    KVM: arm64: Don't eagerly teardown the vgic on init error · df5fd75e
    Marc Zyngier authored
    As there is very little ordering in the KVM API, userspace can
    instantiate a half-baked GIC (missing its memory map, for example)
    at almost any time.
    
    This means that, with the right timing, a thread running vcpu-0
    can enter the kernel without a GIC configured and get a GIC created
    behind its back by another thread. Amusingly, it will pick up
    that GIC and start messing with the data structures without the
    GIC having been fully initialised.
    
    Similarly, a thread running vcpu-1 can enter the kernel, and try
    to init the GIC that was previously created. Since this GIC isn't
    properly configured (no memory map), it fails to correctly initialise.
    
    And that's the point where we decide to teardown the GIC, freeing all
    its resources. Behind vcpu-0's back. Things stop pretty abruptly,
    with a variety of symptoms.  Clearly, this isn't good, we should be
    a bit more careful about this.
    
    It is obvious that this guest is not viable, as it is missing some
    important part of its configuration. So instead of trying to tear
    bits of it down, let's just mark it as *dead*. It means that any
    further interaction from userspace will result in -EIO. The memory
    will be released on the "normal" path, when userspace gives up.
    
    Cc: stable@vger.kernel.org
    Reported-by: Alexander Potapenko <glider@google.com>
    Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
    Link: https://lore.kernel.org/r/20241009183603.3221824-1-maz@kernel.org
    Signed-off-by: Marc Zyngier <maz@kernel.org>