kernel - Fix SMP race in VMM/VMX vmclear() call
authorMatthew Dillon <dillon@apollo.backplane.com>
Thu, 27 Feb 2014 01:14:39 +0000 (17:14 -0800)
committerMatthew Dillon <dillon@apollo.backplane.com>
Thu, 27 Feb 2014 01:14:39 +0000 (17:14 -0800)
* Fix an SMP race.  The pcpu vti field is used to trigger cpusync's from
  other cpus and cannot be cleared by the owning cpu until after it has
  vmclear'd and stopped using the structure.

Reported-by: tuxillo
sys/platform/pc64/vmm/vmx.c

index d42739a..f7d0d5b 100644 (file)
@@ -516,12 +516,19 @@ execute_vmclear(void *data)
                /*
                 * Must set vti->launched to zero after vmclear'ing to
                 * force a vmlaunch the next time.
+                *
+                * Must not clear the loaded_vmx field until after we call
+                * vmclear on the region.  This field triggers the interlocked
+                * cpusync from another cpu trying to destroy or reuse
+                * the vti.  If we clear the field first, the other cpu will
+                * not interlock and may race our vmclear() on the underlying
+                * memory.
                 */
+               ERROR_IF(vmclear(vti->vmcs_region));
+error:
                pcpu_info[gd->gd_cpuid].loaded_vmx = NULL;
                vti->launched = 0;
-               ERROR_IF(vmclear(vti->vmcs_region));
        }
-error:
        return;
 }
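Review bot: Moving the `error:` label inside the `if` body (the old position after the closing brace is the removed line just below) changes what the label covers, and the hunk does not say whether that is intended. ERROR_IF presumably jumps to `error` on a failed vmclear, but the label is now the very next statement, so the failure path runs the same two assignments as success and the only difference is whatever ERROR_IF itself reports; any earlier `goto error` in execute_vmclear, whose start is outside the hunk, now also lands inside the block and dereferences `vti`, which is worth confirming is valid on every such path. If clearing `loaded_vmx` and `launched` after a failed vmclear is deliberate, say so on the label, e.g. `/* Reached on vmclear failure too: clear the fields regardless so the vti is not left pinned to this cpu. */`; otherwise keep the label after the brace and write the check inline as `if (vmclear(vti->vmcs_region) != 0) goto error;` so that a failure skips the assignments explicitly.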