|
 |
9bac43 |
From 7de5d186bd03511cd5fa4dcd32876efb034f1dd0 Mon Sep 17 00:00:00 2001
|
|
|
9bac43 |
From: David Gibson <dgibson@redhat.com>
|
|
|
9bac43 |
Date: Thu, 16 Nov 2017 03:07:13 +0100
|
|
|
9bac43 |
Subject: [PATCH 09/30] memory: avoid "resurrection" of dead FlatViews
|
|
|
9bac43 |
|
|
|
9bac43 |
RH-Author: David Gibson <dgibson@redhat.com>
|
|
|
9bac43 |
Message-id: <20171116030732.8560-4-dgibson@redhat.com>
|
|
|
9bac43 |
Patchwork-id: 77691
|
|
|
9bac43 |
O-Subject: [PATCH 03/22] memory: avoid "resurrection" of dead FlatViews
|
|
|
9bac43 |
Bugzilla: 1481593
|
|
|
9bac43 |
RH-Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
9bac43 |
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
9bac43 |
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
|
|
|
9bac43 |
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
|
|
|
9bac43 |
|
|
|
9bac43 |
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
9bac43 |
|
|
|
9bac43 |
It's possible for address_space_get_flatview() as it currently stands
|
|
|
9bac43 |
to cause a use-after-free for the returned FlatView, if the reference
|
|
|
9bac43 |
count is incremented after the FlatView has been replaced by a writer:
|
|
|
9bac43 |
|
|
|
9bac43 |
thread 1 thread 2 RCU thread
|
|
|
9bac43 |
-------------------------------------------------------------
|
|
|
9bac43 |
rcu_read_lock
|
|
|
9bac43 |
read as->current_map
|
|
|
9bac43 |
set as->current_map
|
|
|
9bac43 |
flatview_unref
|
|
|
9bac43 |
'--> call_rcu
|
|
|
9bac43 |
flatview_ref
|
|
|
9bac43 |
[ref=1]
|
|
|
9bac43 |
rcu_read_unlock
|
|
|
9bac43 |
flatview_destroy
|
|
|
9bac43 |
<badness>
|
|
|
9bac43 |
|
|
|
9bac43 |
Since FlatViews are not updated very often, we can just detect the
|
|
|
9bac43 |
situation using a new atomic op atomic_fetch_inc_nonzero, similar to
|
|
|
9bac43 |
Linux's atomic_inc_not_zero, which performs the refcount increment only if
|
|
|
9bac43 |
it hasn't already hit zero. This is similar to Linux commit de09a9771a53
|
|
|
9bac43 |
("CRED: Fix get_task_cred() and task_state() to not resurrect dead
|
|
|
9bac43 |
credentials", 2010-07-29).
|
|
|
9bac43 |
|
|
|
9bac43 |
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
9bac43 |
(cherry picked from commit 447b0d0b9ee8a0ac216c3186e0f3c427a1001f0c)
|
|
|
9bac43 |
|
|
|
9bac43 |
Signed-off-by: David Gibson <dgibson@redhat.com>
|
|
|
9bac43 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
9bac43 |
---
|
|
|
9bac43 |
docs/devel/atomics.txt | 1 +
|
|
|
9bac43 |
include/qemu/atomic.h | 8 ++++++++
|
|
|
9bac43 |
memory.c | 12 ++++++++----
|
|
|
9bac43 |
3 files changed, 17 insertions(+), 4 deletions(-)
|
|
|
9bac43 |
|
|
|
9bac43 |
diff --git a/docs/devel/atomics.txt b/docs/devel/atomics.txt
|
|
|
9bac43 |
index 048e5f2..10c5fa3 100644
|
|
|
9bac43 |
--- a/docs/devel/atomics.txt
|
|
|
9bac43 |
+++ b/docs/devel/atomics.txt
|
|
|
9bac43 |
@@ -64,6 +64,7 @@ operations:
|
|
|
9bac43 |
typeof(*ptr) atomic_fetch_and(ptr, val)
|
|
|
9bac43 |
typeof(*ptr) atomic_fetch_or(ptr, val)
|
|
|
9bac43 |
typeof(*ptr) atomic_fetch_xor(ptr, val)
|
|
|
9bac43 |
+ typeof(*ptr) atomic_fetch_inc_nonzero(ptr)
|
|
|
9bac43 |
typeof(*ptr) atomic_xchg(ptr, val)
|
|
|
9bac43 |
typeof(*ptr) atomic_cmpxchg(ptr, old, new)
|
|
|
9bac43 |
|
|
|
9bac43 |
diff --git a/include/qemu/atomic.h b/include/qemu/atomic.h
|
|
|
9bac43 |
index b6b62fb..d73c9e1 100644
|
|
|
9bac43 |
--- a/include/qemu/atomic.h
|
|
|
9bac43 |
+++ b/include/qemu/atomic.h
|
|
|
9bac43 |
@@ -442,4 +442,12 @@
|
|
|
9bac43 |
} while(0)
|
|
|
9bac43 |
#endif
|
|
|
9bac43 |
|
|
|
9bac43 |
+#define atomic_fetch_inc_nonzero(ptr) ({ \
|
|
|
9bac43 |
+ typeof_strip_qual(*ptr) _oldn = atomic_read(ptr); \
|
|
|
9bac43 |
+ while (_oldn && atomic_cmpxchg(ptr, _oldn, _oldn + 1) != _oldn) { \
|
|
|
9bac43 |
+ _oldn = atomic_read(ptr); \
|
|
|
9bac43 |
+ } \
|
|
|
9bac43 |
+ _oldn; \
|
|
|
9bac43 |
+})
|
|
|
9bac43 |
+
|
|
|
9bac43 |
#endif /* QEMU_ATOMIC_H */
|
|
|
9bac43 |
diff --git a/memory.c b/memory.c
|
|
|
9bac43 |
index c0adc35..ca160de 100644
|
|
|
9bac43 |
--- a/memory.c
|
|
|
9bac43 |
+++ b/memory.c
|
|
|
9bac43 |
@@ -294,9 +294,9 @@ static void flatview_destroy(FlatView *view)
|
|
|
9bac43 |
g_free(view);
|
|
|
9bac43 |
}
|
|
|
9bac43 |
|
|
|
9bac43 |
-static void flatview_ref(FlatView *view)
|
|
|
9bac43 |
+static bool flatview_ref(FlatView *view)
|
|
|
9bac43 |
{
|
|
|
9bac43 |
- atomic_inc(&view->ref);
|
|
|
9bac43 |
+ return atomic_fetch_inc_nonzero(&view->ref) > 0;
|
|
|
9bac43 |
}
|
|
|
9bac43 |
|
|
|
9bac43 |
static void flatview_unref(FlatView *view)
|
|
|
9bac43 |
@@ -772,8 +772,12 @@ static FlatView *address_space_get_flatview(AddressSpace *as)
|
|
|
9bac43 |
FlatView *view;
|
|
|
9bac43 |
|
|
|
9bac43 |
rcu_read_lock();
|
|
|
9bac43 |
- view = atomic_rcu_read(&as->current_map);
|
|
|
9bac43 |
- flatview_ref(view);
|
|
|
9bac43 |
+ do {
|
|
|
9bac43 |
+ view = atomic_rcu_read(&as->current_map);
|
|
|
9bac43 |
+ /* If somebody has replaced as->current_map concurrently,
|
|
|
9bac43 |
+ * flatview_ref returns false.
|
|
|
9bac43 |
+ */
|
|
|
9bac43 |
+ } while (!flatview_ref(view));
|
|
|
9bac43 |
rcu_read_unlock();
|
|
|
9bac43 |
return view;
|
|
|
9bac43 |
}
|
|
|
9bac43 |
--
|
|
|
9bac43 |
1.8.3.1
|
|
|
9bac43 |
|