From: christoffer.dall@linaro.org (Christoffer Dall)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v3 09/11] KVM: arm/arm64: vgic: Prevent userspace injection of a mapped interrupt
Date: Wed, 5 Aug 2015 12:53:45 +0200 [thread overview]
Message-ID: <20150805105345.GA4657@cbox> (raw)
In-Reply-To: <55C1DAE9.1050609@arm.com>
On Wed, Aug 05, 2015 at 10:44:09AM +0100, Marc Zyngier wrote:
> On 05/08/15 08:32, Eric Auger wrote:
> > Hi Marc,
> > On 08/04/2015 06:44 PM, Marc Zyngier wrote:
> >> On 04/08/15 17:21, Eric Auger wrote:
> >>> Hi Marc,
> >>> On 07/24/2015 05:55 PM, Marc Zyngier wrote:
> >>>> Virtual interrupts mapped to a HW interrupt should only be triggered
> >>>> from inside the kernel. Otherwise, you could end up confusing the
> >>>> kernel (and the GIC's) state machine.
> >>>>
> >>>> Rearrange the injection path so that kvm_vgic_inject_irq is
> >>>> used for non-mapped interrupts, and kvm_vgic_inject_mapped_irq is
> >>>> used for mapped interrupts. The latter should only be called from
> >>>> inside the kernel (timer, VFIO).
> >>> nit: I would replace VFIO by irqfd.
> >>> VFIO just triggers the eventfd/irqfd. This is KVM/irqfd that injects the
> >>> virtual irq upon the irqfd signaling and he irqfd adaptation/ARM
> >>> currently is implemented in vgic.c
> >>
> >> Ah, thanks for reminding me of the right terminology, I tend to think of
> >> it as one big bag of nasty tricks... ;-)
> >>
> >> I'll update the commit message.
> >>
> >>>>
> >>>> Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
> >>>> ---
> >>>> include/kvm/arm_vgic.h | 2 +
> >>>> virt/kvm/arm/vgic.c | 99 ++++++++++++++++++++++++++++++++++----------------
> >>>> 2 files changed, 70 insertions(+), 31 deletions(-)
> >>>>
> >>>> diff --git a/include/kvm/arm_vgic.h b/include/kvm/arm_vgic.h
> >>>> index 7306b4b..f6bfd79 100644
> >>>> --- a/include/kvm/arm_vgic.h
> >>>> +++ b/include/kvm/arm_vgic.h
> >>>> @@ -351,6 +351,8 @@ void kvm_vgic_flush_hwstate(struct kvm_vcpu *vcpu);
> >>>> void kvm_vgic_sync_hwstate(struct kvm_vcpu *vcpu);
> >>>> int kvm_vgic_inject_irq(struct kvm *kvm, int cpuid, unsigned int irq_num,
> >>>> bool level);
> >>>> +int kvm_vgic_inject_mapped_irq(struct kvm *kvm, int cpuid,
> >>>> + struct irq_phys_map *map, bool level);
> >>>> void vgic_v3_dispatch_sgi(struct kvm_vcpu *vcpu, u64 reg);
> >>>> int kvm_vgic_vcpu_pending_irq(struct kvm_vcpu *vcpu);
> >>>> int kvm_vgic_vcpu_active_irq(struct kvm_vcpu *vcpu);
> >>>> diff --git a/virt/kvm/arm/vgic.c b/virt/kvm/arm/vgic.c
> >>>> index 3f7b690..e40ef70 100644
> >>>> --- a/virt/kvm/arm/vgic.c
> >>>> +++ b/virt/kvm/arm/vgic.c
> >>>> @@ -1533,7 +1533,8 @@ static int vgic_validate_injection(struct kvm_vcpu *vcpu, int irq, int level)
> >>>> }
> >>>>
> >>>> static int vgic_update_irq_pending(struct kvm *kvm, int cpuid,
> >>>> - unsigned int irq_num, bool level)
> >>>> + struct irq_phys_map *map,
> >>>> + unsigned int irq_num, bool level)
> >>>> {
> >>> In vgic_update_irq_pending, I needed to modify the following line and
> >>> add the "&& !map".
> >>>
> >>> if (!vgic_validate_injection(vcpu, irq_num, level) && !map) {
> >>>
> >>> Without that, the level being not properly modeled for level sensitive
> >>> forwarded IRQs, the 2d injection fails.
> >>
> >> Ah! Is that because we never see the line being reset to zero, and the
> >> VGIC still sees the line as pending at the distributor level?
> > yes indeed
>
> Then it is a bigger problem we need to solve, and your solution just
> papers over the issue.
>
> The main problem is that irqfd is essentially an edge-triggered
> signalling. Fire and forget. Given that we're dealing with a level
> triggered interrupt, we end up with the interrupt still marked as
> pending (nobody took the signal down).
>
> The usual way to get out of that mess in is to evaluate the state of the
> level on EOI. But we can't trap on EOI for a HW interrupt.
>
> So it raises the question: should we instead consider the HW pending
> state instead of the software one for mapped interrupts? It is
> expensive, but it feels more correct.
>
I thought we already covered this at LCA. For mapped interrupts
(forwarded) we should never consider the software pending state, because
that state is managed by the hardware. Or am I confusing concepts here?
Thanks,
-Christoffer
next prev parent reply other threads:[~2015-08-05 10:53 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-24 15:54 [PATCH v3 00/11] arm/arm64: KVM: Active interrupt state switching for shared devices Marc Zyngier
2015-07-24 15:54 ` [PATCH v3 01/11] arm/arm64: KVM: Fix ordering of timer/GIC on guest entry Marc Zyngier
2015-07-24 15:55 ` [PATCH v3 02/11] arm/arm64: KVM: Move vgic handling to a non-preemptible section Marc Zyngier
2015-07-24 15:55 ` [PATCH v3 03/11] KVM: arm/arm64: vgic: Convert struct vgic_lr to use bitfields Marc Zyngier
2015-07-24 15:55 ` [PATCH v3 04/11] KVM: arm/arm64: vgic: Allow HW irq to be encoded in LR Marc Zyngier
2015-08-04 14:33 ` Christoffer Dall
2015-07-24 15:55 ` [PATCH v3 05/11] KVM: arm/arm64: vgic: Relax vgic_can_sample_irq for edge IRQs Marc Zyngier
2015-07-24 15:55 ` [PATCH v3 06/11] KVM: arm/arm64: vgic: Allow dynamic mapping of physical/virtual interrupts Marc Zyngier
2015-08-04 13:04 ` Christoffer Dall
2015-08-04 15:27 ` Marc Zyngier
2015-08-04 17:36 ` Christoffer Dall
2015-08-04 18:10 ` Marc Zyngier
2015-07-24 15:55 ` [PATCH v3 07/11] KVM: arm/arm64: vgic: Allow HW interrupts to be queued to a guest Marc Zyngier
2015-08-04 14:33 ` Christoffer Dall
2015-07-24 15:55 ` [PATCH v3 08/11] KVM: arm/arm64: vgic: Add vgic_{get, set}_phys_irq_active Marc Zyngier
2015-07-24 15:55 ` [PATCH v3 09/11] KVM: arm/arm64: vgic: Prevent userspace injection of a mapped interrupt Marc Zyngier
2015-08-04 13:45 ` Christoffer Dall
2015-08-04 16:02 ` Marc Zyngier
2015-08-04 17:38 ` Christoffer Dall
2015-08-04 16:21 ` Eric Auger
2015-08-04 16:44 ` Marc Zyngier
2015-08-05 7:32 ` Eric Auger
2015-08-05 9:44 ` Marc Zyngier
2015-08-05 10:53 ` Christoffer Dall [this message]
2015-08-05 11:47 ` Eric Auger
2015-08-05 13:47 ` Christoffer Dall
2015-08-06 16:44 ` Marc Zyngier
2015-08-07 7:05 ` Eric Auger
2015-08-07 8:29 ` Marc Zyngier
2015-07-24 15:55 ` [PATCH v3 10/11] KVM: arm/arm64: timer: Allow the timer to control the active state Marc Zyngier
2015-08-04 13:56 ` Christoffer Dall
2015-08-04 16:14 ` Marc Zyngier
2015-08-04 17:40 ` Christoffer Dall
2015-07-24 15:55 ` [PATCH v3 11/11] KVM: arm/arm64: vgic: Allow HW interrupts for non-shared devices Marc Zyngier
2015-08-04 14:32 ` Christoffer Dall
2015-08-04 17:08 ` Marc Zyngier
2015-08-04 18:07 ` Christoffer Dall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150805105345.GA4657@cbox \
--to=christoffer.dall@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).