[PATCH] KVM: x86: ioapic: Fix level-triggered EOI and userspace IOAPIC reconfigure race

Adamos Ttofari <attofari@xxxxxxxxx> · Wed, 7 Dec 2022 09:13:24 +0000

When split-irqchip is used KVM uses ioapic_handled_vectors to identify
which vectors require an exit to userspace IOAPIC. Unfortunately, when the
IOAPIC is reconfigured while the interrupt is being handled, it will use
the newest configuration; therefore, the EOI will not be delivered to
IOAPIC.

A previous commit 0fc5a36dd6b3
("KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race")
fixed the race for kernel ioapic, but the issue still persists for
userspace IOAPIC:

1) Userspace IOAPIC sends a level triggered interrupt to VCPU0.
2) VCPU0's handler reconfigures the IOAPIC to route the interrupts to
   VCPU1. (This can cause userspace IOAPIC to commit a new routing table,
   eventually leading KVM to unset the vector in ioapic_handled_vectors)
3) VCPU0 triggers an EOI, and it's not delivered to userspace IOAPIC
   because the vector bit is not set in ioapic_handled_vectors.
4) The loss of EOI, leaves remote_irr in IOAPIC set. Eventually blocking
   new interrupts.

To avoid the above scenario, we should apply a similar fix like
commit 0fc5a36dd6b3 ("KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC
reconfigure race") Which is to add all pending and running vectors to
ioapic_handled_vectors.

Fixes: 0fc5a36dd6b3 ("KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race")

Signed-off-by: Adamos Ttofari <attofari@xxxxxxxxx>
---
 arch/x86/kvm/irq_comm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/irq_comm.c b/arch/x86/kvm/irq_comm.c
index 0687162c4f22..36d65997a212 100644
--- a/arch/x86/kvm/irq_comm.c
+++ b/arch/x86/kvm/irq_comm.c
@@ -426,8 +426,8 @@ void kvm_scan_ioapic_routes(struct kvm_vcpu *vcpu,
 			kvm_set_msi_irq(vcpu->kvm, entry, &irq);
 
 			if (irq.trig_mode &&
-			    kvm_apic_match_dest(vcpu, NULL, APIC_DEST_NOSHORT,
-						irq.dest_id, irq.dest_mode))
+			    (kvm_apic_match_dest(vcpu, NULL, APIC_DEST_NOSHORT, irq.dest_id,
+				 irq.dest_mode) || kvm_apic_pending_eoi(vcpu, irq.vector)))
 				__set_bit(irq.vector, ioapic_handled_vectors);
 		}
 	}
-- 
2.38.1




Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879









