Date: Fri, 20 Jun 2025 10:22:32 -0700
X-Mailing-List: kvmarm@lists.linux.dev
References: <20250611224604.313496-2-seanjc@google.com> <20250611224604.313496-4-seanjc@google.com> <86tt4lcgs3.wl-maz@kernel.org>
Subject: Re: [PATCH v3 02/62] KVM: arm64: WARN if unmapping vLPI fails
From: Sean Christopherson
To: Oliver Upton
Cc: Marc Zyngier, Paolo Bonzini, Joerg Roedel, David Woodhouse, Lu Baolu,
    linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
    kvm@vger.kernel.org, iommu@lists.linux.dev, linux-kernel@vger.kernel.org,
    Sairaj Kodilkar, Vasant Hegde, Maxim Levitsky, Joao Martins,
    Francesco Lavra, David Matlack

On Fri, Jun 13, 2025, Oliver Upton wrote:
> On Thu, Jun 12, 2025 at 07:34:35AM -0700, Sean Christopherson wrote:
> > On Thu, Jun 12, 2025, Marc Zyngier wrote:
> > > But not having a VLPI mapping for an interrupt at the point where we're
> > > tearing down the forwarding is pretty benign. IRQs *still* go where they
> > > should, and we don't lose anything.
>
> The VM may not actually be getting torn down, though. The series of
> fixes [*] we took for 6.16 addressed games that VMMs might be playing on
> irqbypass for a live VM.
>
> [*] https://lore.kernel.org/kvmarm/20250523194722.4066715-1-oliver.upton@linux.dev/
>
> > All of those failure scenarios seem like warnable offences when KVM thinks it has
> > configured the IRQ to be forwarded to a vCPU.
>
> I tend to agree here, especially considering how horribly fragile GICv4
> has been in some systems. I know of a couple implementations where ITS
> command failures and/or unmapped MSIs are fatal for the entire machine.
> Debugging them has been a genuine pain in the ass.
>
> WARN'ing when state tracking for vLPIs is out of whack would've made it
> a little easier.

Marc, does this look and read better?

I'd really, really like to get this sorted out asap, as it's the only thing
blocking the series, and I want to get the series into linux-next early next
week, before I go OOO for ~10 days.

--
From: Sean Christopherson
Date: Thu, 12 Jun 2025 16:51:47 -0700
Subject: [PATCH] KVM: arm64: WARN if unmapping a vLPI fails in any path

When unmapping a vLPI, WARN if nullifying vCPU affinity fails, not just if
failure occurs when freeing an ITE. If undoing vCPU affinity fails, then
odds are very good that vLPI state tracking has gotten out of whack, i.e.
that KVM and the GIC disagree on the state of an IRQ/vLPI. At best,
inconsistent state means there is a lurking bug/flaw somewhere. At worst,
the inconsistency could eventually be fatal to the host, e.g. if an ITS
command fails because KVM's view of things doesn't match reality/hardware.

Note, only the call from kvm_arch_irq_bypass_del_producer() by way of
kvm_vgic_v4_unset_forwarding() doesn't already WARN. Common KVM's
kvm_irq_routing_update() WARNs if kvm_arch_update_irqfd_routing() fails.
For that path, if its_unmap_vlpi() fails in kvm_vgic_v4_unset_forwarding(),
the only possible causes are that the GIC doesn't have a v4 ITS (from
its_irq_set_vcpu_affinity()):

	/* Need a v4 ITS */
	if (!is_v4(its_dev->its))
		return -EINVAL;

	guard(raw_spinlock)(&its_dev->event_map.vlpi_lock);

	/* Unmap request? */
	if (!info)
		return its_vlpi_unmap(d);

or that KVM has gotten out of sync with the GIC/ITS (from its_vlpi_unmap()):

	if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d))
		return -EINVAL;

All of the above failure scenarios are warnable offences, as they should
never occur absent a kernel/KVM bug.

Signed-off-by: Sean Christopherson
---
 arch/arm64/kvm/vgic/vgic-its.c     | 2 +-
 arch/arm64/kvm/vgic/vgic-v4.c      | 4 ++--
 drivers/irqchip/irq-gic-v4.c       | 4 ++--
 include/linux/irqchip/arm-gic-v4.h | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c index 534049c7c94b..98630dae910d 100644 --- a/arch/arm64/kvm/vgic/vgic-its.c +++ b/arch/arm64/kvm/vgic/vgic-its.c
@@ -758,7 +758,7 @@ static void its_free_ite(struct kvm *kvm, struct its_ite *ite) if (irq) { scoped_guard(raw_spinlock_irqsave, &irq->irq_lock) { if (irq->hw) - WARN_ON(its_unmap_vlpi(ite->irq->host_irq)); + its_unmap_vlpi(ite->irq->host_irq); irq->hw = false; } diff --git a/arch/arm64/kvm/vgic/vgic-v4.c b/arch/arm64/kvm/vgic/vgic-v4.c index 193946108192..911170d4a9c8 100644 --- a/arch/arm64/kvm/vgic/vgic-v4.c +++ b/arch/arm64/kvm/vgic/vgic-v4.c @@ -545,10 +545,10 @@ int kvm_vgic_v4_unset_forwarding(struct kvm *kvm, int host_irq) if (irq->hw) { atomic_dec(&irq->target_vcpu->arch.vgic_cpu.vgic_v3.its_vpe.vlpi_count); irq->hw = false; - ret = its_unmap_vlpi(host_irq); + its_unmap_vlpi(host_irq); } raw_spin_unlock_irqrestore(&irq->irq_lock, flags); vgic_put_irq(kvm, irq); - return ret; + return 0; } diff --git a/drivers/irqchip/irq-gic-v4.c b/drivers/irqchip/irq-gic-v4.c index 58c28895f8c4..8455b4a5fbb0 100644 --- a/drivers/irqchip/irq-gic-v4.c +++ b/drivers/irqchip/irq-gic-v4.c @@ -342,10 +342,10 @@ int its_get_vlpi(int irq, struct its_vlpi_map *map) return irq_set_vcpu_affinity(irq, &info); } -int its_unmap_vlpi(int irq) +void its_unmap_vlpi(int irq) { irq_clear_status_flags(irq, IRQ_DISABLE_UNLAZY); - return irq_set_vcpu_affinity(irq, NULL); + WARN_ON_ONCE(irq_set_vcpu_affinity(irq, NULL)); } int its_prop_update_vlpi(int irq, u8 config, bool inv) diff --git a/include/linux/irqchip/arm-gic-v4.h b/include/linux/irqchip/arm-gic-v4.h index 7f1f11a5e4e4..0b0887099fd7 100644 --- a/include/linux/irqchip/arm-gic-v4.h +++ b/include/linux/irqchip/arm-gic-v4.h 
@@ -146,7 +146,7 @@ int its_commit_vpe(struct its_vpe *vpe); int its_invall_vpe(struct its_vpe *vpe); int its_map_vlpi(int irq, struct its_vlpi_map *map); int its_get_vlpi(int irq, struct its_vlpi_map *map); -int its_unmap_vlpi(int irq); +void its_unmap_vlpi(int irq); int its_prop_update_vlpi(int irq, u8 config, bool inv); int its_prop_update_vsgi(int irq, u8 priority, bool group); base-commit: 4fc39a165c70a49991b7cc29be3a19eddcd9e5b9 --
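
Review bot: in its_free_ite() (vgic-its.c hunk), dropping the local WARN_ON() in favour of the WARN_ON_ONCE() now inside its_unmap_vlpi() changes this path from warning on every failed unmap to warning once per boot, shared with every other caller. If the intent is to make out-of-sync vLPI tracking easier to debug, a second failure on a different IRQ or VM will now be silent; either say in the commit message that the once-only behaviour is deliberate for this path, or keep a per-call diagnostic here.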
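
Review bot: in kvm_vgic_v4_unset_forwarding() (vgic-v4.c hunk), the only visible assignment to `ret` is removed and the tail becomes `return 0;`, so please check whether `ret` is still written or read earlier in the function; if not, its declaration is now dead and should be dropped in this patch. Note also that `irq->hw = false` and the `vlpi_count` decrement happen before its_unmap_vlpi(), so on a failed unmap KVM's bookkeeping already says "not forwarded" and the caller is told success; a short comment stating that the WARN in its_unmap_vlpi() is the only signal of that mismatch would help the next reader.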
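
Review bot: in its_unmap_vlpi() (irq-gic-v4.c hunk), `WARN_ON_ONCE(irq_set_vcpu_affinity(irq, NULL));` discards both the IRQ number and the error code, which are the two facts needed to tell the "no v4 ITS" case from the "KVM out of sync with the ITS" case described in the commit message. Consider storing the result in a local and using WARN_ONCE(ret, ...) with `irq` and `ret` in the format string. Separately, since the thread mentions VMMs playing games with irqbypass on a live VM, the changelog should state why this WARN cannot be reached by userspace-controlled ordering: on hosts booted with panic_on_warn a reachable WARN is a host crash, not just a log line.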