From patchwork Wed Aug 3 16:13:24 2016
From: Christoffer Dall
To: Marc Zyngier, Andre Przywara, kvmarm@lists.cs.columbia.edu
Cc: Christoffer Dall, linux-arm-kernel@lists.infradead.org, kvm@vger.kernel.org
Subject: [PATCH 2/3] KVM: arm64: vgic-its: Plug race in vgic_put_irq
Date: Wed, 3 Aug 2016 18:13:24 +0200
Message-Id: <20160803161325.14933-3-christoffer.dall@linaro.org>
In-Reply-To: <20160803161325.14933-1-christoffer.dall@linaro.org>
References: <20160803161325.14933-1-christoffer.dall@linaro.org>

Right now the following sequence of events can happen:

1. Thread X calls vgic_put_irq
2. Thread Y calls vgic_add_lpi
3. Thread Y gets lpi_list_lock
4. Thread X drops the ref count to 0 and blocks on lpi_list_lock
5. Thread Y finds the irq via the lpi_list_lock, raises the ref count to 1,
   and releases the lpi_list_lock.
6. Thread X proceeds and frees the irq.

Avoid this by holding the spinlock around the kref_put.

Signed-off-by: Christoffer Dall
---
 virt/kvm/arm/vgic/vgic.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

-- 
2.9.0

diff --git a/virt/kvm/arm/vgic/vgic.c b/virt/kvm/arm/vgic/vgic.c index e7aeac7..fb8c0ab 100644 --- a/virt/kvm/arm/vgic/vgic.c +++ b/virt/kvm/arm/vgic/vgic.c @@ -117,22 +117,22 @@ static void vgic_irq_release(struct kref *ref) void vgic_put_irq(struct kvm *kvm, struct vgic_irq *irq) { - struct vgic_dist *dist; + struct vgic_dist *dist = &kvm->arch.vgic; if (irq->intid < VGIC_MIN_LPI) return; - if (!kref_put(&irq->refcount, vgic_irq_release)) - return; - - dist = &kvm->arch.vgic; - spin_lock(&dist->lpi_list_lock); - list_del(&irq->lpi_list); - dist->lpi_list_count--; - spin_unlock(&dist->lpi_list_lock); + if (!kref_put(&irq->refcount, vgic_irq_release)) { + spin_unlock(&dist->lpi_list_lock); + return; + } else { + list_del(&irq->lpi_list); + dist->lpi_list_count--; + spin_unlock(&dist->lpi_list_lock); - kfree(irq); + kfree(irq); + } } /**
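Review bot: the new vgic_put_irq never acquires lpi_list_lock, yet both branches of the new if/else call spin_unlock(&dist->lpi_list_lock): the hunk removes "- spin_lock(&dist->lpi_list_lock);" without adding a replacement, so after the early intid check the function unlocks a lock it does not hold, which is the opposite of what the commit message ("holding the spinlock around the kref_put") describes. Add "+ spin_lock(&dist->lpi_list_lock);" immediately before the kref_put line so that the decrement, list_del and lpi_list_count-- all run under the lock; without it the race is not plugged and the unbalanced unlock will corrupt the lock state. Minor: the else after return is redundant; list_del, the count decrement, spin_unlock and kfree can follow the if block directly, which keeps the patched function shorter and the diff easier to read.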
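As an added example (not part of the patch or of the kernel sources), a user-space model of the sequence the commit message describes: a lookup that takes a reference under the list lock races a put whose decrement happens outside that lock, beside the ordering the commit message proposes, where the decrement happens inside it. The irq struct, the one-entry list, the mutex and the released flag are simplified stand-ins assumed for this model, and the intid 8192 is a constructed sample value.

```c
#include <pthread.h>
#include <stddef.h>
/* Stand-ins: mutex for the spinlock, int for the kref, one-entry list, released flag for kfree(). */
struct irq { unsigned intid; int refcount; int released; };
static pthread_mutex_t lpi_list_lock = PTHREAD_MUTEX_INITIALIZER;
static struct irq *lpi_list;
/* Thread Y (vgic_add_lpi's lookup): find the LPI and take a ref under the lock. */
static struct irq *lookup_get(unsigned intid)
{
    struct irq *found = NULL;
    pthread_mutex_lock(&lpi_list_lock);
    if (lpi_list && lpi_list->intid == intid) { lpi_list->refcount++; found = lpi_list; }
    pthread_mutex_unlock(&lpi_list_lock);
    return found;
}
/* list_del() + kfree() stand-in; the caller holds lpi_list_lock. */
static void release_locked(struct irq *irq) { lpi_list = NULL; irq->released = 1; }
/* Pre-patch ordering, split where thread X can lose the CPU: the count is
 * dropped outside the lock (step 1) and the irq is freed later (step 2). */
static int put_unlocked_step1(struct irq *irq) { return --irq->refcount == 0; }
static void put_unlocked_step2(struct irq *irq)
{
    pthread_mutex_lock(&lpi_list_lock);
    release_locked(irq);
    pthread_mutex_unlock(&lpi_list_lock);
}
/* Patched ordering: decrement and unlink inside one critical section. */
static void put_locked(struct irq *irq)
{
    pthread_mutex_lock(&lpi_list_lock);
    if (--irq->refcount == 0) release_locked(irq);
    pthread_mutex_unlock(&lpi_list_lock);
}
/* X's final put racing Y's lookup; returns 1 when Y ends up holding a released irq. */
static int simulate(int patched)
{
    static struct irq a; struct irq *y;
    a.intid = 8192; a.refcount = 1; a.released = 0;
    lpi_list = &a;                      /* vgic_add_lpi's insert, count 1 */
    if (patched) {
        put_locked(&a);                 /* X: 1 -> 0 and unlink, atomically */
        y = lookup_get(8192);           /* Y: no longer listed -> NULL */
    } else {
        put_unlocked_step1(&a);         /* X: 1 -> 0, then preempted */
        y = lookup_get(8192);           /* Y: still listed, 0 -> 1 */
        put_unlocked_step2(&a);         /* X: resumes and frees it anyway */
    }
    return y != NULL && y->released;
}
```

simulate(0) reproduces the commit message's steps 4 to 6 deterministically, while simulate(1) shows that with the decrement under the lock the lookup can only observe the irq before its count reaches zero.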