From: sashiko-bot@kernel.org
To: leixiang <leixiang@kylinos.cn>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH] KVM: Nullify irqfd->producer when add_producer() fails
Date: Mon, 22 Jun 2026 08:08:26 +0000 [thread overview]
Message-ID: <20260622080826.EB3431F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260622075103.35164-1-leixiang@kylinos.cn>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] ARM64 completely omits setting `irqfd->producer = prod` in `kvm_arch_irq_bypass_add_producer()`, which breaks vLPI routing updates and renders its `kvm_arch_update_irqfd_routing()` hook dead code.
--
commit 52f3fa02a57237a69e9a84a214e25fb38e380184
Author: leixiang <leixiang@kylinos.cn>
KVM: Nullify irqfd->producer when add_producer() fails
The commit fixes an issue in x86 and powerpc where irqfd->producer is
left dangling after a failed add_producer() setup. It nullifies the
pointer in the error paths to prevent a use-after-free when the vector
is later disabled and routing updates occur.
> diff --git a/arch/x86/kvm/irq.c b/arch/x86/kvm/irq.c
> index 9519fec09ee6f..c5c2f778c6692 100644
> --- a/arch/x86/kvm/irq.c
> +++ b/arch/x86/kvm/irq.c
> @@ -488,8 +488,10 @@ int kvm_arch_irq_bypass_add_producer(struct irq_bypass_consumer *cons,
>
> if (irqfd->irq_entry.type == KVM_IRQ_ROUTING_MSI) {
> ret = kvm_pi_update_irte(irqfd, &irqfd->irq_entry);
> - if (ret)
> + if (ret) {
> kvm->arch.nr_possible_bypass_irqs--;
> + irqfd->producer = NULL;
> + }
> }
> spin_unlock_irq(&kvm->irqfds.lock);
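Review bot: the new `irqfd->producer = NULL;` sits inside the `kvm->irqfds.lock` critical section (the `spin_unlock_irq` follows the block), so the routing-update path cannot observe the pointer half-cleared, and it is paired with the existing `nr_possible_bypass_irqs--` so the error path now undoes both halves of the setup; that is the right shape. Two things to check: the commit message also claims the powerpc add_producer() error path is fixed, but only this x86 hunk is quoted here, so the powerpc hunk should mirror this exact clear next to its own cleanup; and a one-line comment above `irqfd->producer = NULL;` saying that nothing else resets the pointer after a failed add and that the later routing update dereferences it would spare the next reader a trip through the commit history.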
[Severity: High]
This isn't a bug introduced by this patch, but ARM64 suffers from a related
omission where it never initializes irqfd->producer.
Because irqfd->producer is unconditionally NULL on ARM64, the core KVM eventfd
logic silently skips calling the ARM64 hook kvm_arch_update_irqfd_routing(),
rendering it dead code:
arch/arm64/kvm/arm.c:kvm_arch_irq_bypass_add_producer() {
	...
	if (irq_entry->type != KVM_IRQ_ROUTING_MSI)
		return 0;
	return kvm_vgic_v4_set_forwarding(irqfd->kvm, prod->irq,
					  &irqfd->irq_entry);
}
Should irqfd->producer be initialized in kvm_arch_irq_bypass_add_producer()
for ARM64? Any future patch to fix this missing assignment on ARM64 will
immediately require the exact same error-path cleanup (irqfd->producer = NULL)
that this patch implements for x86 and PowerPC.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260622075103.35164-1-leixiang@kylinos.cn?part=1
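As an added illustration (not code from the patch, from the kernel, or from the Sashiko review), the following C model reproduces the two behaviours discussed in this thread: the pre-patch x86 error path that leaves `irqfd->producer` pointing at a producer the caller has since torn down, the patched error path that clears it, and the ARM64-style add path that never assigns the pointer, so the routing-update hook is never reached. Every identifier prefixed `model_`, the `ROUTING_MSI` constant and the negative-IRQ failure rule are assumptions made for this example; the real KVM and irq_bypass APIs are not used.

```c
#include <stdbool.h>
#include <stddef.h>

/* All names below are assumed for illustration; this is not kernel code. */

#define ROUTING_MSI 1

struct model_producer {
	int irq;
	bool registered;	/* false once the caller has torn the producer down */
};

struct model_irqfd {
	struct model_producer *producer;
	int irq_entry_type;
	int nr_possible_bypass_irqs;	/* stands in for kvm->arch.nr_possible_bypass_irqs */
};

/* Stand-in for the IRTE update: fails for a negative interrupt number. */
static int model_update_irte(int irq)
{
	return irq < 0 ? -1 : 0;
}

/*
 * Stand-in for the x86 add_producer() path. With clear_on_fail == false it
 * reproduces the pre-patch behaviour (producer left set after a failed IRTE
 * update); with clear_on_fail == true it mirrors the patch's error path.
 */
static int model_add_producer(struct model_irqfd *irqfd,
			      struct model_producer *prod, bool clear_on_fail)
{
	int ret = 0;

	irqfd->producer = prod;
	irqfd->nr_possible_bypass_irqs++;
	if (irqfd->irq_entry_type == ROUTING_MSI) {
		ret = model_update_irte(prod->irq);
		if (ret) {
			irqfd->nr_possible_bypass_irqs--;
			if (clear_on_fail)
				irqfd->producer = NULL;
		}
	}
	return ret;
}

/* Stand-in for the ARM64 path the review describes: producer is never set. */
static int model_add_producer_no_assign(struct model_irqfd *irqfd,
					struct model_producer *prod)
{
	if (irqfd->irq_entry_type != ROUTING_MSI)
		return 0;
	return model_update_irte(prod->irq);
}

/*
 * Stand-in for the core routing-update path: the arch hook runs only when a
 * producer is attached. Returns 1 when the hook would run on a live producer,
 * 0 when it is skipped, and -1 when it would dereference a producer that has
 * already been torn down (the use-after-free the patch prevents).
 */
static int model_update_routing(const struct model_irqfd *irqfd)
{
	if (!irqfd->producer)
		return 0;
	if (!irqfd->producer->registered)
		return -1;
	return 1;
}

/*
 * One failed add_producer(), the caller tearing the producer down, then a
 * routing update. Returns model_update_routing()'s verdict (2 = bad input).
 */
static int model_failed_add_then_update(bool clear_on_fail)
{
	struct model_producer prod = { .irq = -1, .registered = true };
	struct model_irqfd irqfd = { .producer = NULL,
				     .irq_entry_type = ROUTING_MSI,
				     .nr_possible_bypass_irqs = 0 };

	if (model_add_producer(&irqfd, &prod, clear_on_fail) == 0)
		return 2;	/* the constructed producer is meant to fail */
	prod.registered = false;	/* caller gives up on the producer */
	return model_update_routing(&irqfd);
}

/* Successful add on the no-assign path: the hook is never reached. */
static int model_no_assign_then_update(void)
{
	struct model_producer prod = { .irq = 5, .registered = true };
	struct model_irqfd irqfd = { .producer = NULL,
				     .irq_entry_type = ROUTING_MSI,
				     .nr_possible_bypass_irqs = 0 };

	if (model_add_producer_no_assign(&irqfd, &prod) != 0)
		return 2;
	return model_update_routing(&irqfd);
}
```

Running the pre-patch variant returns -1 (the update path would touch a torn-down producer), the patched variant returns 0 (the update path sees no producer and skips the hook), and the no-assign variant returns 0 even though the add succeeded, which is exactly the dead-hook situation the review points out for ARM64.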
Thread overview: 3+ messages
2026-06-22 7:51 [PATCH] KVM: Nullify irqfd->producer when add_producer() fails leixiang
2026-06-22 8:08 ` sashiko-bot [this message]