KVM: arm64: vgic: Hold config_lock while tearing down a CPU interface

Tearing down a vcpu CPU interface involves freeing the private interrupt
array. If we don't hold the lock, we may race against another thread
trying to configure it. Yeah, fuzzers do wonderful things...

Taking the lock early solves this particular problem.

Fixes: 03b3d00a70b5 ("KVM: arm64: vgic: Allocate private interrupts on demand")
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20240808091546.3262111-1-maz@kernel.org
Signed-off-by: Oliver Upton <oliver.upton@linux.dev>

diff --git a/arch/arm64/kvm/vgic/vgic-init.c b/arch/arm64/kvm/vgic/vgic-init.c
index 7f68cf58b978fb11c78b4b0bb6d9c15a0625c45b..41feb858ff9a5e2c83046750a8168d578e2f202a 100644 (file)
--- a/arch/arm64/kvm/vgic/vgic-init.c
+++ b/arch/arm64/kvm/vgic/vgic-init.c
@@ -438,14 +438,13 @@ void kvm_vgic_destroy(struct kvm *kvm)
        unsigned long i;
 
        mutex_lock(&kvm->slots_lock);
+       mutex_lock(&kvm->arch.config_lock);
 
        vgic_debug_destroy(kvm);
 
        kvm_for_each_vcpu(i, vcpu, kvm)
                __kvm_vgic_vcpu_destroy(vcpu);
 
-       mutex_lock(&kvm->arch.config_lock);
-
        kvm_vgic_dist_destroy(kvm);
 
        mutex_unlock(&kvm->arch.config_lock);