From:   "Liu, Yi L" <yi.l.liu@intel.com>
To:     Alex Williamson <alex.williamson@redhat.com>,
        Matthew Rosato <mjrosato@linux.ibm.com>
CC:     "pbonzini@redhat.com" <pbonzini@redhat.com>,
        "jgg@nvidia.com" <jgg@nvidia.com>,
        "cohuck@redhat.com" <cohuck@redhat.com>,
        "farman@linux.ibm.com" <farman@linux.ibm.com>,
        "pmorel@linux.ibm.com" <pmorel@linux.ibm.com>,
        "borntraeger@linux.ibm.com" <borntraeger@linux.ibm.com>,
        "frankja@linux.ibm.com" <frankja@linux.ibm.com>,
        "imbrenda@linux.ibm.com" <imbrenda@linux.ibm.com>,
        "david@redhat.com" <david@redhat.com>,
        "akrowiak@linux.ibm.com" <akrowiak@linux.ibm.com>,
        "jjherne@linux.ibm.com" <jjherne@linux.ibm.com>,
        "pasic@linux.ibm.com" <pasic@linux.ibm.com>,
        "zhenyuw@linux.intel.com" <zhenyuw@linux.intel.com>,
        "Wang, Zhi A" <zhi.a.wang@intel.com>,
        "Christopherson,, Sean" <seanjc@google.com>,
        "Tian, Kevin" <kevin.tian@intel.com>,
        "linux-s390@vger.kernel.org" <linux-s390@vger.kernel.org>,
        "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
        "intel-gvt-dev@lists.freedesktop.org" 
        <intel-gvt-dev@lists.freedesktop.org>,
        "intel-gfx@lists.freedesktop.org" <intel-gfx@lists.freedesktop.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH v2] vfio: fix deadlock between group lock and kvm lock
Thread-Topic: [PATCH v2] vfio: fix deadlock between group lock and kvm lock
Thread-Index: AQHZNnJFDhMzPRK6pEGcr6itqpvSQ666vJwAgAA/7dA=
Date:   Thu, 2 Feb 2023 03:46:59 +0000
Message-ID: <DS0PR11MB75298437F96D08758DB92368C3D69@DS0PR11MB7529.namprd11.prod.outlook.com>
References: <20230201192010.42748-1-mjrosato@linux.ibm.com>
 <20230201162730.685b5332.alex.williamson@redhat.com>
In-Reply-To: <20230201162730.685b5332.alex.williamson@redhat.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?W/QUfnDG5tk/AIjnSLZEGEHBPQlQolihrxYfqcHcw9NFKcoctgHqpteqfdg0?=
 =?us-ascii?Q?tong8tmq4JCSxpOQa3tdAeb63KS4h9Zsx7Tk91ZP/wzp7EkV8kwCJmB3rwWw?=
 =?us-ascii?Q?Kw7leGVEb3EkPrQZmc+ZL8GMTltAlsLHe8A3eKduBCA9C566ahdsV2C/9QZC?=
 =?us-ascii?Q?AM1J1bHXt9TDtAyJ2Lgb//agNIdnjKagiX7kARCGEVMsart35fZvFOCVXNr5?=
 =?us-ascii?Q?VAzhyJm2cAhk95IjDxrIPo9B6mD4bUpDnZgCnYmcWKwCuiv2SgtYhyJBWvRS?=
 =?us-ascii?Q?czKKsDZrG1/0clrMp7dkVbxP5+Nn7LUHO7hDLPzLtHSKShJ/kNANx6hp67EN?=
 =?us-ascii?Q?9tsC15Mj0JClLV2viRoPpQpDiSfAjIT55jUW0LdzAXXwVcxD5WzJYUYlJK/v?=
 =?us-ascii?Q?E9l7Q2mFSlU/UCrqO2a2GDZycQ+3lkzvHmhJ8pfNl0ixyJoJNen+qIVpaaEz?=
 =?us-ascii?Q?NxnuBzsSatzdKZbFvcHMwM413OP7W2/6ddLYUa6INxamA8B9jGzbUPEUZF0f?=
 =?us-ascii?Q?TGhb5/9/qa/BtphuYGVtYkkOU2mO5UIBExTTnR2JMuT8s+bDoYERWbPAHdrY?=
 =?us-ascii?Q?4ILMAwYB9dsO0LYDR+vP4hoBlM2+0eev/Qxrn1W38qZLRymXdLg64271lo/8?=
 =?us-ascii?Q?UBKzZ6DBOJjNrHSLBI5G+tIzsnBaCIorvCl0e6a5++x+7BFsClVT3lEHCLsx?=
 =?us-ascii?Q?Q5pQKiaddA7zM/VYPYkN3qPWWXox7/1hLYmodHbxf7C39BV7ebxP/jDMh5lP?=
 =?us-ascii?Q?qG7x4bxqJRCEpckXowZiQPy8JI9DyQEsLlBk/kp8rTLGWimPq3IQf/GVnRFF?=
 =?us-ascii?Q?+SyD7Y+8GEjf3YqDrJfaAenUmzl9QtA00vjgahp0nobXnMQ5FS7cHEuA+OBe?=
 =?us-ascii?Q?Zefviv4wWS2mzQN0opaR+eTVQFlo2amSHlK2Wu7Bxr6nmuHffERnjL7JWIPQ?=
 =?us-ascii?Q?1rk5EZwOuBOJeipTa0LfQ2gU4yVIxmGtskikOrfQUIWKkRV6NUMWlWAExZH2?=
 =?us-ascii?Q?KY+NFPRdGdy4V5K3wTw/J0GFTdXaw3vsivRAmlneq8mjtahSefxuNbHvxSJf?=
 =?us-ascii?Q?u5YQMubDgCuh4RwTWXNED5qJ4OJFWViOeNokglGYRz8Y5F/KBJj+6ZBSO9wP?=
 =?us-ascii?Q?EsadJ/5PEVFp4c0IztFWiAFYBhn/CSqenF5o6OoMEVw/ohAxqs9dVboHssRX?=
 =?us-ascii?Q?fJpNeM5i8KPfSiDKRyjeul0G58PzmdET2YCRj0mH9NvTM8NI1xy4rMKymCsY?=
 =?us-ascii?Q?3GI3YUKi7hc+GVruzglPOYkDE2ogbu1E3YGFgzy6AiO48Nx9Rs7Lg9aGSIDj?=
 =?us-ascii?Q?Pu3Uyn1xOAg4zOobg53lDls2qNXVTAJyXNBIQyfP3Tq57BLiXGe2mLshD8uq?=
 =?us-ascii?Q?cJ2YlNwg4jyz1xweAdA+uN4/PIu9CjYi5pI3F0OYBI42pVP92FFieHZYYY1r?=
 =?us-ascii?Q?WHeb+sP1E+e1ap3GF26N81YYjTyPG894Twww6OYY0liyh4VFxovvbJL37V5o?=
 =?us-ascii?Q?4Ir3LZIiyYgcrzvhxDuDw8DAM6G8pKXmKo2/Y2sJ69XXLN2M0nqANa0bN2d3?=
 =?us-ascii?Q?JrWtPRjFIhiAap9+FviwxMl8WF66ensbZUNq4OJC?=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DS0PR11MB7529.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7ec14ef4-b44c-4200-8954-08db04d02339
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Feb 2023 03:46:59.3582
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 6KKH0XDqF5rMKKzePZZ0oAcOinSK0k3PoxHUwp6fhNes8jV/Yj9S7bb11HznOGe/owFrVnxwzK/kc2l6lOETfw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR11MB7351
X-OriginatorOrg: intel.com
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> From: Alex Williamson <alex.williamson@redhat.com>
> Sent: Thursday, February 2, 2023 7:28 AM
>=20
> On Wed,  1 Feb 2023 14:20:10 -0500
> Matthew Rosato <mjrosato@linux.ibm.com> wrote:
>=20
> > After 51cdc8bc120e, we have another deadlock scenario between the
> > kvm->lock and the vfio group_lock with two different codepaths acquirin=
g
> > the locks in different order.  Specifically in vfio_open_device, vfio
> > holds the vfio group_lock when issuing device->ops->open_device but
> some
> > drivers (like vfio-ap) need to acquire kvm->lock during their open_devi=
ce
> > routine;  Meanwhile, kvm_vfio_release will acquire the kvm->lock first
> > before calling vfio_file_set_kvm which will acquire the vfio group_lock=
.
> >
> > To resolve this, let's remove the need for the vfio group_lock from the
> > kvm_vfio_release codepath.  This is done by introducing a new spinlock =
to
> > protect modifications to the vfio group kvm pointer, and acquiring a kv=
m
> > ref from within vfio while holding this spinlock, with the reference he=
ld
> > until the last close for the device in question.
> >
> > Fixes: 51cdc8bc120e ("kvm/vfio: Fix potential deadlock on vfio group_lo=
ck")
> > Reported-by: Anthony Krowiak <akrowiak@linux.ibm.com>
> > Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
> > Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
> > ---
> > Changes from v1:
> > * use spin_lock instead of spin_lock_irqsave (Jason)
> > * clear device->kvm_put as part of vfio_kvm_put_kvm (Yi)
> > * Re-arrange code to avoid referencing the group contents from within
> >   vfio_main (Kevin) which meant moving most of the code in this patch
> >   to group.c along with getting/dropping of the dev_set lock
> > ---
> >  drivers/vfio/group.c     | 90
> +++++++++++++++++++++++++++++++++++++---
> >  drivers/vfio/vfio.h      |  1 +
> >  drivers/vfio/vfio_main.c | 11 ++---
> >  include/linux/vfio.h     |  2 +-
> >  4 files changed, 91 insertions(+), 13 deletions(-)
> >
> > diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c
> > index bb24b2f0271e..52f434861294 100644
> > --- a/drivers/vfio/group.c
> > +++ b/drivers/vfio/group.c
> > @@ -13,6 +13,9 @@
> >  #include <linux/vfio.h>
> >  #include <linux/iommufd.h>
> >  #include <linux/anon_inodes.h>
> > +#ifdef CONFIG_HAVE_KVM
> > +#include <linux/kvm_host.h>
> > +#endif
> >  #include "vfio.h"
> >
> >  static struct vfio {
> > @@ -154,6 +157,55 @@ static int vfio_group_ioctl_set_container(struct
> vfio_group *group,
> >  	return ret;
> >  }
> >
> > +#ifdef CONFIG_HAVE_KVM
> > +static bool vfio_kvm_get_kvm_safe(struct vfio_device *device, struct
> kvm *kvm)
>=20
> I'm tempted to name these vfio_device_get_kvm_safe() and only pass the
> vfio_device, where of course we can get the kvm pointer from the group
> internally.
>=20
> > +{
> > +	void (*pfn)(struct kvm *kvm);
> > +	bool (*fn)(struct kvm *kvm);
> > +	bool ret;
> > +
>=20
> We should assert_lockdep_held(&device->dev_set->lock) in both of these
> since that seems to be what's protecting device->kvm and
> device->put_kvm.
>=20
> If we change as above to get the kvm pointer from the group within this
> function, we can also move the kvm_ref_lock here, which seems to
> simplify the caller quite a bit.
>=20
> > +	pfn =3D symbol_get(kvm_put_kvm);
> > +	if (WARN_ON(!pfn))
> > +		return false;
> > +
> > +	fn =3D symbol_get(kvm_get_kvm_safe);
> > +	if (WARN_ON(!fn)) {
> > +		symbol_put(kvm_put_kvm);
> > +		return false;
> > +	}
> > +
> > +	ret =3D fn(kvm);
> > +	if (ret)
> > +		device->put_kvm =3D pfn;
> > +	else
> > +		symbol_put(kvm_put_kvm);
> > +
> > +	symbol_put(kvm_get_kvm_safe);
> > +
> > +	return ret;
> > +}
> > +
> > +static void vfio_kvm_put_kvm(struct vfio_device *device)
> > +{
> > +	if (WARN_ON(!device->kvm || !device->put_kvm))
> > +		return;
>=20
> It simplifies the caller if we can use this even in the !device->kvm
> case.
>=20
> > +
> > +	device->put_kvm(device->kvm);
> > +	device->put_kvm =3D NULL;
> > +	symbol_put(kvm_put_kvm);
> > +}
> > +
> > +#else
> > +static bool vfio_kvm_get_kvm_safe(struct vfio_device *device, struct
> kvm *kvm)
> > +{
> > +	return false;
> > +}
> > +
> > +static void vfio_kvm_put_kvm(struct vfio_device *device)
> > +{
> > +}
> > +#endif
> > +
> >  static int vfio_device_group_open(struct vfio_device *device)
> >  {
> >  	int ret;
> > @@ -164,14 +216,32 @@ static int vfio_device_group_open(struct
> vfio_device *device)
> >  		goto out_unlock;
> >  	}
> >
> > +	mutex_lock(&device->dev_set->lock);
> > +
> >  	/*
> > -	 * Here we pass the KVM pointer with the group under the lock.  If
> the
> > -	 * device driver will use it, it must obtain a reference and release =
it
> > -	 * during close_device.
> > +	 * Before the first device open, get the KVM pointer currently
> > +	 * associated with the group (if there is one) and obtain a reference
> > +	 * now that will be held until the open_count reaches 0 again.  Save
> > +	 * the pointer in the device for use by drivers.
> >  	 */
> > +	if (device->open_count =3D=3D 0) {
> > +		spin_lock(&device->group->kvm_ref_lock);
> > +		if (device->group->kvm &&
> > +		    vfio_kvm_get_kvm_safe(device, device->group->kvm))
> > +			device->kvm =3D device->group->kvm;
> > +		spin_unlock(&device->group->kvm_ref_lock);
> > +	}
> > +
> >  	ret =3D vfio_device_open(device, device->group->iommufd,
> >  			       device->group->kvm);
>=20
> We're using device->group->kvm outside of kvm_ref_lock here, it should
> be using device->kvm.

Existing code set device->kvm in the vfio_device_first_open() which is
called by vfio_device_open(). After above change, seems not necessary
to pass kvm pointer into the call chain. Isn't it?

Regards,
Yi Liu