On Tue, Apr 18, 2023 at 01:57:37PM +0100, Marc Zyngier wrote:
> Per-vcpu flags are updated using a non-atomic RMW operation.
> Which means it is possible to get preempted between the read and
> write operations.
>
> Another interesting thing to note is that preemption also updates
> flags, as we have some flag manipulation in both the load and put
> operations.
>
> It is thus possible to lose information communicated by either
> load or put, as the preempted flag update will overwrite the flags
> when the thread is resumed. This is especially critical if either
> load or put has stored information which depends on the physical
> CPU the vcpu runs on.
>
> This results in really elusive bugs, and kudos must be given to
> Mostafa for the long hours of debugging, and finally spotting
> the problem.
>
> Fix it by disabling preemption during the RMW operation, which
> ensures that the state stays consistent. Also upgrade vcpu_get_flag
> path to use READ_ONCE() to make sure the field is always atomically
> accessed.
>
> Fixes: e87abb73e594 ("KVM: arm64: Add helpers to manipulate vcpu flags among a set")
> Reported-by: Mostafa Saleh <smostafa@xxxxxxxxxx>
> Signed-off-by: Marc Zyngier <maz@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> ---
>
> Notes:
> v2: add READ_ONCE() on the read path, expand commit message

Acked-by: Will Deacon <will@xxxxxxxxxx>

Will
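The lost-update race described in the quoted commit message, as an added user-space model that is not code from the patch, from KVM or from either of the people in this thread. A deterministic "scheduler" hook plays the role of the context switch: it runs the load-side flag update between the read and the write of a non-atomic RMW, once with preemption allowed and once with it disabled across the RMW, as the fix does. Every name here (struct model_vcpu, set_flag_racy, set_flag_fixed, model_preempt_disable, the FLAG_* bits) is constructed for the illustration and stands in for, rather than reproduces, the kernel's own helpers.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the race in the commit message. Nothing here is
 * KVM code: the struct, the helpers and the "scheduler" hook are made up
 * for the illustration.
 */
typedef uint8_t vcpu_flags_t;

#define FLAG_THREAD_SET   (1u << 0) /* set by the vcpu thread's own RMW */
#define FLAG_LOAD_SET     (1u << 1) /* set by the (simulated) load path */

struct model_vcpu {
    vcpu_flags_t flags;
};

/* A "put then load" callback the model scheduler runs on a context switch. */
typedef void (*sched_hook_t)(struct model_vcpu *v);

/* Stand-in for preempt_disable()/preempt_enable(): a nesting counter. */
static int model_preempt_count;
static void model_preempt_disable(void) { model_preempt_count++; }
static void model_preempt_enable(void)  { model_preempt_count--; }

/*
 * The model scheduler: it only runs the put/load hook when preemption is
 * allowed, which is exactly the property the fix relies on.
 */
static void model_maybe_preempt(struct model_vcpu *v, sched_hook_t hook)
{
    if (model_preempt_count == 0 && hook)
        hook(v);
}

/*
 * Model of a READ_ONCE()-style read of the flag word: a volatile load that
 * the compiler may not tear, cache in a register or merge with neighbours.
 */
static vcpu_flags_t model_get_flags(const struct model_vcpu *v)
{
    return *(const volatile vcpu_flags_t *)&v->flags;
}

/* Racy version: read, possible preemption, modify, write. */
static void set_flag_racy(struct model_vcpu *v, vcpu_flags_t f, sched_hook_t hook)
{
    vcpu_flags_t tmp = v->flags;     /* read */
    model_maybe_preempt(v, hook);    /* put()/load() run here and update flags */
    tmp |= f;                        /* modify (on the now-stale copy) */
    v->flags = tmp;                  /* write: clobbers whatever load stored */
}

/* Fixed version: the same RMW with preemption disabled across it. */
static void set_flag_fixed(struct model_vcpu *v, vcpu_flags_t f, sched_hook_t hook)
{
    model_preempt_disable();
    vcpu_flags_t tmp = v->flags;
    model_maybe_preempt(v, hook);    /* no-op now: preemption is disabled */
    tmp |= f;
    v->flags = tmp;
    model_preempt_enable();
    /* The deferred context switch happens here, after our write landed,
     * so load's update is applied on top of ours instead of under it. */
    model_maybe_preempt(v, hook);
}

/* What the load side does in the model: record per-physical-CPU state. */
static void model_load_hook(struct model_vcpu *v)
{
    v->flags |= FLAG_LOAD_SET;
}

/* Run one RMW that is preempted by a load; return the resulting flags. */
vcpu_flags_t run_racy(void)
{
    struct model_vcpu v = { 0 };
    set_flag_racy(&v, FLAG_THREAD_SET, model_load_hook);
    return model_get_flags(&v);
}

vcpu_flags_t run_fixed(void)
{
    struct model_vcpu v = { 0 };
    set_flag_fixed(&v, FLAG_THREAD_SET, model_load_hook);
    return model_get_flags(&v);
}

int main(void)
{
    vcpu_flags_t racy = run_racy();
    printf("racy : flags=0x%02x (load's bit %s)\n", racy,
           (racy & FLAG_LOAD_SET) ? "kept" : "LOST");
    printf("fixed: flags=0x%02x\n", run_fixed());
    return 0;
}
```

The racy path ends with only FLAG_THREAD_SET: the load hook's bit was set on the live word, but the thread's write of its stale copy erased it, which is the "information communicated by load is lost" case. With preemption held off across the read-modify-write the context switch is deferred until the write has landed, so both bits survive. The volatile read in model_get_flags mirrors the READ_ONCE() added on the read path; it does not fix the RMW race by itself, it only guarantees the read is a single, non-torn access.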