Date: Wed, 9 Oct 2024 08:04:50 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20241009150455.1057573-2-seanjc@google.com>
Subject: [PATCH 1/6] KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

Explicitly verify the target vCPU is fully online _prior_ to clamping the
index in kvm_get_vcpu().  If the index is "bad", the nospec clamping will
generate '0', i.e. KVM will return vCPU0 instead of NULL.

In practice, the bug is unlikely to cause problems, as it will only come
into play if userspace or the guest is buggy or misbehaving, e.g. KVM may
send interrupts to vCPU0 instead of dropping them on the floor.

However, returning vCPU0 when it shouldn't exist per online_vcpus is
problematic now that KVM uses an xarray for the vCPUs array, as KVM needs
to insert into the xarray before publishing the vCPU to userspace (see
commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")),
i.e. before vCPU creation is guaranteed to succeed.  As a result,
incorrectly providing access to vCPU0 will trigger a use-after-free if
vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu() bails out of vCPU
creation due to an error and frees vCPU0.  Commit afb2acb2e3a3 ("KVM: Fix
vcpu_array[0] races") papered over that issue, but in doing so introduced
an unsolvable teardown conundrum.  Preventing accesses to vCPU0 before
it's fully online will allow reverting commit afb2acb2e3a3, without
re-introducing the vcpu_array[0] UAF race.

Fixes: 1d487e9bf8ba ("KVM: fix spectrev1 gadgets")
Cc: stable@vger.kernel.org
Cc: Will Deacon
Cc: Michal Luczaj
Signed-off-by: Sean Christopherson
Acked-by: Will Deacon
Reviewed-by: Pankaj Gupta
---
 include/linux/kvm_host.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index db567d26f7b9..450dd0444a92 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -969,6 +969,15 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx)
 static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i)
 {
 	int num_vcpus = atomic_read(&kvm->online_vcpus);
+
+	/*
+	 * Explicitly verify the target vCPU is online, as the anti-speculation
+	 * logic only limits the CPU's ability to speculate, e.g. given a "bad"
+	 * index, clamping the index to 0 would return vCPU0, not NULL.
+	 */
+	if (i >= num_vcpus)
+		return NULL;
+
 	i = array_index_nospec(i, num_vcpus);
 
 	/* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */
-- 
2.47.0.rc0.187.ge670bccf7e-goog
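Review bot: the new `if (i >= num_vcpus)` check only rejects indices that are too large; `i` is a signed `int` (see the signature in the hunk header), so a negative index passes the check and still reaches `array_index_nospec()`, where the clamping described in the new comment turns it into index 0, i.e. the vCPU0-instead-of-NULL behaviour this patch is fixing remains for `i < 0`. If any caller can pass a negative index, compare as unsigned, e.g. `if ((unsigned int)i >= num_vcpus)`; otherwise a short note in the comment that negative indices are a caller bug would make the intent explicit.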
Date: Wed, 9 Oct 2024 08:04:51 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
Message-ID: <20241009150455.1057573-3-seanjc@google.com>
Subject: [PATCH 2/6] KVM: Verify there's at least one online vCPU when iterating over all vCPUs
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

Explicitly check that there is at least one online vCPU before iterating
over all vCPUs.  Because the max index is an unsigned long, passing "0 - 1"
in the online_vcpus==0 case results in xa_for_each_range() using an
unlimited max, i.e. allows it to access vCPU0 when it shouldn't.

This will allow KVM to safely _erase_ from vcpu_array if the last stages
of vCPU creation fail, i.e. without generating a use-after-free if a
different task happens to be concurrently iterating over all vCPUs.

Note, because xa_for_each_range() is a macro, kvm_for_each_vcpu() subtly
reloads online_vcpus after each iteration, i.e. adding an extra load
doesn't meaningfully impact the total cost of iterating over all vCPUs.
And because online_vcpus is never decremented, there is no risk of a
reload triggering a walk of the entire xarray.

Cc: Will Deacon
Cc: Michal Luczaj
Signed-off-by: Sean Christopherson
Acked-by: Will Deacon
---
 include/linux/kvm_host.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 450dd0444a92..5fe3b0c28fb3 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -985,9 +985,10 @@ static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i)
 	return xa_load(&kvm->vcpu_array, i);
 }
 
-#define kvm_for_each_vcpu(idx, vcpup, kvm)		   \
-	xa_for_each_range(&kvm->vcpu_array, idx, vcpup, 0, \
-			  (atomic_read(&kvm->online_vcpus) - 1))
+#define kvm_for_each_vcpu(idx, vcpup, kvm)				   \
+	if (atomic_read(&kvm->online_vcpus))				   \
+		xa_for_each_range(&kvm->vcpu_array, idx, vcpup, 0, \
+				  (atomic_read(&kvm->online_vcpus) - 1))
 
 static inline struct kvm_vcpu *kvm_get_vcpu_by_id(struct kvm *kvm, int id)
 {
-- 
2.47.0.rc0.187.ge670bccf7e-goog
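Review bot: wrapping the iterator in a brace-less `if` makes `kvm_for_each_vcpu()` a dangling-else hazard: a caller that writes `if (cond) kvm_for_each_vcpu(idx, vcpu, kvm) { ... } else { ... }` now has the `else` bind to the macro's inner `if (atomic_read(&kvm->online_vcpus))`, silently changing control flow without a compiler diagnostic. Either keep the expansion a single statement (for example an `if (...) ; else` form, or a guard that folds into the `for` loop) or at least document the hazard in a comment next to the macro. The two separate `atomic_read()`s are fine given the commit message's point that `online_vcpus` never decrements, but a one-line comment saying the second read is intentional would spare the next reader a trip through git log.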
Date: Wed, 9 Oct 2024 08:04:52 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
Message-ID: <20241009150455.1057573-4-seanjc@google.com>
Subject: [PATCH 3/6] KVM: Grab vcpu->mutex across installing the vCPU's fd and bumping online_vcpus
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

During vCPU creation, acquire vcpu->mutex prior to exposing the vCPU to
userspace, and hold the mutex until online_vcpus is bumped, i.e. until the
vCPU is fully online from KVM's perspective.

To ensure asynchronous vCPU ioctls also wait for the vCPU to come online,
explicitly check online_vcpus at the start of kvm_vcpu_ioctl(), and take
the vCPU's mutex to wait if necessary (having to wait for any ioctl should
be exceedingly rare, i.e. not worth optimizing).

Reported-by: Will Deacon
Reported-by: Michal Luczaj
Link: https://lore.kernel.org/all/20240730155646.1687-1-will@kernel.org
Signed-off-by: Sean Christopherson
Acked-by: Will Deacon
---
 virt/kvm/kvm_main.c | 47 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 05cbb2548d99..fca9f74e9544 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4287,7 +4287,14 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
 	if (r)
 		goto unlock_vcpu_destroy;
 
-	/* Now it's all set up, let userspace reach it */
+	/*
+	 * Now it's all set up, let userspace reach it.  Grab the vCPU's mutex
+	 * so that userspace can't invoke vCPU ioctl()s until the vCPU is fully
+	 * visible (per online_vcpus), e.g. so that KVM doesn't get tricked
+	 * into a NULL-pointer dereference because KVM thinks the _current_
+	 * vCPU doesn't exist.
+	 */
+	mutex_lock(&vcpu->mutex);
 	kvm_get_kvm(kvm);
 	r = create_vcpu_fd(vcpu);
 	if (r < 0)
@@ -4304,6 +4311,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
 	 */
 	smp_wmb();
 	atomic_inc(&kvm->online_vcpus);
+	mutex_unlock(&vcpu->mutex);
 
 	mutex_unlock(&kvm->lock);
 	kvm_arch_vcpu_postcreate(vcpu);
@@ -4311,6 +4319,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
 	return r;
 
 kvm_put_xa_release:
+	mutex_unlock(&vcpu->mutex);
 	kvm_put_kvm_no_destroy(kvm);
 	xa_release(&kvm->vcpu_array, vcpu->vcpu_idx);
 unlock_vcpu_destroy:
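Review bot: `mutex_lock(&vcpu->mutex)` is now acquired while `kvm->lock` is held (the error label in the third hunk releases `vcpu->mutex` before `unlock_vcpu_destroy:` drops `kvm->lock`), which fixes a kvm->lock -> vcpu->mutex ordering for this path; please confirm with lockdep that no vCPU ioctl handler takes `kvm->lock` while holding `vcpu->mutex`, and record that in the commit message, since an inversion there would deadlock vCPU creation against a concurrent ioctl. Also worth one sentence in the new comment: the mutex is dropped only after `atomic_inc(&kvm->online_vcpus)` (second hunk), so the `smp_wmb()` remains the publication point and the mutex is purely a wait mechanism for ioctls that arrive early.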
@@ -4437,6 +4446,33 @@ static int kvm_vcpu_pre_fault_memory(struct kvm_vcpu *vcpu,
 }
 #endif
 
+static int kvm_wait_for_vcpu_online(struct kvm_vcpu *vcpu)
+{
+	struct kvm *kvm = vcpu->kvm;
+
+	/*
+	 * In practice, this happy path will always be taken, as a well-behaved
+	 * VMM will never invoke a vCPU ioctl() before KVM_CREATE_VCPU returns.
+	 */
+	if (likely(vcpu->vcpu_idx < atomic_read(&kvm->online_vcpus)))
+		return 0;
+
+	/*
+	 * Acquire and release the vCPU's mutex to wait for vCPU creation to
+	 * complete (kvm_vm_ioctl_create_vcpu() holds the mutex until the vCPU
+	 * is fully online).
+	 */
+	if (mutex_lock_killable(&vcpu->mutex))
+		return -EINTR;
+
+	mutex_unlock(&vcpu->mutex);
+
+	if (WARN_ON_ONCE(!kvm_get_vcpu(kvm, vcpu->vcpu_idx)))
+		return -EIO;
+
+	return 0;
+}
+
 static long kvm_vcpu_ioctl(struct file *filp,
 			   unsigned int ioctl, unsigned long arg)
 {
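Review bot: the fast path `vcpu->vcpu_idx < atomic_read(&kvm->online_vcpus)` returns without any read barrier, whereas `kvm_get_vcpu()` documents a pairing with the `smp_wmb()` in `kvm_vm_ioctl_create_vcpu()`; that is sound only because the caller already holds the `vcpu` pointer from the file and never loads it from `vcpu_array`, so the comment above the `likely()` should say so, otherwise the function name invites readers to treat it as the visibility barrier. The `WARN_ON_ONCE(!kvm_get_vcpu(...))` after the lock/unlock can only fire if creation failed after the fd was installed; returning `-EIO` is reasonable, but the error codes (`-EINTR` for a fatal signal, `-EIO` for a vCPU that never came online) belong in the function comment since they surface to userspace.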
@@ -4452,6 +4488,15 @@ static long kvm_vcpu_ioctl(struct file *filp,
 	if (unlikely(_IOC_TYPE(ioctl) != KVMIO))
 		return -EINVAL;
 
+	/*
+	 * Wait for the vCPU to be online before handling the ioctl(), as KVM
+	 * assumes the vCPU is reachable via vcpu_array, i.e. may dereference
+	 * a NULL pointer if userspace invokes an ioctl() before KVM is ready.
+	 */
+	r = kvm_wait_for_vcpu_online(vcpu);
+	if (r)
+		return r;
+
 	/*
 	 * Some architectures have vcpu ioctls that are asynchronous to vcpu
 	 * execution; mutex_lock() would break them.
-- 
2.47.0.rc0.187.ge670bccf7e-goog
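Review bot: placing the wait ahead of the asynchronous-ioctl dispatch (the "Some architectures have vcpu ioctls that are asynchronous" block that follows) is the right spot, as it covers those ioctls without taking `vcpu->mutex` for them, which is what the commit message promises; the cost is a single `atomic_read()` per ioctl, so no `likely()` is needed here since the helper already has one. The comment, however, only explains the NULL-pointer hazard; it should also mention that this is the only place a caller can observe `-EINTR`/`-EIO` from `kvm_wait_for_vcpu_online()`, so that anyone auditing KVM_RUN error paths knows where these come from.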
Date: Wed, 9 Oct 2024 08:04:53 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
Message-ID: <20241009150455.1057573-5-seanjc@google.com>
Subject: [PATCH 4/6] Revert "KVM: Fix vcpu_array[0] races"
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

Now that KVM loads from vcpu_array if and only if the target index is
valid with respect to online_vcpus, i.e. now that it is safe to erase a
not-fully-onlined vCPU entry, revert to storing into vcpu_array before
success is guaranteed.

If xa_store() fails, which _should_ be impossible, then putting the vCPU's
reference to 'struct kvm' results in a refcounting bug as the vCPU fd has
been installed and owns the vCPU's reference.

This was found by inspection, but forcing the xa_store() to fail confirms
the problem:

 | Unable to handle kernel paging request at virtual address ffff800080ecd960
 | Call trace:
 |  _raw_spin_lock_irq+0x2c/0x70
 |  kvm_irqfd_release+0x24/0xa0
 |  kvm_vm_release+0x1c/0x38
 |  __fput+0x88/0x2ec
 |  ____fput+0x10/0x1c
 |  task_work_run+0xb0/0xd4
 |  do_exit+0x210/0x854
 |  do_group_exit+0x70/0x98
 |  get_signal+0x6b0/0x73c
 |  do_signal+0xa4/0x11e8
 |  do_notify_resume+0x60/0x12c
 |  el0_svc+0x64/0x68
 |  el0t_64_sync_handler+0x84/0xfc
 |  el0t_64_sync+0x190/0x194
 | Code: b9000909 d503201f 2a1f03e1 52800028 (88e17c08)

Practically speaking, this is a non-issue as xa_store() can't fail, absent
a nasty kernel bug.  But the code is visually jarring and technically
broken.

This reverts commit afb2acb2e3a32e4d56f7fbd819769b98ed1b7520.

Cc: Paolo Bonzini
Cc: Michal Luczaj
Cc: Alexander Potapenko
Cc: Marc Zyngier
Reported-by: Will Deacon
Signed-off-by: Sean Christopherson
Acked-by: Will Deacon
---
 virt/kvm/kvm_main.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index fca9f74e9544..f081839521ef 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4283,7 +4283,8 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
 	}
 
 	vcpu->vcpu_idx = atomic_read(&kvm->online_vcpus);
-	r = xa_reserve(&kvm->vcpu_array, vcpu->vcpu_idx, GFP_KERNEL_ACCOUNT);
+	r = xa_insert(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, GFP_KERNEL_ACCOUNT);
+	BUG_ON(r == -EBUSY);
 	if (r)
 		goto unlock_vcpu_destroy;
 
@@ -4298,12 +4299,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
 	kvm_get_kvm(kvm);
 	r = create_vcpu_fd(vcpu);
 	if (r < 0)
-		goto kvm_put_xa_release;
-
-	if (KVM_BUG_ON(xa_store(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, 0), kvm)) {
-		r = -EINVAL;
-		goto kvm_put_xa_release;
-	}
+		goto kvm_put_xa_erase;
 
 	/*
 	 * Pairs with smp_rmb() in kvm_get_vcpu.  Store the vcpu
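Review bot: `BUG_ON(r == -EBUSY)` in the first hunk turns a recoverable error into a host panic; `-EBUSY` only means the slot at `vcpu->vcpu_idx` is already occupied, and the very next line already routes any non-zero `r` to `unlock_vcpu_destroy`, so a `WARN_ON_ONCE()` or `KVM_BUG_ON(..., kvm)` (the removed lines in the second hunk show the latter is available here) would flag the broken invariant without taking the machine down. The second hunk also deserves a comment near `goto kvm_put_xa_erase`: the vCPU now sits in `vcpu_array` before `create_vcpu_fd()` runs, and it is kept unreachable only by the `online_vcpus` checks in `kvm_get_vcpu()` and `kvm_for_each_vcpu()`, which is the dependency on the earlier patches that makes erasing on failure safe.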
@@ -4318,10 +4314,10 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
 	kvm_create_vcpu_debugfs(vcpu);
 	return r;
 
-kvm_put_xa_release:
+kvm_put_xa_erase:
 	mutex_unlock(&vcpu->mutex);
 	kvm_put_kvm_no_destroy(kvm);
-	xa_release(&kvm->vcpu_array, vcpu->vcpu_idx);
+	xa_erase(&kvm->vcpu_array, vcpu->vcpu_idx);
 unlock_vcpu_destroy:
 	mutex_unlock(&kvm->lock);
 	kvm_dirty_ring_free(&vcpu->dirty_ring);
-- 
2.47.0.rc0.187.ge670bccf7e-goog
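Review bot: at the renamed `kvm_put_xa_erase:` label, `xa_erase()` runs after `mutex_unlock(&vcpu->mutex)`, so there is a window in which `vcpu_array` still holds a vCPU whose mutex is free; that is harmless only because `online_vcpus` was never bumped for this index, so neither `kvm_get_vcpu()` nor `kvm_for_each_vcpu()` can return it and, since `create_vcpu_fd()` failed, no fd exists through which `kvm_wait_for_vcpu_online()` could wait on it. A one-line comment at the label stating that invariant would make the label self-explanatory and protect it from a future reordering of the unlock and the erase.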
Reply-To: Sean Christopherson
Date: Wed, 9 Oct 2024 08:04:54 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
References: <20241009150455.1057573-1-seanjc@google.com>
Message-ID: <20241009150455.1057573-6-seanjc@google.com>
Subject: [PATCH 5/6] KVM: Don't BUG() the kernel if xa_insert() fails with -EBUSY
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

WARN once instead of triggering a BUG if xa_insert() fails because it encountered an existing entry. While KVM guarantees there should be no existing entry, there's no reason to BUG the kernel, as KVM needs to gracefully handle failure anyways.

Signed-off-by: Sean Christopherson
Acked-by: Will Deacon
Reviewed-by: Pankaj Gupta
---
 virt/kvm/kvm_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index f081839521ef..ae216256ee9d 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4284,7 +4284,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, = unsigned long id) =20 vcpu->vcpu_idx =3D atomic_read(&kvm->online_vcpus); r =3D xa_insert(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, GFP_KERNEL_ACCOUN= T); - BUG_ON(r =3D=3D -EBUSY); + WARN_ON_ONCE(r =3D=3D -EBUSY); if (r) goto unlock_vcpu_destroy; =20 --=20 2.47.0.rc0.187.ge670bccf7e-goog
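Review bot: the -EBUSY case still takes `if (r) goto unlock_vcpu_destroy;`, and per the unwind labels in the previous patch that target sits below the xa_erase() call, so the colliding entry, which belongs to some other vCPU, is correctly left in kvm->vcpu_array rather than erased; a one-line comment saying this is deliberate would spare the next reader from tracing the labels. Two caveats deserve a sentence in the commit message: WARN_ON_ONCE() reports only the first occurrence, and on a kernel booted with panic_on_warn the WARN still brings the machine down, so the graceful-failure path only applies where that knob is off.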
Reply-To: Sean Christopherson
Date: Wed, 9 Oct 2024 08:04:55 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
References: <20241009150455.1057573-1-seanjc@google.com>
Message-ID: <20241009150455.1057573-7-seanjc@google.com>
Subject: [PATCH 6/6] KVM: Drop hack that "manually" informs lockdep of kvm->lock vs. vcpu->mutex
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

Now that KVM takes vcpu->mutex inside kvm->lock when creating a vCPU, drop the hack to manually inform lockdep of the kvm->lock => vcpu->mutex ordering. This effectively reverts commit 42a90008f890 ("KVM: Ensure lockdep knows about kvm->lock vs. vcpu->mutex ordering rule").

Cc: Oliver Upton
Signed-off-by: Sean Christopherson
Acked-by: Will Deacon
---
 virt/kvm/kvm_main.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index ae216256ee9d..2dd3ff8764da 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4271,12 +4271,6 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm,= unsigned long id) =20 mutex_lock(&kvm->lock); =20 -#ifdef CONFIG_LOCKDEP - /* Ensure that lockdep knows vcpu->mutex is taken *inside* kvm->lock */ - mutex_lock(&vcpu->mutex); - mutex_unlock(&vcpu->mutex); -#endif - if (kvm_get_vcpu_by_id(kvm, id)) { r =3D -EEXIST; goto unlock_vcpu_destroy; @@ -4293,7 +4287,8 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, = unsigned long id) * so that userspace can't invoke vCPU ioctl()s until the vCPU is fully * visible (per online_vcpus), e.g. so that KVM doesn't get tricked * into a NULL-pointer dereference because KVM thinks the _current_ - * vCPU doesn't exist. + * vCPU doesn't exist. As a bonus, taking vcpu->mutex ensures lockdep + * knows it's taken *inside* kvm->lock. */ mutex_lock(&vcpu->mutex); kvm_get_kvm(kvm); --=20 2.47.0.rc0.187.ge670bccf7e-goog
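Review bot: with the CONFIG_LOCKDEP block removed in the first hunk, the kvm->lock => vcpu->mutex dependency is now recorded only when creation reaches the mutex_lock(&vcpu->mutex) in the second hunk, i.e. after the kvm_get_vcpu_by_id() and xa_insert() checks have passed; that is sufficient because lockdep needs to observe an ordering once rather than on every call, but the commit message should state plainly that the first successful vCPU creation is what now registers the rule, since a VM whose every vCPU creation fails early would never teach lockdep the ordering. In the updated comment, "As a bonus" undersells a property the patch depends on; stating that the ordering is relied upon for lockdep coverage would be clearer.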