From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+e54f930ed78eb0f85281@syzkaller.appspotmail.com, Coleman Dietsch, Sean Christopherson, David Woodhouse, Paolo Bonzini
Subject: [PATCH 5.19 0045/1157] KVM: x86/xen: Stop Xen timer before changing IRQ
Date: Mon, 15 Aug 2022 19:50:01 +0200
Message-Id: <20220815180441.248083880@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220815180439.416659447@linuxfoundation.org>
References: <20220815180439.416659447@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Coleman Dietsch

commit c036899136355758dcd88878145036ab4d9c1f26 upstream.

Stop Xen timer (if it's running) prior to changing the IRQ vector and
potentially (re)starting the timer. Changing the IRQ vector while the
timer is still running can result in KVM injecting a garbage event, e.g.
vm_xen_inject_timer_irqs() could see a non-zero xen.timer_pending from a
previous timer but inject the new xen.timer_virq.

Fixes: 536395260582 ("KVM: x86/xen: handle PV timers oneshot mode")
Cc: stable@vger.kernel.org
Link: https://syzkaller.appspot.com/bug?id=8234a9dfd3aafbf092cc5a7cd9842e3ebc45fc42
Reported-by: syzbot+e54f930ed78eb0f85281@syzkaller.appspotmail.com
Signed-off-by: Coleman Dietsch
Reviewed-by: Sean Christopherson
Acked-by: David Woodhouse
Message-Id: <20220808190607.323899-3-dietschc@csp.edu>
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/xen.c | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) --- a/arch/x86/kvm/xen.c +++ b/arch/x86/kvm/xen.c @@ -707,25 +707,24 @@ int kvm_xen_vcpu_set_attr(struct kvm_vcp break; case KVM_XEN_VCPU_ATTR_TYPE_TIMER: - if (data->u.timer.port) { - if (data->u.timer.priority != KVM_IRQ_ROUTING_XEN_EVTCHN_PRIO_2LEVEL) { - r = -EINVAL; - break; - } - vcpu->arch.xen.timer_virq = data->u.timer.port; + if (data->u.timer.port && + data->u.timer.priority != KVM_IRQ_ROUTING_XEN_EVTCHN_PRIO_2LEVEL) { + r = -EINVAL; + break; + } - if (!vcpu->arch.xen.timer.function) - kvm_xen_init_timer(vcpu); + if (!vcpu->arch.xen.timer.function) + kvm_xen_init_timer(vcpu); - /* Restart the timer if it's set */ - if (data->u.timer.expires_ns) - kvm_xen_start_timer(vcpu, data->u.timer.expires_ns, - data->u.timer.expires_ns - - get_kvmclock_ns(vcpu->kvm)); - } else if (kvm_xen_timer_enabled(vcpu)) { - kvm_xen_stop_timer(vcpu); - vcpu->arch.xen.timer_virq = 0; - } + /* Stop the timer (if it's running) before changing the vector */ + kvm_xen_stop_timer(vcpu); + vcpu->arch.xen.timer_virq = data->u.timer.port; + + /* Start the timer if the new value has a valid vector+expiry. */ + if (data->u.timer.port && data->u.timer.expires_ns) + kvm_xen_start_timer(vcpu, data->u.timer.expires_ns, + data->u.timer.expires_ns - + get_kvmclock_ns(vcpu->kvm)); r = 0; break;
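Review bot: the guarantee this hunk gives rests on kvm_xen_stop_timer() clearing xen.timer_pending as well as cancelling the hrtimer; the commit message names a stale non-zero timer_pending as the source of the garbage injection, yet nothing visible in the hunk clears it after `kvm_xen_stop_timer(vcpu);`, so please confirm the helper does so, or clear it explicitly next to the new `vcpu->arch.xen.timer_virq = data->u.timer.port;` assignment. Two smaller points: the stop call is now unconditional, including on the first KVM_XEN_VCPU_ATTR_TYPE_TIMER call where the hrtimer has just been set up by kvm_xen_init_timer() and never armed, which is safe for hrtimer_cancel() but worth a word in the new comment; and for port == 0 the new code writes timer_virq = 0 and skips the start, so the removed `else if (kvm_xen_timer_enabled(vcpu))` disable path is still covered.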
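As an added illustration of the race the commit message describes (a constructed model, not KVM's code): in the pre-fix ordering a timer_pending left behind by the old timer is delivered together with the newly written timer_virq, while stopping the timer first clears it. The struct, the port numbers 5 and 9, and stop_timer() clearing timer_pending are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model of the per-vCPU Xen timer state; not KVM's own struct. */
struct xen_timer_state {
    int timer_pending;   /* non-zero once the armed timer has fired */
    uint8_t timer_virq;  /* event-channel port injected on expiry */
    bool armed;          /* hrtimer is running */
};
/* Stand-in for the hrtimer callback: marks the armed timer as expired. */
static void timer_fires(struct xen_timer_state *s)
{
    if (s->armed) { s->armed = false; s->timer_pending = 1; }
}
/* Stand-in for kvm_xen_stop_timer(). That it clears timer_pending as well as
 * cancelling the timer is an assumption here, and is what the fix relies on. */
static void stop_timer(struct xen_timer_state *s)
{
    s->armed = false; s->timer_pending = 0;
}
/* Stand-in for the injection pass: returns the port delivered, 0 if none. */
static uint8_t inject_timer_irqs(struct xen_timer_state *s)
{
    if (!s->timer_pending) return 0;
    s->timer_pending = 0;
    return s->timer_virq;
}
/* Scenario: the timer armed for port 5 has already fired when userspace reprograms
 * it to port 9 with a future expiry. stop_first selects the post-fix ordering;
 * new_timer_fired lets the port-9 timer expire before the injection pass runs. */
static uint8_t port_injected(bool stop_first, bool new_timer_fired)
{
    struct xen_timer_state s = { 0, 5, true };
    timer_fires(&s);              /* port-5 timer expires; injection has not run */
    if (stop_first)
        stop_timer(&s);           /* the fix: cancel before touching the vector */
    s.timer_virq = 9;             /* pre-fix: stale pending now pairs with port 9 */
    s.armed = true;
    if (new_timer_fired)
        timer_fires(&s);
    return inject_timer_irqs(&s);
}

int main(void)
{
    printf("pre-fix injects port %u; post-fix injects port %u before expiry, %u after\n",
           (unsigned)port_injected(false, false), (unsigned)port_injected(true, false),
           (unsigned)port_injected(true, true));
    return 0;
}
```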