aboutsummaryrefslogtreecommitdiffstats
path: root/arch
diff options
context:
space:
mode:
authorXiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>2012-09-07 02:14:20 -0400
committerAvi Kivity <avi@redhat.com>2012-09-10 04:34:11 -0400
commit4484141a94f4a5afea6ebc0b2abba0aa1b0ae9d1 (patch)
tree8618326f0e327bf06973e25333e1682f1fb7a8b5 /arch
parent4f97704555672f9ab48ca623561e96a9430bec9a (diff)
KVM: fix error paths for failed gfn_to_page() calls
This bug was triggered: [ 4220.198458] BUG: unable to handle kernel paging request at fffffffffffffffe [ 4220.203907] IP: [<ffffffff81104d85>] put_page+0xf/0x34 ...... [ 4220.237326] Call Trace: [ 4220.237361] [<ffffffffa03830d0>] kvm_arch_destroy_vm+0xf9/0x101 [kvm] [ 4220.237382] [<ffffffffa036fe53>] kvm_put_kvm+0xcc/0x127 [kvm] [ 4220.237401] [<ffffffffa03702bc>] kvm_vcpu_release+0x18/0x1c [kvm] [ 4220.237407] [<ffffffff81145425>] __fput+0x111/0x1ed [ 4220.237411] [<ffffffff8114550f>] ____fput+0xe/0x10 [ 4220.237418] [<ffffffff81063511>] task_work_run+0x5d/0x88 [ 4220.237424] [<ffffffff8104c3f7>] do_exit+0x2bf/0x7ca The test case: printf(fmt, ##args); \ exit(-1);} while (0) static int create_vm(void) { int sys_fd, vm_fd; sys_fd = open("/dev/kvm", O_RDWR); if (sys_fd < 0) die("open /dev/kvm fail.\n"); vm_fd = ioctl(sys_fd, KVM_CREATE_VM, 0); if (vm_fd < 0) die("KVM_CREATE_VM fail.\n"); return vm_fd; } static int create_vcpu(int vm_fd) { int vcpu_fd; vcpu_fd = ioctl(vm_fd, KVM_CREATE_VCPU, 0); if (vcpu_fd < 0) die("KVM_CREATE_VCPU ioctl.\n"); printf("Create vcpu.\n"); return vcpu_fd; } static void *vcpu_thread(void *arg) { int vm_fd = (int)(long)arg; create_vcpu(vm_fd); return NULL; } int main(int argc, char *argv[]) { pthread_t thread; int vm_fd; (void)argc; (void)argv; vm_fd = create_vm(); pthread_create(&thread, NULL, vcpu_thread, (void *)(long)vm_fd); printf("Exit.\n"); return 0; } It caused by release kvm->arch.ept_identity_map_addr which is the error page. The parent thread can send KILL signal to the vcpu thread when it was exiting which stops faulting pages and potentially allocating memory. So gfn_to_pfn/gfn_to_page may fail at this time Fixed by checking the page before it is used Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com> Signed-off-by: Avi Kivity <avi@redhat.com>
Diffstat (limited to 'arch')
-rw-r--r--arch/x86/kvm/vmx.c19
-rw-r--r--arch/x86/kvm/x86.c13
2 files changed, 26 insertions, 6 deletions
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 002b4a566e2..b1eb202ee76 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -3619,6 +3619,7 @@ static void seg_setup(int seg)
3619 3619
3620static int alloc_apic_access_page(struct kvm *kvm) 3620static int alloc_apic_access_page(struct kvm *kvm)
3621{ 3621{
3622 struct page *page;
3622 struct kvm_userspace_memory_region kvm_userspace_mem; 3623 struct kvm_userspace_memory_region kvm_userspace_mem;
3623 int r = 0; 3624 int r = 0;
3624 3625
@@ -3633,7 +3634,13 @@ static int alloc_apic_access_page(struct kvm *kvm)
3633 if (r) 3634 if (r)
3634 goto out; 3635 goto out;
3635 3636
3636 kvm->arch.apic_access_page = gfn_to_page(kvm, 0xfee00); 3637 page = gfn_to_page(kvm, 0xfee00);
3638 if (is_error_page(page)) {
3639 r = -EFAULT;
3640 goto out;
3641 }
3642
3643 kvm->arch.apic_access_page = page;
3637out: 3644out:
3638 mutex_unlock(&kvm->slots_lock); 3645 mutex_unlock(&kvm->slots_lock);
3639 return r; 3646 return r;
@@ -3641,6 +3648,7 @@ out:
3641 3648
3642static int alloc_identity_pagetable(struct kvm *kvm) 3649static int alloc_identity_pagetable(struct kvm *kvm)
3643{ 3650{
3651 struct page *page;
3644 struct kvm_userspace_memory_region kvm_userspace_mem; 3652 struct kvm_userspace_memory_region kvm_userspace_mem;
3645 int r = 0; 3653 int r = 0;
3646 3654
@@ -3656,8 +3664,13 @@ static int alloc_identity_pagetable(struct kvm *kvm)
3656 if (r) 3664 if (r)
3657 goto out; 3665 goto out;
3658 3666
3659 kvm->arch.ept_identity_pagetable = gfn_to_page(kvm, 3667 page = gfn_to_page(kvm, kvm->arch.ept_identity_map_addr >> PAGE_SHIFT);
3660 kvm->arch.ept_identity_map_addr >> PAGE_SHIFT); 3668 if (is_error_page(page)) {
3669 r = -EFAULT;
3670 goto out;
3671 }
3672
3673 kvm->arch.ept_identity_pagetable = page;
3661out: 3674out:
3662 mutex_unlock(&kvm->slots_lock); 3675 mutex_unlock(&kvm->slots_lock);
3663 return r; 3676 return r;
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 148ed666e31..2966c847d48 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5113,17 +5113,20 @@ static void post_kvm_run_save(struct kvm_vcpu *vcpu)
5113 !kvm_event_needs_reinjection(vcpu); 5113 !kvm_event_needs_reinjection(vcpu);
5114} 5114}
5115 5115
5116static void vapic_enter(struct kvm_vcpu *vcpu) 5116static int vapic_enter(struct kvm_vcpu *vcpu)
5117{ 5117{
5118 struct kvm_lapic *apic = vcpu->arch.apic; 5118 struct kvm_lapic *apic = vcpu->arch.apic;
5119 struct page *page; 5119 struct page *page;
5120 5120
5121 if (!apic || !apic->vapic_addr) 5121 if (!apic || !apic->vapic_addr)
5122 return; 5122 return 0;
5123 5123
5124 page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT); 5124 page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
5125 if (is_error_page(page))
5126 return -EFAULT;
5125 5127
5126 vcpu->arch.apic->vapic_page = page; 5128 vcpu->arch.apic->vapic_page = page;
5129 return 0;
5127} 5130}
5128 5131
5129static void vapic_exit(struct kvm_vcpu *vcpu) 5132static void vapic_exit(struct kvm_vcpu *vcpu)
@@ -5430,7 +5433,11 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
5430 } 5433 }
5431 5434
5432 vcpu->srcu_idx = srcu_read_lock(&kvm->srcu); 5435 vcpu->srcu_idx = srcu_read_lock(&kvm->srcu);
5433 vapic_enter(vcpu); 5436 r = vapic_enter(vcpu);
5437 if (r) {
5438 srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
5439 return r;
5440 }
5434 5441
5435 r = 1; 5442 r = 1;
5436 while (r > 0) { 5443 while (r > 0) {