

	return NULL;
}

I also didn't want to invalidate the lru_slot any more than is necessary,
not that I'd expect it to make a noticeable difference even in a
pathalogical scenario, but it seemed prudent.

  reply	other threads:[~2020-03-20 23:08 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-20 20:55 [PATCH 0/7] KVM: Fix memslot use-after-free bug Sean Christopherson
2020-03-20 20:55 ` [PATCH 1/7] KVM: Fix out of range accesses to memslots Sean Christopherson
2020-03-20 22:17   ` Peter Xu
2020-03-20 22:40     ` Sean Christopherson
2020-03-20 22:58       ` Peter Xu
2020-03-20 23:07         ` Sean Christopherson [this message]
2020-03-24  7:12   ` Christian Borntraeger
2020-03-24 10:12     ` Claudio Imbrenda
2020-03-20 20:55 ` [PATCH 2/7] KVM: selftests: Fix cosmetic copy-paste error in vm_mem_region_move() Sean Christopherson
2020-03-20 20:55 ` [PATCH 3/7] KVM: selftests: Take vcpu pointer instead of id in vm_vcpu_rm() Sean Christopherson
2020-03-20 20:55 ` [PATCH 4/7] KVM: selftests: Add helpers to consolidate open coded list operations Sean Christopherson
2020-03-20 22:47   ` Peter Xu
2020-03-24 11:28     ` Paolo Bonzini
2020-03-20 20:55 ` [PATCH 5/7] KVM: selftests: Add util to delete memory region Sean Christopherson
2020-03-20 20:55 ` [PATCH 6/7] KVM: selftests: Expose the primary memslot number to tests Sean Christopherson
2020-03-23 19:12   ` Peter Xu
2020-03-23 21:28     ` Sean Christopherson
2020-03-20 20:55 ` [PATCH 7/7] KVM: selftests: Add "delete" testcase to set_memory_region_test Sean Christopherson
2020-03-23 19:06   ` Peter Xu
2020-03-23 21:43     ` Sean Christopherson
2020-03-23 21:58       ` Peter Xu
2020-03-24 11:30 ` [PATCH 0/7] KVM: Fix memslot use-after-free bug Paolo Bonzini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200320230758.GA8418@linux.intel.com \
    --to=sean.j.christopherson@intel.com \
    --cc=borntraeger@de.ibm.com \
    --cc=cai@lca.pw \
    --cc=cohuck@redhat.com \
    --cc=david@redhat.com \
    --cc=frankja@linux.ibm.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=peterx@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.