Re: [PATCH 4/6] Revert "KVM: Fix vcpu_array[0] races"

[Sean Christopherson <seanjc@google.com>]

On Sun, Oct 20, 2024, Paolo Bonzini wrote:
> On 10/10/24 19:48, Sean Christopherson wrote:
> > On Thu, Oct 10, 2024, Paolo Bonzini wrote:

...

> > > > @@ -4298,12 +4299,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
> > > >    	kvm_get_kvm(kvm);
> > > >    	r = create_vcpu_fd(vcpu);
> > > >    	if (r < 0)
> > > > -		goto kvm_put_xa_release;
> > > > -
> > > > -	if (KVM_BUG_ON(xa_store(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, 0), kvm)) {
> > > > -		r = -EINVAL;
> > > > -		goto kvm_put_xa_release;
> > > > -	}
> > > > +		goto kvm_put_xa_erase;
> > > 
> > > I also find it a bit jarring though that we have to undo the insertion. This
> > > is a chicken-and-egg situation where you are pick one operation B that will
> > > have to undo operation A if it fails.  But what xa_store is doing, is
> > > breaking this deadlock.
> > > 
> > > The code is a bit longer, sure, but I don't see the point in complicating
> > > the vcpu_array invariants and letting an entry disappear.
> > 
> > But we only need one rule: vcpu_array[x] is valid if and only if 'x' is less than
> > online_vcpus.  And that rule is necessary regardless of whether or not vcpu_array[x]
> > is filled before success is guaranteed.
> 
> Even if the invariant is explainable I still find xa_erase to be uglier than
> xa_release, but maybe it's just me.

It's uglier, but has the distinct advantage of not being broken :-D

And while uglier, IMO there's value in having a way for fuzzers to test KVM's
online_vcpus logic.  As evidenced by patches 1-3, accessing vcpu_array[] without
first checking online_vcpus is dangerous regardless of how vcpu_array[] is populated.

Allowing fuzzers to trigger removal vcpu_array[] in KASAN kernels provides meaningful
coverage for that code (see Michal's original bug report).   While well-intentioned,
Michal's change in afb2acb2e3a3 simply blamed the wrong code.  Denying ourselves that
coverage and carrying flawed code just because the correct code isn't the prettiest
doesn't seem like a good tradeoff.

> The reason I'm not fully convinced by the explanation is that...
> 
> > I'm not concerned about the code length, it's that we need to do _something_ if
> > xa_store() fails.  Yeah, it should never happen, but knowingly doing nothing feels
> > all kinds of wrong.
> 
> ... it seems to me that this is not just an issue in KVM code; it should
> apply to other uses of xa_reserve()/xa_store() as well.  If xa_store() fails
> after xa_reserve(), you're pretty much using the xarray API incorrectly...
> and then, just make it a BUG()?  I know that BUG() is frowned upon, but if
> the API causes invalid memory accesses when used incorrectly, one might as
> well fail as early as possible and before the invalid memory access becomes
> exploitable.
> 
> > I don't like BUG(), because it's obviously very doable to
> > gracefully handle failure.	
> 
> Yes, you can by using a different API.  But the point is that in the
> reserve/store case the insert failure becomes a reserve failure, never a
> store failure.
> 
> Maybe there should be an xa_store_reserved() that BUGs on failure, I don't
> know.

I agree a version of xa_store() that guarantees success would be nice to have,
but I'm not exactly eager to potentially start a fight Willy *and* Linus :-)