From: sashiko-bot@kernel.org
To: "Bibo Mao" <maobibo@loongson.cn>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v6 4/6] LoongArch: KVM: Inject interrupt with batch method
Date: Thu, 11 Jun 2026 07:17:21 +0000	[thread overview]
Message-ID: <20260611071722.41BF31F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260611065815.1439154-5-maobibo@loongson.cn>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Uninitialized stack array `vector` is accessed conditionally in `dmsintc_inject_irq`, potentially leading to hardware state corruption.
--

commit 1bbf844f12dc29aa2ddec056c816e1245e63e5fb
Author: Bibo Mao <maobibo@loongson.cn>

    LoongArch: KVM: Inject interrupt with batch method

This commit converts interrupt injection and clearing to process multiple
interrupts simultaneously using a bitmask instead of one-by-one based on
priorities. It also removes the unused priority_to_irq array.

> diff --git a/arch/loongarch/kvm/interrupt.c b/arch/loongarch/kvm/interrupt.c
> index 48dd56aa4dc56..c1afeb058c5b3 100644
> --- a/arch/loongarch/kvm/interrupt.c
> +++ b/arch/loongarch/kvm/interrupt.c
[ ... ]
> -static int kvm_irq_deliver(struct kvm_vcpu *vcpu, unsigned int priority)
> +static void kvm_irq_deliver(struct kvm_vcpu *vcpu, unsigned long mask)
>  {
> -	unsigned int irq = 0;
> +	unsigned long irq;
>  	unsigned long old, new;
>  
> -	clear_bit(priority, &vcpu->arch.irq_pending);
> -	if (priority < EXCCODE_INT_NUM)
> -		irq = priority_to_irq[priority];
> -
> -	switch (priority) {
> -	case INT_AVEC:
> -		dmsintc_inject_irq(vcpu);
> -		fallthrough;
> -	case INT_TI:
> -	case INT_IPI:
> -	case INT_SWI0:
> -	case INT_SWI1:
> +	irq = mask & KVM_ESTAT_INTI_MASK;
> +	if (irq) {
> +		if (irq & CPU_AVEC)
> +			dmsintc_inject_irq(vcpu);

[Severity: High]
This is a pre-existing issue, but does dmsintc_inject_irq() use an
uninitialized stack array?

Looking at dmsintc_inject_irq() in arch/loongarch/kvm/intc/dmsintc.c, the
array vector is declared without initialization:

arch/loongarch/kvm/intc/dmsintc.c:dmsintc_inject_irq() {
	unsigned int i;
	unsigned long vector[4], old;
	...
	for (i = 0; i < 4; i++) {
		old = atomic64_read(&(ds->vector_map[i]));
		if (old)
			vector[i] = atomic64_xchg(&(ds->vector_map[i]), 0);
	}

If old is zero, vector[i] is left uninitialized. Then later the
uninitialized memory is evaluated:

	if (vector[0]) {
		old = kvm_read_hw_gcsr(LOONGARCH_CSR_ISR0);
		kvm_write_hw_gcsr(LOONGARCH_CSR_ISR0, vector[0] | old);
	}
	...

Can this unpredictably corrupt the guest's interrupt state machine and
potentially cause guest kernel panics by writing garbage values to the
hardware CSR?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260611065815.1439154-1-maobibo@loongson.cn?part=4
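As an added illustration that is not part of the patch, the kernel tree, or the review above, the C11 model below reproduces the shape of the quoted drain loop (read a pending word, exchange it to zero only when it is non-zero, then OR the drained vector into the interrupt-status word) with the single change that makes the conditional write safe: `vector[]` is zero-initialised, so a word whose map value was zero reads as "nothing pending" instead of as stale stack contents. `struct fake_dmsintc`, `inject_pending`, `check_all_idle` and `check_partial_pending` are constructed stand-ins; the `isr` array models the ISR CSRs that `kvm_write_hw_gcsr` would update, and the sample pending values are made up.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the per-device pending-vector words that the quoted
 * dmsintc_inject_irq() drains. Not the kernel's structure. */
#define NR_VECTOR_WORDS 4

struct fake_dmsintc {
    _Atomic uint64_t vector_map[NR_VECTOR_WORDS];
};

/*
 * Drain pending vectors into vector[] and merge them into the modelled ISR
 * words. Keeps the original shape (read, then exchange only when non-zero,
 * which spares an atomic RMW on idle words) but zero-initialises vector[]
 * so a word whose map value was zero is seen as "nothing pending" rather
 * than as whatever happened to be on the stack. Returns the number of words
 * that carried pending vectors.
 */
static int inject_pending(struct fake_dmsintc *ds, uint64_t isr[NR_VECTOR_WORDS])
{
    uint64_t vector[NR_VECTOR_WORDS] = { 0 };   /* the fix: no indeterminate slots */
    uint64_t old;
    int pending = 0;

    for (int i = 0; i < NR_VECTOR_WORDS; i++) {
        old = atomic_load(&ds->vector_map[i]);
        if (old)
            vector[i] = atomic_exchange(&ds->vector_map[i], 0);
    }

    for (int i = 0; i < NR_VECTOR_WORDS; i++) {
        if (vector[i]) {             /* safe: every slot has a defined value */
            isr[i] |= vector[i];     /* models kvm_write_hw_gcsr(ISRn, vector | old) */
            pending++;
        }
    }
    return pending;
}

/* Scenario 1: all map words idle. The ISR must not change at all; with an
 * uninitialised vector[] this is exactly the case that reads garbage.
 * Returns 0 on success, otherwise the number of checks that failed. */
static int check_all_idle(void)
{
    struct fake_dmsintc ds;
    uint64_t isr[NR_VECTOR_WORDS] = { 0x1, 0, 0x40, 0 };  /* constructed prior state */
    int bad = 0;

    for (int i = 0; i < NR_VECTOR_WORDS; i++)
        atomic_store(&ds.vector_map[i], 0);

    if (inject_pending(&ds, isr) != 0)
        bad++;
    if (isr[0] != 0x1 || isr[1] != 0 || isr[2] != 0x40 || isr[3] != 0)
        bad++;
    return bad;
}

/* Scenario 2: two words pending. They must be ORed into the matching ISR
 * words, the map words consumed, and the idle words left alone.
 * Returns 0 on success, otherwise the number of checks that failed. */
static int check_partial_pending(void)
{
    struct fake_dmsintc ds;
    uint64_t isr[NR_VECTOR_WORDS] = { 0x1, 0, 0, 0 };    /* constructed prior state */
    int bad = 0;

    atomic_store(&ds.vector_map[0], 0);
    atomic_store(&ds.vector_map[1], 0x10);
    atomic_store(&ds.vector_map[2], 0);
    atomic_store(&ds.vector_map[3], UINT64_C(1) << 63);

    if (inject_pending(&ds, isr) != 2)
        bad++;
    if (isr[0] != 0x1 || isr[1] != 0x10 || isr[2] != 0 || isr[3] != (UINT64_C(1) << 63))
        bad++;
    for (int i = 0; i < NR_VECTOR_WORDS; i++)
        if (atomic_load(&ds.vector_map[i]) != 0)
            bad++;
    return bad;
}

int main(void)
{
    printf("all idle: %s\n", check_all_idle() == 0 ? "ok" : "FAIL");
    printf("partial pending: %s\n", check_partial_pending() == 0 ? "ok" : "FAIL");
    return 0;
}
```

The `= { 0 }` initialiser is the smallest change that closes the hole while keeping the `if (old)` fast path; the alternative of exchanging every word unconditionally is equally correct but performs an atomic RMW on idle words, which the original loop was evidently written to avoid.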
