From patchwork Wed Oct 9 15:04:50 2024
X-Patchwork-Submitter: Sean Christopherson
Date: Wed, 9 Oct 2024 08:04:50 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
Message-ID: <20241009150455.1057573-2-seanjc@google.com>
Subject: [PATCH 1/6] KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will generate '0', i.e. KVM will return vCPU0 instead of NULL.

In practice, the bug is unlikely to cause problems, as it will only come into play if userspace or the guest is buggy or misbehaving, e.g. KVM may send interrupts to vCPU0 instead of dropping them on the floor.

However, returning vCPU0 when it shouldn't exist per online_vcpus is problematic now that KVM uses an xarray for the vCPUs array, as KVM needs to insert into the xarray before publishing the vCPU to userspace (see commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")), i.e. before vCPU creation is guaranteed to succeed. As a result, incorrectly providing access to vCPU0 will trigger a use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu() bails out of vCPU creation due to an error and frees vCPU0. Commit afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but in doing so introduced an unsolvable teardown conundrum. Preventing accesses to vCPU0 before it's fully online will allow reverting commit afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race.

Fixes: 1d487e9bf8ba ("KVM: fix spectrev1 gadgets")
Cc: stable@vger.kernel.org
Cc: Will Deacon
Cc: Michal Luczaj
Signed-off-by: Sean Christopherson
Reviewed-by: Pankaj Gupta
---
 include/linux/kvm_host.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index db567d26f7b9..450dd0444a92 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -969,6 +969,15 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx) static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) { int num_vcpus = atomic_read(&kvm->online_vcpus); + + /* + * Explicitly verify the target vCPU is online, as the anti-speculation + * logic only limits the CPU's ability to speculate, e.g. given a "bad" + * index, clamping the index to 0 would return vCPU0, not NULL. + */ + if (i >= num_vcpus) + return NULL; + i = array_index_nospec(i, num_vcpus); /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */
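Review bot: the new `if (i >= num_vcpus) return NULL;` is a signed comparison between two ints, so a negative `i` is not rejected: `-1 >= num_vcpus` is false, the value then reaches `array_index_nospec(i, num_vcpus)` as a huge unsigned index, and the clamp the changelog describes turns it into 0, i.e. vCPU0 is still returned for exactly the kind of "bad" index this check is meant to turn into NULL. Consider `if ((unsigned int)i >= (unsigned int)num_vcpus)` or an explicit `i < 0 ||` so that a caller passing an unchecked userspace- or guest-supplied value gets NULL in both directions. It would also help to say in the block comment that this check, not the clamp, is the functional bounds check, and that the clamp only bounds speculation.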
Date: Wed, 9 Oct 2024 08:04:51 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
Message-ID: <20241009150455.1057573-3-seanjc@google.com>
Subject: [PATCH 2/6] KVM: Verify there's at least one online vCPU when iterating over all vCPUs
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

Explicitly check that there is at least one online vCPU before iterating over all vCPUs. Because the max index is an unsigned long, passing "0 - 1" in the online_vcpus==0 case results in xa_for_each_range() using an unlimited max, i.e. allows it to access vCPU0 when it shouldn't.

This will allow KVM to safely _erase_ from vcpu_array if the last stages of vCPU creation fail, i.e. without generating a use-after-free if a different task happens to be concurrently iterating over all vCPUs.

Note, because xa_for_each_range() is a macro, kvm_for_each_vcpu() subtly reloads online_vcpus after each iteration, i.e. adding an extra load doesn't meaningfully impact the total cost of iterating over all vCPUs. And because online_vcpus is never decremented, there is no risk of a reload triggering a walk of the entire xarray.

Cc: Will Deacon
Cc: Michal Luczaj
Signed-off-by: Sean Christopherson
---
 include/linux/kvm_host.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 450dd0444a92..5fe3b0c28fb3 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -985,9 +985,10 @@ static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) return xa_load(&kvm->vcpu_array, i); } -#define kvm_for_each_vcpu(idx, vcpup, kvm) \ - xa_for_each_range(&kvm->vcpu_array, idx, vcpup, 0, \ - (atomic_read(&kvm->online_vcpus) - 1)) +#define kvm_for_each_vcpu(idx, vcpup, kvm) \ + if (atomic_read(&kvm->online_vcpus)) \ + xa_for_each_range(&kvm->vcpu_array, idx, vcpup, 0, \ + (atomic_read(&kvm->online_vcpus) - 1)) static inline struct kvm_vcpu *kvm_get_vcpu_by_id(struct kvm *kvm, int id) {
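Review bot: the replacement macro expands to an unbraced `if (atomic_read(&kvm->online_vcpus))` in front of the loop, so `kvm_for_each_vcpu()` now carries the classic dangling-else hazard: in `if (cond) kvm_for_each_vcpu(i, v, kvm) foo(v); else bar();` the `else` silently binds to the macro's inner `if` rather than the caller's. If no current caller writes that, a comment above the macro warning that it must not be followed by `else`, or a form that keeps the macro a single statement, would close the trap. The two separate `atomic_read()`s are fine for the reason the changelog gives (online_vcpus never decrements, so the bound read second can only be larger), but that reasoning should live in a comment next to the macro rather than only in the changelog.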
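As an added example that is not code from the patch series or the KVM tree, the following user-space C model reproduces the two behaviours described in PATCH 1/6 and PATCH 2/6: a clamp-only kvm_get_vcpu() handing back slot 0 for an out-of-range index, and the pre-patch kvm_for_each_vcpu() bound wrapping to ULONG_MAX when online_vcpus is 0. It assumes a fixed array standing in for the xarray and a hand-written branchless clamp with array_index_nospec() semantics; it also goes one step past the page by showing that a signed `i >= num_vcpus` check still lets a negative index through.

```c
/*
 * Added example, not code from the patch series: a user-space model of the
 * vcpu_array lookup in PATCH 1/6 and the all-vCPU walk in PATCH 2/6. The
 * xarray becomes a fixed array; array_index_nospec() becomes a hand-written
 * branchless clamp with the same semantics.
 */
#include <stddef.h>

#define MAX_VCPUS 8
#define BITS_PER_LONG (sizeof(long) * 8)

struct vcpu { int id; };

/* Constructed stand-ins for kvm->vcpu_array and kvm->online_vcpus. */
static struct vcpu vcpu_storage[MAX_VCPUS];
static struct vcpu *vcpu_array[MAX_VCPUS];
static int online_vcpus;

/*
 * 'online' vCPUs are published; 'pending' more sit in the array without being
 * counted in online_vcpus, i.e. their creation is still in flight.
 */
static void model_reset(int online, int pending)
{
	int i;

	online_vcpus = online;
	for (i = 0; i < MAX_VCPUS; i++) {
		vcpu_storage[i].id = i;
		vcpu_array[i] = (i < online + pending) ? &vcpu_storage[i] : NULL;
	}
}

/*
 * array_index_nospec() semantics: index if index < size, else 0, computed
 * without a branch. A negative int arrives here as a huge unsigned long and
 * is therefore clamped to 0, not rejected.
 */
static unsigned long nospec_clamp(unsigned long index, unsigned long size)
{
	unsigned long mask = ~(long)(index | (size - 1 - index)) >> (BITS_PER_LONG - 1);

	return index & mask;
}

/* Pre-patch lookup: clamp only, so a "bad" index silently maps to slot 0. */
static struct vcpu *get_vcpu_clamp_only(int i)
{
	int num_vcpus = online_vcpus;

	i = (int)nospec_clamp((unsigned long)i, (unsigned long)num_vcpus);
	return vcpu_array[i];
}

/* PATCH 1/6 lookup: explicit bounds check before the clamp. */
static struct vcpu *get_vcpu_checked(int i)
{
	int num_vcpus = online_vcpus;

	if (i >= num_vcpus)
		return NULL;
	i = (int)nospec_clamp((unsigned long)i, (unsigned long)num_vcpus);
	return vcpu_array[i];
}

/* The same check done unsigned, which also rejects negative indices. */
static struct vcpu *get_vcpu_unsigned_check(int i)
{
	int num_vcpus = online_vcpus;

	if ((unsigned int)i >= (unsigned int)num_vcpus)
		return NULL;
	i = (int)nospec_clamp((unsigned long)i, (unsigned long)num_vcpus);
	return vcpu_array[i];
}

/*
 * Pre-patch kvm_for_each_vcpu(): visit populated slots with index <= max,
 * max being online_vcpus - 1 as an unsigned long. With nothing online, max
 * wraps to ULONG_MAX and the walk reaches the in-flight slot 0.
 */
static int walk_vcpus_old(void)
{
	unsigned long max = (unsigned long)(online_vcpus - 1);
	unsigned long idx;
	int visited = 0;

	for (idx = 0; idx < MAX_VCPUS && idx <= max; idx++)
		if (vcpu_array[idx])
			visited++;
	return visited;
}

/* PATCH 2/6 kvm_for_each_vcpu(): skip the walk entirely when nothing is online. */
static int walk_vcpus_new(void)
{
	return online_vcpus ? walk_vcpus_old() : 0;
}
```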
Date: Wed, 9 Oct 2024 08:04:52 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
Message-ID: <20241009150455.1057573-4-seanjc@google.com>
Subject: [PATCH 3/6] KVM: Grab vcpu->mutex across installing the vCPU's fd and bumping online_vcpus
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

During vCPU creation, acquire vcpu->mutex prior to exposing the vCPU to userspace, and hold the mutex until online_vcpus is bumped, i.e. until the vCPU is fully online from KVM's perspective.

To ensure asynchronous vCPU ioctls also wait for the vCPU to come online, explicitly check online_vcpus at the start of kvm_vcpu_ioctl(), and take the vCPU's mutex to wait if necessary (having to wait for any ioctl should be exceedingly rare, i.e. not worth optimizing).

Reported-by: Will Deacon
Reported-by: Michal Luczaj
Link: https://lore.kernel.org/all/20240730155646.1687-1-will@kernel.org
Signed-off-by: Sean Christopherson
---
 virt/kvm/kvm_main.c | 47 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 05cbb2548d99..fca9f74e9544 100644
--- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -4287,7 +4287,14 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id) if (r) goto unlock_vcpu_destroy; - /* Now it's all set up, let userspace reach it */ + /* + * Now it's all set up, let userspace reach it. Grab the vCPU's mutex + * so that userspace can't invoke vCPU ioctl()s until the vCPU is fully + * visible (per online_vcpus), e.g. so that KVM doesn't get tricked + * into a NULL-pointer dereference because KVM thinks the _current_ + * vCPU doesn't exist. + */ + mutex_lock(&vcpu->mutex); kvm_get_kvm(kvm); r = create_vcpu_fd(vcpu); if (r < 0) @@ -4304,6 +4311,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id) */ smp_wmb(); atomic_inc(&kvm->online_vcpus); + mutex_unlock(&vcpu->mutex); mutex_unlock(&kvm->lock); kvm_arch_vcpu_postcreate(vcpu); @@ -4311,6 +4319,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id) return r; kvm_put_xa_release: + mutex_unlock(&vcpu->mutex); kvm_put_kvm_no_destroy(kvm); xa_release(&kvm->vcpu_array, vcpu->vcpu_idx); unlock_vcpu_destroy: @@ -4437,6 +4446,33 @@ static int kvm_vcpu_pre_fault_memory(struct kvm_vcpu *vcpu, } #endif +static int kvm_wait_for_vcpu_online(struct kvm_vcpu *vcpu) +{ + struct kvm *kvm = vcpu->kvm; + + /* + * In practice, this happy path will always be taken, as a well-behaved + * VMM will never invoke a vCPU ioctl() before KVM_CREATE_VCPU returns. + */ + if (likely(vcpu->vcpu_idx < atomic_read(&kvm->online_vcpus))) + return 0; + + /* + * Acquire and release the vCPU's mutex to wait for vCPU creation to + * complete (kvm_vm_ioctl_create_vcpu() holds the mutex until the vCPU + * is fully online). + */ + if (mutex_lock_killable(&vcpu->mutex)) + return -EINTR; + + mutex_unlock(&vcpu->mutex); + + if (WARN_ON_ONCE(!kvm_get_vcpu(kvm, vcpu->vcpu_idx))) + return -EIO; + + return 0; +} + static long kvm_vcpu_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg) { 
@@ -4452,6 +4488,15 @@ static long kvm_vcpu_ioctl(struct file *filp, if (unlikely(_IOC_TYPE(ioctl) != KVMIO)) return -EINVAL; + /* + * Wait for the vCPU to be online before handling the ioctl(), as KVM + * assumes the vCPU is reachable via vcpu_array, i.e. may dereference + * a NULL pointer if userspace invokes an ioctl() before KVM is ready. + */ + r = kvm_wait_for_vcpu_online(vcpu); + if (r) + return r; + /* * Some architectures have vcpu ioctls that are asynchronous to vcpu * execution; mutex_lock() would break them.
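Review bot: in the first hunk of kvm_vm_ioctl_create_vcpu(), the new mutex_lock(&vcpu->mutex) is taken while kvm->lock is already held (the function stays under kvm->lock until the mutex_unlock(&kvm->lock) in the second hunk), so the creation path now nests vcpu->mutex inside kvm->lock. That matches the order documented in Documentation/virt/kvm/locking.rst (kvm->lock is taken outside vcpu->mutex), but the new comment should say so, and its claim that holding the mutex keeps userspace from invoking vCPU ioctl()s only holds because kvm_vcpu_ioctl() is taught to wait in the last hunk; the asynchronous ioctls the later comment mentions never take the mutex on their own. A pointer from this comment to kvm_wait_for_vcpu_online() would keep the two halves from drifting apart.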
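Review bot: in kvm_wait_for_vcpu_online(), the fast path compares vcpu->vcpu_idx against online_vcpus without the smp_rmb() that kvm_get_vcpu() pairs with the creation-side smp_wmb(); that is fine here because the vcpu pointer comes from the file rather than from vcpu_array, but the comment should say so, otherwise the next reader will "fix" it. The post-wait `WARN_ON_ONCE(!kvm_get_vcpu(kvm, vcpu->vcpu_idx))` is reachable only if creation failed after the fd was installed, i.e. through the `KVM_BUG_ON(xa_store(...))` branch that patch 4 of this series removes; with that patch applied the WARN is for the impossible case only, which is worth a sentence either here or in the changelog so the -EIO return is not mistaken for an expected userspace-visible error.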
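Review bot: the wait in kvm_vcpu_ioctl() sits ahead of the asynchronous-ioctl dispatch described by the comment directly below it, so an async ioctl issued on a not-yet-online vCPU now blocks in mutex_lock_killable() and can return -EINTR where it previously could not; the changelog calls the wait rare, but the new comment should state that -EINTR is now a possible result for every vCPU ioctl. Separately, the vCPU fd exposes file operations other than ioctl (the mmap of the vcpu run area, for one); if none of those consult vcpu_array or online_vcpus before this point, saying so in the changelog would settle whether they need the same gate.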
Date: Wed, 9 Oct 2024 08:04:53 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
Message-ID: <20241009150455.1057573-5-seanjc@google.com>
Subject: [PATCH 4/6] Revert "KVM: Fix vcpu_array[0] races"
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

Now that KVM loads from vcpu_array if and only if the target index is valid with respect to online_vcpus, i.e. now that it is safe to erase a not-fully-onlined vCPU entry, revert to storing into vcpu_array before success is guaranteed.

If xa_store() fails, which _should_ be impossible, then putting the vCPU's reference to 'struct kvm' results in a refcounting bug as the vCPU fd has been installed and owns the vCPU's reference.

This was found by inspection, but forcing the xa_store() to fail confirms the problem:

| Unable to handle kernel paging request at virtual address ffff800080ecd960
| Call trace:
|  _raw_spin_lock_irq+0x2c/0x70
|  kvm_irqfd_release+0x24/0xa0
|  kvm_vm_release+0x1c/0x38
|  __fput+0x88/0x2ec
|  ____fput+0x10/0x1c
|  task_work_run+0xb0/0xd4
|  do_exit+0x210/0x854
|  do_group_exit+0x70/0x98
|  get_signal+0x6b0/0x73c
|  do_signal+0xa4/0x11e8
|  do_notify_resume+0x60/0x12c
|  el0_svc+0x64/0x68
|  el0t_64_sync_handler+0x84/0xfc
|  el0t_64_sync+0x190/0x194
| Code: b9000909 d503201f 2a1f03e1 52800028 (88e17c08)

Practically speaking, this is a non-issue as xa_store() can't fail, absent a nasty kernel bug. But the code is visually jarring and technically broken.

This reverts commit afb2acb2e3a32e4d56f7fbd819769b98ed1b7520.

Cc: Paolo Bonzini
Cc: Michal Luczaj
Cc: Alexander Potapenko
Cc: Marc Zyngier
Reported-by: Will Deacon
Signed-off-by: Sean Christopherson
---
 virt/kvm/kvm_main.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index fca9f74e9544..f081839521ef 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4283,7 +4283,8 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id) } vcpu->vcpu_idx = atomic_read(&kvm->online_vcpus); - r = xa_reserve(&kvm->vcpu_array, vcpu->vcpu_idx, GFP_KERNEL_ACCOUNT); + r = xa_insert(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, GFP_KERNEL_ACCOUNT); + BUG_ON(r == -EBUSY); if (r) goto unlock_vcpu_destroy; @@ -4298,12 +4299,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id) kvm_get_kvm(kvm); r = create_vcpu_fd(vcpu); if (r < 0) - goto kvm_put_xa_release; - - if (KVM_BUG_ON(xa_store(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, 0), kvm)) { - r = -EINVAL; - goto kvm_put_xa_release; - } + goto kvm_put_xa_erase; /* * Pairs with smp_rmb() in kvm_get_vcpu. Store the vcpu 
@@ -4318,10 +4314,10 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id) kvm_create_vcpu_debugfs(vcpu); return r; -kvm_put_xa_release: +kvm_put_xa_erase: mutex_unlock(&vcpu->mutex); kvm_put_kvm_no_destroy(kvm); - xa_release(&kvm->vcpu_array, vcpu->vcpu_idx); + xa_erase(&kvm->vcpu_array, vcpu->vcpu_idx); unlock_vcpu_destroy: mutex_unlock(&kvm->lock); kvm_dirty_ring_free(&vcpu->dirty_ring);
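Review bot: `BUG_ON(r == -EBUSY)` in the first hunk takes down the whole host for a condition the very next line already handles gracefully (`if (r) goto unlock_vcpu_destroy;`), and the changelog itself argues the failure should be impossible; a WARN_ON_ONCE() that falls through to the existing error path gives the same diagnostic without killing every guest on the machine, and that is exactly what the next patch in the series does, so it may as well be folded in here.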
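Review bot: in the third hunk, the switch from xa_release() to xa_erase() under the renamed kvm_put_xa_erase label is correct, but this error path now removes an entry that a concurrent kvm_for_each_vcpu() walker or kvm_get_vcpu() caller could have seen between xa_insert() and here; the safety argument rests entirely on the online_vcpus checks added by patches 1 and 2 of this series, and a comment above xa_erase() stating that dependency would stop a future reorder or partial backport from reintroducing the vcpu_array[0] use-after-free the reverted commit was papering over. Note that only patch 1 carries Cc: stable; if this revert is ever backported, patch 2 has to travel with it.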
Date: Wed, 9 Oct 2024 08:04:54 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
Message-ID: <20241009150455.1057573-6-seanjc@google.com>
Subject: [PATCH 5/6] KVM: Don't BUG() the kernel if xa_insert() fails with -EBUSY
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

WARN once instead of triggering a BUG if xa_insert() fails because it encountered an existing entry. While KVM guarantees there should be no existing entry, there's no reason to BUG the kernel, as KVM needs to gracefully handle failure anyways.

Signed-off-by: Sean Christopherson
Reviewed-by: Pankaj Gupta
---
 virt/kvm/kvm_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index f081839521ef..ae216256ee9d 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4284,7 +4284,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id) vcpu->vcpu_idx = atomic_read(&kvm->online_vcpus); r = xa_insert(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, GFP_KERNEL_ACCOUNT); - BUG_ON(r == -EBUSY); + WARN_ON_ONCE(r == -EBUSY); if (r) goto unlock_vcpu_destroy;

From patchwork Wed Oct 9 15:04:55 2024
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 13828612
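Review bot: in the [PATCH 5/6] xa_insert() hunk above, replacing BUG_ON(r == -EBUSY) with WARN_ON_ONCE(r == -EBUSY) makes the `if (r) goto unlock_vcpu_destroy;` path reachable for the -EBUSY case, so please confirm that the cleanup behind `unlock_vcpu_destroy` does not xa_erase() or otherwise touch `kvm->vcpu_array` at `vcpu->vcpu_idx`: on -EBUSY that slot is occupied by a different, live vCPU (xa_insert() only returns -EBUSY for an existing entry, as the commit message notes), and tearing down the failing vCPU must not release the other vCPU's slot. It would also help to state in the commit message that `r` (-EBUSY) is propagated unchanged to the KVM_CREATE_VCPU caller, so the intended "graceful" behaviour is explicit, and that on hosts running with panic_on_warn the WARN still stops the kernel, so the graceful path is only exercised under the default configuration.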
Reply-To: Sean Christopherson
Date: Wed, 9 Oct 2024 08:04:55 -0700
In-Reply-To: <20241009150455.1057573-1-seanjc@google.com>
References: <20241009150455.1057573-1-seanjc@google.com>
X-Mailing-List: kvm@vger.kernel.org
X-Mailer: git-send-email 2.47.0.rc0.187.ge670bccf7e-goog
Message-ID: <20241009150455.1057573-7-seanjc@google.com>
Subject: [PATCH 6/6] KVM: Drop hack that "manually" informs lockdep of kvm->lock vs. vcpu->mutex
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Will Deacon, Michal Luczaj, Sean Christopherson, Alexander Potapenko, Marc Zyngier, Oliver Upton

Now that KVM takes vcpu->mutex inside kvm->lock when creating a vCPU,
drop the hack to manually inform lockdep of the kvm->lock => vcpu->mutex
ordering. This effectively reverts commit 42a90008f890 ("KVM: Ensure
lockdep knows about kvm->lock vs. vcpu->mutex ordering rule").

Cc: Oliver Upton
Signed-off-by: Sean Christopherson
---
 virt/kvm/kvm_main.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index ae216256ee9d..2dd3ff8764da 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4271,12 +4271,6 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id) mutex_lock(&kvm->lock); -#ifdef CONFIG_LOCKDEP - /* Ensure that lockdep knows vcpu->mutex is taken *inside* kvm->lock */ - mutex_lock(&vcpu->mutex); - mutex_unlock(&vcpu->mutex); -#endif - if (kvm_get_vcpu_by_id(kvm, id)) { r = -EEXIST; goto unlock_vcpu_destroy;
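Review bot: deleting the CONFIG_LOCKDEP lock/unlock pair in this hunk is only safe because the real mutex_lock(&vcpu->mutex) later in kvm_vm_ioctl_create_vcpu() is now taken while kvm->lock is held; the commit message says "Now that KVM takes vcpu->mutex inside kvm->lock when creating a vCPU" but does not name the patch in this series that introduced that ordering, so a reference to it would make the dependency auditable and tell a backporter that this revert cannot be taken on its own. One behavioural difference also deserves a sentence: the removed block taught lockdep the kvm->lock => vcpu->mutex rule on every KVM_CREATE_VCPU call, including ones that fail the kvm_get_vcpu_by_id() check with -EEXIST, whereas the remaining acquisition is only reached past that check. That is adequate, since a single successful creation records the rule, but it changes when lockdep first sees it.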
@@ -4293,7 +4287,8 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id) * so that userspace can't invoke vCPU ioctl()s until the vCPU is fully * visible (per online_vcpus), e.g. so that KVM doesn't get tricked * into a NULL-pointer dereference because KVM thinks the _current_ - * vCPU doesn't exist. + * vCPU doesn't exist. As a bonus, taking vcpu->mutex ensures lockdep + * knows it's taken *inside* kvm->lock. */ mutex_lock(&vcpu->mutex); kvm_get_kvm(kvm);
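Review bot: the comment sentence added in this hunk, "As a bonus, taking vcpu->mutex ensures lockdep knows it's taken *inside* kvm->lock", is now the only place in the function that records the ordering rule, since the explicit comment above the removed CONFIG_LOCKDEP block is gone. Consider wording it as a constraint rather than a bonus, e.g. "This is also what teaches lockdep the kvm->lock => vcpu->mutex ordering, so this mutex_lock() must stay inside kvm->lock." Otherwise a later change that moves this lock outside kvm->lock for the NULL-dereference reasoning above it would silently drop the lockdep coverage that commit 42a90008f890, which this patch reverts, was added to provide.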