[5/6] KVM: x86/xen: fix recursive deadlock in timer injection

Commit Message

David Woodhouse Feb. 17, 2024, 11:27 a.m. UTC

From: David Woodhouse <dwmw@amazon.co.uk>

The fast-path timer delivery introduced a recursive locking deadlock
when userspace configures a timer which has already expired and is
delivered immediately. The call to kvm_xen_inject_timer_irqs() can
call to kvm_xen_set_evtchn() which may take kvm->arch.xen.xen_lock,
which is already held in kvm_xen_vcpu_get_attr().

 ============================================
 WARNING: possible recursive locking detected
 6.8.0-smp--5e10b4d51d77-drs #232 Tainted: G           O
 --------------------------------------------
 xen_shinfo_test/250013 is trying to acquire lock:
 ffff938c9930cc30 (&kvm->arch.xen.xen_lock){+.+.}-{3:3}, at: kvm_xen_set_evtchn+0x74/0x170 [kvm]

 but task is already holding lock:
 ffff938c9930cc30 (&kvm->arch.xen.xen_lock){+.+.}-{3:3}, at: kvm_xen_vcpu_get_attr+0x38/0x250 [kvm]

Now that the gfn_to_pfn_cache has its own self-sufficient locking, its
callers no longer need to ensure serialization, so just stop taking
kvm->arch.xen.xen_lock from kvm_xen_set_evtchn().

Fixes: 77c9b9dea4fb ("KVM: x86/xen: Use fast path for Xen timer delivery")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
---
 arch/x86/kvm/xen.c | 4 ----
 1 file changed, 4 deletions(-)

Comments

Paul Durrant Feb. 19, 2024, 9:01 a.m. UTC | #1

On 17/02/2024 11:27, David Woodhouse wrote:
> From: David Woodhouse <dwmw@amazon.co.uk>
> 
> The fast-path timer delivery introduced a recursive locking deadlock
> when userspace configures a timer which has already expired and is
> delivered immediately. The call to kvm_xen_inject_timer_irqs() can
> call to kvm_xen_set_evtchn() which may take kvm->arch.xen.xen_lock,
> which is already held in kvm_xen_vcpu_get_attr().
> 
>   ============================================
>   WARNING: possible recursive locking detected
>   6.8.0-smp--5e10b4d51d77-drs #232 Tainted: G           O
>   --------------------------------------------
>   xen_shinfo_test/250013 is trying to acquire lock:
>   ffff938c9930cc30 (&kvm->arch.xen.xen_lock){+.+.}-{3:3}, at: kvm_xen_set_evtchn+0x74/0x170 [kvm]
> 
>   but task is already holding lock:
>   ffff938c9930cc30 (&kvm->arch.xen.xen_lock){+.+.}-{3:3}, at: kvm_xen_vcpu_get_attr+0x38/0x250 [kvm]
> 
> Now that the gfn_to_pfn_cache has its own self-sufficient locking, its
> callers no longer need to ensure serialization, so just stop taking
> kvm->arch.xen.xen_lock from kvm_xen_set_evtchn().
> 
> Fixes: 77c9b9dea4fb ("KVM: x86/xen: Use fast path for Xen timer delivery")
> Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
> ---
>   arch/x86/kvm/xen.c | 4 ----
>   1 file changed, 4 deletions(-)
> 

Reviewed-by: Paul Durrant <paul@xen.org>

Patch

diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
index e6c7353e5315..706af2935277 100644
--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -1903,8 +1903,6 @@  static int kvm_xen_set_evtchn(struct kvm_xen_evtchn *xe, struct kvm *kvm)
 		mm_borrowed = true;
 	}
 
-	mutex_lock(&kvm->arch.xen.xen_lock);
-
 	/*
 	 * It is theoretically possible for the page to be unmapped
 	 * and the MMU notifier to invalidate the shared_info before
@@ -1932,8 +1930,6 @@  static int kvm_xen_set_evtchn(struct kvm_xen_evtchn *xe, struct kvm *kvm)
 		srcu_read_unlock(&kvm->srcu, idx);
 	} while(!rc);
 
-	mutex_unlock(&kvm->arch.xen.xen_lock);
-
 	if (mm_borrowed)
 		kthread_unuse_mm(kvm->mm);