KVM: x86: clean/fix memory barriers in irqchip_in_kernel

The memory barriers are trying to protect against concurrent RCU-based
interrupt injection, but the IRQ routing table is not valid at the time
kvm->arch.vpic is written.  Fix this by writing kvm->arch.vpic last.
kvm_destroy_pic then need not set kvm->arch.vpic to NULL; modify it
to take a struct kvm_pic* and reuse it if the IOAPIC creation fails.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/arch/x86/kvm/i8259.c b/arch/x86/kvm/i8259.c
index fef922ff263589de97348e76ee4faeaeb5aaeef2..7cc2360f1848e1893a3a554c0a773731a1f3f146 100644 (file)
--- a/arch/x86/kvm/i8259.c
+++ b/arch/x86/kvm/i8259.c
@@ -651,15 +651,10 @@ fail_unlock:
        return NULL;
 }
 
-void kvm_destroy_pic(struct kvm *kvm)
+void kvm_destroy_pic(struct kvm_pic *vpic)
 {
-       struct kvm_pic *vpic = kvm->arch.vpic;
-
-       if (vpic) {
-               kvm_io_bus_unregister_dev(kvm, KVM_PIO_BUS, &vpic->dev_master);
-               kvm_io_bus_unregister_dev(kvm, KVM_PIO_BUS, &vpic->dev_slave);
-               kvm_io_bus_unregister_dev(kvm, KVM_PIO_BUS, &vpic->dev_eclr);
-               kvm->arch.vpic = NULL;
-               kfree(vpic);
-       }
+       kvm_io_bus_unregister_dev(vpic->kvm, KVM_PIO_BUS, &vpic->dev_master);
+       kvm_io_bus_unregister_dev(vpic->kvm, KVM_PIO_BUS, &vpic->dev_slave);
+       kvm_io_bus_unregister_dev(vpic->kvm, KVM_PIO_BUS, &vpic->dev_eclr);
+       kfree(vpic);
 }

diff --git a/arch/x86/kvm/irq.h b/arch/x86/kvm/irq.h
index ad68c73008c57f0c1926f0cec9e83f79fe070252..3d782a2c336aceb4b4fac3092b68f1c3143e1a12 100644 (file)
--- a/arch/x86/kvm/irq.h
+++ b/arch/x86/kvm/irq.h
@@ -74,7 +74,7 @@ struct kvm_pic {
 };
 
 struct kvm_pic *kvm_create_pic(struct kvm *kvm);
-void kvm_destroy_pic(struct kvm *kvm);
+void kvm_destroy_pic(struct kvm_pic *vpic);
 int kvm_pic_read_irq(struct kvm *kvm);
 void kvm_pic_update_irq(struct kvm_pic *s);
 
@@ -85,11 +85,11 @@ static inline struct kvm_pic *pic_irqchip(struct kvm *kvm)
 
 static inline int irqchip_in_kernel(struct kvm *kvm)
 {
-       int ret;
+       struct kvm_pic *vpic = pic_irqchip(kvm);
 
-       ret = (pic_irqchip(kvm) != NULL);
+       /* Read vpic before kvm->irq_routing.  */
        smp_rmb();
-       return ret;
+       return vpic != NULL;
 }
 
 void kvm_pic_reset(struct kvm_kpic_state *s);

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 2d62229aac26c9b54ae141dd9926a8c720ad6ff3..23e47a0b054bafe4b46bd304d26ab08f848c1243 100644 (file)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3626,30 +3626,25 @@ long kvm_arch_vm_ioctl(struct file *filp,
                        r = kvm_ioapic_init(kvm);
                        if (r) {
                                mutex_lock(&kvm->slots_lock);
-                               kvm_io_bus_unregister_dev(kvm, KVM_PIO_BUS,
-                                                         &vpic->dev_master);
-                               kvm_io_bus_unregister_dev(kvm, KVM_PIO_BUS,
-                                                         &vpic->dev_slave);
-                               kvm_io_bus_unregister_dev(kvm, KVM_PIO_BUS,
-                                                         &vpic->dev_eclr);
+                               kvm_destroy_pic(vpic);
                                mutex_unlock(&kvm->slots_lock);
-                               kfree(vpic);
                                goto create_irqchip_unlock;
                        }
                } else
                        goto create_irqchip_unlock;
-               smp_wmb();
-               kvm->arch.vpic = vpic;
-               smp_wmb();
                r = kvm_setup_default_irq_routing(kvm);
                if (r) {
                        mutex_lock(&kvm->slots_lock);
                        mutex_lock(&kvm->irq_lock);
                        kvm_ioapic_destroy(kvm);
-                       kvm_destroy_pic(kvm);
+                       kvm_destroy_pic(vpic);
                        mutex_unlock(&kvm->irq_lock);
                        mutex_unlock(&kvm->slots_lock);
+                       goto create_irqchip_unlock;
                }
+               /* Write kvm->irq_routing before kvm->arch.vpic.  */
+               smp_wmb();
+               kvm->arch.vpic = vpic;
        create_irqchip_unlock:
                mutex_unlock(&kvm->lock);
                break;