From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 2 Jun 2025 07:05:29 +0000 (-0400)
Subject: Merge tag 'kvmarm-fixes-6.16-1' of https://git.kernel.org/pub/scm/linux/kernel/git... 
X-Git-Tag: v6.16-rc1~78^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=61374cc145f4a56377eaf87c7409a97ec7a34041;p=thirdparty%2Flinux.git

Merge tag 'kvmarm-fixes-6.16-1' of https://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD

KVM/arm64 fixes for 6.16, take #1

- Make the irqbypass hooks resilient to changes in the GSI<->MSI
  routing, avoiding behind stale vLPI mappings being left behind. The
  fix is to resolve the VGIC IRQ using the host IRQ (which is stable)
  and nuking the vLPI mapping upon a routing change.

- Close another VGIC race where vCPU creation races with VGIC
  creation, leading to in-flight vCPUs entering the kernel w/o private
  IRQs allocated.

- Fix a build issue triggered by the recently added workaround for
  Ampere's AC04_CPU_23 erratum.

- Correctly sign-extend the VA when emulating a TLBI instruction
  potentially targeting a VNCR mapping.

- Avoid dereferencing a NULL pointer in the VGIC debug code, which can
  happen if the device doesn't have any mapping yet.
---

61374cc145f4a56377eaf87c7409a97ec7a34041
diff --cc arch/arm64/kvm/vgic/vgic-init.c
index 6a426d403a6b3,0611a1c2ce8ef..eb1205654ac89
--- a/arch/arm64/kvm/vgic/vgic-init.c
+++ b/arch/arm64/kvm/vgic/vgic-init.c
@@@ -84,15 -84,40 +84,40 @@@ int kvm_vgic_create(struct kvm *kvm, u3
  		!kvm_vgic_global_state.can_emulate_gicv2)
  		return -ENODEV;
  
- 	/* Must be held to avoid race with vCPU creation */
+ 	/*
+ 	 * Ensure mutual exclusion with vCPU creation and any vCPU ioctls by:
+ 	 *
+ 	 *  - Holding kvm->lock to prevent KVM_CREATE_VCPU from reaching
+ 	 *    kvm_arch_vcpu_precreate() and ensuring created_vcpus is stable.
+ 	 *    This alone is insufficient, as kvm_vm_ioctl_create_vcpu() drops
+ 	 *    the kvm->lock before completing the vCPU creation.
+ 	 */
  	lockdep_assert_held(&kvm->lock);
  
+ 	/*
+ 	 *  - Acquiring the vCPU mutex for every *online* vCPU to prevent
+ 	 *    concurrent vCPU ioctls for vCPUs already visible to userspace.
+ 	 */
  	ret = -EBUSY;
 -	if (!lock_all_vcpus(kvm))
 +	if (kvm_trylock_all_vcpus(kvm))
  		return ret;
  
+ 	/*
+ 	 *  - Taking the config_lock which protects VGIC data structures such
+ 	 *    as the per-vCPU arrays of private IRQs (SGIs, PPIs).
+ 	 */
  	mutex_lock(&kvm->arch.config_lock);
  
+ 	/*
+ 	 * - Bailing on the entire thing if a vCPU is in the middle of creation,
+ 	 *   dropped the kvm->lock, but hasn't reached kvm_arch_vcpu_create().
+ 	 *
+ 	 * The whole combination of this guarantees that no vCPU can get into
+ 	 * KVM with a VGIC configuration inconsistent with the VM's VGIC.
+ 	 */
+ 	if (kvm->created_vcpus != atomic_read(&kvm->online_vcpus))
+ 		goto out_unlock;
+ 
  	if (irqchip_in_kernel(kvm)) {
  		ret = -EEXIST;
  		goto out_unlock;