KVM: fix race with level interrupts

When more than 1 source id is in use for the same GSI, we have the
following race related to handling irq_states race:

CPU 0 clears bit 0. CPU 0 read irq_state as 0. CPU 1 sets level to 1.
CPU 1 calls kvm_ioapic_set_irq(1). CPU 0 calls kvm_ioapic_set_irq(0).
Now ioapic thinks the level is 0 but irq_state is not 0.

Fix by performing all irq_states bitmap handling under pic/ioapic lock.
This also removes the need for atomics with irq_states handling.

Reported-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

3 files changed, 23 insertions, 31 deletions

diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
index 26fd54dc459e..ef61d529a6c4 100644
--- a/virt/kvm/ioapic.c
+++ b/virt/kvm/ioapic.c
@@ -191,7 +191,8 @@ static int ioapic_deliver(struct kvm_ioapic *ioapic, int irq)
         return kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe);
 }
 
-int kvm_ioapic_set_irq(struct kvm_ioapic *ioapic, int irq, int level)
+int kvm_ioapic_set_irq(struct kvm_ioapic *ioapic, int irq, int irq_source_id,
+                       int level)
 {
         u32 old_irr;
         u32 mask = 1 << irq;
@@ -201,9 +202,11 @@ int kvm_ioapic_set_irq(struct kvm_ioapic *ioapic, int irq, int level)
         spin_lock(&ioapic->lock);
         old_irr = ioapic->irr;
         if (irq >= 0 && irq < IOAPIC_NUM_PINS) {
+                int irq_level = __kvm_irq_line_state(&ioapic->irq_states[irq],
+                                                     irq_source_id, level);
                 entry = ioapic->redirtbl[irq];
-                level ^= entry.fields.polarity;
-                if (!level)
+                irq_level ^= entry.fields.polarity;
+                if (!irq_level)
                         ioapic->irr &= ~mask;
                 else {
                         int edge = (entry.fields.trig_mode == IOAPIC_EDGE_TRIG);
@@ -221,6 +224,16 @@ int kvm_ioapic_set_irq(struct kvm_ioapic *ioapic, int irq, int level)
         return ret;
 }
 
+void kvm_ioapic_clear_all(struct kvm_ioapic *ioapic, int irq_source_id)
+{
+        int i;
+
+        spin_lock(&ioapic->lock);
+        for (i = 0; i < KVM_IOAPIC_NUM_PINS; i++)
+                __clear_bit(irq_source_id, &ioapic->irq_states[i]);
+        spin_unlock(&ioapic->lock);
+}
+
 static void __kvm_ioapic_update_eoi(struct kvm_ioapic *ioapic, int vector,
                                      int trigger_mode)
 {
diff --git a/virt/kvm/ioapic.h b/virt/kvm/ioapic.h
index 32872a09b63f..a30abfe6ed16 100644
--- a/virt/kvm/ioapic.h
+++ b/virt/kvm/ioapic.h
@@ -74,7 +74,9 @@ void kvm_ioapic_update_eoi(struct kvm *kvm, int vector, int trigger_mode);
 bool kvm_ioapic_handles_vector(struct kvm *kvm, int vector);
 int kvm_ioapic_init(struct kvm *kvm);
 void kvm_ioapic_destroy(struct kvm *kvm);
-int kvm_ioapic_set_irq(struct kvm_ioapic *ioapic, int irq, int level);
+int kvm_ioapic_set_irq(struct kvm_ioapic *ioapic, int irq, int irq_source_id,
+                       int level);
+void kvm_ioapic_clear_all(struct kvm_ioapic *ioapic, int irq_source_id);
 void kvm_ioapic_reset(struct kvm_ioapic *ioapic);
 int kvm_irq_delivery_to_apic(struct kvm *kvm, struct kvm_lapic *src,
                 struct kvm_lapic_irq *irq);
diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
index a6a0365475ed..cc59c68da032 100644
--- a/virt/kvm/irq_comm.c
+++ b/virt/kvm/irq_comm.c
@@ -33,26 +33,12 @@
 
 #include "ioapic.h"
 
-static inline int kvm_irq_line_state(unsigned long *irq_state,
-                                     int irq_source_id, int level)
-{
-        /* Logical OR for level trig interrupt */
-        if (level)
-                set_bit(irq_source_id, irq_state);
-        else
-                clear_bit(irq_source_id, irq_state);
-
-        return !!(*irq_state);
-}
-
 static int kvm_set_pic_irq(struct kvm_kernel_irq_routing_entry *e,
                            struct kvm *kvm, int irq_source_id, int level)
 {
 #ifdef CONFIG_X86
         struct kvm_pic *pic = pic_irqchip(kvm);
-        level = kvm_irq_line_state(&pic->irq_states[e->irqchip.pin],
-                                   irq_source_id, level);
-        return kvm_pic_set_irq(pic, e->irqchip.pin, level);
+        return kvm_pic_set_irq(pic, e->irqchip.pin, irq_source_id, level);
 #else
         return -1;
 #endif
@@ -62,10 +48,7 @@ static int kvm_set_ioapic_irq(struct kvm_kernel_irq_routing_entry *e,
                               struct kvm *kvm, int irq_source_id, int level)
 {
         struct kvm_ioapic *ioapic = kvm->arch.vioapic;
-        level = kvm_irq_line_state(&ioapic->irq_states[e->irqchip.pin],
-                                   irq_source_id, level);
-
-        return kvm_ioapic_set_irq(ioapic, e->irqchip.pin, level);
+        return kvm_ioapic_set_irq(ioapic, e->irqchip.pin, irq_source_id, level);
 }
 
 inline static bool kvm_is_dm_lowest_prio(struct kvm_lapic_irq *irq)
@@ -249,8 +232,6 @@ unlock:
 
 void kvm_free_irq_source_id(struct kvm *kvm, int irq_source_id)
 {
-        int i;
-
         ASSERT(irq_source_id != KVM_USERSPACE_IRQ_SOURCE_ID);
 
         mutex_lock(&kvm->irq_lock);
@@ -263,14 +244,10 @@ void kvm_free_irq_source_id(struct kvm *kvm, int irq_source_id)
         if (!irqchip_in_kernel(kvm))
                 goto unlock;
 
-        for (i = 0; i < KVM_IOAPIC_NUM_PINS; i++) {
-                clear_bit(irq_source_id, &kvm->arch.vioapic->irq_states[i]);
-                if (i >= 16)
-                        continue;
+        kvm_ioapic_clear_all(kvm->arch.vioapic, irq_source_id);
 #ifdef CONFIG_X86
-                clear_bit(irq_source_id, &pic_irqchip(kvm)->irq_states[i]);
+        kvm_pic_clear_all(pic_irqchip(kvm), irq_source_id);
 #endif
-        }
 unlock:
         mutex_unlock(&kvm->irq_lock);
 }