
Re: [PATCH] ioreq: cope with server disappearing while I/O is pending

Hi Paul,

On 05/10/2020 15:08, Paul Durrant wrote:
> From: Paul Durrant <pdurrant@xxxxxxxxxx>
>
> Currently, in the event of an ioreq server being destroyed while I/O is
> pending in the attached emulator, it is possible that hvm_wait_for_io() will
> dereference a pointer to a 'struct hvm_ioreq_vcpu' or the ioreq server's
> shared page after it has been freed.

So the IOREQ code will call domain_pause() before destroying the IOREQ.

A vCPU can only be descheduled in hvm_wait_for_io() from wait_on_xen_event_channel(). AFAIK, we would schedule a new vCPU (or idle) when this happens.

On x86, the schedule() function will not return after context switch. Therefore...

> This will only occur if the emulator (which is necessarily running in a
> service domain with some degree of privilege) does not complete pending I/O
> during tear-down and is not directly exploitable by a guest domain.

... I am not sure how this can happen on x86. Do you mind providing an example?

Note that on Arm, the schedule() function will return after context switch. So the problem you describe is there from an arch-agnostic PoV.


Julien Grall