[PATCH] KVM: PPC: Book3S HV: XIVE: fix page offset when clearing ESB pages

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] KVM: PPC: Book3S HV: XIVE: fix page offset when clearing ESB pages
@ 2019-05-28 21:13 ` Cédric Le Goater
  0 siblings, 0 replies; 22+ messages in thread
From: Cédric Le Goater @ 2019-05-28 21:13 UTC (permalink / raw)
  To: Paul Mackerras
  Cc: Alexey Kardashevskiy, David Gibson, Greg Kurz, kvm, kvm-ppc,
	Cédric Le Goater

Under XIVE, the ESB pages of an interrupt are used for interrupt
management (EOI) and triggering. They are made available to guests
through a mapping of the XIVE KVM device.

When a device is passed-through, the passthru_irq helpers,
kvmppc_xive_set_mapped() and kvmppc_xive_clr_mapped(), clear the ESB
pages of the guest IRQ number being mapped and let the VM fault
handler repopulate with the correct page.

The ESB pages are mapped at offset 4 (KVM_XIVE_ESB_PAGE_OFFSET) in the
KVM device mapping. Unfortunately, this offset was not taken into
account when clearing the pages. This lead to issues with the
passthrough devices for which the interrupts were not functional under
some guest configuration (tg3 and single CPU) or in any configuration
(e1000e adapter).

Signed-off-by: CÃ©dric Le Goater <clg@kaod.org>
---

 if unmap_mapping_pages() could be called from a module, we would
 simplify a bit this code.

 arch/powerpc/kvm/book3s_xive_native.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kvm/book3s_xive_native.c b/arch/powerpc/kvm/book3s_xive_native.c
index 8b762e3ebbc5..5596c8ec221a 100644
--- a/arch/powerpc/kvm/book3s_xive_native.c
+++ b/arch/powerpc/kvm/book3s_xive_native.c
@@ -172,6 +172,7 @@ int kvmppc_xive_native_connect_vcpu(struct kvm_device *dev,
 static int kvmppc_xive_native_reset_mapped(struct kvm *kvm, unsigned long irq)
 {
 	struct kvmppc_xive *xive = kvm->arch.xive;
+	pgoff_t esb_pgoff = KVM_XIVE_ESB_PAGE_OFFSET + irq * 2;

 	if (irq >= KVMPPC_XIVE_NR_IRQS)
 		return -EINVAL;
@@ -185,7 +186,7 @@ static int kvmppc_xive_native_reset_mapped(struct kvm *kvm, unsigned long irq)
 	mutex_lock(&xive->mapping_lock);
 	if (xive->mapping)
 		unmap_mapping_range(xive->mapping,
-				    irq * (2ull << PAGE_SHIFT),
+				    esb_pgoff << PAGE_SHIFT,
 				    2ull << PAGE_SHIFT, 1);
 	mutex_unlock(&xive->mapping_lock);
 	return 0;
-- 
2.21.0

^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [PATCH] KVM: PPC: Book3S HV: XIVE: fix page offset when clearing ESB pages
@ 2019-05-28 21:13 ` Cédric Le Goater
  0 siblings, 0 replies; 22+ messages in thread
From: Cédric Le Goater @ 2019-05-28 21:13 UTC (permalink / raw)
  To: Paul Mackerras
  Cc: Alexey Kardashevskiy, David Gibson, Greg Kurz, kvm, kvm-ppc,
	Cédric Le Goater

Under XIVE, the ESB pages of an interrupt are used for interrupt
management (EOI) and triggering. They are made available to guests
through a mapping of the XIVE KVM device.

When a device is passed-through, the passthru_irq helpers,
kvmppc_xive_set_mapped() and kvmppc_xive_clr_mapped(), clear the ESB
pages of the guest IRQ number being mapped and let the VM fault
handler repopulate with the correct page.

The ESB pages are mapped at offset 4 (KVM_XIVE_ESB_PAGE_OFFSET) in the
KVM device mapping. Unfortunately, this offset was not taken into
account when clearing the pages. This lead to issues with the
passthrough devices for which the interrupts were not functional under
some guest configuration (tg3 and single CPU) or in any configuration
(e1000e adapter).

Signed-off-by: Cédric Le Goater <clg@kaod.org>
---

 if unmap_mapping_pages() could be called from a module, we would
 simplify a bit this code.

 arch/powerpc/kvm/book3s_xive_native.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kvm/book3s_xive_native.c b/arch/powerpc/kvm/book3s_xive_native.c
index 8b762e3ebbc5..5596c8ec221a 100644
--- a/arch/powerpc/kvm/book3s_xive_native.c
+++ b/arch/powerpc/kvm/book3s_xive_native.c
@@ -172,6 +172,7 @@ int kvmppc_xive_native_connect_vcpu(struct kvm_device *dev,
 static int kvmppc_xive_native_reset_mapped(struct kvm *kvm, unsigned long irq)
 {
 	struct kvmppc_xive *xive = kvm->arch.xive;
+	pgoff_t esb_pgoff = KVM_XIVE_ESB_PAGE_OFFSET + irq * 2;

 	if (irq >= KVMPPC_XIVE_NR_IRQS)
 		return -EINVAL;
@@ -185,7 +186,7 @@ static int kvmppc_xive_native_reset_mapped(struct kvm *kvm, unsigned long irq)
 	mutex_lock(&xive->mapping_lock);
 	if (xive->mapping)
 		unmap_mapping_range(xive->mapping,
-				    irq * (2ull << PAGE_SHIFT),
+				    esb_pgoff << PAGE_SHIFT,
 				    2ull << PAGE_SHIFT, 1);
 	mutex_unlock(&xive->mapping_lock);
 	return 0;
-- 
2.21.0

^ permalink raw reply related	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: fix page offset when clearing ESB pages
  2019-05-28 21:13 ` Cédric Le Goater
@ 2019-05-29  9:06   ` Greg Kurz
  -1 siblings, 0 replies; 22+ messages in thread
From: Greg Kurz @ 2019-05-29  9:06 UTC (permalink / raw)
  To: Cédric Le Goater
  Cc: Paul Mackerras, Alexey Kardashevskiy, David Gibson, kvm, kvm-ppc

On Tue, 28 May 2019 23:13:24 +0200
Cédric Le Goater <clg@kaod.org> wrote:

> Under XIVE, the ESB pages of an interrupt are used for interrupt
> management (EOI) and triggering. They are made available to guests
> through a mapping of the XIVE KVM device.
> 
> When a device is passed-through, the passthru_irq helpers,
> kvmppc_xive_set_mapped() and kvmppc_xive_clr_mapped(), clear the ESB
> pages of the guest IRQ number being mapped and let the VM fault
> handler repopulate with the correct page.
> 
> The ESB pages are mapped at offset 4 (KVM_XIVE_ESB_PAGE_OFFSET) in the
> KVM device mapping. Unfortunately, this offset was not taken into
> account when clearing the pages. This lead to issues with the

Good catch ! :)

Reviwed-by: Greg Kurz <groug@kaod.org>

> passthrough devices for which the interrupts were not functional under
> some guest configuration (tg3 and single CPU) or in any configuration

And this patch fixes my tg3 use case.

Tested-by: Greg Kurz <groug@kaod.org>

> (e1000e adapter).
> 
> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> ---
> 
>  if unmap_mapping_pages() could be called from a module, we would
>  simplify a bit this code.
> 
>  arch/powerpc/kvm/book3s_xive_native.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/kvm/book3s_xive_native.c b/arch/powerpc/kvm/book3s_xive_native.c
> index 8b762e3ebbc5..5596c8ec221a 100644
> --- a/arch/powerpc/kvm/book3s_xive_native.c
> +++ b/arch/powerpc/kvm/book3s_xive_native.c
> @@ -172,6 +172,7 @@ int kvmppc_xive_native_connect_vcpu(struct kvm_device *dev,
>  static int kvmppc_xive_native_reset_mapped(struct kvm *kvm, unsigned long irq)
>  {
>  	struct kvmppc_xive *xive = kvm->arch.xive;
> +	pgoff_t esb_pgoff = KVM_XIVE_ESB_PAGE_OFFSET + irq * 2;
>  
>  	if (irq >= KVMPPC_XIVE_NR_IRQS)
>  		return -EINVAL;
> @@ -185,7 +186,7 @@ static int kvmppc_xive_native_reset_mapped(struct kvm *kvm, unsigned long irq)
>  	mutex_lock(&xive->mapping_lock);
>  	if (xive->mapping)
>  		unmap_mapping_range(xive->mapping,
> -				    irq * (2ull << PAGE_SHIFT),
> +				    esb_pgoff << PAGE_SHIFT,
>  				    2ull << PAGE_SHIFT, 1);
>  	mutex_unlock(&xive->mapping_lock);
>  	return 0;

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: fix page offset when clearing ESB pages
@ 2019-05-29  9:06   ` Greg Kurz
  0 siblings, 0 replies; 22+ messages in thread
From: Greg Kurz @ 2019-05-29  9:06 UTC (permalink / raw)
  To: Cédric Le Goater
  Cc: Paul Mackerras, Alexey Kardashevskiy, David Gibson, kvm, kvm-ppc

On Tue, 28 May 2019 23:13:24 +0200
Cédric Le Goater <clg@kaod.org> wrote:

> Under XIVE, the ESB pages of an interrupt are used for interrupt
> management (EOI) and triggering. They are made available to guests
> through a mapping of the XIVE KVM device.
> 
> When a device is passed-through, the passthru_irq helpers,
> kvmppc_xive_set_mapped() and kvmppc_xive_clr_mapped(), clear the ESB
> pages of the guest IRQ number being mapped and let the VM fault
> handler repopulate with the correct page.
> 
> The ESB pages are mapped at offset 4 (KVM_XIVE_ESB_PAGE_OFFSET) in the
> KVM device mapping. Unfortunately, this offset was not taken into
> account when clearing the pages. This lead to issues with the

Good catch ! :)

Reviwed-by: Greg Kurz <groug@kaod.org>

> passthrough devices for which the interrupts were not functional under
> some guest configuration (tg3 and single CPU) or in any configuration

And this patch fixes my tg3 use case.

Tested-by: Greg Kurz <groug@kaod.org>

> (e1000e adapter).
> 
> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> ---
> 
>  if unmap_mapping_pages() could be called from a module, we would
>  simplify a bit this code.
> 
>  arch/powerpc/kvm/book3s_xive_native.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/kvm/book3s_xive_native.c b/arch/powerpc/kvm/book3s_xive_native.c
> index 8b762e3ebbc5..5596c8ec221a 100644
> --- a/arch/powerpc/kvm/book3s_xive_native.c
> +++ b/arch/powerpc/kvm/book3s_xive_native.c
> @@ -172,6 +172,7 @@ int kvmppc_xive_native_connect_vcpu(struct kvm_device *dev,
>  static int kvmppc_xive_native_reset_mapped(struct kvm *kvm, unsigned long irq)
>  {
>  	struct kvmppc_xive *xive = kvm->arch.xive;
> +	pgoff_t esb_pgoff = KVM_XIVE_ESB_PAGE_OFFSET + irq * 2;
>  
>  	if (irq >= KVMPPC_XIVE_NR_IRQS)
>  		return -EINVAL;
> @@ -185,7 +186,7 @@ static int kvmppc_xive_native_reset_mapped(struct kvm *kvm, unsigned long irq)
>  	mutex_lock(&xive->mapping_lock);
>  	if (xive->mapping)
>  		unmap_mapping_range(xive->mapping,
> -				    irq * (2ull << PAGE_SHIFT),
> +				    esb_pgoff << PAGE_SHIFT,
>  				    2ull << PAGE_SHIFT, 1);
>  	mutex_unlock(&xive->mapping_lock);
>  	return 0;


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: fix page offset when clearing ESB pages
  2019-05-28 21:13 ` Cédric Le Goater
@ 2019-05-31  6:36   ` Paul Mackerras
  -1 siblings, 0 replies; 22+ messages in thread
From: Paul Mackerras @ 2019-05-31  6:36 UTC (permalink / raw)
  To: Cédric Le Goater
  Cc: Alexey Kardashevskiy, David Gibson, Greg Kurz, kvm, kvm-ppc

On Tue, May 28, 2019 at 11:13:24PM +0200, Cédric Le Goater wrote:
> Under XIVE, the ESB pages of an interrupt are used for interrupt
> management (EOI) and triggering. They are made available to guests
> through a mapping of the XIVE KVM device.
> 
> When a device is passed-through, the passthru_irq helpers,
> kvmppc_xive_set_mapped() and kvmppc_xive_clr_mapped(), clear the ESB
> pages of the guest IRQ number being mapped and let the VM fault
> handler repopulate with the correct page.
> 
> The ESB pages are mapped at offset 4 (KVM_XIVE_ESB_PAGE_OFFSET) in the
> KVM device mapping. Unfortunately, this offset was not taken into
> account when clearing the pages. This lead to issues with the
> passthrough devices for which the interrupts were not functional under
> some guest configuration (tg3 and single CPU) or in any configuration
> (e1000e adapter).
> 
> Signed-off-by: Cédric Le Goater <clg@kaod.org>

Thanks, patch applied to my kvm-ppc-fixes branch.

Paul.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: fix page offset when clearing ESB pages
@ 2019-05-31  6:36   ` Paul Mackerras
  0 siblings, 0 replies; 22+ messages in thread
From: Paul Mackerras @ 2019-05-31  6:36 UTC (permalink / raw)
  To: Cédric Le Goater
  Cc: Alexey Kardashevskiy, David Gibson, Greg Kurz, kvm, kvm-ppc

On Tue, May 28, 2019 at 11:13:24PM +0200, Cédric Le Goater wrote:
> Under XIVE, the ESB pages of an interrupt are used for interrupt
> management (EOI) and triggering. They are made available to guests
> through a mapping of the XIVE KVM device.
> 
> When a device is passed-through, the passthru_irq helpers,
> kvmppc_xive_set_mapped() and kvmppc_xive_clr_mapped(), clear the ESB
> pages of the guest IRQ number being mapped and let the VM fault
> handler repopulate with the correct page.
> 
> The ESB pages are mapped at offset 4 (KVM_XIVE_ESB_PAGE_OFFSET) in the
> KVM device mapping. Unfortunately, this offset was not taken into
> account when clearing the pages. This lead to issues with the
> passthrough devices for which the interrupts were not functional under
> some guest configuration (tg3 and single CPU) or in any configuration
> (e1000e adapter).
> 
> Signed-off-by: Cédric Le Goater <clg@kaod.org>

Thanks, patch applied to my kvm-ppc-fixes branch.

Paul.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
@ 2020-11-05 13:47   ` Cédric Le Goater
  0 siblings, 0 replies; 22+ messages in thread
From: Cédric Le Goater @ 2020-11-05 13:47 UTC (permalink / raw)
  To: Paul Mackerras
  Cc: linuxppc-dev, Michael Ellerman, kvm-ppc, kvm, Greg Kurz,
	Gustavo Romero, David Gibson, Cédric Le Goater

When accessing the ESB page of a source interrupt, the fault handler
will retrieve the page address from the XIVE interrupt 'xive_irq_data'
structure. If the associated KVM XIVE interrupt is not valid, that is
not allocated at the HW level for some reason, the fault handler will
dereference a NULL pointer leading to the oops below :

    WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
    CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
    NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
    REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
    MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
    CFAR: c00000000044b160 IRQMASK: 0
    GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
    GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
    GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
    GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
    GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
    GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
    GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
    GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
    NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
    LR [c00000000044b164] __do_fault+0x64/0x220
    Call Trace:
    [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
    [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
    [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
    [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
    [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
    [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
    [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
    [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
    Instruction dump:
    40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
    7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
    ---[ end trace 66c6ff034c53f64f ]---
    xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !

Fix that by checking the validity of the KVM XIVE interrupt structure.

Reported-by: Greg Kurz <groug@kaod.org>
Signed-off-by: CÃ©dric Le Goater <clg@kaod.org>
---
 arch/powerpc/kvm/book3s_xive_native.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/powerpc/kvm/book3s_xive_native.c b/arch/powerpc/kvm/book3s_xive_native.c
index d0c2db0e07fa..a59a94f02733 100644
--- a/arch/powerpc/kvm/book3s_xive_native.c
+++ b/arch/powerpc/kvm/book3s_xive_native.c
@@ -251,6 +251,13 @@ static vm_fault_t xive_native_esb_fault(struct vm_fault *vmf)
 	}
 
 	state = &sb->irq_state[src];
+
+	/* Some sanity checking */
+	if (!state->valid) {
+		pr_devel("%s: source %lx invalid !\n", __func__, irq);
+		return VM_FAULT_SIGBUS;
+	}
+
 	kvmppc_xive_select_irq(state, &hw_num, &xd);
 
 	arch_spin_lock(&sb->lock);
-- 
2.26.2

^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
@ 2020-11-05 13:47   ` Cédric Le Goater
  0 siblings, 0 replies; 22+ messages in thread
From: Cédric Le Goater @ 2020-11-05 13:47 UTC (permalink / raw)
  To: Paul Mackerras
  Cc: linuxppc-dev, Michael Ellerman, kvm-ppc, kvm, Greg Kurz,
	Gustavo Romero, David Gibson, Cédric Le Goater

When accessing the ESB page of a source interrupt, the fault handler
will retrieve the page address from the XIVE interrupt 'xive_irq_data'
structure. If the associated KVM XIVE interrupt is not valid, that is
not allocated at the HW level for some reason, the fault handler will
dereference a NULL pointer leading to the oops below :

    WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
    CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
    NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
    REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
    MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
    CFAR: c00000000044b160 IRQMASK: 0
    GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
    GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
    GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
    GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
    GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
    GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
    GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
    GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
    NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
    LR [c00000000044b164] __do_fault+0x64/0x220
    Call Trace:
    [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
    [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
    [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
    [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
    [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
    [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
    [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
    [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
    Instruction dump:
    40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
    7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
    ---[ end trace 66c6ff034c53f64f ]---
    xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !

Fix that by checking the validity of the KVM XIVE interrupt structure.

Reported-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
---
 arch/powerpc/kvm/book3s_xive_native.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/powerpc/kvm/book3s_xive_native.c b/arch/powerpc/kvm/book3s_xive_native.c
index d0c2db0e07fa..a59a94f02733 100644
--- a/arch/powerpc/kvm/book3s_xive_native.c
+++ b/arch/powerpc/kvm/book3s_xive_native.c
@@ -251,6 +251,13 @@ static vm_fault_t xive_native_esb_fault(struct vm_fault *vmf)
 	}
 
 	state = &sb->irq_state[src];
+
+	/* Some sanity checking */
+	if (!state->valid) {
+		pr_devel("%s: source %lx invalid !\n", __func__, irq);
+		return VM_FAULT_SIGBUS;
+	}
+
 	kvmppc_xive_select_irq(state, &hw_num, &xd);
 
 	arch_spin_lock(&sb->lock);
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
@ 2020-11-05 13:47   ` Cédric Le Goater
  0 siblings, 0 replies; 22+ messages in thread
From: Cédric Le Goater @ 2020-11-05 13:47 UTC (permalink / raw)
  To: Paul Mackerras
  Cc: kvm, Gustavo Romero, Greg Kurz, kvm-ppc, Cédric Le Goater,
	linuxppc-dev, David Gibson

When accessing the ESB page of a source interrupt, the fault handler
will retrieve the page address from the XIVE interrupt 'xive_irq_data'
structure. If the associated KVM XIVE interrupt is not valid, that is
not allocated at the HW level for some reason, the fault handler will
dereference a NULL pointer leading to the oops below :

    WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
    CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
    NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
    REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
    MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
    CFAR: c00000000044b160 IRQMASK: 0
    GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
    GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
    GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
    GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
    GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
    GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
    GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
    GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
    NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
    LR [c00000000044b164] __do_fault+0x64/0x220
    Call Trace:
    [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
    [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
    [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
    [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
    [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
    [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
    [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
    [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
    Instruction dump:
    40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
    7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
    ---[ end trace 66c6ff034c53f64f ]---
    xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !

Fix that by checking the validity of the KVM XIVE interrupt structure.

Reported-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
---
 arch/powerpc/kvm/book3s_xive_native.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/powerpc/kvm/book3s_xive_native.c b/arch/powerpc/kvm/book3s_xive_native.c
index d0c2db0e07fa..a59a94f02733 100644
--- a/arch/powerpc/kvm/book3s_xive_native.c
+++ b/arch/powerpc/kvm/book3s_xive_native.c
@@ -251,6 +251,13 @@ static vm_fault_t xive_native_esb_fault(struct vm_fault *vmf)
 	}
 
 	state = &sb->irq_state[src];
+
+	/* Some sanity checking */
+	if (!state->valid) {
+		pr_devel("%s: source %lx invalid !\n", __func__, irq);
+		return VM_FAULT_SIGBUS;
+	}
+
 	kvmppc_xive_select_irq(state, &hw_num, &xd);
 
 	arch_spin_lock(&sb->lock);
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
  2020-11-05 13:47   ` Cédric Le Goater
  (?)
@ 2020-11-05 17:41     ` Greg Kurz
  -1 siblings, 0 replies; 22+ messages in thread
From: Greg Kurz @ 2020-11-05 17:41 UTC (permalink / raw)
  To: Cédric Le Goater
  Cc: Paul Mackerras, linuxppc-dev, Michael Ellerman, kvm-ppc, kvm,
	Gustavo Romero, David Gibson

On Thu, 5 Nov 2020 14:47:13 +0100
Cédric Le Goater <clg@kaod.org> wrote:

> When accessing the ESB page of a source interrupt, the fault handler
> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
> structure. If the associated KVM XIVE interrupt is not valid, that is
> not allocated at the HW level for some reason, the fault handler will
> dereference a NULL pointer leading to the oops below :
> 
>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>     CFAR: c00000000044b160 IRQMASK: 0
>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>     LR [c00000000044b164] __do_fault+0x64/0x220
>     Call Trace:
>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>     Instruction dump:
>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>     ---[ end trace 66c6ff034c53f64f ]---
>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
> 
> Fix that by checking the validity of the KVM XIVE interrupt structure.
> 
> Reported-by: Greg Kurz <groug@kaod.org>
> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> ---

Looks sane to me. QEMU still crashes on SIGBUS but no more oops at least.

Tested-by: Greg Kurz <groug@kaod.org>

>  arch/powerpc/kvm/book3s_xive_native.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/arch/powerpc/kvm/book3s_xive_native.c b/arch/powerpc/kvm/book3s_xive_native.c
> index d0c2db0e07fa..a59a94f02733 100644
> --- a/arch/powerpc/kvm/book3s_xive_native.c
> +++ b/arch/powerpc/kvm/book3s_xive_native.c
> @@ -251,6 +251,13 @@ static vm_fault_t xive_native_esb_fault(struct vm_fault *vmf)
>  	}
>  
>  	state = &sb->irq_state[src];
> +
> +	/* Some sanity checking */
> +	if (!state->valid) {
> +		pr_devel("%s: source %lx invalid !\n", __func__, irq);
> +		return VM_FAULT_SIGBUS;
> +	}
> +
>  	kvmppc_xive_select_irq(state, &hw_num, &xd);
>  
>  	arch_spin_lock(&sb->lock);

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
@ 2020-11-05 17:41     ` Greg Kurz
  0 siblings, 0 replies; 22+ messages in thread
From: Greg Kurz @ 2020-11-05 17:41 UTC (permalink / raw)
  To: Cédric Le Goater
  Cc: Paul Mackerras, linuxppc-dev, Michael Ellerman, kvm-ppc, kvm,
	Gustavo Romero, David Gibson

On Thu, 5 Nov 2020 14:47:13 +0100
Cédric Le Goater <clg@kaod.org> wrote:

> When accessing the ESB page of a source interrupt, the fault handler
> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
> structure. If the associated KVM XIVE interrupt is not valid, that is
> not allocated at the HW level for some reason, the fault handler will
> dereference a NULL pointer leading to the oops below :
> 
>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>     CFAR: c00000000044b160 IRQMASK: 0
>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>     LR [c00000000044b164] __do_fault+0x64/0x220
>     Call Trace:
>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>     Instruction dump:
>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>     ---[ end trace 66c6ff034c53f64f ]---
>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
> 
> Fix that by checking the validity of the KVM XIVE interrupt structure.
> 
> Reported-by: Greg Kurz <groug@kaod.org>
> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> ---

Looks sane to me. QEMU still crashes on SIGBUS but no more oops at least.

Tested-by: Greg Kurz <groug@kaod.org>

>  arch/powerpc/kvm/book3s_xive_native.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/arch/powerpc/kvm/book3s_xive_native.c b/arch/powerpc/kvm/book3s_xive_native.c
> index d0c2db0e07fa..a59a94f02733 100644
> --- a/arch/powerpc/kvm/book3s_xive_native.c
> +++ b/arch/powerpc/kvm/book3s_xive_native.c
> @@ -251,6 +251,13 @@ static vm_fault_t xive_native_esb_fault(struct vm_fault *vmf)
>  	}
>  
>  	state = &sb->irq_state[src];
> +
> +	/* Some sanity checking */
> +	if (!state->valid) {
> +		pr_devel("%s: source %lx invalid !\n", __func__, irq);
> +		return VM_FAULT_SIGBUS;
> +	}
> +
>  	kvmppc_xive_select_irq(state, &hw_num, &xd);
>  
>  	arch_spin_lock(&sb->lock);


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
@ 2020-11-05 17:41     ` Greg Kurz
  0 siblings, 0 replies; 22+ messages in thread
From: Greg Kurz @ 2020-11-05 17:41 UTC (permalink / raw)
  To: Cédric Le Goater
  Cc: kvm, Gustavo Romero, kvm-ppc, Paul Mackerras, linuxppc-dev,
	David Gibson

On Thu, 5 Nov 2020 14:47:13 +0100
Cédric Le Goater <clg@kaod.org> wrote:

> When accessing the ESB page of a source interrupt, the fault handler
> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
> structure. If the associated KVM XIVE interrupt is not valid, that is
> not allocated at the HW level for some reason, the fault handler will
> dereference a NULL pointer leading to the oops below :
> 
>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>     CFAR: c00000000044b160 IRQMASK: 0
>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>     LR [c00000000044b164] __do_fault+0x64/0x220
>     Call Trace:
>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>     Instruction dump:
>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>     ---[ end trace 66c6ff034c53f64f ]---
>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
> 
> Fix that by checking the validity of the KVM XIVE interrupt structure.
> 
> Reported-by: Greg Kurz <groug@kaod.org>
> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> ---

Looks sane to me. QEMU still crashes on SIGBUS but no more oops at least.

Tested-by: Greg Kurz <groug@kaod.org>

>  arch/powerpc/kvm/book3s_xive_native.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/arch/powerpc/kvm/book3s_xive_native.c b/arch/powerpc/kvm/book3s_xive_native.c
> index d0c2db0e07fa..a59a94f02733 100644
> --- a/arch/powerpc/kvm/book3s_xive_native.c
> +++ b/arch/powerpc/kvm/book3s_xive_native.c
> @@ -251,6 +251,13 @@ static vm_fault_t xive_native_esb_fault(struct vm_fault *vmf)
>  	}
>  
>  	state = &sb->irq_state[src];
> +
> +	/* Some sanity checking */
> +	if (!state->valid) {
> +		pr_devel("%s: source %lx invalid !\n", __func__, irq);
> +		return VM_FAULT_SIGBUS;
> +	}
> +
>  	kvmppc_xive_select_irq(state, &hw_num, &xd);
>  
>  	arch_spin_lock(&sb->lock);


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
  2020-11-05 13:47   ` Cédric Le Goater
  (?)
@ 2020-11-06  3:19     ` Michael Ellerman
  -1 siblings, 0 replies; 22+ messages in thread
From: Michael Ellerman @ 2020-11-06  3:19 UTC (permalink / raw)
  To: Cédric Le Goater, Paul Mackerras
  Cc: linuxppc-dev, kvm-ppc, kvm, Greg Kurz, Gustavo Romero,
	David Gibson, Cédric Le Goater

Cédric Le Goater <clg@kaod.org> writes:
> When accessing the ESB page of a source interrupt, the fault handler
> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
> structure. If the associated KVM XIVE interrupt is not valid, that is
> not allocated at the HW level for some reason, the fault handler will
> dereference a NULL pointer leading to the oops below :
>
>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>     CFAR: c00000000044b160 IRQMASK: 0
>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>     LR [c00000000044b164] __do_fault+0x64/0x220
>     Call Trace:
>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>     Instruction dump:
>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>     ---[ end trace 66c6ff034c53f64f ]---
>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
>
> Fix that by checking the validity of the KVM XIVE interrupt structure.
>
> Reported-by: Greg Kurz <groug@kaod.org>
> Signed-off-by: Cédric Le Goater <clg@kaod.org>

Fixes ?

cheers

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
@ 2020-11-06  3:19     ` Michael Ellerman
  0 siblings, 0 replies; 22+ messages in thread
From: Michael Ellerman @ 2020-11-06  3:19 UTC (permalink / raw)
  To: Cédric Le Goater, Paul Mackerras
  Cc: linuxppc-dev, kvm-ppc, kvm, Greg Kurz, Gustavo Romero,
	David Gibson, Cédric Le Goater

Cédric Le Goater <clg@kaod.org> writes:
> When accessing the ESB page of a source interrupt, the fault handler
> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
> structure. If the associated KVM XIVE interrupt is not valid, that is
> not allocated at the HW level for some reason, the fault handler will
> dereference a NULL pointer leading to the oops below :
>
>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>     CFAR: c00000000044b160 IRQMASK: 0
>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>     LR [c00000000044b164] __do_fault+0x64/0x220
>     Call Trace:
>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>     Instruction dump:
>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>     ---[ end trace 66c6ff034c53f64f ]---
>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
>
> Fix that by checking the validity of the KVM XIVE interrupt structure.
>
> Reported-by: Greg Kurz <groug@kaod.org>
> Signed-off-by: Cédric Le Goater <clg@kaod.org>

Fixes ?

cheers

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
@ 2020-11-06  3:19     ` Michael Ellerman
  0 siblings, 0 replies; 22+ messages in thread
From: Michael Ellerman @ 2020-11-06  3:19 UTC (permalink / raw)
  To: Cédric Le Goater, Paul Mackerras
  Cc: kvm, Gustavo Romero, Greg Kurz, kvm-ppc, Cédric Le Goater,
	linuxppc-dev, David Gibson

Cédric Le Goater <clg@kaod.org> writes:
> When accessing the ESB page of a source interrupt, the fault handler
> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
> structure. If the associated KVM XIVE interrupt is not valid, that is
> not allocated at the HW level for some reason, the fault handler will
> dereference a NULL pointer leading to the oops below :
>
>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>     CFAR: c00000000044b160 IRQMASK: 0
>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>     LR [c00000000044b164] __do_fault+0x64/0x220
>     Call Trace:
>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>     Instruction dump:
>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>     ---[ end trace 66c6ff034c53f64f ]---
>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
>
> Fix that by checking the validity of the KVM XIVE interrupt structure.
>
> Reported-by: Greg Kurz <groug@kaod.org>
> Signed-off-by: Cédric Le Goater <clg@kaod.org>

Fixes ?

cheers

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
  2020-11-06  3:19     ` Michael Ellerman
  (?)
@ 2020-11-10 22:04       ` Cédric Le Goater
  -1 siblings, 0 replies; 22+ messages in thread
From: Cédric Le Goater @ 2020-11-10 22:04 UTC (permalink / raw)
  To: Michael Ellerman, Paul Mackerras
  Cc: linuxppc-dev, kvm-ppc, kvm, Greg Kurz, Gustavo Romero,
	David Gibson

On 11/6/20 4:19 AM, Michael Ellerman wrote:
> Cédric Le Goater <clg@kaod.org> writes:
>> When accessing the ESB page of a source interrupt, the fault handler
>> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
>> structure. If the associated KVM XIVE interrupt is not valid, that is
>> not allocated at the HW level for some reason, the fault handler will
>> dereference a NULL pointer leading to the oops below :
>>
>>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>>     CFAR: c00000000044b160 IRQMASK: 0
>>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>>     LR [c00000000044b164] __do_fault+0x64/0x220
>>     Call Trace:
>>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>>     Instruction dump:
>>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>>     ---[ end trace 66c6ff034c53f64f ]---
>>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
>>
>> Fix that by checking the validity of the KVM XIVE interrupt structure.
>>
>> Reported-by: Greg Kurz <groug@kaod.org>
>> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> 
> Fixes ?

Ah yes :/  

Cc: stable@vger.kernel.org # v5.2+
Fixes: 6520ca64cde7 ("KVM: PPC: Book3S HV: XIVE: Add a mapping for the source ESB pages")

Since my provider changed its imap servers, my email filters are really screwed 
up and I miss emails. 

Sorry about that,

C.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
@ 2020-11-10 22:04       ` Cédric Le Goater
  0 siblings, 0 replies; 22+ messages in thread
From: Cédric Le Goater @ 2020-11-10 22:04 UTC (permalink / raw)
  To: Michael Ellerman, Paul Mackerras
  Cc: linuxppc-dev, kvm-ppc, kvm, Greg Kurz, Gustavo Romero,
	David Gibson

On 11/6/20 4:19 AM, Michael Ellerman wrote:
> Cédric Le Goater <clg@kaod.org> writes:
>> When accessing the ESB page of a source interrupt, the fault handler
>> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
>> structure. If the associated KVM XIVE interrupt is not valid, that is
>> not allocated at the HW level for some reason, the fault handler will
>> dereference a NULL pointer leading to the oops below :
>>
>>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>>     CFAR: c00000000044b160 IRQMASK: 0
>>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>>     LR [c00000000044b164] __do_fault+0x64/0x220
>>     Call Trace:
>>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>>     Instruction dump:
>>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>>     ---[ end trace 66c6ff034c53f64f ]---
>>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
>>
>> Fix that by checking the validity of the KVM XIVE interrupt structure.
>>
>> Reported-by: Greg Kurz <groug@kaod.org>
>> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> 
> Fixes ?

Ah yes :/  

Cc: stable@vger.kernel.org # v5.2+
Fixes: 6520ca64cde7 ("KVM: PPC: Book3S HV: XIVE: Add a mapping for the source ESB pages")

Since my provider changed its imap servers, my email filters are really screwed 
up and I miss emails. 

Sorry about that,

C.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
@ 2020-11-10 22:04       ` Cédric Le Goater
  0 siblings, 0 replies; 22+ messages in thread
From: Cédric Le Goater @ 2020-11-10 22:04 UTC (permalink / raw)
  To: Michael Ellerman, Paul Mackerras
  Cc: kvm, Gustavo Romero, Greg Kurz, kvm-ppc, linuxppc-dev,
	David Gibson

On 11/6/20 4:19 AM, Michael Ellerman wrote:
> Cédric Le Goater <clg@kaod.org> writes:
>> When accessing the ESB page of a source interrupt, the fault handler
>> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
>> structure. If the associated KVM XIVE interrupt is not valid, that is
>> not allocated at the HW level for some reason, the fault handler will
>> dereference a NULL pointer leading to the oops below :
>>
>>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>>     CFAR: c00000000044b160 IRQMASK: 0
>>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>>     LR [c00000000044b164] __do_fault+0x64/0x220
>>     Call Trace:
>>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>>     Instruction dump:
>>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>>     ---[ end trace 66c6ff034c53f64f ]---
>>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
>>
>> Fix that by checking the validity of the KVM XIVE interrupt structure.
>>
>> Reported-by: Greg Kurz <groug@kaod.org>
>> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> 
> Fixes ?

Ah yes :/  

Cc: stable@vger.kernel.org # v5.2+
Fixes: 6520ca64cde7 ("KVM: PPC: Book3S HV: XIVE: Add a mapping for the source ESB pages")

Since my provider changed its imap servers, my email filters are really screwed 
up and I miss emails. 

Sorry about that,

C.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
  2020-11-10 22:04       ` Cédric Le Goater
  (?)
@ 2020-11-16 12:29         ` Michael Ellerman
  -1 siblings, 0 replies; 22+ messages in thread
From: Michael Ellerman @ 2020-11-16 12:29 UTC (permalink / raw)
  To: Cédric Le Goater, Paul Mackerras
  Cc: linuxppc-dev, kvm-ppc, kvm, Greg Kurz, Gustavo Romero,
	David Gibson

Cédric Le Goater <clg@kaod.org> writes:
> On 11/6/20 4:19 AM, Michael Ellerman wrote:
>> Cédric Le Goater <clg@kaod.org> writes:
>>> When accessing the ESB page of a source interrupt, the fault handler
>>> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
>>> structure. If the associated KVM XIVE interrupt is not valid, that is
>>> not allocated at the HW level for some reason, the fault handler will
>>> dereference a NULL pointer leading to the oops below :
>>>
>>>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>>>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>>>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>>>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>>>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>>>     CFAR: c00000000044b160 IRQMASK: 0
>>>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>>>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>>>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>>>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>>>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>>>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>>>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>>>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>>>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>>>     LR [c00000000044b164] __do_fault+0x64/0x220
>>>     Call Trace:
>>>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>>>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>>>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>>>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>>>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>>>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>>>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>>>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>>>     Instruction dump:
>>>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>>>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>>>     ---[ end trace 66c6ff034c53f64f ]---
>>>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
>>>
>>> Fix that by checking the validity of the KVM XIVE interrupt structure.
>>>
>>> Reported-by: Greg Kurz <groug@kaod.org>
>>> Signed-off-by: Cédric Le Goater <clg@kaod.org>
>> 
>> Fixes ?
>
> Ah yes :/  
>
> Cc: stable@vger.kernel.org # v5.2+
> Fixes: 6520ca64cde7 ("KVM: PPC: Book3S HV: XIVE: Add a mapping for the source ESB pages")
>
> Since my provider changed its imap servers, my email filters are really screwed 
> up and I miss emails. 
>
> Sorry about that,

No worries.

It doesn't look like Paul has grabbed this, so I'll take it.

cheers

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
@ 2020-11-16 12:29         ` Michael Ellerman
  0 siblings, 0 replies; 22+ messages in thread
From: Michael Ellerman @ 2020-11-16 12:29 UTC (permalink / raw)
  To: Cédric Le Goater, Paul Mackerras
  Cc: linuxppc-dev, kvm-ppc, kvm, Greg Kurz, Gustavo Romero,
	David Gibson

Cédric Le Goater <clg@kaod.org> writes:
> On 11/6/20 4:19 AM, Michael Ellerman wrote:
>> Cédric Le Goater <clg@kaod.org> writes:
>>> When accessing the ESB page of a source interrupt, the fault handler
>>> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
>>> structure. If the associated KVM XIVE interrupt is not valid, that is
>>> not allocated at the HW level for some reason, the fault handler will
>>> dereference a NULL pointer leading to the oops below :
>>>
>>>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>>>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>>>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>>>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>>>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>>>     CFAR: c00000000044b160 IRQMASK: 0
>>>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>>>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>>>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>>>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>>>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>>>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>>>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>>>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>>>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>>>     LR [c00000000044b164] __do_fault+0x64/0x220
>>>     Call Trace:
>>>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>>>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>>>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>>>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>>>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>>>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>>>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>>>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>>>     Instruction dump:
>>>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>>>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>>>     ---[ end trace 66c6ff034c53f64f ]---
>>>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
>>>
>>> Fix that by checking the validity of the KVM XIVE interrupt structure.
>>>
>>> Reported-by: Greg Kurz <groug@kaod.org>
>>> Signed-off-by: Cédric Le Goater <clg@kaod.org>
>> 
>> Fixes ?
>
> Ah yes :/  
>
> Cc: stable@vger.kernel.org # v5.2+
> Fixes: 6520ca64cde7 ("KVM: PPC: Book3S HV: XIVE: Add a mapping for the source ESB pages")
>
> Since my provider changed its imap servers, my email filters are really screwed 
> up and I miss emails. 
>
> Sorry about that,

No worries.

It doesn't look like Paul has grabbed this, so I'll take it.

cheers

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
@ 2020-11-16 12:29         ` Michael Ellerman
  0 siblings, 0 replies; 22+ messages in thread
From: Michael Ellerman @ 2020-11-16 12:29 UTC (permalink / raw)
  To: Cédric Le Goater, Paul Mackerras
  Cc: kvm, Gustavo Romero, Greg Kurz, kvm-ppc, linuxppc-dev,
	David Gibson

Cédric Le Goater <clg@kaod.org> writes:
> On 11/6/20 4:19 AM, Michael Ellerman wrote:
>> Cédric Le Goater <clg@kaod.org> writes:
>>> When accessing the ESB page of a source interrupt, the fault handler
>>> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
>>> structure. If the associated KVM XIVE interrupt is not valid, that is
>>> not allocated at the HW level for some reason, the fault handler will
>>> dereference a NULL pointer leading to the oops below :
>>>
>>>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>>>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>>>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>>>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>>>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>>>     CFAR: c00000000044b160 IRQMASK: 0
>>>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>>>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>>>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>>>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>>>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>>>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>>>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>>>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>>>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>>>     LR [c00000000044b164] __do_fault+0x64/0x220
>>>     Call Trace:
>>>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>>>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>>>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>>>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>>>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>>>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>>>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>>>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>>>     Instruction dump:
>>>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>>>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>>>     ---[ end trace 66c6ff034c53f64f ]---
>>>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
>>>
>>> Fix that by checking the validity of the KVM XIVE interrupt structure.
>>>
>>> Reported-by: Greg Kurz <groug@kaod.org>
>>> Signed-off-by: Cédric Le Goater <clg@kaod.org>
>> 
>> Fixes ?
>
> Ah yes :/  
>
> Cc: stable@vger.kernel.org # v5.2+
> Fixes: 6520ca64cde7 ("KVM: PPC: Book3S HV: XIVE: Add a mapping for the source ESB pages")
>
> Since my provider changed its imap servers, my email filters are really screwed 
> up and I miss emails. 
>
> Sorry about that,

No worries.

It doesn't look like Paul has grabbed this, so I'll take it.

cheers

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
  2020-11-05 13:47   ` Cédric Le Goater
                     ` (3 preceding siblings ...)
  (?)
@ 2020-11-17 10:52   ` Michael Ellerman
  -1 siblings, 0 replies; 22+ messages in thread
From: Michael Ellerman @ 2020-11-17 10:52 UTC (permalink / raw)
  To: Paul Mackerras, Cédric Le Goater
  Cc: kvm, Gustavo Romero, Greg Kurz, kvm-ppc, linuxppc-dev,
	David Gibson

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 2811 bytes --]

On Thu, 5 Nov 2020 14:47:13 +0100, Cédric Le Goater wrote:
> When accessing the ESB page of a source interrupt, the fault handler
> will retrieve the page address from the XIVE interrupt 'xive_irq_data'
> structure. If the associated KVM XIVE interrupt is not valid, that is
> not allocated at the HW level for some reason, the fault handler will
> dereference a NULL pointer leading to the oops below :
> 
>     WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm]
>     CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-240.el8.ppc64le #1
>     NIP:  c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8
>     REGS: c000001f69617840 TRAP: 0700   Tainted: G        W        --------- -  -  (4.18.0-240.el8.ppc64le)
>     MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44044282  XER: 00000000
>     CFAR: c00000000044b160 IRQMASK: 0
>     GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10
>     GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff
>     GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
>     GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000
>     GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>     GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90
>     GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78
>     GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011
>     NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm]
>     LR [c00000000044b164] __do_fault+0x64/0x220
>     Call Trace:
>     [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable)
>     [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220
>     [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930
>     [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0
>     [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310
>     [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0
>     [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0
>     [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38
>     Instruction dump:
>     40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac
>     7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018
>     ---[ end trace 66c6ff034c53f64f ]---
>     xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 !
> 
> [...]

Applied to powerpc/fixes.

[1/1] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page
      https://git.kernel.org/powerpc/c/75b49620267c700f0a07fec7f27f69852db70e46

cheers

^ permalink raw reply	[flat|nested] 22+ messages in thread

end of thread, other threads:[~2020-11-17 10:54 UTC | newest]

Thread overview: 22+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-05-28 21:13 [PATCH] KVM: PPC: Book3S HV: XIVE: fix page offset when clearing ESB pages Cédric Le Goater
2019-05-28 21:13 ` Cédric Le Goater
2019-05-29  9:06 ` Greg Kurz
2019-05-29  9:06   ` Greg Kurz
2019-05-31  6:36 ` Paul Mackerras
2019-05-31  6:36   ` Paul Mackerras
2020-11-05 13:47 ` [PATCH] KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page Cédric Le Goater
2020-11-05 13:47   ` Cédric Le Goater
2020-11-05 13:47   ` Cédric Le Goater
2020-11-05 17:41   ` Greg Kurz
2020-11-05 17:41     ` Greg Kurz
2020-11-05 17:41     ` Greg Kurz
2020-11-06  3:19   ` Michael Ellerman
2020-11-06  3:19     ` Michael Ellerman
2020-11-06  3:19     ` Michael Ellerman
2020-11-10 22:04     ` Cédric Le Goater
2020-11-10 22:04       ` Cédric Le Goater
2020-11-10 22:04       ` Cédric Le Goater
2020-11-16 12:29       ` Michael Ellerman
2020-11-16 12:29         ` Michael Ellerman
2020-11-16 12:29         ` Michael Ellerman
2020-11-17 10:52   ` Michael Ellerman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.