From: "Carlos López" <clopez@suse.de>
To: Oliver Upton <oupton@kernel.org>
Cc: kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org,
	Marc Zyngier <maz@kernel.org>, Joey Gouly <joey.gouly@arm.com>,
	Steffen Eiden <seiden@linux.ibm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Zenghui Yu <yuzenghui@huawei.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>,
	"moderated list:KERNEL VIRTUAL MACHINE FOR ARM64 (KVM/arm64)"
	<linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH v2] KVM: arm64: vgic: Fix race between LPI release and re-registration
Date: Fri, 3 Jul 2026 11:16:50 +0200
Message-ID: <3ee3840a-d14c-48b9-9e0e-829f0fab530d@suse.de>
In-Reply-To: <akd2bIjF34e3m6TQ@kernel.org>

Hi,

I was about to reply to Sashiko, I'd rather talk to a human :)

On 7/3/26 10:44 AM, Oliver Upton wrote:
> Hi Carlos,
> 
> Thanks for reporting this ugly bug.
> 
> On Fri, Jul 03, 2026 at 04:15:08AM +0200, Carlos López wrote:
>> To fix the direct release path, move the reference count drop inside
>> the xarray lock, making sure that vgic_add_lpi() never encounters the
>> to-be-released LPI.
> 
> As Sashiko pointed out, this is going to massively regress performance
> of LPI injection. I don't think this is going to be a viable option.

I think we can just use refcount_dec_and_lock_irqsave(), no? Then we
grab the lock only if the refcount drops to 0.

As for the other issue (spurious -ENOMEM on __xa_store()), it's a
preexisting issue, but should be fixed by just passing GFP_NOWAIT to
__xa_store(). I can add another patch in v3 for this.

>> To fix the deferred release path, since the refcount drop must happen
>> under a raw spinlock, the same solution does not work. Instead, update
>> vgic_add_lpi(), so that if it evicts a non-NULL refcount=0 LPI from the
>> xarray, it takes on the responsibility of releasing it. If this happens,
>> vgic_release_deleted_lpis() will iterate the xarray normally and will
>> simply not find the already released structure.
>>
>> Reported-by: Claude:claude-opus-4-6
>> Fixes: 3a08a6ca7c37 ("KVM: arm64: vgic-v3: Use bare refcount for VGIC LPIs")
>> Fixes: d54594accf73 ("KVM: arm64: vgic-v3: Erase LPIs from xarray outside of raw spinlocks")
>> Signed-off-by: Carlos López <clopez@suse.de>
>> ---
>> v2:
>> * Address Sashiko's review. Fix the direct release path by decrementing the
>>   refcount under the xarray spinlock, preventing a UAF that would have been
>>   introduced in v1.
> 
> So I actually agree with your approach in v1, vgic_release_lpi_locked()
> should do an __xa_cmpxchg() to only erase if the to-be-deleted IRQ that
> it owns remains in the xarray.
> 
> I believe the UAF could've been avoided by unconditionally calling
> kfree_rcu() in vgic_release_lpi_locked() and not attempting to cleanup
> dead LPIs in vgic_add_lpi(). IOW, whoever takes the refcount of an LPI
> to 0 always has the responsibility of freeing it.


I think this would solve the direct release path, but not the deferred
path. If vgic_add_lpi() does not perform any cleanup and encounters an
IRQ that was vgic_put_irq_norelease()-ed before
vgic_release_deleted_lpis() grabs the xarray lock, then the struct is
overwritten without being released.

> Maybe below would be enough?
> 
> Thanks,
> Oliver
> 
> diff --git a/arch/arm64/kvm/vgic/vgic.c b/arch/arm64/kvm/vgic/vgic.c
> index 5a4768d8cd4f..4c79e1096af4 100644
> --- a/arch/arm64/kvm/vgic/vgic.c
> +++ b/arch/arm64/kvm/vgic/vgic.c
> @@ -132,7 +132,14 @@ struct vgic_irq *vgic_get_vcpu_irq(struct kvm_vcpu *vcpu, u32 intid)
>  static void vgic_release_lpi_locked(struct vgic_dist *dist, struct vgic_irq *irq)
>  {
>  	lockdep_assert_held(&dist->lpi_xa.xa_lock);
> -	__xa_erase(&dist->lpi_xa, irq->intid);
> +
> +	/*
> +	 * Another LPI could've been inserted prior to taking the xa_lock, as
> +	 * vgic_add_lpi() can only take a reference on a pre-existing LPI if
> +	 * the refcount is nonzero. While freeing the object is always done here,
> +	 * only delete the entry @INTID if it is this IRQ.
> +	 */
> +	__xa_cmpxchg(&dist->lpi_xa, irq->intid, irq, NULL, 0);
>  	kfree_rcu(irq, rcu);
>  }
>  
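Review bot: the `__xa_cmpxchg()` guard in vgic_release_lpi_locked() only closes the direct release path; an LPI whose refcount was dropped by vgic_put_irq_norelease() and then overwritten by vgic_add_lpi() before vgic_release_deleted_lpis() runs is no longer reachable from the xarray, so nothing ever reaches the unconditional `kfree_rcu(irq, rcu)` for it and the struct leaks, which is the case the reply above describes. Either vgic_add_lpi() has to free a refcount-0 entry it evicts, or some other owner for such entries is needed. The return value of `__xa_cmpxchg()` is also discarded; comparing it against `irq` (for example with a WARN_ON_ONCE() when it is an `xa_err()`) would make the "entry was replaced" case observable rather than silent.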



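The two interleavings debated in this message, as a constructed userspace model (added example; this is not kernel code and not code from any participant in the thread). The names lpi_table, lpi_add(), lpi_put(), release_erase(), release_cmpxchg(), release_deleted() and the add_releases_evicted flag are stand-ins for dist->lpi_xa, vgic_add_lpi(), vgic_put_irq(), the pre- and post-hunk vgic_release_lpi_locked(), vgic_release_deleted_lpis() and the v2 "add() frees what it evicts" behaviour. Locking is not modelled: each scenario calls the steps in the order the race requires, and "freeing" only flags the object so the outcome can be inspected afterwards.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the vgic LPI table; not the kernel's implementation. */
#define NR_INTIDS 16

struct lpi {
	unsigned int intid;
	int refcount;
	bool freed;		/* set instead of really freeing, so scenarios can look */
};

struct lpi_table {
	struct lpi *slot[NR_INTIDS];	/* plays the role of the xarray */
	bool add_releases_evicted;	/* v2 idea: add() frees a refcount-0 entry it evicts */
};

static void lpi_free(struct lpi *irq)
{
	irq->freed = true;		/* stands in for kfree_rcu(irq, rcu) */
}

/* Model of vgic_add_lpi(): reuse a live entry, otherwise store a new one. */
static struct lpi *lpi_add(struct lpi_table *t, unsigned int intid)
{
	struct lpi *old = t->slot[intid], *irq;

	if (old && old->refcount > 0) {
		old->refcount++;	/* reference on a live LPI */
		return old;
	}
	irq = calloc(1, sizeof(*irq));	/* intentionally never free()d here */
	irq->intid = intid;
	irq->refcount = 1;
	/* __xa_store() overwrites whatever sits at intid, dead entries included */
	if (old && t->add_releases_evicted)
		lpi_free(old);
	t->slot[intid] = irq;
	return irq;
}

/* Drop a reference; true means the caller now owns the release. */
static bool lpi_put(struct lpi *irq)
{
	return --irq->refcount == 0;
}

/* Pre-hunk release: erase intid unconditionally, then free. */
static void release_erase(struct lpi_table *t, struct lpi *irq)
{
	t->slot[irq->intid] = NULL;
	lpi_free(irq);
}

/* Release as in the hunk: only clear the slot if it still holds this irq. */
static void release_cmpxchg(struct lpi_table *t, struct lpi *irq)
{
	if (t->slot[irq->intid] == irq)	/* __xa_cmpxchg(..., irq, NULL, 0) */
		t->slot[irq->intid] = NULL;
	lpi_free(irq);
}

/* Deferred path: sweep the table and release whatever has refcount 0. */
static void release_deleted(struct lpi_table *t)
{
	for (unsigned int i = 0; i < NR_INTIDS; i++)
		if (t->slot[i] && t->slot[i]->refcount == 0)
			release_cmpxchg(t, t->slot[i]);
}

/*
 * Direct path: refcount hits zero outside the lock, a new LPI with the same
 * intid is registered in that window, then the release runs.
 * Returns true if the new LPI is still reachable and the old one was freed.
 */
bool direct_path_keeps_new_lpi(bool use_cmpxchg)
{
	struct lpi_table t = { 0 };
	struct lpi *a = lpi_add(&t, 5), *b;

	if (!lpi_put(a))
		return false;
	b = lpi_add(&t, 5);		/* re-registration in the window */
	if (use_cmpxchg)
		release_cmpxchg(&t, a);
	else
		release_erase(&t, a);	/* erases b's slot, not a's */
	return t.slot[5] == b && a->freed && !b->freed;
}

/*
 * Deferred path: a norelease put leaves a refcount-0 entry in the table; if
 * it is overwritten before the sweep, only an add() that frees the evicted
 * entry keeps it from leaking. Returns true if the old LPI was freed.
 */
bool deferred_path_frees_old_lpi(bool add_releases_evicted)
{
	struct lpi_table t = { 0 };
	struct lpi *a, *b;

	t.add_releases_evicted = add_releases_evicted;
	a = lpi_add(&t, 7);
	lpi_put(a);			/* norelease: nobody frees a yet */
	b = lpi_add(&t, 7);		/* overwrites the dead entry */
	release_deleted(&t);		/* sweep no longer sees a */
	return a->freed && t.slot[7] == b && !b->freed;
}
```

direct_path_keeps_new_lpi(false) reproduces the original bug (the erase removes the freshly registered LPI), direct_path_keeps_new_lpi(true) shows the cmpxchg guard keeping it; deferred_path_frees_old_lpi(false) shows the leak this reply raises, and deferred_path_frees_old_lpi(true) the v2 answer to it.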