From: Avi Kivity
Subject: Re: [patch 2/2] KVM: fix kvm_vcpu_kick vs __vcpu_run race
Date: Fri, 11 Apr 2008 15:18:19 +0300
Message-ID: <47FF570B.2010708@qumranet.com>
References: <20080410201254.316224847@localhost.localdomain> <20080410201402.446470629@localhost.localdomain>
In-Reply-To: <20080410201402.446470629@localhost.localdomain>
To: Marcelo Tosatti
Cc: kvm-devel@lists.sourceforge.net

Marcelo Tosatti wrote:
> There is a window open between testing of pending IRQ's
> and assignment of guest_mode in __vcpu_run.
>
> Injection of IRQ's can race with __vcpu_run as follows:
>
> CPU0                              CPU1
> kvm_x86_ops->run()
> vcpu->guest_mode = 0              SET_IRQ_LINE ioctl
> ..
> kvm_x86_ops->inject_pending_irq
> kvm_cpu_has_interrupt()
>                                   apic_test_and_set_irr()
>                                   kvm_vcpu_kick
>                                   if (vcpu->guest_mode)
>                                           send_ipi()
>
> vcpu->guest_mode = 1
>
> So move guest_mode=1 assignment before ->inject_pending_irq, and make
> sure that it won't reorder after it.
>
> @@ -3944,11 +3950,12 @@ static void vcpu_kick_intr(void *info)
>  void kvm_vcpu_kick(struct kvm_vcpu *vcpu)
>  {
>  	int ipi_pcpu = vcpu->cpu;
> +	int cpu = smp_processor_id();
>  
>  	if (waitqueue_active(&vcpu->wq)) {
>  		wake_up_interruptible(&vcpu->wq);
>  		++vcpu->stat.halt_wakeup;
>  	}
> -	if (vcpu->guest_mode)
> +	if (vcpu->guest_mode && vcpu->cpu != cpu)
>  		smp_call_function_single(ipi_pcpu, vcpu_kick_intr, vcpu, 0, 0);
>  }
>

kvm_vcpu_kick() can be called from nonatomic contexts, so the vcpu->cpu == cpu check is dangerous (and will warn on preemptible kernels, no?)

-- 
Any sufficiently difficult bug is indistinguishable from a feature.
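Review bot: the added `int cpu = smp_processor_id();` at the top of kvm_vcpu_kick() is the problem in this hunk: the function is reached from the SET_IRQ_LINE ioctl path shown in the race diagram, which is not atomic, so with CONFIG_DEBUG_PREEMPT the call warns, and the value can be stale if the task migrates before the `vcpu->guest_mode && vcpu->cpu != cpu` test runs, so the "skip the IPI when already on that cpu" shortcut can skip an IPI that was needed. Suggest `int cpu = get_cpu();` with a matching `put_cpu()` after the smp_call_function_single() call, so preemption is off across both the comparison and the IPI, and compare against `ipi_pcpu` (already read from vcpu->cpu at entry) instead of re-reading `vcpu->cpu`, so the value tested is the same one used as the IPI target.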
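The ordering requirement in Marcelo's description (publish guest_mode before testing for pending interrupts, and keep the two from reordering) as an added example, not code from the patch or from KVM: a constructed two-thread model in C11 atomics, in which the seq_cst fences play the role of the barrier the patch relies on. The names struct vcpu_model, race_once and count_lost_wakeups are chosen for this example only.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the kick/run handshake (example code, not KVM's).
 * guest_mode and irr stand in for vcpu->guest_mode and the APIC IRR bit;
 * kicked stands in for the IPI that kvm_vcpu_kick would send.
 */
struct vcpu_model {
    atomic_int guest_mode;
    atomic_int irr;
    atomic_int kicked;
    atomic_int start;        /* release gate so both threads race in earnest */
    bool saw_irr;            /* result recorded by the vcpu thread */
    bool sent_kick;          /* result recorded by the injector thread */
};

static void wait_for_start(struct vcpu_model *v)
{
    while (!atomic_load_explicit(&v->start, memory_order_acquire))
        ;
}

/* vcpu side: publish guest_mode, full fence, then check for pending IRQs */
static void *vcpu_run_side(void *arg)
{
    struct vcpu_model *v = arg;
    wait_for_start(v);
    atomic_store_explicit(&v->guest_mode, 1, memory_order_relaxed);
    atomic_thread_fence(memory_order_seq_cst);   /* the "won't reorder" part */
    v->saw_irr = atomic_load_explicit(&v->irr, memory_order_relaxed) != 0;
    return NULL;
}

/* injector side: set IRR, full fence, then kick only if the vcpu is in guest mode */
static void *injector_side(void *arg)
{
    struct vcpu_model *v = arg;
    wait_for_start(v);
    atomic_store_explicit(&v->irr, 1, memory_order_relaxed);
    atomic_thread_fence(memory_order_seq_cst);
    if (atomic_load_explicit(&v->guest_mode, memory_order_relaxed)) {
        atomic_store_explicit(&v->kicked, 1, memory_order_relaxed);
        v->sent_kick = true;
    } else {
        v->sent_kick = false;
    }
    return NULL;
}

/* One race; returns true if the interrupt was noticed by at least one side. */
static bool race_once(void)
{
    struct vcpu_model v = { 0 };
    pthread_t a, b;

    pthread_create(&a, NULL, vcpu_run_side, &v);
    pthread_create(&b, NULL, injector_side, &v);
    atomic_store_explicit(&v.start, 1, memory_order_release);
    pthread_join(a, NULL);
    pthread_join(b, NULL);
    /* both false would be the lost wakeup from the diagram */
    return v.saw_irr || v.sent_kick;
}

/* Runs the race repeatedly; returns how many runs lost the wakeup (expected 0). */
int count_lost_wakeups(int iterations)
{
    int lost = 0;
    for (int i = 0; i < iterations; i++)
        if (!race_once())
            lost++;
    return lost;
}

int main(void)
{
    printf("lost wakeups: %d\n", count_lost_wakeups(2000));
    return 0;
}
```

Each side does store, fence, load, the Dekker pattern: with both fences seq_cst at least one thread must observe the other's store, so a run where saw_irr and sent_kick are both false cannot occur and count_lost_wakeups stays at zero. Without the fences a store may be delayed past the following load (x86 permits this store-load reordering), which is exactly the window the patch closes by moving the guest_mode=1 store ahead of the interrupt check and ordering it.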