From: Will Deacon <will@kernel.org>
To: kvm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Will Deacon <will@kernel.org>,
	Paolo Bonzini <pbonzini@redhat.com>, Michal Luczaj <mhal@rbox.co>,
	Alexander Potapenko <glider@google.com>,
	Marc Zyngier <maz@kernel.org>
Subject: [PATCH] KVM: Fix error path in kvm_vm_ioctl_create_vcpu() on xa_store() failure
Date: Tue, 30 Jul 2024 16:56:46 +0100	[thread overview]
Message-ID: <20240730155646.1687-1-will@kernel.org> (raw)

If the xa_store() fails in kvm_vm_ioctl_create_vcpu() then we shouldn't
drop the reference to the 'struct kvm' because the vCPU fd has been
installed and will take care of the refcounting.

This was found by inspection, but forcing the xa_store() to fail
confirms the problem:

 | Unable to handle kernel paging request at virtual address ffff800080ecd960
 | Call trace:
 |  _raw_spin_lock_irq+0x2c/0x70
 |  kvm_irqfd_release+0x24/0xa0
 |  kvm_vm_release+0x1c/0x38
 |  __fput+0x88/0x2ec
 |  ____fput+0x10/0x1c
 |  task_work_run+0xb0/0xd4
 |  do_exit+0x210/0x854
 |  do_group_exit+0x70/0x98
 |  get_signal+0x6b0/0x73c
 |  do_signal+0xa4/0x11e8
 |  do_notify_resume+0x60/0x12c
 |  el0_svc+0x64/0x68
 |  el0t_64_sync_handler+0x84/0xfc
 |  el0t_64_sync+0x190/0x194
 | Code: b9000909 d503201f 2a1f03e1 52800028 (88e17c08)

Add a new label to the error path so that we can branch directly to the
xa_release() if the xa_store() fails.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Michal Luczaj <mhal@rbox.co>
Cc: Alexander Potapenko <glider@google.com>
Cc: Marc Zyngier <maz@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
---
 virt/kvm/kvm_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index d0788d0a72cc..b80dd8cead8c 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4293,7 +4293,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
 
 	if (KVM_BUG_ON(xa_store(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, 0), kvm)) {
 		r = -EINVAL;
-		goto kvm_put_xa_release;
+		goto err_xa_release;
 	}
 
 	/*
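Review bot: with the vCPU fd already installed at this point (as the commit message states), jumping to err_xa_release still falls through to unlock_vcpu_destroy, and that label name suggests the vCPU itself is torn down even though userspace can now reach it through the fd; it is worth confirming that the remainder of that error path does not free a vCPU that a live fd still references, or alternatively that the xa_store() should happen before the fd is created so a failure here never has a visible fd to worry about.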
@@ -4310,6 +4310,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
 
 kvm_put_xa_release:
 	kvm_put_kvm_no_destroy(kvm);
+err_xa_release:
 	xa_release(&kvm->vcpu_array, vcpu->vcpu_idx);
 unlock_vcpu_destroy:
 	mutex_unlock(&kvm->lock);
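Review bot: the new err_xa_release label breaks the existing naming convention in this function, where labels such as kvm_put_xa_release and unlock_vcpu_destroy describe the cleanup actions performed from that point; naming it xa_release would match. A one-line comment above the label explaining why the 'struct kvm' reference is deliberately not dropped on this path (the installed fd now owns it) would also save the next reader from reintroducing the kvm_put_kvm_no_destroy() call.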
-- 
2.46.0.rc1.232.g9752f9e123-goog

