Description
The problems described here were found during code review for the virtio-iommu specification update, which is discussed at: https://lore.kernel.org/virtio-dev/20230803153238.541803-5-jean-philippe@linaro.org/
Since Linux 6.5, the virtio-iommu driver issues a DETACH for the endpoint of a device that is unplugged: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=809d0810e3520da669d231303608cdf5fe5c1a70
This interacts badly with crosvm:
This limitation is stated in: https://chromium.googlesource.com/crosvm/crosvm/+/fef85d48c85ea6a50b12bcab0ad61d6be17469fd%5E%21/
Such a detach operation is inherently prone to a race condition that can result in a use-after-free in a scenario like the following:
As such, crosvm must not automatically DETACH an endpoint.
Moreover, the automatic DETACH is implemented incorrectly: crosvm destroys the domain even if other endpoints are still attached to it. The relevant code is at: https://chromium.googlesource.com/crosvm/crosvm/+/7cd94642e79a39f740b3a49373e9cdef77e9150d/devices/src/virtio/iommu/sys/unix.rs#69
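The following is an added example, not crosvm's code and not from the issue author. It models the endpoint/domain bookkeeping in Rust (crosvm's language) with hypothetical names (`IommuState`, `detach`, `unplug`, `detach_destroying_domain_unconditionally`). It contrasts a detach that tears down the domain whenever any endpoint leaves, which is the behaviour reported above, with one that tears it down only when the last attached endpoint leaves, and it shows a DETACH arriving for an endpoint the host has already removed being rejected instead of acted on. It models only the bookkeeping, not the cross-thread timing of the race between the device thread and hot-unplug.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// A virtio-iommu endpoint (a device behind the IOMMU). Hypothetical type.
type EndpointId = u32;
/// A virtio-iommu domain (an address space shared by its endpoints). Hypothetical type.
type DomainId = u32;

#[derive(Debug, PartialEq, Eq)]
pub enum DetachError {
    /// The endpoint is not attached anywhere (e.g. it was already unplugged on the host side).
    UnknownEndpoint(EndpointId),
    /// The endpoint is attached, but to a different domain than the request names.
    WrongDomain { endpoint: EndpointId, attached_to: DomainId },
}

/// Hypothetical bookkeeping: a domain exists exactly as long as it has >= 1 attached endpoint.
#[derive(Default, Debug)]
pub struct IommuState {
    endpoints: BTreeMap<EndpointId, DomainId>,
    domains: BTreeMap<DomainId, BTreeSet<EndpointId>>,
}

impl IommuState {
    /// ATTACH: an endpoint belongs to at most one domain, so a re-attach moves it.
    pub fn attach(&mut self, domain: DomainId, endpoint: EndpointId) {
        if let Some(old) = self.endpoints.get(&endpoint).copied() {
            if old == domain {
                return;
            }
            let _ = self.detach(old, endpoint);
        }
        self.endpoints.insert(endpoint, domain);
        self.domains.entry(domain).or_default().insert(endpoint);
    }

    /// DETACH with the check the report asks for: the domain is destroyed only when this
    /// was its last endpoint. Returns Ok(true) if the domain was destroyed.
    pub fn detach(&mut self, domain: DomainId, endpoint: EndpointId) -> Result<bool, DetachError> {
        match self.endpoints.get(&endpoint) {
            None => return Err(DetachError::UnknownEndpoint(endpoint)),
            Some(&attached_to) if attached_to != domain => {
                return Err(DetachError::WrongDomain { endpoint, attached_to })
            }
            Some(_) => {}
        }
        self.endpoints.remove(&endpoint);
        let members = self
            .domains
            .get_mut(&domain)
            .expect("a domain exists while it has attached endpoints");
        members.remove(&endpoint);
        if members.is_empty() {
            self.domains.remove(&domain);
            Ok(true)
        } else {
            Ok(false)
        }
    }

    /// Host-side hot-unplug: the device's endpoint record is removed. A later guest DETACH
    /// for this endpoint must then fail cleanly instead of touching freed state.
    pub fn unplug(&mut self, endpoint: EndpointId) -> bool {
        match self.endpoints.get(&endpoint).copied() {
            Some(domain) => {
                let _ = self.detach(domain, endpoint);
                true
            }
            None => false,
        }
    }

    pub fn domain_exists(&self, domain: DomainId) -> bool {
        self.domains.contains_key(&domain)
    }

    pub fn endpoint_domain(&self, endpoint: EndpointId) -> Option<DomainId> {
        self.endpoints.get(&endpoint).copied()
    }
}

/// The reported behaviour, reduced to its bookkeeping: the domain is dropped on every
/// detach, so sibling endpoints keep pointing at a domain that no longer exists.
pub fn detach_destroying_domain_unconditionally(state: &mut IommuState, domain: DomainId, endpoint: EndpointId) {
    state.endpoints.remove(&endpoint);
    state.domains.remove(&domain);
}

fn main() {
    // Constructed scenario: two endpoints share domain 1, then endpoint 10 is detached.
    let mut correct = IommuState::default();
    correct.attach(1, 10);
    correct.attach(1, 11);
    let destroyed = correct.detach(1, 10);
    println!("checked detach: destroyed={:?}, domain 1 exists={}", destroyed, correct.domain_exists(1));

    let mut buggy = IommuState::default();
    buggy.attach(1, 10);
    buggy.attach(1, 11);
    detach_destroying_domain_unconditionally(&mut buggy, 1, 10);
    println!(
        "unconditional detach: domain 1 exists={}, endpoint 11 still claims domain {:?}",
        buggy.domain_exists(1),
        buggy.endpoint_domain(11)
    );
}
```

The `unplug` path is the host-side event; whether the guest's DETACH for that endpoint then races the host's teardown is a question of ordering between threads that this single-threaded model deliberately leaves out, which is why the report argues crosvm should not detach automatically at all.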
Recommended fixes:
It is proposed to clarify what the guest and host should do with hot-unplug on the virtio-dev thread mentioned above. Please reply to it if you have any questions.