mirror of https://github.com/xemu-project/xemu.git
852f0048f3
Some subsystems like VFIO might disable ram block discard, but guest_memfd uses discard operations to implement conversions between private and shared memory. Because of this, sequences like the following can result in stale IOMMU mappings: 1. allocate shared page 2. convert page shared->private 3. discard shared page 4. convert page private->shared 5. allocate shared page 6. issue DMA operations against that shared page This is not a use-after-free, because after step 3 VFIO is still pinning the page. However, DMA operations in step 6 will hit the old mapping that was allocated in step 1. Address this by taking ram_block_discard_is_enabled() into account when deciding whether or not to discard pages. Since kvm_convert_memory()/guest_memfd doesn't implement a RamDiscardManager handler to convey and replay discard operations, this is a case of uncoordinated discard, which is blocked/released by ram_block_discard_require(). Interestingly, this function had no use so far. Alternative approaches would be to block discard of shared pages, but this would cause guests to consume twice the memory if they use VFIO; or to implement a RamDiscardManager and only block uncoordinated discard, i.e. use ram_block_coordinated_discard_require(). [Commit message mostly by Michael Roth <michael.roth@amd.com>] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
||
|---|---|---|
| .. | ||
| arch_init.c | ||
| async-teardown.c | ||
| balloon.c | ||
| bootdevice.c | ||
| cpu-throttle.c | ||
| cpu-timers.c | ||
| cpus.c | ||
| datadir.c | ||
| device_tree.c | ||
| dirtylimit.c | ||
| dma-helpers.c | ||
| globals.c | ||
| ioport.c | ||
| main.c | ||
| memory.c | ||
| memory_ldst.c.inc | ||
| memory_mapping.c | ||
| meson.build | ||
| physmem.c | ||
| qdev-monitor.c | ||
| qemu-seccomp.c | ||
| qtest.c | ||
| rtc.c | ||
| runstate-action.c | ||
| runstate-hmp-cmds.c | ||
| runstate.c | ||
| tpm-hmp-cmds.c | ||
| tpm.c | ||
| trace-events | ||
| trace.h | ||
| vl.c | ||
| watchpoint.c | ||