Commit a6816314 authored by David Matlack's avatar David Matlack Committed by Sean Christopherson

KVM: Introduce vcpu->wants_to_run



Introduce vcpu->wants_to_run to indicate when a vCPU is in its core run
loop, i.e. when the vCPU is running the KVM_RUN ioctl and immediate_exit
was not set.

Replace all references to vcpu->run->immediate_exit with
!vcpu->wants_to_run to avoid TOCTOU races with userspace. For example, a
malicious userspace could invoke KVM_RUN with immediate_exit=true and
then, after KVM reads it to set wants_to_run=false, flip it to false.
This would result in the vCPU running in KVM_RUN with
wants_to_run=false. This wouldn't cause any real bugs today but is a
dangerous landmine.

Signed-off-by: default avatarDavid Matlack <dmatlack@google.com>
Link: https://lore.kernel.org/r/20240503181734.1467938-2-dmatlack@google.com


Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
parent 438a496b
+1 −1
@@ -1099,7 +1099,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu)

	vcpu_load(vcpu);

	if (run->immediate_exit) {
	if (!vcpu->wants_to_run) {
		ret = -EINTR;
		goto out;
	}
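Review bot: The new condition `if (!vcpu->wants_to_run)` reads a field whose writer is outside every hunk in this commit, so a reader of kvm_arch_vcpu_ioctl_run cannot see why this check is now immune to the immediate_exit race the description explains; a one-line comment at the check would carry that over, e.g. `/* KVM's own snapshot of run->immediate_exit; userspace cannot change it mid-KVM_RUN. */`. The same comment applies to the parallel checks in the hunks at @@ -1266, @@ -436, @@ -1852 and @@ -760. Since the field is presumably set and cleared in common code around each KVM_RUN, any arch path that reads it outside the run loop would see a stale value; that lifecycle is not visible here, so it is worth confirming the clear happens on every exit path before the ioctl returns. kvm_arch_vcpu_ioctl_run starts and ends outside the hunk.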
+1 −1
@@ -1266,7 +1266,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu)
			kvm_complete_iocsr_read(vcpu, run);
	}

	if (run->immediate_exit)
	if (!vcpu->wants_to_run)
		return r;

	/* Clear exit_reason */
+1 −1
@@ -436,7 +436,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu)
		vcpu->mmio_needed = 0;
	}

	if (vcpu->run->immediate_exit)
	if (!vcpu->wants_to_run)
		goto out;

	lose_fpu(1);
+1 −1
@@ -1852,7 +1852,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu)

	kvm_sigset_activate(vcpu);

	if (run->immediate_exit)
	if (!vcpu->wants_to_run)
		r = -EINTR;
	else
		r = kvmppc_vcpu_run(vcpu);
+1 −1
@@ -760,7 +760,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu)
		return ret;
	}

	if (run->immediate_exit) {
	if (!vcpu->wants_to_run) {
		kvm_vcpu_srcu_read_unlock(vcpu);
		return -EINTR;
	}