alistair23-linux/virt/kvm/arm/vgic
Zenghui Yu 969ce8b526 KVM: arm64: vgic-v3: Retire all pending LPIs on vcpu destroy
It's likely that the vcpu fails to handle all virtual interrupts if
userspace decides to destroy it, leaving the pending ones in the
ap_list. If the unhandled one is an LPI, its vgic_irq structure will
eventually be leaked because of an extra refcount increment in
vgic_queue_irq_unlock().

This was detected by kmemleak on almost every guest destroy, the
backtrace is as follows:

unreferenced object 0xffff80725aed5500 (size 128):
comm "CPU 5/KVM", pid 40711, jiffies 4298024754 (age 166366.512s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 01 a9 73 6d 80 ff ff ...........sm...
c8 61 ee a9 00 20 ff ff 28 1e 55 81 6c 80 ff ff .a... ..(.U.l...
backtrace:
[<000000004bcaa122>] kmem_cache_alloc_trace+0x2dc/0x418
[<0000000069c7dabb>] vgic_add_lpi+0x88/0x418
[<00000000bfefd5c5>] vgic_its_cmd_handle_mapi+0x4dc/0x588
[<00000000cf993975>] vgic_its_process_commands.part.5+0x484/0x1198
[<000000004bd3f8e3>] vgic_its_process_commands+0x50/0x80
[<00000000b9a65b2b>] vgic_mmio_write_its_cwriter+0xac/0x108
[<0000000009641ebb>] dispatch_mmio_write+0xd0/0x188
[<000000008f79d288>] __kvm_io_bus_write+0x134/0x240
[<00000000882f39ac>] kvm_io_bus_write+0xe0/0x150
[<0000000078197602>] io_mem_abort+0x484/0x7b8
[<0000000060954e3c>] kvm_handle_guest_abort+0x4cc/0xa58
[<00000000e0d0cd65>] handle_exit+0x24c/0x770
[<00000000b44a7fad>] kvm_arch_vcpu_ioctl_run+0x460/0x1988
[<0000000025fb897c>] kvm_vcpu_ioctl+0x4f8/0xee0
[<000000003271e317>] do_vfs_ioctl+0x160/0xcd8
[<00000000e7f39607>] ksys_ioctl+0x98/0xd8

Fix it by retiring all pending LPIs in the ap_list on the destroy path.

p.s. I can also reproduce it on a normal guest shutdown. It is because
userspace still sends LPIs to the vcpu (through the KVM_SIGNAL_MSI ioctl) while
the guest is being shut down and is unable to handle them. A little strange
though, and I haven't dug further...

Reviewed-by: James Morse <james.morse@arm.com>
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
[maz: moved the distributor deallocation down to avoid an UAF splat]
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20200414030349.625-2-yuzenghui@huawei.com
2020-04-23 16:26:56 +01:00
trace.h KVM: arm/arm64: vgic: Use the appropriate TRACE_INCLUDE_PATH 2019-09-11 16:36:19 +01:00
vgic-debug.c KVM: arm64: GICv4.1: Expose HW-based SGIs in debugfs 2020-03-24 12:15:52 +00:00
vgic-init.c KVM: arm64: vgic-v3: Retire all pending LPIs on vcpu destroy 2020-04-23 16:26:56 +01:00
vgic-irqfd.c KVM: arm/arm64: vgic-irqfd: Implement kvm_arch_set_irq_inatomic 2019-08-18 18:38:54 +01:00
vgic-its.c KVM: arm/arm64: vgic-its: Properly check the unmapped coll in DISCARD handler 2020-01-19 18:06:20 +00:00
vgic-kvm-device.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174 2019-05-30 11:26:41 -07:00
vgic-mmio-v2.c KVM: arm: vgic-v2: Only use the virtual state when userspace accesses pending bits 2020-04-23 16:26:31 +01:00
vgic-mmio-v3.c KVM: arm: vgic: Only use the virtual state when userspace accesses enable bits 2020-04-22 17:13:30 +01:00
vgic-mmio.c KVM: arm: vgic-v2: Only use the virtual state when userspace accesses pending bits 2020-04-23 16:26:31 +01:00
vgic-mmio.h KVM: arm: vgic-v2: Only use the virtual state when userspace accesses pending bits 2020-04-23 16:26:31 +01:00
vgic-v2.c * s390: ioctl hardening, selftests 2019-09-18 09:49:13 -07:00
vgic-v3.c KVM: arm64: GICv4.1: Plumb SGI implementation selection in the distributor 2020-03-24 12:15:51 +00:00
vgic-v4.c KVM: arm64: GICv4.1: Allow SGIs to switch between HW and SW interrupts 2020-03-24 12:15:51 +00:00
vgic.c KVM: arm64: vgic-v4: Move the GICv4 residency flow to be driven by vcpu_load/put 2019-10-28 16:20:58 +00:00
vgic.h KVM: arm64: GICv4.1: Allow SGIs to switch between HW and SW interrupts 2020-03-24 12:15:51 +00:00