From patchwork Thu Jul 26 05:44:34 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Paul Mackerras <paulus@ozlabs.org>
X-Patchwork-Id: 10545231
Return-Path: <kvm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C30649093
	for <patchwork-kvm@patchwork.kernel.org>;
 Thu, 26 Jul 2018 05:44:48 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id ABA252A944
	for <patchwork-kvm@patchwork.kernel.org>;
 Thu, 26 Jul 2018 05:44:48 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 9DD0D2A96A; Thu, 26 Jul 2018 05:44:48 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham
	version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 278FD2A944
	for <patchwork-kvm@patchwork.kernel.org>;
 Thu, 26 Jul 2018 05:44:48 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728808AbeGZG7z (ORCPT
        <rfc822;patchwork-kvm@patchwork.kernel.org>);
        Thu, 26 Jul 2018 02:59:55 -0400
Received: from ozlabs.org ([203.11.71.1]:54165 "EHLO ozlabs.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727070AbeGZG7z (ORCPT <rfc822;kvm@vger.kernel.org>);
        Thu, 26 Jul 2018 02:59:55 -0400
Received: by ozlabs.org (Postfix, from userid 1003)
        id 41bgz0687fz9s21; Thu, 26 Jul 2018 15:44:44 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ozlabs.org; s=201707;
        t=1532583884; bh=2Y6qB/dcU7qsza1Bpiw+I2J00uTnDdFjbrruS8INHFo=;
        h=Date:From:To:Cc:Subject:From;
        b=iKgbvBKcpF+kqEhV7Eq5HL/yv09bwFesn986y/0czYJ9OddDdRo6pGNCWexe7ZEup
         ZcoauEMUKdPUuGF6M5vIVVVae5b2tE1Uv2x2ocanrA8Ka+wpFRaQBNg+6khMPBfvGq
         gSB5A01c7//szv/wJAGE5djKBWM2baPg+JNvLY9YyZSQ4IxQIya2tsLZy4JyTUriUy
         i7I6i4BWDlcmD0BWCls3q9SLetrqXjkokfhtSxzZyaGmlJ6MNv0yyHI9t7jeeBzGPv
         oJUgfGtOErrquP/9bHo0519ecZYkd44pz3Oj+pN9rYuegZbLQrVxzDH7jm5LgMwfQK
         5dWqbpr28FFhQ==
Date: Thu, 26 Jul 2018 15:44:34 +1000
From: Paul Mackerras <paulus@ozlabs.org>
To: kvm@vger.kernel.org, kvm-ppc@vger.kernel.org,
        linuxppc-dev@lists.ozlabs.org
Cc: Sam Bobroff <sbobroff@linux.ibm.com>,
        David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH 2/2] KVM: PPC: Book3S HV: Read kvm->arch.emul_smt_mode under
 kvm->lock
Message-ID: <20180726054434.GC1672@fergus>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Commit 1e175d2 ("KVM: PPC: Book3S HV: Pack VCORE IDs to access full
VCPU ID space", 2018-07-25) added code that uses kvm->arch.emul_smt_mode
before any VCPUs are created.  However, userspace can change
kvm->arch.emul_smt_mode at any time up until the first VCPU is created.
Hence it is (theoretically) possible for the check in
kvmppc_core_vcpu_create_hv() to race with another userspace thread
changing kvm->arch.emul_smt_mode.

This fixes it by moving the test that uses kvm->arch.emul_smt_mode into
the block where kvm->lock is held.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
---
 arch/powerpc/kvm/book3s_hv.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
index 785245e..113f815 100644
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -1989,16 +1989,10 @@ static struct kvm_vcpu *kvmppc_core_vcpu_create_hv(struct kvm *kvm,
 						   unsigned int id)
 {
 	struct kvm_vcpu *vcpu;
-	int err = -EINVAL;
+	int err;
 	int core;
 	struct kvmppc_vcore *vcore;
 
-	if (id >= (KVM_MAX_VCPUS * kvm->arch.emul_smt_mode) &&
-	    cpu_has_feature(CPU_FTR_ARCH_300)) {
-		pr_devel("DNCI: VCPU ID too high\n");
-		goto out;
-	}
-
 	err = -ENOMEM;
 	vcpu = kmem_cache_zalloc(kvm_vcpu_cache, GFP_KERNEL);
 	if (!vcpu)
@@ -2055,8 +2049,13 @@ static struct kvm_vcpu *kvmppc_core_vcpu_create_hv(struct kvm *kvm,
 	vcore = NULL;
 	err = -EINVAL;
 	if (cpu_has_feature(CPU_FTR_ARCH_300)) {
-		BUG_ON(kvm->arch.smt_mode != 1);
-		core = kvmppc_pack_vcpu_id(kvm, id);
+		if (id >= (KVM_MAX_VCPUS * kvm->arch.emul_smt_mode)) {
+			pr_devel("KVM: VCPU ID too high\n");
+			core = KVM_MAX_VCORES;
+		} else {
+			BUG_ON(kvm->arch.smt_mode != 1);
+			core = kvmppc_pack_vcpu_id(kvm, id);
+		}
 	} else {
 		core = id / kvm->arch.smt_mode;
 	}