1. 09 Jun, 2020 1 commit
  2. 07 Jun, 2020 1 commit
  3. 05 Jun, 2020 3 commits
  4. 02 Jun, 2020 1 commit
    • virtio: force spec specified alignment on types · a865e420
      Michael S. Tsirkin committed
      The ring element addresses are passed between components with different
      alignment assumptions. Thus, if guest/userspace selects a pointer and
      host then gets and dereferences it, we might need to decrease the
      compiler-selected alignment to prevent compiler on the host from
      assuming pointer is aligned.
      
      This actually triggers on ARM with -mabi=apcs-gnu - which is a
      deprecated configuration, but it seems safer to handle this
      generally.
      
      Note that userspace that allocates the memory is actually OK and does
      not need to be fixed, but userspace that gets it from guest or another
      process does need to be fixed. The latter doesn't generally talk to the
      kernel so while it might be buggy it's not talking to the kernel in the
      buggy way - it's just using the header in the buggy way - so fixing
      header and asking userspace to recompile is the best we can do.
      
      I verified that the produced kernel binary on x86 is exactly identical
      before and after the change.
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Acked-by: Jason Wang <jasowang@redhat.com>
  5. 15 May, 2020 1 commit
  6. 02 Apr, 2020 2 commits
  7. 05 Dec, 2019 1 commit
  8. 15 Sep, 2019 1 commit
  9. 12 Sep, 2019 2 commits
  10. 04 Sep, 2019 2 commits
  11. 19 Jun, 2019 1 commit
  12. 09 Jun, 2019 1 commit
  13. 06 Jun, 2019 6 commits
    • vhost: access vq metadata through kernel virtual address · 7f466032
      Jason Wang committed
      It was noticed that the copy_to/from_user() friends that were used to
      access virtqueue metadata tend to be very expensive for dataplane
      implementation like vhost since it involves lots of software checks,
      speculation barriers, hardware feature toggling (e.g. SMAP). The
      extra cost will be more obvious when transferring small packets since
      the time spent on metadata accessing becomes more significant.

      This patch tries to eliminate those overheads by accessing them
      through direct mapping of those pages. Invalidation callbacks are
      implemented for co-operation with general VM management (swap, KSM,
      THP or NUMA balancing). We will try to get the direct mapping of vq
      metadata before each round of packet processing if it doesn't
      exist. If we fail, we will simply fall back to copy_to/from_user()
      friends.

      This invalidation and direct mapping access are synchronized through
      spinlock and RCU. All metadata accessing through direct map is
      protected by RCU, and the setup or invalidation are done under
      spinlock.

      This method might not work for high mem page which requires
      temporary mapping so we just fall back to normal
      copy_to/from_user() and may not for arch that has virtual tagged cache
      since extra cache flushing is needed to eliminate the alias. This will
      result in complex logic and bad performance. For those archs, this patch
      simply goes for copy_to/from_user() friends. This is done by ruling out
      kernel mapping codes through ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE.
      
      Note that this is only done when device IOTLB is not enabled. We
      could use similar method to optimize IOTLB in the future.
      
      Tests show at most about 23% improvement on TX PPS when using
      virtio-user + vhost_net + xdp1 + TAP on 2.6GHz Broadwell:
      
              SMAP on | SMAP off
      Before: 5.2Mpps | 7.1Mpps
      After:  6.4Mpps | 8.2Mpps
      
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: James Bottomley <James.Bottomley@hansenpartnership.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: David Miller <davem@davemloft.net>
      Cc: Jerome Glisse <jglisse@redhat.com>
      Cc: linux-mm@kvack.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: linux-parisc@vger.kernel.org
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • vhost: factor out setting vring addr and num · feebcaea
      Jason Wang committed
      Factoring vring address and num setting which needs special care for
      accelerating vq metadata accessing.
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • vhost: introduce helpers to get the size of metadata area · 4942e825
      Jason Wang committed
      To avoid code duplication since it will be used by kernel VA prefetching.
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • vhost: rename vq_iotlb_prefetch() to vq_meta_prefetch() · 9b5e830b
      Jason Wang committed
      Rename the function to be more accurate since it actually tries to
      prefetch vq metadata address in IOTLB. And this will be used by
      following patch to prefetch metadata virtual addresses.
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • vhost: fine grain userspace memory accessors · 7b5d753e
      Jason Wang committed
      This is used to hide the metadata address from virtqueue helpers. This
      will allow to implement a vmap based fast accessing to metadata.
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • vhost: generalize adding used elem · 1ab5d138
      Jason Wang committed
      Use one generic vhost_copy_to_user() instead of two dedicated
      accessor. This will simplify the conversion to fine grain
      accessors. About 2% improvement of PPS was seen during virtio-user
      txonly test.
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
  14. 27 May, 2019 1 commit
  15. 15 May, 2019 1 commit
    • mm/gup: change GUP fast to use flags rather than a write 'bool' · 73b0140b
      Ira Weiny committed
      To facilitate additional options to get_user_pages_fast() change the
      singular write parameter to be gup_flags.
      
      This patch does not change any functionality.  New functionality will
      follow in subsequent patches.
      
      Some of the get_user_pages_fast() call sites were unchanged because they
      already passed FOLL_WRITE or 0 for the write parameter.
      
      NOTE: It was suggested to change the ordering of the get_user_pages_fast()
      arguments to ensure that callers were converted.  This breaks the current
      GUP call site convention of having the returned pages be the final
      parameter.  So the suggestion was rejected.
      
      Link: http://lkml.kernel.org/r/20190328084422.29911-4-ira.weiny@intel.com
      Link: http://lkml.kernel.org/r/20190317183438.2057-4-ira.weiny@intel.com
      Signed-off-by: Ira Weiny <ira.weiny@intel.com>
      Reviewed-by: Mike Marshall <hubcap@omnibond.com>
      Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Jason Gunthorpe <jgg@ziepe.ca>
      Cc: John Hubbard <jhubbard@nvidia.com>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Rich Felker <dalias@libc.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  16. 11 Apr, 2019 1 commit
  17. 09 Mar, 2019 1 commit
  18. 07 Mar, 2019 1 commit
    • vhost: silence an unused-variable warning · cfdbb4ed
      Arnd Bergmann committed
      On some architectures, the MMU can be disabled, leading to access_ok()
      becoming an empty macro that does not evaluate its size argument,
      which in turn produces an unused-variable warning:
      
      drivers/vhost/vhost.c:1191:9: error: unused variable 's' [-Werror,-Wunused-variable]
              size_t s = vhost_has_feature(vq, VIRTIO_RING_F_EVENT_IDX) ? 2 : 0;
      
      Mark the variable as __maybe_unused to shut up that warning.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
  19. 20 Feb, 2019 1 commit
  20. 29 Jan, 2019 1 commit
    • vhost: fix OOB in get_rx_bufs() · b46a0bf7
      Jason Wang committed
      After batched used ring updating was introduced in commit e2b3b35e
      ("vhost_net: batch used ring update in rx"), we tend to batch heads in
      vq->heads for more than one packet. But the quota passed to
      get_rx_bufs() was not correctly limited, which can result in an OOB write
      in vq->heads.
      
              headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
                          vhost_len, &in, vq_log, &log,
                          likely(mergeable) ? UIO_MAXIOV : 1);
      
      UIO_MAXIOV was still used which is wrong since we could have batched
      used in vq->heads, this will cause OOB if the next buffer needs more
      than 960 (1024 (UIO_MAXIOV) - 64 (VHOST_NET_BATCH)) heads after we've
      batched 64 (VHOST_NET_BATCH) heads:
      Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
      
      =============================================================================
      BUG kmalloc-8k (Tainted: G    B            ): Redzone overwritten
      -----------------------------------------------------------------------------
      
      INFO: 0x00000000fd93b7a2-0x00000000f0713384. First byte 0xa9 instead of 0xcc
      INFO: Allocated in alloc_pd+0x22/0x60 age=3933677 cpu=2 pid=2674
          kmem_cache_alloc_trace+0xbb/0x140
          alloc_pd+0x22/0x60
          gen8_ppgtt_create+0x11d/0x5f0
          i915_ppgtt_create+0x16/0x80
          i915_gem_create_context+0x248/0x390
          i915_gem_context_create_ioctl+0x4b/0xe0
          drm_ioctl_kernel+0xa5/0xf0
          drm_ioctl+0x2ed/0x3a0
          do_vfs_ioctl+0x9f/0x620
          ksys_ioctl+0x6b/0x80
          __x64_sys_ioctl+0x11/0x20
          do_syscall_64+0x43/0xf0
          entry_SYSCALL_64_after_hwframe+0x44/0xa9
      INFO: Slab 0x00000000d13e87af objects=3 used=3 fp=0x          (null) flags=0x200000000010201
      INFO: Object 0x0000000003278802 @offset=17064 fp=0x00000000e2e6652b
      
      Fix this by allocating UIO_MAXIOV + VHOST_NET_BATCH iovs for
      vhost-net. This is done by setting the limitation through
      vhost_dev_init(), then set_owner can allocate the number of iov in a
      per device manner.
      
      This fixes CVE-2018-16880.
      
      Fixes: e2b3b35e ("vhost_net: batch used ring update in rx")
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  21. 18 Jan, 2019 1 commit
    • vhost: log dirty page correctly · cc5e7107
      Jason Wang committed
      Vhost dirty page logging API is designed to sync through GPA. But we
      try to log GIOVA when device IOTLB is enabled. This is wrong and may
      lead to missing data after migration.
      
      To solve this issue, when logging with device IOTLB enabled, we will:
      
      1) reuse the device IOTLB translation result of GIOVA->HVA mapping to
         get HVA, for writable descriptor, get HVA through iovec. For used
         ring update, translate its GIOVA to HVA
      2) traverse the GPA->HVA mapping to get the possible GPA and log
         through GPA. Pay attention this reverse mapping is not guaranteed
         to be unique, so we should log each possible GPA in this case.
      
      This fixes the failure of scp to guest during migration. In -next, we
      will probably support passing GIOVA->GPA instead of GIOVA->HVA.
      
      Fixes: 6b1e6cc7 ("vhost: new device IOTLB API")
      Reported-by: Jintack Lim <jintack@cs.columbia.edu>
      Cc: Jintack Lim <jintack@cs.columbia.edu>
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Acked-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  22. 15 Jan, 2019 1 commit
  23. 04 Jan, 2019 1 commit
    • Remove 'type' argument from access_ok() function · 96d4f267
      Linus Torvalds committed
      Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
      of the user address range verification function since we got rid of the
      old racy i386-only code to walk page tables by hand.
      
      It existed because the original 80386 would not honor the write protect
      bit when in kernel mode, so you had to do COW by hand before doing any
      user access.  But we haven't supported that in a long time, and these
      days the 'type' argument is a purely historical artifact.
      
      A discussion about extending 'user_access_begin()' to do the range
      checking resulted in this patch, because there is no way we're going to
      move the old VERIFY_xyz interface to that model.  And it's best done at
      the end of the merge window when I've done most of my merges, so let's
      just get this done once and for all.
      
      This patch was mostly done with a sed-script, with manual fix-ups for
      the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
      
      There were a couple of notable cases:
      
       - csky still had the old "verify_area()" name as an alias.
      
       - the iter_iov code had magical hardcoded knowledge of the actual
         values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
         really used it)
      
       - microblaze used the type argument for a debug printout
      
      but other than those oddities this should be a total no-op patch.
      
      I tried to fix up all architectures, did fairly extensive grepping for
      access_ok() uses, and the changes are trivial, but I may have missed
      something.  Any missed conversion should be trivially fixable, though.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  24. 13 Dec, 2018 2 commits
  25. 04 Dec, 2018 1 commit
  26. 01 Nov, 2018 1 commit
  27. 27 Sep, 2018 1 commit
  28. 26 Aug, 2018 1 commit
  29. 09 Aug, 2018 1 commit