| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aL8yMum27Qw_Wkkw@google.com>
Date: Mon, 8 Sep 2025 12:44:50 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Keir Fraser <keirf@...gle.com>
Cc: linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
kvm@...r.kernel.org, Eric Auger <eric.auger@...hat.com>,
Oliver Upton <oliver.upton@...ux.dev>, Marc Zyngier <maz@...nel.org>, Will Deacon <will@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>
Subject: Re: [PATCH v3 4/4] KVM: Avoid synchronize_srcu() in kvm_io_bus_register_dev()
On Tue, Aug 19, 2025, Keir Fraser wrote:
> Device MMIO registration may happen quite frequently during VM boot,
> and the SRCU synchronization each time has a measurable effect
> on VM startup time. In our experiments it can account for around 25%
> of a VM's startup time.
>
> Replace the synchronization with a deferred free of the old kvm_io_bus
> structure.
>
> Signed-off-by: Keir Fraser <keirf@...gle.com>
> ---
> include/linux/kvm_host.h | 1 +
> virt/kvm/kvm_main.c | 10 ++++++++--
> 2 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
> index e7d6111cf254..103be35caf0d 100644
> --- a/include/linux/kvm_host.h
> +++ b/include/linux/kvm_host.h
> @@ -206,6 +206,7 @@ struct kvm_io_range {
> struct kvm_io_bus {
> int dev_count;
> int ioeventfd_count;
> + struct rcu_head rcu;
> struct kvm_io_range range[];
> };
>
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 4f35ae23ee5a..9144a0b4a268 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -5953,6 +5953,13 @@ int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr,
> }
> EXPORT_SYMBOL_GPL(kvm_io_bus_read);
>
> +static void __free_bus(struct rcu_head *rcu)
> +{
> + struct kvm_io_bus *bus = container_of(rcu, struct kvm_io_bus, rcu);
> +
> + kfree(bus);
> +}
> +
> int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
> int len, struct kvm_io_device *dev)
> {
> @@ -5991,8 +5998,7 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
> memcpy(new_bus->range + i + 1, bus->range + i,
> (bus->dev_count - i) * sizeof(struct kvm_io_range));
> rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
> - synchronize_srcu_expedited(&kvm->srcu);
> - kfree(bus);
> + call_srcu(&kvm->srcu, &bus->rcu, __free_bus);
To address the syzkaller splat, KVM needs to call srcu_barrier() prior to freeing
the structure.
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 9144a0b4a268..62693f18ecf4 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1321,6 +1321,7 @@ static void kvm_destroy_vm(struct kvm *kvm)
kvm_free_memslots(kvm, &kvm->__memslots[i][1]);
}
cleanup_srcu_struct(&kvm->irq_srcu);
+ srcu_barrier(&kvm->srcu);
cleanup_srcu_struct(&kvm->srcu);
#ifdef CONFIG_KVM_GENERIC_MEMORY_ATTRIBUTES
xa_destroy(&kvm->mem_attr_array);
Powered by blists - more mailing lists