Re: [PATCH] KVM: Add separate helper for putting borrowed reference to kvm
From: Leonardo Bras
Date: Wed Nov 27 2019 - 16:57:35 EST
On Wed, 2019-11-27 at 17:15 -0300, Leonardo Bras wrote:
> > > > > So, suppose these threads, where:
> > > > > - T1 uses a borrowed reference, and
> > > > > - T2 is releasing the reference (close, release):
> > > >
> > > > Nit: T2 is releasing the *last* reference (as implied by your reference
> > > > to close/release).
> > >
> > > Correct.
> > >
> > > > > T1 | T2
> > > > > kvm_get_kvm() |
> > > > > ... | kvm_put_kvm()
> > > > > kvm_put_kvm_no_destroy() |
> > > > >
> > > > > The above would not trigger a use-after-free bug, but will cause a
> > > > > memory leak. Is my above understanding right?
> > > >
> > > > Yes, this is correct.
> > > >
> > >
> > > Then, what would not be a bug before (using kvm_put_kvm()) now is a
> > > memory leak (using kvm_put_kvm_no_destroy()).
> >
Sorry, I missed some information on above example.
Suppose on that example that the reorder changes take place so that
kvm_put_kvm{,_no_destroy}() always happens after the last usage of kvm
(in the same syscall, let's say).
Before T1 and T2, refcount = 1;
If T1 uses kvm_put_kvm_no_destroy():
- T1 increases refcount (=2)
- T2 decreases refcount (=1)
- T1 decreases refcount, (=0) don't free kvm (memleak)
If T1 uses kvm_put_kvm():
- T1 increases refcount (= 2)
- T2 decreases refcount (= 1)
- T1 decreases refcount, (= 0) frees kvm.
So using kvm_put_kvm_no_destroy() would introduce a memleak where it
would have no bug.
> > No, using kvm_put_kvm_no_destroy() changes how a bug would manifest, as
> > you note below. Replacing kvm_put_kvm() with kvm_put_kvm_no_destroy()
> > when the refcount is _guaranteed_ to be >1 has no impact on correctness.
Yes, you are correct.
But on the above case, kvm_put_kvm{,_no_destroy}() would be called
with refcount == 1, and if reorder patch is applied, it would not cause
any use-after-free error, even on kvm_put_kvm() case.
Is the above correct?
Best regards,
Leonardo
Attachment:
signature.asc
Description: This is a digitally signed message part