Received: by 2002:a05:7208:3003:b0:81:def:69cd with SMTP id f3csp822598rba; Wed, 27 Mar 2024 12:53:03 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVZEMd8rToJVNGy92L3Fc8VNRJM8WwwOvc4hzNL6XsS49HF8lugTuL4XyZF8UJHy12BuQqKPD64TQ0Cpfn2EcvnyZ6sYCtgdLIXhKIflg== X-Google-Smtp-Source: AGHT+IHfCkH57Dor0YnSzOMFsTRkrZJg754IOra5sgs2yNJ/6K3T8j1/+GZjKov+Z6NPoRX7Dy0P X-Received: by 2002:a05:620a:4554:b0:78a:a157:c59d with SMTP id u20-20020a05620a455400b0078aa157c59dmr701482qkp.72.1711569183126; Wed, 27 Mar 2024 12:53:03 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711569183; cv=pass; d=google.com; s=arc-20160816; b=hqz4qWW67oa1PqRyEagA76BdFtGSpRa5Ba+hNZ+FXmOFB3+e8ET9cFGMusfq3ENkIR NUO0edz99Yn/d/9HG1eRTMqNSyqfq+B6icwHGHUHMgIRHoybs5wzxpjZRpOI6RA3CCn+ AqgD0vBtNLuRChpgTiZqbhmmcgQwuOWBm9WUXpLOwKQq+ncZzbmnSSK0oQqe/eULxJYA Ls2HFftTRJisyXZ8JNLXhgfv94NMZYS0P8cj5aJtre5Tsl8ETtmkhUKheaJ9ypAS0Gmy 804XT9RWzqIl0ro/5x26KH0dl/S1KsksmbNBpjCe/bv4yc27W3Kji0GiG95ASqvI7z46 0zMQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :message-id:subject:cc:to:from:date:dkim-signature; bh=x8G7KOpz164y5Y5cKfjcBdHiXS8QBCe41BiBcWgpxj8=; fh=vnMFD0XKAEg0lwgaOqByv2e+/cVsc8pzHw/NI4rH/Gg=; b=b0LZM5f37fDk0lkCKaZewJppf0YIU784WJN1scfx3QMt1g7wnaGccg9RXp38lEzOXm cutKF/lAvAQn8Amlidx8w3UCR/Vrs7f+DLtHwVWOXzLFuwWupuNAk6Bp2QGJtqLwOdue 8+nfjAptXi9ZrYSISro3LuR0EFxDrlA3nw1fErju3JTt6K2I4nwH3BeRMRHaDOT5eNO3 rq4Ua6p3AaTceWa8cSDielZPUHCNHPp4nWtYZyK+dBYVW8UmilJEtbNi0dm3Aiy9Djix adYTSCkrDKZdF7EkCVvMkMUb64ZifIIaAiY3/idmbfMRzRs+TAneiKW2FL5ECgsZbISt DbKg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=KASVTbbY; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-121927-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-121927-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id h23-20020ae9ec17000000b0078a678f2389si3743972qkg.56.2024.03.27.12.53.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Mar 2024 12:53:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-121927-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=KASVTbbY; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-121927-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-121927-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id ECD031C34FA8 for ; Wed, 27 Mar 2024 19:52:22 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B1D27152525; Wed, 27 Mar 2024 19:52:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="KASVTbbY" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BF6B5152526; Wed, 27 Mar 2024 19:52:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711569128; cv=none; b=Q5+Fu07WB9YTrHz0Xt6tu6ETQG0PFpaphRDhxZVM3iUSfiBzr9xmAW/E1X604X6DMpqgDVfeS58l9x9Qt/7gGJIe+B/64IUzoRm4jtsuy3s5iMLu8hnx6y8WP6nk1fsumcUsLhaqJKFhuLakFMrEXR2/hJ5wbel0Uz1+lt8VJHc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711569128; c=relaxed/simple; bh=NW/plT/lkw+bj9qL/voWkJkmE88rQnUU6wEQcKQY0HE=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=eONAc9XS9I9MxjP71jwuJ3hgo8ZWiJzf0Zz7bLDW1Wu+MBxeXKFJAo+tKESFcygYSZ7CbndqkSa7uCVSOlGI3lekEpqk8bocna9U+pPxIZjEWWH63xvoeR/VGHCSHKuuVVAhiIjSFyCe59qPio3NEacgnIaN9GUvWpvQ6xrmJWs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=KASVTbbY; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 235A0C433C7; Wed, 27 Mar 2024 19:52:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1711569128; bh=NW/plT/lkw+bj9qL/voWkJkmE88rQnUU6wEQcKQY0HE=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=KASVTbbYdrxm95eqZVmCFpnLknJBDKYPdDamEQvTLthvPNOmRTdm47trn8eYWdN/T brLftUfBJD4RKutIOC2d2WZN52a33/sMjKZW56z9vj+U8CV/nhi0bHaDOk3RBCU7oa WzK2VOtcZ9sU2NPwoHINwlSOB94oflPngQS6nDfeF7iahMDXOFs2q/Loy66rDVcJoj ylq2GULbNPQnko8sVJwURfcalqYZ/PK8FSqT3Pld5CTvT4CKC96k0c4FU7IY3BGXyY xrbwHV+YPtuFxNvvJJWp/PFaQTVfQhVOubC+JPmOW0hjpxfRrPkwP/i1FMaSE+bXQZ BuJI+CL8aoJBw== Date: Wed, 27 Mar 2024 19:52:02 +0000 From: Will Deacon To: "Michael S. Tsirkin" Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Gavin Shan , Jason Wang , Stefano Garzarella , Eugenio =?iso-8859-1?Q?P=E9rez?= , Stefan Hajnoczi , "David S. Miller" , kvm@vger.kernel.org, virtualization@lists.linux.dev, netdev@vger.kernel.org Subject: Re: [PATCH untested] vhost: order avail ring reads after index updates Message-ID: <20240327195202.GB12000@willie-the-truck> References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) On Wed, Mar 27, 2024 at 01:26:23PM -0400, Michael S. Tsirkin wrote: > vhost_get_vq_desc (correctly) uses smp_rmb to order > avail ring reads after index reads. > However, over time we added two more places that read the > index and do not bother with barriers. > Since vhost_get_vq_desc when it was written assumed it is the > only reader when it sees a new index value is cached > it does not bother with a barrier either, as a result, > on the nvidia-gracehopper platform (arm64) available ring > entry reads have been observed bypassing ring reads, causing > a ring corruption. > > To fix, factor out the correct index access code from vhost_get_vq_desc. > As a side benefit, we also validate the index on all paths now, which > will hopefully help catch future errors earlier. > > Note: current code is inconsistent in how it handles errors: > some places treat it as an empty ring, others - non empty. > This patch does not attempt to change the existing behaviour. > > Cc: stable@vger.kernel.org > Reported-by: Gavin Shan > Reported-by: Will Deacon > Suggested-by: Will Deacon > Fixes: 275bf960ac69 ("vhost: better detection of available buffers") > Cc: "Jason Wang" > Fixes: d3bb267bbdcb ("vhost: cache avail index in vhost_enable_notify()") > Cc: "Stefano Garzarella" > Signed-off-by: Michael S. Tsirkin > --- > > I think it's better to bite the bullet and clean up the code. > Note: this is still only built, not tested. > Gavin could you help test please? > Especially on the arm platform you have? > > Will thanks so much for finding this race! No problem, and I was also hoping that the smp_rmb() could be consolidated into a single helper like you've done here. One minor comment below: > drivers/vhost/vhost.c | 80 +++++++++++++++++++++++-------------------- > 1 file changed, 42 insertions(+), 38 deletions(-) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 045f666b4f12..26b70b1fd9ff 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -1290,10 +1290,38 @@ static void vhost_dev_unlock_vqs(struct vhost_dev *d) > mutex_unlock(&d->vqs[i]->mutex); > } > > -static inline int vhost_get_avail_idx(struct vhost_virtqueue *vq, > - __virtio16 *idx) > +static inline int vhost_get_avail_idx(struct vhost_virtqueue *vq) > { > - return vhost_get_avail(vq, *idx, &vq->avail->idx); > + __virtio16 idx; > + u16 avail_idx; > + int r = vhost_get_avail(vq, idx, &vq->avail->idx); > + > + if (unlikely(r < 0)) { > + vq_err(vq, "Failed to access avail idx at %p: %d\n", > + &vq->avail->idx, r); > + return -EFAULT; > + } > + > + avail_idx = vhost16_to_cpu(vq, idx); > + > + /* Check it isn't doing very strange things with descriptor numbers. */ > + if (unlikely((u16)(avail_idx - vq->last_avail_idx) > vq->num)) { > + vq_err(vq, "Guest moved used index from %u to %u", > + vq->last_avail_idx, vq->avail_idx); > + return -EFAULT; > + } > + > + /* Nothing new? We are done. */ > + if (avail_idx == vq->avail_idx) > + return 0; > + > + vq->avail_idx = avail_idx; > + > + /* We updated vq->avail_idx so we need a memory barrier between > + * the index read above and the caller reading avail ring entries. > + */ > + smp_rmb(); I think you could use smp_acquire__after_ctrl_dep() if you're feeling brave, but to be honest I'd prefer we went in the opposite direction and used READ/WRITE_ONCE + smp_load_acquire()/smp_store_release() across the board. It's just a thankless, error-prone task to get there :( So, for the patch as-is: Acked-by: Will Deacon (I've not tested it either though, so definitely wait for Gavin on that!) Cheers, Will