On 5/17/21 3:10 PM, Halil Pasic wrote:
On Mon, 17 May 2021 09:37:42 -0400 Tony Krowiak akrowiak@linux.ibm.com wrote:
Because of this, I don't think the rest of your argument is valid.
Okay, so your concern is that between the point in time the vcpu->kvm->arch.crypto.pqap_hook pointer is checked in priv.c and the point in time the handle_pqap() function in vfio_ap_ops.c is called, the memory allocated for the matrix_mdev containing the struct kvm_s390_module_hook may get freed, thus rendering the function pointer invalid. While not impossible, that seems extremely unlikely to happen. Can you articulate a scenario where that could even occur?
Malicious userspace. We tend to do the pqap aqic just once in the guest right after the queue is detected. I do agree it ain't very likely to happen during normal operation. But why are you asking?
I'm just trying to wrap my head around how this can happen given the incredibly small window between access to the pointer to the structure containing the function pointer and access to the function pointer itself.
I'm not sure I understood correctly what kind of a scenario are you asking for. PQAP AQIC and mdev remove are independent events originated in userspace, so AFAIK we may not assume that the execution of two won't overlap, nor are we allowed to make assumptions on how does the execution of these two overlap (except for the things we explicitly ensure -- e.g. some parts are made mutually exclusive using the matrix_dev->lock lock).
It looks like we need a way to control access to the struct kvm_s390_module_hook. I'm looking into Christian's suggestion for using RCU as well as other solutions.
Regards, Halil