Changeset 90486 in vbox for trunk/src

Timestamp:

Aug 2, 2021 8:40:40 PM (4 years ago)

Author:

vboxsync

Message:

VMM/PDM: Tighten read/write critical section code a bit. bugref:6695

Location:

trunk/src/VBox/VMM

Files:

• VMMAll/PDMAllCritSect.cpp (modified) (1 diff)
• VMMAll/PDMAllCritSectRw.cpp (modified) (23 diffs)
• include/PDMInternal.h (modified) (1 diff)

trunk/src/VBox/VMM/VMMAll/PDMAllCritSect.cpp

@@ -881 +881 @@
         LogFlow(("PDMCritSectLeave: [%d]=%p => R3\n", i, pCritSect));
         AssertFatal(i < RT_ELEMENTS(pVCpu->pdm.s.apQueuedCritSectLeaves));
+/** @todo This doesn't work any more for devices. */
         pVCpu->pdm.s.apQueuedCritSectLeaves[i] = MMHyperCCToR3(pVM, pCritSect);
         VMCPU_FF_SET(pVCpu, VMCPU_FF_PDM_CRITSECT);

trunk/src/VBox/VMM/VMMAll/PDMAllCritSectRw.cpp

@@ -46 +46 @@
 *********************************************************************************************************************************/
 /** The number loops to spin for shared access in ring-3. */
-#define PDMCRITSECTRW_SHRD_SPIN_COUNT_R3       20
+#define PDMCRITSECTRW_SHRD_SPIN_COUNT_R3        20
 /** The number loops to spin for shared access in ring-0. */
-#define PDMCRITSECTRW_SHRD_SPIN_COUNT_R0       128
+#define PDMCRITSECTRW_SHRD_SPIN_COUNT_R0        128
 /** The number loops to spin for shared access in the raw-mode context. */
-#define PDMCRITSECTRW_SHRD_SPIN_COUNT_RC       128
+#define PDMCRITSECTRW_SHRD_SPIN_COUNT_RC        128
 
 /** The number loops to spin for exclusive access in ring-3. */
-#define PDMCRITSECTRW_EXCL_SPIN_COUNT_R3       20
+#define PDMCRITSECTRW_EXCL_SPIN_COUNT_R3        20
 /** The number loops to spin for exclusive access in ring-0. */
-#define PDMCRITSECTRW_EXCL_SPIN_COUNT_R0       256
+#define PDMCRITSECTRW_EXCL_SPIN_COUNT_R0        256
 /** The number loops to spin for exclusive access in the raw-mode context. */
-#define PDMCRITSECTRW_EXCL_SPIN_COUNT_RC       256
-
+#define PDMCRITSECTRW_EXCL_SPIN_COUNT_RC        256
+
+/** Max number of write or write/read recursions. */
+#define PDM_CRITSECTRW_MAX_RECURSIONS           _1M
 
 /* Undefine the automatic VBOX_STRICT API mappings. */
@@ -91 +93 @@
 
 
+DECL_NO_INLINE(static, int) pdmCritSectRwCorrupted(PPDMCRITSECTRW pThis)
+{
+    ASMAtomicWriteU32(&pThis->s.Core.u32Magic, PDMCRITSECTRW_MAGIC_CORRUPT);
+    return VERR_PDM_CRITSECTRW_IPE;
+}
 
 
@@ -198 +205 @@
             uint64_t c = (u64State & RTCSRW_CNT_RD_MASK) >> RTCSRW_CNT_RD_SHIFT;
             c++;
-            Assert(c < RTCSRW_CNT_MASK / 2);
+            Assert(c < RTCSRW_CNT_MASK / 4);
+            AssertReturn(c < RTCSRW_CNT_MASK, VERR_PDM_CRITSECTRW_TOO_MANY_READERS);
             u64State &= ~RTCSRW_CNT_RD_MASK;
             u64State |= c << RTCSRW_CNT_RD_SHIFT;
@@ -228 +236 @@
         {
             /* Is the writer perhaps doing a read recursion? */
-            RTNATIVETHREAD hNativeSelf = pdmCritSectRwGetNativeSelf(pVM, pThis);
             RTNATIVETHREAD hNativeWriter;
             ASMAtomicUoReadHandle(&pThis->s.Core.hNativeWriter, &hNativeWriter);
-            if (hNativeSelf == hNativeWriter)
+            if (hNativeWriter != NIL_RTNATIVETHREAD)
             {
+                RTNATIVETHREAD hNativeSelf = pdmCritSectRwGetNativeSelf(pVM, pThis);
+                if (hNativeSelf == hNativeWriter)
+                {
 #if defined(PDMCRITSECTRW_STRICT) && defined(IN_RING3)
-                if (!fNoVal)
-                {
-                    int rc9 = RTLockValidatorRecExclRecursionMixed(pThis->s.Core.pValidatorWrite, &pThis->s.Core.pValidatorRead->Core, pSrcPos);
-                    if (RT_FAILURE(rc9))
-                        return rc9;
+                    if (!fNoVal)
+                    {
+                        int rc9 = RTLockValidatorRecExclRecursionMixed(pThis->s.Core.pValidatorWrite, &pThis->s.Core.pValidatorRead->Core, pSrcPos);
+                        if (RT_FAILURE(rc9))
+                            return rc9;
+                    }
+#endif
+                    uint32_t const cReads = ASMAtomicIncU32(&pThis->s.Core.cWriterReads);
+                    Assert(cReads < _16K);
+                    AssertReturnStmt(cReads < PDM_CRITSECTRW_MAX_RECURSIONS, ASMAtomicDecU32(&pThis->s.Core.cWriterReads),
+                                     VERR_PDM_CRITSECTRW_TOO_MANY_RECURSIONS);
+                    STAM_REL_COUNTER_INC(&pThis->s.CTX_MID_Z(Stat,EnterShared));
+                    return VINF_SUCCESS; /* don't break! */
                 }
-#endif
-                Assert(pThis->s.Core.cWriterReads < UINT32_MAX / 2);
-                ASMAtomicIncU32(&pThis->s.Core.cWriterReads);
-                STAM_REL_COUNTER_INC(&pThis->s.CTX_MID_Z(Stat,EnterShared));
-                return VINF_SUCCESS; /* don't break! */
             }
 
@@ -268 +281 @@
                 c++;
                 Assert(c < RTCSRW_CNT_MASK / 2);
+                AssertReturn(c < RTCSRW_CNT_MASK, VERR_PDM_CRITSECTRW_TOO_MANY_READERS);
 
                 uint64_t cWait = (u64State & RTCSRW_WAIT_CNT_RD_MASK) >> RTCSRW_WAIT_CNT_RD_SHIFT;
@@ -273 +287 @@
                 Assert(cWait <= c);
                 Assert(cWait < RTCSRW_CNT_MASK / 2);
+                AssertReturn(cWait < RTCSRW_CNT_MASK, VERR_PDM_CRITSECTRW_TOO_MANY_READERS);
 
                 u64State &= ~(RTCSRW_CNT_RD_MASK | RTCSRW_WAIT_CNT_RD_MASK);
@@ -317 +332 @@
                             {
                                 u64OldState = u64State = ASMAtomicReadU64(&pThis->s.Core.u64State);
-                                c = (u64State & RTCSRW_CNT_RD_MASK) >> RTCSRW_CNT_RD_SHIFT; Assert(c > 0);
+                                c = (u64State & RTCSRW_CNT_RD_MASK) >> RTCSRW_CNT_RD_SHIFT;
+                                AssertReturn(c > 0, pdmCritSectRwCorrupted(pThis));
                                 c--;
-                                cWait = (u64State & RTCSRW_WAIT_CNT_RD_MASK) >> RTCSRW_WAIT_CNT_RD_SHIFT; Assert(cWait > 0);
+                                cWait = (u64State & RTCSRW_WAIT_CNT_RD_MASK) >> RTCSRW_WAIT_CNT_RD_SHIFT;
+                                AssertReturn(cWait > 0, pdmCritSectRwCorrupted(pThis));
                                 cWait--;
                                 u64State &= ~(RTCSRW_CNT_RD_MASK | RTCSRW_WAIT_CNT_RD_MASK);
@@ -342 +359 @@
 
                         cWait = (u64State & RTCSRW_WAIT_CNT_RD_MASK) >> RTCSRW_WAIT_CNT_RD_SHIFT;
-                        Assert(cWait > 0);
+                        AssertReturn(cWait > 0, pdmCritSectRwCorrupted(pThis));
                         cWait--;
                         u64State &= ~RTCSRW_WAIT_CNT_RD_MASK;
@@ -633 +650 @@
                     LogFlow(("PDMCritSectRwLeaveShared: [%d]=%p => R3 c=%d (%#llx)\n", i, pThis, c, u64State));
                     AssertFatal(i < RT_ELEMENTS(pVCpu->pdm.s.apQueuedCritSectRwShrdLeaves));
+/** @todo This doesn't work any more for devices. */
                     pVCpu->pdm.s.apQueuedCritSectRwShrdLeaves[i] = MMHyperCCToR3(pVM, pThis);
                     VMCPU_FF_SET(pVCpu, VMCPU_FF_PDM_CRITSECT);
@@ -650 +668 @@
     else
     {
+        /*
+         * Write direction. Check that it's the owner calling and that it has reads to undo.
+         */
         RTNATIVETHREAD hNativeSelf = pdmCritSectRwGetNativeSelf(pVM, pThis);
+        AssertReturn(hNativeSelf != NIL_RTNATIVETHREAD, VERR_VM_THREAD_NOT_EMT);
+
         RTNATIVETHREAD hNativeWriter;
         ASMAtomicUoReadHandle(&pThis->s.Core.hNativeWriter, &hNativeWriter);
@@ -663 +686 @@
         }
 #endif
-        ASMAtomicDecU32(&pThis->s.Core.cWriterReads);
+        uint32_t cDepth = ASMAtomicDecU32(&pThis->s.Core.cWriterReads);
+        AssertReturn(cDepth < PDM_CRITSECTRW_MAX_RECURSIONS, pdmCritSectRwCorrupted(pThis));
     }
 
     return VINF_SUCCESS;
 }
+
 
 /**
@@ -744 +769 @@
      * Check if we're already the owner and just recursing.
      */
-    RTNATIVETHREAD hNativeSelf = pdmCritSectRwGetNativeSelf(pVM, pThis);
+    RTNATIVETHREAD const hNativeSelf = pdmCritSectRwGetNativeSelf(pVM, pThis);
+    AssertReturn(hNativeSelf != NIL_RTNATIVETHREAD, VERR_VM_THREAD_NOT_EMT);
     RTNATIVETHREAD hNativeWriter;
     ASMAtomicUoReadHandle(&pThis->s.Core.hNativeWriter, &hNativeWriter);
@@ -758 +784 @@
         }
 #endif
-        Assert(pThis->s.Core.cWriteRecursions < UINT32_MAX / 2);
         STAM_REL_COUNTER_INC(&pThis->s.CTX_MID_Z(Stat,EnterExcl));
-        ASMAtomicIncU32(&pThis->s.Core.cWriteRecursions);
+        uint32_t const cDepth = ASMAtomicIncU32(&pThis->s.Core.cWriteRecursions);
+        AssertReturnStmt(cDepth > 1 && cDepth <= PDM_CRITSECTRW_MAX_RECURSIONS,
+                         ASMAtomicDecU32(&pThis->s.Core.cWriteRecursions),
+                         VERR_PDM_CRITSECTRW_TOO_MANY_RECURSIONS);
         return VINF_SUCCESS;
     }
@@ -777 +805 @@
             /* It flows in the right direction, try follow it before it changes. */
             uint64_t c = (u64State & RTCSRW_CNT_WR_MASK) >> RTCSRW_CNT_WR_SHIFT;
+            AssertReturn(c < RTCSRW_CNT_MASK, VERR_PDM_CRITSECTRW_TOO_MANY_WRITERS);
             c++;
-            Assert(c < RTCSRW_CNT_MASK / 2);
+            Assert(c < RTCSRW_CNT_WR_MASK / 4);
             u64State &= ~RTCSRW_CNT_WR_MASK;
             u64State |= c << RTCSRW_CNT_WR_SHIFT;
@@ -802 +831 @@
             /* Add ourselves to the write count and break out to do the wait. */
             uint64_t c = (u64State & RTCSRW_CNT_WR_MASK) >> RTCSRW_CNT_WR_SHIFT;
+            AssertReturn(c < RTCSRW_CNT_MASK, VERR_PDM_CRITSECTRW_TOO_MANY_WRITERS);
             c++;
-            Assert(c < RTCSRW_CNT_MASK / 2);
+            Assert(c < RTCSRW_CNT_WR_MASK / 4);
             u64State &= ~RTCSRW_CNT_WR_MASK;
             u64State |= c << RTCSRW_CNT_WR_SHIFT;
@@ -820 +850 @@
     /*
      * If we're in write mode now try grab the ownership. Play fair if there
-     * are threads already waiting.
+     * are threads already waiting, unless we're in ring-0.
      */
     bool fDone = (u64State & RTCSRW_DIR_MASK) == (RTCSRW_DIR_WRITE << RTCSRW_DIR_SHIFT)
@@ -886 +916 @@
                     {
                         u64OldState = u64State = ASMAtomicReadU64(&pThis->s.Core.u64State);
-                        uint64_t c = (u64State & RTCSRW_CNT_WR_MASK) >> RTCSRW_CNT_WR_SHIFT; Assert(c > 0);
+                        uint64_t c = (u64State & RTCSRW_CNT_WR_MASK) >> RTCSRW_CNT_WR_SHIFT;
+                        AssertReturn(c > 0, pdmCritSectRwCorrupted(pThis));
                         c--;
                         u64State &= ~RTCSRW_CNT_WR_MASK;
@@ -920 +951 @@
             {
                 u64OldState = u64State = ASMAtomicReadU64(&pThis->s.Core.u64State);
-                uint64_t c = (u64State & RTCSRW_CNT_WR_MASK) >> RTCSRW_CNT_WR_SHIFT; Assert(c > 0);
+                uint64_t c = (u64State & RTCSRW_CNT_WR_MASK) >> RTCSRW_CNT_WR_SHIFT;
+                AssertReturn(c > 0, pdmCritSectRwCorrupted(pThis));
                 c--;
                 u64State &= ~RTCSRW_CNT_WR_MASK;
@@ -1125 +1157 @@
 #endif
 
+    /*
+     * Check ownership.
+     */
     RTNATIVETHREAD hNativeSelf = pdmCritSectRwGetNativeSelf(pVM, pThis);
+    AssertReturn(hNativeSelf != NIL_RTNATIVETHREAD, VERR_VM_THREAD_NOT_EMT);
+
     RTNATIVETHREAD hNativeWriter;
     ASMAtomicUoReadHandle(&pThis->s.Core.hNativeWriter, &hNativeWriter);
@@ -1165 +1202 @@
 
                 uint64_t c = (u64State & RTCSRW_CNT_WR_MASK) >> RTCSRW_CNT_WR_SHIFT;
-                Assert(c > 0);
+                AssertReturn(c > 0, pdmCritSectRwCorrupted(pThis));
                 c--;
 
@@ -1217 +1254 @@
             uint32_t    i     = pVCpu->pdm.s.cQueuedCritSectRwExclLeaves++;
             LogFlow(("PDMCritSectRwLeaveShared: [%d]=%p => R3\n", i, pThis));
-            AssertFatal(i < RT_ELEMENTS(pVCpu->pdm.s.apQueuedCritSectLeaves));
+            AssertFatal(i < RT_ELEMENTS(pVCpu->pdm.s.apQueuedCritSectRwExclLeaves));
+/** @todo This doesn't work anymore for devices. */
             pVCpu->pdm.s.apQueuedCritSectRwExclLeaves[i] = MMHyperCCToR3(pVM, pThis);
             VMCPU_FF_SET(pVCpu, VMCPU_FF_PDM_CRITSECT);
@@ -1231 +1269 @@
          * Not the final recursion.
          */
-        Assert(pThis->s.Core.cWriteRecursions != 0);
 #if defined(PDMCRITSECTRW_STRICT) && defined(IN_RING3)
         if (fNoVal)
@@ -1242 +1279 @@
         }
 #endif
-        ASMAtomicDecU32(&pThis->s.Core.cWriteRecursions);
+        uint32_t const cDepth = ASMAtomicDecU32(&pThis->s.Core.cWriteRecursions);
+        AssertReturn(cDepth != 0 && cDepth < UINT32_MAX, pdmCritSectRwCorrupted(pThis));
     }
 

trunk/src/VBox/VMM/include/PDMInternal.h

@@ -508 +508 @@
 typedef PDMCRITSECTRWINT *PPDMCRITSECTRWINT;
 
+/** Special magic value we set the structure has become corrupted. */
+#define PDMCRITSECTRW_MAGIC_CORRUPT     UINT32_C(0x0bad0620)