diff mbox series

[v4,16/19] KVM: Ensure validity of memslot with respect to kvm_get_dirty_log()

Message ID 20191217204041.10815-17-sean.j.christopherson@intel.com (mailing list archive)
State New, archived
Headers show
Series KVM: Dynamically size memslot arrays | expand

Commit Message

Sean Christopherson Dec. 17, 2019, 8:40 p.m. UTC
Rework kvm_get_dirty_log() so that it "returns" the associated memslot
on success.  A future patch will rework memslot handling such that
id_to_memslot() can return NULL, returning the memslot makes it more
obvious that the validity of the memslot has been verified, i.e.
precludes the need to add validity checks in the arch code that are
technically unnecessary.

Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
---
 arch/powerpc/kvm/book3s_pr.c |  6 +-----
 arch/s390/kvm/kvm-s390.c     | 12 ++----------
 include/linux/kvm_host.h     |  2 +-
 virt/kvm/kvm_main.c          | 27 +++++++++++++++++++--------
 4 files changed, 23 insertions(+), 24 deletions(-)

Comments

Peter Xu Dec. 24, 2019, 6:19 p.m. UTC | #1
On Tue, Dec 17, 2019 at 12:40:38PM -0800, Sean Christopherson wrote:
> +int kvm_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log,
> +		      int *is_dirty, struct kvm_memory_slot **memslot)
>  {
>  	struct kvm_memslots *slots;
> -	struct kvm_memory_slot *memslot;
>  	int i, as_id, id;
>  	unsigned long n;
>  	unsigned long any = 0;
>  
> +	*memslot = NULL;
> +	*is_dirty = 0;
> +
>  	as_id = log->slot >> 16;
>  	id = (u16)log->slot;
>  	if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_USER_MEM_SLOTS)
>  		return -EINVAL;
>  
>  	slots = __kvm_memslots(kvm, as_id);
> -	memslot = id_to_memslot(slots, id);
> -	if (!memslot->dirty_bitmap)
> +	*memslot = id_to_memslot(slots, id);
> +	if (!(*memslot)->dirty_bitmap)
>  		return -ENOENT;
>  
> -	n = kvm_dirty_bitmap_bytes(memslot);
> +	kvm_arch_sync_dirty_log(kvm, *memslot);

Should this line belong to previous patch?

> +
> +	n = kvm_dirty_bitmap_bytes(*memslot);
>  
>  	for (i = 0; !any && i < n/sizeof(long); ++i)
> -		any = memslot->dirty_bitmap[i];
> +		any = (*memslot)->dirty_bitmap[i];
>  
> -	if (copy_to_user(log->dirty_bitmap, memslot->dirty_bitmap, n))
> +	if (copy_to_user(log->dirty_bitmap, (*memslot)->dirty_bitmap, n))
>  		return -EFAULT;
>  
>  	if (any)
> -- 
> 2.24.1
Sean Christopherson Jan. 14, 2020, 6:25 p.m. UTC | #2
On Tue, Dec 24, 2019 at 01:19:30PM -0500, Peter Xu wrote:
> On Tue, Dec 17, 2019 at 12:40:38PM -0800, Sean Christopherson wrote:
> > +int kvm_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log,
> > +		      int *is_dirty, struct kvm_memory_slot **memslot)
> >  {
> >  	struct kvm_memslots *slots;
> > -	struct kvm_memory_slot *memslot;
> >  	int i, as_id, id;
> >  	unsigned long n;
> >  	unsigned long any = 0;
> >  
> > +	*memslot = NULL;
> > +	*is_dirty = 0;
> > +
> >  	as_id = log->slot >> 16;
> >  	id = (u16)log->slot;
> >  	if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_USER_MEM_SLOTS)
> >  		return -EINVAL;
> >  
> >  	slots = __kvm_memslots(kvm, as_id);
> > -	memslot = id_to_memslot(slots, id);
> > -	if (!memslot->dirty_bitmap)
> > +	*memslot = id_to_memslot(slots, id);
> > +	if (!(*memslot)->dirty_bitmap)
> >  		return -ENOENT;
> >  
> > -	n = kvm_dirty_bitmap_bytes(memslot);
> > +	kvm_arch_sync_dirty_log(kvm, *memslot);
> 
> Should this line belong to previous patch?

No.

The previous patch, "KVM: Provide common implementation for generic dirty
log functions", is consolidating the implementation of dirty log functions
for architectures with CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y.

This code is being moved from s390's kvm_vm_ioctl_get_dirty_log(), as s390
doesn't select KVM_GENERIC_DIRTYLOG_READ_PROTECT.  It's functionally a nop
as kvm_arch_sync_dirty_log() is empty for PowerPC, the only other arch that
doesn't select KVM_GENERIC_DIRTYLOG_READ_PROTECT.

Arguably, the call to kvm_arch_sync_dirty_log() should be moved in a
separate prep patch.  It can't be a follow-on patch as that would swap the
ordering of kvm_arch_sync_dirty_log() and kvm_dirty_bitmap_bytes(), etc...

My reasoning for not splitting it to a separate patch is that prior to this
patch, the common code and arch specific code are doing separate memslot
lookups via id_to_memslot(), i.e. moving the kvm_arch_sync_dirty_log() call
would operate on a "different" memslot.   It can't actually be a different
memslot because slots_lock is held, it just felt weird.

All that being said, I don't have a strong opinion on moving the call to
kvm_arch_sync_dirty_log() in a separate patch; IIRC, I vascillated between
the two options when writing the code.  If anyone wants it to be a separate
patch I'll happily split it out.

> 
> > +
> > +	n = kvm_dirty_bitmap_bytes(*memslot);
> >  
> >  	for (i = 0; !any && i < n/sizeof(long); ++i)
> > -		any = memslot->dirty_bitmap[i];
> > +		any = (*memslot)->dirty_bitmap[i];
> >  
> > -	if (copy_to_user(log->dirty_bitmap, memslot->dirty_bitmap, n))
> > +	if (copy_to_user(log->dirty_bitmap, (*memslot)->dirty_bitmap, n))
> >  		return -EFAULT;
> >  
> >  	if (any)
> > -- 
> > 2.24.1
> 
> -- 
> Peter Xu
>
Peter Xu Feb. 6, 2020, 10:03 p.m. UTC | #3
On Tue, Jan 14, 2020 at 10:25:07AM -0800, Sean Christopherson wrote:
> On Tue, Dec 24, 2019 at 01:19:30PM -0500, Peter Xu wrote:
> > On Tue, Dec 17, 2019 at 12:40:38PM -0800, Sean Christopherson wrote:
> > > +int kvm_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log,
> > > +		      int *is_dirty, struct kvm_memory_slot **memslot)
> > >  {
> > >  	struct kvm_memslots *slots;
> > > -	struct kvm_memory_slot *memslot;
> > >  	int i, as_id, id;
> > >  	unsigned long n;
> > >  	unsigned long any = 0;
> > >  
> > > +	*memslot = NULL;
> > > +	*is_dirty = 0;
> > > +
> > >  	as_id = log->slot >> 16;
> > >  	id = (u16)log->slot;
> > >  	if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_USER_MEM_SLOTS)
> > >  		return -EINVAL;
> > >  
> > >  	slots = __kvm_memslots(kvm, as_id);
> > > -	memslot = id_to_memslot(slots, id);
> > > -	if (!memslot->dirty_bitmap)
> > > +	*memslot = id_to_memslot(slots, id);
> > > +	if (!(*memslot)->dirty_bitmap)
> > >  		return -ENOENT;
> > >  
> > > -	n = kvm_dirty_bitmap_bytes(memslot);
> > > +	kvm_arch_sync_dirty_log(kvm, *memslot);
> > 
> > Should this line belong to previous patch?
> 
> No.
> 
> The previous patch, "KVM: Provide common implementation for generic dirty
> log functions", is consolidating the implementation of dirty log functions
> for architectures with CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y.
> 
> This code is being moved from s390's kvm_vm_ioctl_get_dirty_log(), as s390
> doesn't select KVM_GENERIC_DIRTYLOG_READ_PROTECT.  It's functionally a nop
> as kvm_arch_sync_dirty_log() is empty for PowerPC, the only other arch that
> doesn't select KVM_GENERIC_DIRTYLOG_READ_PROTECT.
> 
> Arguably, the call to kvm_arch_sync_dirty_log() should be moved in a
> separate prep patch.  It can't be a follow-on patch as that would swap the
> ordering of kvm_arch_sync_dirty_log() and kvm_dirty_bitmap_bytes(), etc...
> 
> My reasoning for not splitting it to a separate patch is that prior to this
> patch, the common code and arch specific code are doing separate memslot
> lookups via id_to_memslot(), i.e. moving the kvm_arch_sync_dirty_log() call
> would operate on a "different" memslot.   It can't actually be a different
> memslot because slots_lock is held, it just felt weird.
> 
> All that being said, I don't have a strong opinion on moving the call to
> kvm_arch_sync_dirty_log() in a separate patch; IIRC, I vascillated between
> the two options when writing the code.  If anyone wants it to be a separate
> patch I'll happily split it out.

(Sorry to respond so late)

I think the confusing part is the subject, where you only mentioned
the memslot change.  IMHO you can split the change to make it clearer,
or at least would you mind mention that kvm_arch_sync_dirty_log() move
in the commit message?  Thanks,
Sean Christopherson Feb. 7, 2020, 6:52 p.m. UTC | #4
On Thu, Feb 06, 2020 at 05:03:55PM -0500, Peter Xu wrote:
> On Tue, Jan 14, 2020 at 10:25:07AM -0800, Sean Christopherson wrote:
> > On Tue, Dec 24, 2019 at 01:19:30PM -0500, Peter Xu wrote:
> > > On Tue, Dec 17, 2019 at 12:40:38PM -0800, Sean Christopherson wrote:
> > > > +int kvm_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log,
> > > > +		      int *is_dirty, struct kvm_memory_slot **memslot)
> > > >  {
> > > >  	struct kvm_memslots *slots;
> > > > -	struct kvm_memory_slot *memslot;
> > > >  	int i, as_id, id;
> > > >  	unsigned long n;
> > > >  	unsigned long any = 0;
> > > >  
> > > > +	*memslot = NULL;
> > > > +	*is_dirty = 0;
> > > > +
> > > >  	as_id = log->slot >> 16;
> > > >  	id = (u16)log->slot;
> > > >  	if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_USER_MEM_SLOTS)
> > > >  		return -EINVAL;
> > > >  
> > > >  	slots = __kvm_memslots(kvm, as_id);
> > > > -	memslot = id_to_memslot(slots, id);
> > > > -	if (!memslot->dirty_bitmap)
> > > > +	*memslot = id_to_memslot(slots, id);
> > > > +	if (!(*memslot)->dirty_bitmap)
> > > >  		return -ENOENT;
> > > >  
> > > > -	n = kvm_dirty_bitmap_bytes(memslot);
> > > > +	kvm_arch_sync_dirty_log(kvm, *memslot);
> > > 
> > > Should this line belong to previous patch?
> > 
> > No.
> > 
> > The previous patch, "KVM: Provide common implementation for generic dirty
> > log functions", is consolidating the implementation of dirty log functions
> > for architectures with CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y.
> > 
> > This code is being moved from s390's kvm_vm_ioctl_get_dirty_log(), as s390
> > doesn't select KVM_GENERIC_DIRTYLOG_READ_PROTECT.  It's functionally a nop
> > as kvm_arch_sync_dirty_log() is empty for PowerPC, the only other arch that
> > doesn't select KVM_GENERIC_DIRTYLOG_READ_PROTECT.
> > 
> > Arguably, the call to kvm_arch_sync_dirty_log() should be moved in a
> > separate prep patch.  It can't be a follow-on patch as that would swap the
> > ordering of kvm_arch_sync_dirty_log() and kvm_dirty_bitmap_bytes(), etc...
> > 
> > My reasoning for not splitting it to a separate patch is that prior to this
> > patch, the common code and arch specific code are doing separate memslot
> > lookups via id_to_memslot(), i.e. moving the kvm_arch_sync_dirty_log() call
> > would operate on a "different" memslot.   It can't actually be a different
> > memslot because slots_lock is held, it just felt weird.
> > 
> > All that being said, I don't have a strong opinion on moving the call to
> > kvm_arch_sync_dirty_log() in a separate patch; IIRC, I vascillated between
> > the two options when writing the code.  If anyone wants it to be a separate
> > patch I'll happily split it out.
> 
> (Sorry to respond so late)
> 
> I think the confusing part is the subject, where you only mentioned
> the memslot change.  IMHO you can split the change to make it clearer,
> or at least would you mind mention that kvm_arch_sync_dirty_log() move
> in the commit message?  Thanks,

I'll add a few paragraphs to the changelog.  Splitting it out still feels
weird.
diff mbox series

Patch

diff --git a/arch/powerpc/kvm/book3s_pr.c b/arch/powerpc/kvm/book3s_pr.c
index d2ee00bc7077..485ca134a949 100644
--- a/arch/powerpc/kvm/book3s_pr.c
+++ b/arch/powerpc/kvm/book3s_pr.c
@@ -1897,7 +1897,6 @@  static int kvmppc_vcpu_run_pr(struct kvm_run *kvm_run, struct kvm_vcpu *vcpu)
 static int kvm_vm_ioctl_get_dirty_log_pr(struct kvm *kvm,
 					 struct kvm_dirty_log *log)
 {
-	struct kvm_memslots *slots;
 	struct kvm_memory_slot *memslot;
 	struct kvm_vcpu *vcpu;
 	ulong ga, ga_end;
@@ -1907,15 +1906,12 @@  static int kvm_vm_ioctl_get_dirty_log_pr(struct kvm *kvm,
 
 	mutex_lock(&kvm->slots_lock);
 
-	r = kvm_get_dirty_log(kvm, log, &is_dirty);
+	r = kvm_get_dirty_log(kvm, log, &is_dirty, &memslot);
 	if (r)
 		goto out;
 
 	/* If nothing is dirty, don't bother messing with page tables. */
 	if (is_dirty) {
-		slots = kvm_memslots(kvm);
-		memslot = id_to_memslot(slots, log->slot);
-
 		ga = memslot->base_gfn << PAGE_SHIFT;
 		ga_end = ga + (memslot->npages << PAGE_SHIFT);
 
diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index 9e38973fd2cc..b0f5a3b7cb01 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -610,9 +610,8 @@  int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm,
 {
 	int r;
 	unsigned long n;
-	struct kvm_memslots *slots;
 	struct kvm_memory_slot *memslot;
-	int is_dirty = 0;
+	int is_dirty;
 
 	if (kvm_is_ucontrol(kvm))
 		return -EINVAL;
@@ -623,14 +622,7 @@  int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm,
 	if (log->slot >= KVM_USER_MEM_SLOTS)
 		goto out;
 
-	slots = kvm_memslots(kvm);
-	memslot = id_to_memslot(slots, log->slot);
-	r = -ENOENT;
-	if (!memslot->dirty_bitmap)
-		goto out;
-
-	kvm_arch_sync_dirty_log(kvm, memslot);
-	r = kvm_get_dirty_log(kvm, log, &is_dirty);
+	r = kvm_get_dirty_log(kvm, log, &is_dirty, &memslot);
 	if (r)
 		goto out;
 
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index eb54d196c0cb..7d666eedd203 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -828,7 +828,7 @@  void kvm_arch_dirty_log_tlb_flush(struct kvm *kvm,
 #else /* !CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT */
 int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log);
 int kvm_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log,
-		      int *is_dirty);
+		      int *is_dirty, struct kvm_memory_slot **memslot);
 #endif
 
 int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_level,
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 4a4b5339f229..999a2a0c83f5 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1202,31 +1202,42 @@  static int kvm_vm_ioctl_set_memory_region(struct kvm *kvm,
 }
 
 #ifndef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT
-int kvm_get_dirty_log(struct kvm *kvm,
-			struct kvm_dirty_log *log, int *is_dirty)
+/**
+ * kvm_get_dirty_log - get a snapshot of dirty pages
+ * @kvm:	pointer to kvm instance
+ * @log:	slot id and address to which we copy the log
+ * @is_dirty:	set to '1' if any dirty pages were found
+ * @memslot:	set to the associated memslot, always valid on success
+ */
+int kvm_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log,
+		      int *is_dirty, struct kvm_memory_slot **memslot)
 {
 	struct kvm_memslots *slots;
-	struct kvm_memory_slot *memslot;
 	int i, as_id, id;
 	unsigned long n;
 	unsigned long any = 0;
 
+	*memslot = NULL;
+	*is_dirty = 0;
+
 	as_id = log->slot >> 16;
 	id = (u16)log->slot;
 	if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_USER_MEM_SLOTS)
 		return -EINVAL;
 
 	slots = __kvm_memslots(kvm, as_id);
-	memslot = id_to_memslot(slots, id);
-	if (!memslot->dirty_bitmap)
+	*memslot = id_to_memslot(slots, id);
+	if (!(*memslot)->dirty_bitmap)
 		return -ENOENT;
 
-	n = kvm_dirty_bitmap_bytes(memslot);
+	kvm_arch_sync_dirty_log(kvm, *memslot);
+
+	n = kvm_dirty_bitmap_bytes(*memslot);
 
 	for (i = 0; !any && i < n/sizeof(long); ++i)
-		any = memslot->dirty_bitmap[i];
+		any = (*memslot)->dirty_bitmap[i];
 
-	if (copy_to_user(log->dirty_bitmap, memslot->dirty_bitmap, n))
+	if (copy_to_user(log->dirty_bitmap, (*memslot)->dirty_bitmap, n))
 		return -EFAULT;
 
 	if (any)