• N
    KVM: x86: Fix lost interrupt on irr_pending race · f210f757
    Nadav Amit 提交于
    apic_find_highest_irr assumes irr_pending is set if any vector in APIC_IRR is
    set.  If this assumption is broken and apicv is disabled, the injection of
    interrupts may be deferred until another interrupt is delivered to the guest.
    Ultimately, if no other interrupt should be injected to that vCPU, the pending
    interrupt may be lost.
    
    commit 56cc2406 ("KVM: nVMX: fix "acknowledge interrupt on exit" when APICv
    is in use") changed the behavior of apic_clear_irr so irr_pending is cleared
    after setting APIC_IRR vector. After this commit, if apic_set_irr and
    apic_clear_irr run simultaneously, a race may occur, resulting in APIC_IRR
    vector set, and irr_pending cleared. In the following example, assume a single
    vector is set in IRR prior to calling apic_clear_irr:
    
    apic_set_irr				apic_clear_irr
    ------------				--------------
    apic->irr_pending = true;
    					apic_clear_vector(...);
    					vec = apic_search_irr(apic);
    					// => vec == -1
    apic_set_vector(...);
    					apic->irr_pending = (vec != -1);
    					// => apic->irr_pending == false
    
    Nonetheless, it appears the race might even occur prior to this commit:
    
    apic_set_irr				apic_clear_irr
    ------------				--------------
    apic->irr_pending = true;
    					apic->irr_pending = false;
    					apic_clear_vector(...);
    					if (apic_search_irr(apic) != -1)
    						apic->irr_pending = true;
    					// => apic->irr_pending == false
    apic_set_vector(...);
    
    Fixing this issue by:
    1. Restoring the previous behavior of apic_clear_irr: clear irr_pending, call
       apic_clear_vector, and then if APIC_IRR is non-zero, set irr_pending.
    2. On apic_set_irr: first call apic_set_vector, then set irr_pending.
    Signed-off-by: NNadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
    f210f757
lapic.c 48.5 KB