Re: [PATCH] irqchip/gic-v4: Don't allow a VMOVP on a dying VPE

[Zenghui Yu <yuzenghui@huawei.com>]

Hi Marc,

On 2024/10/3 4:49, Marc Zyngier wrote:
> Kunkun Jiang reports that there is a small window of opportunity for
> userspace to force a change of affinity for a VPE while the VPE has
> already been unmapped, but the corresponding doorbell interrupt still
> visible in /proc/irq/.
> 
> Plug the race by checking the value of vmapp_count, which tracks whether
> the VPE is mapped ot not, and returning an error in this case.
> 
> This involves making vmapp_count common to both GICv4.1 and its v4.0
> ancestor.
> 
> Reported-by: Kunkun Jiang <jiangkunkun@huawei.com>
> Signed-off-by: Marc Zyngier <maz@kernel.org>
> Link: https://lore.kernel.org/r/c182ece6-2ba0-ce4f-3404-dba7a3ab6c52@huawei.com
> ---
>  drivers/irqchip/irq-gic-v3-its.c   | 18 ++++++++++++------
>  include/linux/irqchip/arm-gic-v4.h |  4 +++-
>  2 files changed, 15 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
> index fdec478ba5e7..ab597e74ba08 100644
> --- a/drivers/irqchip/irq-gic-v3-its.c
> +++ b/drivers/irqchip/irq-gic-v3-its.c
> @@ -797,8 +797,8 @@ static struct its_vpe *its_build_vmapp_cmd(struct its_node *its,
>  	its_encode_valid(cmd, desc->its_vmapp_cmd.valid);
>  
>  	if (!desc->its_vmapp_cmd.valid) {
> +		alloc = !atomic_dec_return(&desc->its_vmapp_cmd.vpe->vmapp_count);
>  		if (is_v4_1(its)) {
> -			alloc = !atomic_dec_return(&desc->its_vmapp_cmd.vpe->vmapp_count);
>  			its_encode_alloc(cmd, alloc);
>  			/*
>  			 * Unmapping a VPE is self-synchronizing on GICv4.1,
> @@ -817,13 +817,13 @@ static struct its_vpe *its_build_vmapp_cmd(struct its_node *its,
>  	its_encode_vpt_addr(cmd, vpt_addr);
>  	its_encode_vpt_size(cmd, LPI_NRBITS - 1);
>  
> +	alloc = !atomic_fetch_inc(&desc->its_vmapp_cmd.vpe->vmapp_count);
> +
>  	if (!is_v4_1(its))
>  		goto out;
>  
>  	vconf_addr = virt_to_phys(page_address(desc->its_vmapp_cmd.vpe->its_vm->vprop_page));
>  
> -	alloc = !atomic_fetch_inc(&desc->its_vmapp_cmd.vpe->vmapp_count);
> -
>  	its_encode_alloc(cmd, alloc);
>  
>  	/*
> @@ -3806,6 +3806,13 @@ static int its_vpe_set_affinity(struct irq_data *d,
>  	struct cpumask *table_mask;
>  	unsigned long flags;
>  
> +	/*
> +	 * Check if we're racing against a VPE being destroyed, for
> +	 * which we don't want to allow a VMOVP.
> +	 */
> +	if (!atomic_read(&vpe->vmapp_count))
> +		return -EINVAL;

We lazily map the vPE so that vmapp_count is likely to be 0 on GICv4.0
implementations with the ITSList feature. Seems that that implementation
is not affected by the reported race and we don't need to check
vmapp_count for that.

Testing rc4 on my 920 server triggers the WARN_ON() in vgic_v3_load().

void vgic_v3_load(struct kvm_vcpu *vcpu)
{
	WARN_ON(vgic_v4_load(vcpu));

Thanks,
Zenghui