Hi all,

I found a problem with occasionally issuing VMOVP to an unmapped VPE on 
GICv4.1. In my test environment, operating an unmapped VPE will generate 
RAS, so I found this problem. The detailed analysis is as follows.

The vgic_v4_teardown() will be executed when VM is destroyed to free the 
GICv4 data structures. The code is as follows:

/**
 * vgic_v4_teardown - Free the GICv4 data structures
 * @kvm:        Pointer to the VM being destroyed
 */
void vgic_v4_teardown(struct kvm *kvm)
{
        struct its_vm *its_vm = &kvm->arch.vgic.its_vm;
        int i;

        lockdep_assert_held(&kvm->arch.config_lock);

        if (!its_vm->vpes)
                return;

        for (i = 0; i < its_vm->nr_vpes; i++) {
                struct kvm_vcpu *vcpu = kvm_get_vcpu(kvm, i);
                int irq = its_vm->vpes[i]->irq;

                irq_clear_status_flags(irq, DB_IRQ_FLAGS);
                free_irq(irq, vcpu);
        }

        its_free_vcpu_irqs(its_vm);
        kfree(its_vm->vpes);
        its_vm->nr_vpes = 0;
        its_vm->vpes = NULL;
}

[1] In irq_clear_status_flags(irq, DB_IRQ_FLAGS), the status flags of a 
doorbell are cleared. DB_IRQ_FLAGS contains IRQ_NO_BALANCING. So after 
this,the irqbalance.service can schedule the doorbell.
[2] In free_irq(), the VPE is unmaped.
[3] In its_free_vcpu_irqs(its_vm), unregister_irq_proc() is called to 
delete the contents in /proc/irq/xx/ of the doorbell.

For VPEs in large-scale VM, there is a centain time window between [2] 
and [3]. The irqbalance.service got a chance to schedule the doorbell. 
Therefore, the VMOVP is issued to an unmapped VPE.

I tried not clearing IRQ_NO_BALANCING and the problem was solved. But 
it's not clear if there's any other problem with doing so.

Thanks,
Kunkun Jiang