Re: [PATCH v6 04/12] Add memory slot versioning and use it to provide fast guest write interface

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Marcelo Tosatti

Subject: Re: [PATCH v6 04/12] Add memory slot versioning and use it to provide fast guest write interface

Date: Wednesday, October 6, 2010 - 7:38 am

On Wed, Oct 06, 2010 at 01:14:17PM +0200, Gleb Natapov wrote:
quoted text> > > +int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
> > > +			      gpa_t gpa)
> > > +{
> > > +	struct kvm_memslots *slots = kvm_memslots(kvm);
> > > +	int offset = offset_in_page(gpa);
> > > +	gfn_t gfn = gpa >> PAGE_SHIFT;
> > > +
> > > +	ghc->gpa = gpa;
> > > +	ghc->generation = slots->generation;

kvm->memslots can change here.

quoted text> > > +	ghc->memslot = gfn_to_memslot(kvm, gfn);
> > > +	ghc->hva = gfn_to_hva(kvm, gfn);

And if so, gfn_to_memslot / gfn_to_hva will use new memslots pointer.

Should dereference all values from one copy of kvm->memslots pointer.
 
quoted text> > > +	if (!kvm_is_error_hva(ghc->hva))
> > > +		ghc->hva += offset;
> > > +	else
> > > +		return -EFAULT;
> > > +
> > > +	return 0;
> > > +}
> > 
> > Should use a unique kvm_memslots structure for the cache entry, since it
> > can change in between (use gfn_to_hva_memslot, etc on "slots" pointer).
> > 
> I do not understand what do you mean here. kvm_memslots structure itself
> is not cached only various translation that use it are cached. Translation
> result are never used if kvm_memslots was changed.

quoted text> > Also should zap any cached entries on overflow, otherwise malicious
> > userspace could make use of stale slots:
> > 
> There is only one cached entry at each given time. User who wants to
> write into guest memory often defines gfn_to_hva_cache variable
> somewhere. Init it with kvm_gfn_to_hva_cache_init() and then calls
> kvm_write_guest_cached() on it. If there was no slot changes in between
> cached translation are used. Otherwise cache is recalculated.

Malicious userspace can cause entry to be cached, ioctl
SET_USER_MEMORY_REGION 2^32 times, generation number will match,
mark_page_dirty_in_slot will be called with pointer to freed memory.

--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH v6 04/12] Add memory slot versioning and use it to ..., Gleb Natapov, (Mon Oct 4, 8:56 am)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Rik van Riel, (Mon Oct 4, 6:29 pm)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Marcelo Tosatti, (Tue Oct 5, 9:57 am)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Gleb Natapov, (Wed Oct 6, 4:14 am)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Marcelo Tosatti, (Wed Oct 6, 7:38 am)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Gleb Natapov, (Wed Oct 6, 1:08 pm)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Avi Kivity, (Thu Oct 7, 3:00 am)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Avi Kivity, (Thu Oct 7, 5:31 am)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Marcelo Tosatti, (Thu Oct 7, 8:42 am)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Gleb Natapov, (Thu Oct 7, 9:03 am)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Avi Kivity, (Thu Oct 7, 9:20 am)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Gleb Natapov, (Thu Oct 7, 10:23 am)

Re: [PATCH v6 04/12] Add memory slot versioning and use it ..., Avi Kivity, (Sun Oct 10, 5:48 am)

Navigation

Popular discussions


linux-kernel:
Greg KH	Og dreams of kernels
Jens Axboe	[PATCH 31/33] Fusion: sg chaining support
Arnd Bergmann	Re: finding your own dead "CONFIG_" variables
Mark Brown	[PATCH 2/2] Subject: natsemi: Allow users to disable workaround for DspCfg reset
Tony Breeds	[LGUEST] Look in object dir for .config
git:
Brian Downing	Re: Git in a Nutshell guide
John Benes	Re: master has some toys
Matthias Lederhofer	[PATCH 4/7] introduce GIT_WORK_TREE to specify the work tree
Alexander Sulfrian	[RFC/PATCH] RE: git calls SSH_ASKPASS even if DISPLAY is not set
Junio C Hamano	Re: Rss produced by git is not valid xml?
git-commits-head:
Linux Kernel Mailing List	iSeries: fix section mismatch in iseries_veth
Linux Kernel Mailing List	ixbge: remove TX lock and redo TX accounting.
Linux Kernel Mailing List	ixgbe: fix several counter register errata
Linux Kernel Mailing List	b43: fix build with CONFIG_SSB_PCIHOST=n
Linux Kernel Mailing List	9p: block-based virtio client
linux-netdev:
Michael Breuer	Re: [PATCH] af_packet: Don't use skb after dev_queue_xmit()
Michael Breuer	Re: [PATCH] af_packet: Don't use skb after dev_queue_xmit()
David Daney	[PATCH 5/7] Staging: Octeon Ethernet: Convert to NAPI.
Wolfgang Grandegger	[PATCH net-next v4 1/3] can: mscan: fix improper return if dlc < 8 in start_xmi...
Amit Kumar Salecha	[PATCHv3 NEXT 2/2] NET: Add Qlogic ethernet driver for CNA devices
openbsd-misc:
Theo de Raadt	Re: Old IPSEC bug
Tomáš Bodžár	Problem with vpnc connection - check group password !
Insan Praja SW	Mandoc Compiling Error
Carl Roberso	Re: Cannot change MTU of carp interface?
Richard Daemon	Re: booting openbsd on eee without cd-rom

Colocation donated by:

Syndicate