Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2108101pxb;
        Thu, 11 Feb 2021 04:44:17 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwchZVs8mTZENw26o1biS3zoq0IljVHUyFuE4Z4Orskx+7qDzcbGT78GhpDzTwZg0750UXO
X-Received: by 2002:a17:906:a099:: with SMTP id q25mr8219210ejy.549.1613047457463;
        Thu, 11 Feb 2021 04:44:17 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1613047457; cv=none;
        d=google.com; s=arc-20160816;
        b=oYiq20Uqyr3k1Iis/pXsF+Qb/9qOyXcgM4Z5HpIZk59l2htixBlebB9rWLSGKH/IUp
         YQco1H1jLAwhl/K8A3+wxDDS1mvQlVApgJb7XkpQVU3QfijygS1OtbEEE7sAYO/CeZ2n
         xpu45F9yI0CjWDsOb+bxP8QUlb8zdfQpqif1zpVYioj1LjZxo5SPrmaKHE18+DviJqtf
         YEHNnLvwxeCwxZhXZG41xHuVJV36xtbTUXOpWWEOld8Phm9xlzgZmVQ5hQA1iVeCTuq8
         yLpHCu9buwE507Ce4VyP3fMSvmKhy5/qK/tRl7FlyL3p9KqGZ45YwG4AYJsClXVBRLBo
         4+CQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :organization:references:in-reply-to:message-id:subject:cc:to:from
         :date:dkim-signature;
        bh=faRpucM8bYk3+6I7D614thA2FMfgheqmON/unvovBDw=;
        b=CgH5vNVJfC15PxTDpIBKv8jt6qcq447fVoQCZD0n4C4fTd2GxPsoMrEXdnJzYvFt3C
         /h7AcAgAH9t15skuV/gfNp65uCqE1GrtVEnZ1Fa9n8hDfuOegYYQ3QUCBwePIqJwfGRd
         eZBPTRMAxakhC+j2andpk43yQS0/yQBaHm+JLvbeJ9OjeLE+T1GoBaL3Agy2ugPFq1n/
         0BsxwDAbX17DXmvdI4TUZtSA81nledql54KPMaI9e1jU1jwbo3+hkBqaUxZewi55k9bu
         J4qwCpNmsz8hNcwD2Yk+eDjT+WU4+/cNtrUBK5889Fwxr5l4jFUwZaRuHwUs9c9pM4VW
         tY9A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=esxBciKJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id jx6si3642207ejc.37.2021.02.11.04.43.40;
        Thu, 11 Feb 2021 04:44:17 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=esxBciKJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229674AbhBKMlj (ORCPT <rfc822;loserzhuang@gmail.com>
        + 99 others); Thu, 11 Feb 2021 07:41:39 -0500
Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:24795 "EHLO
        us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S230379AbhBKMYo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 11 Feb 2021 07:24:44 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1613046197;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=faRpucM8bYk3+6I7D614thA2FMfgheqmON/unvovBDw=;
        b=esxBciKJnRNdJvORnz4si/Ou7xDtRSAx5Dq70Zu2rH4DFpZ8rHQJkOy3tvOsDoLLJvZetM
        Jwn/jBLo2KYmjRa+1xZuHLJU35tq518auK+e547LAw6SH7QwJJm+IrcgHlW609+0dfJE1X
        MWTSeCqyg62YNOVRMKQiNLcx7fiwCZw=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-233-aPNvSw21OQiRLgyafqWlog-1; Thu, 11 Feb 2021 07:23:15 -0500
X-MC-Unique: aPNvSw21OQiRLgyafqWlog-1
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A20F81005501;
        Thu, 11 Feb 2021 12:23:13 +0000 (UTC)
Received: from gondolin (ovpn-112-229.ams2.redhat.com [10.36.112.229])
        by smtp.corp.redhat.com (Postfix) with ESMTP id BA37B60936;
        Thu, 11 Feb 2021 12:23:08 +0000 (UTC)
Date:   Thu, 11 Feb 2021 13:23:06 +0100
From:   Cornelia Huck <cohuck@redhat.com>
To:     Tony Krowiak <akrowiak@linux.ibm.com>
Cc:     linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
        kvm@vger.kernel.org, stable@vger.kernel.org,
        borntraeger@de.ibm.com, kwankhede@nvidia.com, pbonzini@redhat.com,
        alex.williamson@redhat.com, pasic@linux.vnet.ibm.com
Subject: Re: [PATCH 1/1] s390/vfio-ap: fix circular lockdep when
 setting/clearing crypto masks
Message-ID: <20210211132306.64249174.cohuck@redhat.com>
In-Reply-To: <6e2842e4-334d-6592-a781-5b85ec0ed13c@linux.ibm.com>
References: <20210209194830.20271-1-akrowiak@linux.ibm.com>
        <20210209194830.20271-2-akrowiak@linux.ibm.com>
        <20210210115334.46635966.cohuck@redhat.com>
        <6e2842e4-334d-6592-a781-5b85ec0ed13c@linux.ibm.com>
Organization: Red Hat GmbH
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 10 Feb 2021 15:34:24 -0500
Tony Krowiak <akrowiak@linux.ibm.com> wrote:

> On 2/10/21 5:53 AM, Cornelia Huck wrote:
> > On Tue,  9 Feb 2021 14:48:30 -0500
> > Tony Krowiak <akrowiak@linux.ibm.com> wrote:
> >  
> >> This patch fixes a circular locking dependency in the CI introduced by
> >> commit f21916ec4826 ("s390/vfio-ap: clean up vfio_ap resources when KVM
> >> pointer invalidated"). The lockdep only occurs when starting a Secure
> >> Execution guest. Crypto virtualization (vfio_ap) is not yet supported for
> >> SE guests; however, in order to avoid CI errors, this fix is being
> >> provided.
> >>
> >> The circular lockdep was introduced when the masks in the guest's APCB
> >> were taken under the matrix_dev->lock. While the lock is definitely
> >> needed to protect the setting/unsetting of the KVM pointer, it is not
> >> necessarily critical for setting the masks, so this will not be done under
> >> protection of the matrix_dev->lock.
> >>
> >> Fixes: f21916ec4826 ("s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated")
> >> Cc: stable@vger.kernel.org
> >> Signed-off-by: Tony Krowiak <akrowiak@linux.ibm.com>
> >> ---
> >>   drivers/s390/crypto/vfio_ap_ops.c | 75 ++++++++++++++++++-------------
> >>   1 file changed, 45 insertions(+), 30 deletions(-)
> >>
> >>   static void vfio_ap_mdev_unset_kvm(struct ap_matrix_mdev *matrix_mdev)
> >>   {
> >> -	kvm_arch_crypto_clear_masks(matrix_mdev->kvm);
> >> -	matrix_mdev->kvm->arch.crypto.pqap_hook = NULL;
> >> -	vfio_ap_mdev_reset_queues(matrix_mdev->mdev);
> >> -	kvm_put_kvm(matrix_mdev->kvm);
> >> -	matrix_mdev->kvm = NULL;
> >> +	if (matrix_mdev->kvm) {  
> > If you're doing setting/unsetting under matrix_dev->lock, is it
> > possible that matrix_mdev->kvm gets unset between here and the next
> > line, as you don't hold the lock?  
> 
> That is highly unlikely because the only place the matrix_mdev->kvm
> pointer is cleared is in this function which is called from only two
> places: the notifier that handles the VFIO_GROUP_NOTIFY_SET_KVM
> notification when the KVM pointer is cleared; the vfio_ap_mdev_release()
> function which is called when the mdev fd is closed (i.e., when the guest
> is shut down). The fact is, with the only end-to-end implementation
> currently available, the notifier callback is never invoked to clear
> the KVM pointer because the vfio_ap_mdev_release callback is
> invoked first and it unregisters the notifier callback.
> 
> Having said that, I suppose there is no guarantee that there will not
> be different userspace clients in the future that do things in a
> different order. At the very least, it wouldn't hurt to protect against
> that as you suggest below.

Yes, if userspace is able to use the interfaces in the certain way, we
should always make sure that nothing bad happens if it does so, even if
known userspace applications are well-behaved.

[Can we make an 'evil userspace' test program, maybe? The hardware
dependency makes this hard to run, though.]

> 
> >
> > Maybe you could
> > - grab a reference to kvm while holding the lock
> > - call the mask handling functions with that kvm reference
> > - lock again, drop the reference, and do the rest of the processing?
> >  
> >> +		kvm_arch_crypto_clear_masks(matrix_mdev->kvm);
> >> +		mutex_lock(&matrix_dev->lock);
> >> +		matrix_mdev->kvm->arch.crypto.pqap_hook = NULL;
> >> +		vfio_ap_mdev_reset_queues(matrix_mdev->mdev);
> >> +		kvm_put_kvm(matrix_mdev->kvm);
> >> +		matrix_mdev->kvm = NULL;
> >> +		mutex_unlock(&matrix_dev->lock);
> >> +	}
> >>   }  
>