On 12.02.20 13:22, Christian Borntraeger wrote:
>
>
> On 12.02.20 13:16, David Hildenbrand wrote:
>>
>>> + /*
>>> + * We resolve the gpa to hva when setting the IRQ routing. If userspace
>>> + * decides to mess with the memslots it better also updates the irq
>>> + * routing. Otherwise we will write to the wrong userspace address.
>>> + */
>>
>> I guess this is just as old handling, where a page was pinned. But
>> slightly better :) So the pages are definitely part of guest memory.
>>
>> Fun stuff: If (a nasty) guest (in current code) zaps this page using
>> balloon inflation and the page is re-accessed (e.g., by the guest or by
>> the host), a new page will be faulted in, and there will be an
>> inconsistency between what the guest/user space sees and what this code
>> sees. Going via the user space address looks cleaner.
>>
>> Now, with postcopy live migration, we will also zap all guest memory
>> before starting the guest, I do wonder if that produces a similar
>> inconsistency ... usually, when pages are pinned in the kernel, we
>> inhibit the balloon and implicitly also postcopy.
>>
>> If so, this actually fixes an issue. But might depend on the order
>> things are initialized in user space. Or I am messing up things :)
>
> Yes, the current code has some corner cases where a guest can shoot himself
> in the foot. This variant could actually be safer.

At least with postcopy it would be a silent migration issue, not guest triggered.
But I am not sure if it can trigger. Anyhow, this is safer :)

-- 
Thanks,

David / dhildenb
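Review bot: the quoted comment block documents a hazard without any check backing it: caching the hva at routing-setup time and then writing through it means that after a memslot change the kernel writes into whatever host-process memory now sits at the stale address, and the comment itself says so ("Otherwise we will write to the wrong userspace address"). Rather than relying on userspace to keep the routing in sync, consider re-resolving the gpa against the current memslots at write time (or validating the cached hva before the write and failing the write if the mapping is gone), or at least stating in the comment that the consequence is a kernel write to a stale host address, not merely a lost guest notification. Minor: "it better also updates" should read "it had better also update".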