Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2839379pxk; Mon, 28 Sep 2020 01:02:57 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxqDTMsbbnWiFbE7PbcsOVlkryFY6ULHGIk+GNUxbe+dGBGN9cuCn5oeBP4ghqHxVuRUNaL X-Received: by 2002:aa7:ce97:: with SMTP id y23mr413017edv.128.1601280177699; Mon, 28 Sep 2020 01:02:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601280177; cv=none; d=google.com; s=arc-20160816; b=mRCc+0/K5JQPXEfF+QXB5vVLZI9MdNBD4c4A2Gdf/qXPMJT2BnNPD5ZkragNgkuW5G xHdWIOwzRxuh7cO84bFYJ9ZRwTDF0Thr+sCQ5teBj+Mua24rjqlbSmhvz9LrJlQ2J0iT fLWaB++FjCNAg6kG++5jRWnPMhzEyRH0hBW4of/mnai7wdrOdf73NC+LENB3YIJf3guT a6PMw62sO0bb6ISFmDuNcWr8dH0lWRNbQmHdMApPBuQdoAxLVYA3kaOmajBTkpZ68spd vs7LFfXFQKfPJG4jCjNyK+erI7b45cTH08WC53yocdrfCPgOVNaF6QzSrobvccly6uFY DIFQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=T7R9m9FhJdi6KLm4nsGm74cvSvwdnrQBjKd7fzOBDVM=; b=EQENeJU+HJfB3yDPSDrMCuqw0tnlk7sbxGkADaSgcT9ooznqNrTzLgXgg3HG5Ffm/w RseGvmDmePDY2GH6095vCR0KQ8vGk6MsEf0LBzXuZYunb3BvfC+CkPKFwY2C4TsISPoE fUh4CsqQNLD4YScuwLoTPDhd12FFcDBzvZpgU8KwBVc5m7fWBu2Ckl9F3KacepnIHBsn hV72stOqv10pzlYLbEneYXoC9tN9t8XaE2T18EjuWxhMjuZ/Np0tQlFsZJiziPosjnKP kIJ87w7L5XqBGNkvI/ZpXxhhWU4zWrwor4VbBUJk3C27di7rNHL5RMVvuXBjxZRTfi/N JDAA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=L+Cypgwx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i8si156539ejg.90.2020.09.28.01.02.34; Mon, 28 Sep 2020 01:02:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=L+Cypgwx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726590AbgI1IBf (ORCPT + 99 others); Mon, 28 Sep 2020 04:01:35 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:38951 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726461AbgI1IBe (ORCPT ); Mon, 28 Sep 2020 04:01:34 -0400 Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1601280093; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=T7R9m9FhJdi6KLm4nsGm74cvSvwdnrQBjKd7fzOBDVM=; b=L+CypgwxCAYnKtAgsffsZAhxzSNad7zu8nTtYOuUEm5+SFzgLHRDVcMtJCuUPOUtAUF0oP OGcK79Dvip6gDPbhqdD3+Bm7xKRs5oag71+MCMFX+pNnCU3EXQ19ys/cloMwAaFx+xU4uj KALeSIhJfu4yn4ceG1CnJ0lBXbVqyzE= Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com [209.85.221.69]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-505-C-W4VjEpOZS4584GuEjSUg-1; Mon, 28 Sep 2020 04:01:31 -0400 X-MC-Unique: C-W4VjEpOZS4584GuEjSUg-1 Received: by mail-wr1-f69.google.com with SMTP id v5so81388wrr.0 for ; Mon, 28 Sep 2020 01:01:30 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=T7R9m9FhJdi6KLm4nsGm74cvSvwdnrQBjKd7fzOBDVM=; b=FqxBSLs43OhooO3di1vgL1J1eRAcLH3QZgr4prYFwEP9o2iqJRdHt4//AVD2Yba3jp C/nRAxKAQ6Zjp86Fza3tvui83hcRksRJbotqHvBLfF0/eVYiNLwUofEY679EHHj6fi4D PKqF6RQIXFB8As60gP9QeHbHLkgZz9FTcuETyDlO+epoMBq555ssga+MGXnWwF9M59c/ 4nOr9mXh1vCzPwIcPF30yAGxFPv3Vz0QiINTZRabWaHwmEKOcYMrWBOppDfaBisZaZYm AGeJQR4CRhxm/w3S3Pmnj9/qbjoS24QvzZoJJYRXtBqtGhWFXqrYB2XxgU7UVTzOXzoR Fcow== X-Gm-Message-State: AOAM5332SJWS58csJGm/oc6XdUsQRaYpp3eR0FZBerVqu440x+EA3ms6 sQ29QNgzkwYx6un6oIgTVjDokU+8qi9RCiyrw3B3xE1ZPD6FCQkWtaFTi1W0eR5hILve+YsoErP PmNSR2e5mqz5kOP9T951rCXP9 X-Received: by 2002:a1c:9ad0:: with SMTP id c199mr320692wme.54.1601280089807; Mon, 28 Sep 2020 01:01:29 -0700 (PDT) X-Received: by 2002:a1c:9ad0:: with SMTP id c199mr320667wme.54.1601280089566; Mon, 28 Sep 2020 01:01:29 -0700 (PDT) Received: from ?IPv6:2001:b07:6468:f312:18a0:e78d:6703:1066? ([2001:b07:6468:f312:18a0:e78d:6703:1066]) by smtp.gmail.com with ESMTPSA id f12sm145381wmf.26.2020.09.28.01.01.28 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 28 Sep 2020 01:01:28 -0700 (PDT) Subject: Re: [PATCH] KVM: SVM: Initialize ir_list and ir_list_lock regardless of AVIC enablement To: Suravee Suthikulpanit , linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: joro@8bytes.org References: <20200922084446.7218-1-suravee.suthikulpanit@amd.com> <1b8ff096-85a4-3dda-61d3-9a44ca6bb360@amd.com> From: Paolo Bonzini Message-ID: Date: Mon, 28 Sep 2020 10:01:27 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0 MIME-Version: 1.0 In-Reply-To: <1b8ff096-85a4-3dda-61d3-9a44ca6bb360@amd.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 28/09/20 07:53, Suravee Suthikulpanit wrote: > Hi, > > Are there any issues or concerns about this patch? Yes, sorry I haven't replied yet. Looks like Linus is doing an -rc8 so there's plenty of time to have it in 5.9. The thing I'm wondering is, why is svm_update_pi_irte doing anything if you don't have AVIC enabled? In other word, this might not be the root cause of the bug. You always get to the "else" branch of the loop of course, and I'm not sure how irq_set_vcpu_affinity returns something with pi.prev_ga_tag set. Thanks, Paolo > Thank you, > Suravee > > On 9/22/20 3:44 PM, Suravee Suthikulpanit wrote: >> The struct vcpu_svm.ir_list and ir_list_lock are being accessed even when >> AVIC is not enabled, while current code only initialize the list and >> the lock only when AVIC is enabled. This ended up trigger NULL pointer >> dereference bug in the function vm_ir_list_del with the following >> call trace: >> >>      svm_update_pi_irte+0x3c2/0x550 [kvm_amd] >>      ? proc_create_single_data+0x41/0x50 >>      kvm_arch_irq_bypass_add_producer+0x40/0x60 [kvm] >>      __connect+0x5f/0xb0 [irqbypass] >>      irq_bypass_register_producer+0xf8/0x120 [irqbypass] >>      vfio_msi_set_vector_signal+0x1de/0x2d0 [vfio_pci] >>      vfio_msi_set_block+0x77/0xe0 [vfio_pci] >>      vfio_pci_set_msi_trigger+0x25c/0x2f0 [vfio_pci] >>      vfio_pci_set_irqs_ioctl+0x88/0xb0 [vfio_pci] >>      vfio_pci_ioctl+0x2ea/0xed0 [vfio_pci] >>      ? alloc_file_pseudo+0xa5/0x100 >>      vfio_device_fops_unl_ioctl+0x26/0x30 [vfio] >>      ? vfio_device_fops_unl_ioctl+0x26/0x30 [vfio] >>      __x64_sys_ioctl+0x96/0xd0 >>      do_syscall_64+0x37/0x80 >>      entry_SYSCALL_64_after_hwframe+0x44/0xa9 >> >> Therefore, move the initialziation code before checking for AVIC enabled >> so that it is always excuted. >> >> Fixes: dfa20099e26e ("KVM: SVM: Refactor AVIC vcpu initialization into >> avic_init_vcpu()") >> Signed-off-by: Suravee Suthikulpanit >> --- >>   arch/x86/kvm/svm/avic.c | 2 -- >>   arch/x86/kvm/svm/svm.c  | 3 +++ >>   2 files changed, 3 insertions(+), 2 deletions(-) >> >> diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c >> index ac830cd50830..1ccf13783785 100644 >> --- a/arch/x86/kvm/svm/avic.c >> +++ b/arch/x86/kvm/svm/avic.c >> @@ -572,8 +572,6 @@ int avic_init_vcpu(struct vcpu_svm *svm) >>       if (ret) >>           return ret; >>   -    INIT_LIST_HEAD(&svm->ir_list); >> -    spin_lock_init(&svm->ir_list_lock); >>       svm->dfr_reg = APIC_DFR_FLAT; >>         return ret; >> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c >> index c44f3e9140d5..714d791fe5a5 100644 >> --- a/arch/x86/kvm/svm/svm.c >> +++ b/arch/x86/kvm/svm/svm.c >> @@ -1225,6 +1225,9 @@ static int svm_create_vcpu(struct kvm_vcpu *vcpu) >>       svm_init_osvw(vcpu); >>       vcpu->arch.microcode_version = 0x01000065; >>   +    INIT_LIST_HEAD(&svm->ir_list); >> +    spin_lock_init(&svm->ir_list_lock); >> + >>       return 0; >>     free_page4: >> >