* [PATCH] KVM: Nullify irqfd->producer when add_producer() fails
@ 2026-06-22 7:51 leixiang
2026-06-22 8:08 ` sashiko-bot
0 siblings, 1 reply; 3+ messages in thread
From: leixiang @ 2026-06-22 7:51 UTC (permalink / raw)
Cc: leixiang, stable, Madhavan Srinivasan, Nicholas Piggin,
Michael Ellerman, Christophe Leroy (CS GROUP),
Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Dave Hansen, x86, H. Peter Anvin, Paul Mackerras,
Suresh Warrier, linuxppc-dev, kvm, linux-kernel
The x86 and powerpc add_producer() callbacks set irqfd->producer before the
fallible setup and never clear it on error. The bypass manager doesn't
register a producer whose add_producer() failed -- producer->eventfd is
left NULL, so the later unregister early-returns and del_producer() is
never called -- so nothing ever drops the pointer.
For VFIO PCI the producer is embedded in struct vfio_pci_irq_ctx and freed
when the vector is disabled, after which a routing update dereferences the
dangling pointer via kvm_arch_update_irqfd_routing().
Nullify irqfd->producer on the error paths.
Fixes: 77e1b8332d1d ("KVM: x86: Decouple device assignment from IRQ bypass")
Fixes: c57875f5f9be ("KVM: PPC: Book3S HV: Enable IRQ bypass")
Cc: stable@vger.kernel.org
Signed-off-by: leixiang <leixiang@kylinos.cn>
---
arch/powerpc/kvm/book3s_hv.c | 4 +++-
arch/x86/kvm/irq.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
index 61dbeea317f3..14919b76fb32 100644
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -6114,9 +6114,11 @@ static int kvmppc_irq_bypass_add_producer_hv(struct irq_bypass_consumer *cons,
irqfd->producer = prod;
ret = kvmppc_set_passthru_irq(irqfd->kvm, prod->irq, irqfd->gsi);
- if (ret)
+ if (ret) {
pr_info("kvmppc_set_passthru_irq (irq %d, gsi %d) fails: %d\n",
prod->irq, irqfd->gsi, ret);
+ irqfd->producer = NULL;
+ }
return ret;
}
diff --git a/arch/x86/kvm/irq.c b/arch/x86/kvm/irq.c
index 8c62c6d4d5c1..cb8ac4b9b0d7 100644
--- a/arch/x86/kvm/irq.c
+++ b/arch/x86/kvm/irq.c
@@ -488,8 +488,10 @@ int kvm_arch_irq_bypass_add_producer(struct irq_bypass_consumer *cons,
if (irqfd->irq_entry.type == KVM_IRQ_ROUTING_MSI) {
ret = kvm_pi_update_irte(irqfd, &irqfd->irq_entry);
- if (ret)
+ if (ret) {
kvm->arch.nr_possible_bypass_irqs--;
+ irqfd->producer = NULL;
+ }
}
spin_unlock_irq(&kvm->irqfds.lock);
--
2.45.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] KVM: Nullify irqfd->producer when add_producer() fails
2026-06-22 7:51 [PATCH] KVM: Nullify irqfd->producer when add_producer() fails leixiang
@ 2026-06-22 8:08 ` sashiko-bot
0 siblings, 0 replies; 3+ messages in thread
From: sashiko-bot @ 2026-06-22 8:08 UTC (permalink / raw)
To: leixiang; +Cc: kvm
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] ARM64 completely omits setting `irqfd->producer = prod` in `kvm_arch_irq_bypass_add_producer()`, which breaks vLPI routing updates and renders its `kvm_arch_update_irqfd_routing()` hook dead code.
--
commit 52f3fa02a57237a69e9a84a214e25fb38e380184
Author: leixiang <leixiang@kylinos.cn>
KVM: Nullify irqfd->producer when add_producer() fails
The commit fixes an issue in x86 and powerpc where irqfd->producer is
left dangling after a failed add_producer() setup. It nullifies the
pointer in the error paths to prevent a use-after-free when the vector
is later disabled and routing updates occur.
> diff --git a/arch/x86/kvm/irq.c b/arch/x86/kvm/irq.c
> index 9519fec09ee6f..c5c2f778c6692 100644
> --- a/arch/x86/kvm/irq.c
> +++ b/arch/x86/kvm/irq.c
> @@ -488,8 +488,10 @@ int kvm_arch_irq_bypass_add_producer(struct irq_bypass_consumer *cons,
>
> if (irqfd->irq_entry.type == KVM_IRQ_ROUTING_MSI) {
> ret = kvm_pi_update_irte(irqfd, &irqfd->irq_entry);
> - if (ret)
> + if (ret) {
> kvm->arch.nr_possible_bypass_irqs--;
> + irqfd->producer = NULL;
> + }
> }
> spin_unlock_irq(&kvm->irqfds.lock);
[Severity: High]
This isn't a bug introduced by this patch, but ARM64 suffers from a related
omission where it never initializes irqfd->producer.
Because irqfd->producer is unconditionally NULL on ARM64, the core KVM eventfd
logic silently skips calling the ARM64 hook kvm_arch_update_irqfd_routing(),
rendering it dead code:
arch/arm64/kvm/arm.c:kvm_arch_irq_bypass_add_producer() {
...
if (irq_entry->type != KVM_IRQ_ROUTING_MSI)
return 0;
return kvm_vgic_v4_set_forwarding(irqfd->kvm, prod->irq,
&irqfd->irq_entry);
}
Should irqfd->producer be initialized in kvm_arch_irq_bypass_add_producer()
for ARM64? Any future patch to fix this missing assignment on ARM64 will
immediately require the exact same error-path cleanup (irqfd->producer = NULL)
that this patch implements for x86 and PowerPC.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260622075103.35164-1-leixiang@kylinos.cn?part=1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH] KVM: Nullify irqfd->producer when add_producer() fails
@ 2026-06-22 7:51 leixiang
0 siblings, 0 replies; 3+ messages in thread
From: leixiang @ 2026-06-22 7:51 UTC (permalink / raw)
Cc: leixiang, stable, Madhavan Srinivasan, Nicholas Piggin,
Michael Ellerman, Christophe Leroy (CS GROUP),
Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Dave Hansen, x86, H. Peter Anvin, Paul Mackerras,
Suresh Warrier, linuxppc-dev, kvm, linux-kernel
The x86 and powerpc add_producer() callbacks set irqfd->producer before the
fallible setup and never clear it on error. The bypass manager doesn't
register a producer whose add_producer() failed -- producer->eventfd is
left NULL, so the later unregister early-returns and del_producer() is
never called -- so nothing ever drops the pointer.
For VFIO PCI the producer is embedded in struct vfio_pci_irq_ctx and freed
when the vector is disabled, after which a routing update dereferences the
dangling pointer via kvm_arch_update_irqfd_routing().
Nullify irqfd->producer on the error paths.
Fixes: 77e1b8332d1d ("KVM: x86: Decouple device assignment from IRQ bypass")
Fixes: c57875f5f9be ("KVM: PPC: Book3S HV: Enable IRQ bypass")
Cc: stable@vger.kernel.org
Signed-off-by: leixiang <leixiang@kylinos.cn>
---
arch/powerpc/kvm/book3s_hv.c | 4 +++-
arch/x86/kvm/irq.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
index 61dbeea317f3..14919b76fb32 100644
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -6114,9 +6114,11 @@ static int kvmppc_irq_bypass_add_producer_hv(struct irq_bypass_consumer *cons,
irqfd->producer = prod;
ret = kvmppc_set_passthru_irq(irqfd->kvm, prod->irq, irqfd->gsi);
- if (ret)
+ if (ret) {
pr_info("kvmppc_set_passthru_irq (irq %d, gsi %d) fails: %d\n",
prod->irq, irqfd->gsi, ret);
+ irqfd->producer = NULL;
+ }
return ret;
}
diff --git a/arch/x86/kvm/irq.c b/arch/x86/kvm/irq.c
index 8c62c6d4d5c1..cb8ac4b9b0d7 100644
--- a/arch/x86/kvm/irq.c
+++ b/arch/x86/kvm/irq.c
@@ -488,8 +488,10 @@ int kvm_arch_irq_bypass_add_producer(struct irq_bypass_consumer *cons,
if (irqfd->irq_entry.type == KVM_IRQ_ROUTING_MSI) {
ret = kvm_pi_update_irte(irqfd, &irqfd->irq_entry);
- if (ret)
+ if (ret) {
kvm->arch.nr_possible_bypass_irqs--;
+ irqfd->producer = NULL;
+ }
}
spin_unlock_irq(&kvm->irqfds.lock);
--
2.45.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-22 9:04 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-22 7:51 [PATCH] KVM: Nullify irqfd->producer when add_producer() fails leixiang
2026-06-22 8:08 ` sashiko-bot
-- strict thread matches above, loose matches on Subject: below --
2026-06-22 7:51 leixiang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox