From: Marc Zyngier <maz@kernel.org>
To: James Morse <james.morse@arm.com>
Cc: Julien Grall <julien@xen.org>,
kvm@vger.kernel.org, Andre Przywara <Andre.Przywara@arm.com>,
kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v3 5/6] KVM: arm64: vgic-v3: Retire all pending LPIs on vcpu destroy
Date: Thu, 23 Apr 2020 16:13:42 +0100 [thread overview]
Message-ID: <339204221453ecbf3ef8946f8313ad2c@kernel.org> (raw)
In-Reply-To: <b76bf753-caaa-a6ce-9cdc-0fcf05821a56@arm.com>
Hi James,
On 2020-04-23 15:34, James Morse wrote:
> Hi guys,
>
> On 23/04/2020 13:03, Marc Zyngier wrote:
>> On 2020-04-23 12:35, James Morse wrote:
[...]
>>> [ 1742.348215] page dumped because: kasan: bad access detected
>
>> I think this is slightly more concerning. The issue is that we have
>> started freeing parts of the interrupt state already (we free the
>> SPIs early in kvm_vgic_dist_destroy()).
>
> (I took this to be some wild pointer access. Previously for
> use-after-free I've seen it
> print where it was allocated and where it was freed).
This is indeed what I managed to trigger by forcing a pending
SPI (the kvmtool UART interrupt) in the guest and forcefully
terminating it:
[ 3807.084237]
==================================================================
[ 3807.086516] BUG: KASAN: use-after-free in
vgic_flush_pending_lpis+0x54/0x198
[ 3807.088027] Read of size 8 at addr ffff00085514a328 by task
ioeventfd-worke/231
[ 3807.089771]
[ 3807.090911] CPU: 4 PID: 231 Comm: ioeventfd-worke Not tainted
5.7.0-rc2-00086-g2100c066e9a78 #200
[ 3807.092864] Hardware name: FVP Base RevC (DT)
[ 3807.094003] Call trace:
[ 3807.095180] dump_backtrace+0x0/0x268
[ 3807.096445] show_stack+0x1c/0x28
[ 3807.097961] dump_stack+0xe8/0x144
[ 3807.099374] print_address_description.isra.11+0x6c/0x354
[ 3807.101002] __kasan_report+0x110/0x1c8
[ 3807.102332] kasan_report+0x48/0x60
[ 3807.103769] __asan_load8+0x9c/0xc0
[ 3807.105113] vgic_flush_pending_lpis+0x54/0x198
[ 3807.107187] __kvm_vgic_destroy+0x120/0x278
[ 3807.108814] kvm_vgic_destroy+0x30/0x48
[ 3807.110443] kvm_arch_destroy_vm+0x20/0xa8
[ 3807.111868] kvm_put_kvm+0x234/0x460
[ 3807.113697] kvm_vm_release+0x34/0x48
[ 3807.115162] __fput+0x104/0x2f8
[ 3807.116464] ____fput+0x14/0x20
[ 3807.117929] task_work_run+0xbc/0x188
[ 3807.119419] do_exit+0x514/0xff8
[ 3807.120859] do_group_exit+0x78/0x108
[ 3807.122323] get_signal+0x164/0xcc0
[ 3807.123951] do_notify_resume+0x244/0x5e0
[ 3807.125416] work_pending+0x8/0x10
[ 3807.126392]
[ 3807.126969] Allocated by task 229:
[ 3807.128834] save_stack+0x24/0x50
[ 3807.130462] __kasan_kmalloc.isra.10+0xc4/0xe0
[ 3807.132134] kasan_kmalloc+0xc/0x18
[ 3807.133554] __kmalloc+0x174/0x270
[ 3807.135182] vgic_init.part.2+0xe0/0x4f0
[ 3807.136809] vgic_init+0x48/0x58
[ 3807.138095] vgic_set_common_attr.isra.4+0x2fc/0x388
[ 3807.140081] vgic_v3_set_attr+0x8c/0x350
[ 3807.141692] kvm_device_ioctl_attr+0x124/0x190
[ 3807.143260] kvm_device_ioctl+0xe8/0x170
[ 3807.144947] ksys_ioctl+0xb8/0xf8
[ 3807.146575] __arm64_sys_ioctl+0x48/0x60
[ 3807.148365] el0_svc_common.constprop.1+0xc8/0x1c8
[ 3807.150015] do_el0_svc+0x94/0xa0
[ 3807.151605] el0_sync_handler+0x120/0x190
[ 3807.152922] el0_sync+0x140/0x180
[ 3807.153899]
[ 3807.154784] Freed by task 231:
[ 3807.156178] save_stack+0x24/0x50
[ 3807.157805] __kasan_slab_free+0x10c/0x188
[ 3807.159433] kasan_slab_free+0x10/0x18
[ 3807.160897] kfree+0x88/0x350
[ 3807.162570] __kvm_vgic_destroy+0x5c/0x278
[ 3807.164153] kvm_vgic_destroy+0x30/0x48
[ 3807.165780] kvm_arch_destroy_vm+0x20/0xa8
[ 3807.167408] kvm_put_kvm+0x234/0x460
[ 3807.168691] kvm_vm_release+0x34/0x48
[ 3807.170281] __fput+0x104/0x2f8
[ 3807.171870] ____fput+0x14/0x20
[ 3807.173268] task_work_run+0xbc/0x188
[ 3807.174733] do_exit+0x514/0xff8
[ 3807.176242] do_group_exit+0x78/0x108
[ 3807.177434] get_signal+0x164/0xcc0
[ 3807.179289] do_notify_resume+0x244/0x5e0
[ 3807.180755] work_pending+0x8/0x10
[ 3807.181731]
[ 3807.182707] The buggy address belongs to the object at
ffff00085514a000
[ 3807.182707] which belongs to the cache kmalloc-4k of size 4096
[ 3807.185381] The buggy address is located 808 bytes inside of
[ 3807.185381] 4096-byte region [ffff00085514a000, ffff00085514b000)
[ 3807.187591] The buggy address belongs to the page:
[ 3807.189381] page:fffffe0021345200 refcount:1 mapcount:0
mapping:00000000090b1068 index:0x0 head:fffffe0021345200 order:3
compound_mapcount:0 compound_pincount:0
[ 3807.192148] flags: 0x2ffff00000010200(slab|head)
[ 3807.194123] raw: 2ffff00000010200 dead000000000100 dead000000000122
ffff00085a00f200
[ 3807.196379] raw: 0000000000000000 0000000080040004 00000001ffffffff
0000000000000000
[ 3807.198097] page dumped because: kasan: bad access detected
[ 3807.199289]
[ 3807.200123] Memory state around the buggy address:
[ 3807.201750] ffff00085514a200: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.203704] ffff00085514a280: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.205657] >ffff00085514a300: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.207285] ^
[ 3807.208826] ffff00085514a380: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.210812] ffff00085514a400: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.212402]
==================================================================
>> If a SPI was pending or active at this stage (i.e. present in the
>> ap_list), we are going to iterate over memory that has been freed
>> already. This is bad, and this can happen on GICv3 as well.
>
>
>> I think this should solve it, but I need to test it on a GICv2 system:
>>
>> diff --git a/virt/kvm/arm/vgic/vgic-init.c
>> b/virt/kvm/arm/vgic/vgic-init.c
>> index 53ec9b9d9bc43..30dbec9fe0b4a 100644
>> --- a/virt/kvm/arm/vgic/vgic-init.c
>> +++ b/virt/kvm/arm/vgic/vgic-init.c
>> @@ -365,10 +365,10 @@ static void __kvm_vgic_destroy(struct kvm *kvm)
>>
>> vgic_debug_destroy(kvm);
>>
>> - kvm_vgic_dist_destroy(kvm);
>> -
>> kvm_for_each_vcpu(i, vcpu, kvm)
>> kvm_vgic_vcpu_destroy(vcpu);
>> +
>> + kvm_vgic_dist_destroy(kvm);
>> }
>> > void kvm_vgic_destroy(struct kvm *kvm)
>
> This works for me on Juno.
I've verified that the above splat disappears on the FVP too.
I'll squash the fix in, add your RB (which I assume stands)
and send the whole thing as a lockdown present to Paolo!
Thanks,
M.
--
Jazz is not dead. It just smells funny...
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
WARNING: multiple messages have this Message-ID (diff)
From: Marc Zyngier <maz@kernel.org>
To: James Morse <james.morse@arm.com>
Cc: Julien Grall <julien@xen.org>,
kvm@vger.kernel.org, Suzuki K Poulose <suzuki.poulose@arm.com>,
Andre Przywara <Andre.Przywara@arm.com>,
Eric Auger <eric.auger@redhat.com>,
Julien Thierry <julien.thierry.kdev@gmail.com>,
Zenghui Yu <yuzenghui@huawei.com>,
kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v3 5/6] KVM: arm64: vgic-v3: Retire all pending LPIs on vcpu destroy
Date: Thu, 23 Apr 2020 16:13:42 +0100 [thread overview]
Message-ID: <339204221453ecbf3ef8946f8313ad2c@kernel.org> (raw)
In-Reply-To: <b76bf753-caaa-a6ce-9cdc-0fcf05821a56@arm.com>
Hi James,
On 2020-04-23 15:34, James Morse wrote:
> Hi guys,
>
> On 23/04/2020 13:03, Marc Zyngier wrote:
>> On 2020-04-23 12:35, James Morse wrote:
[...]
>>> [ 1742.348215] page dumped because: kasan: bad access detected
>
>> I think this is slightly more concerning. The issue is that we have
>> started freeing parts of the interrupt state already (we free the
>> SPIs early in kvm_vgic_dist_destroy()).
>
> (I took this to be some wild pointer access. Previously for
> use-after-free I've seen it
> print where it was allocated and where it was freed).
This is indeed what I managed to trigger by forcing a pending
SPI (the kvmtool UART interrupt) in the guest and forcefully
terminating it:
[ 3807.084237]
==================================================================
[ 3807.086516] BUG: KASAN: use-after-free in
vgic_flush_pending_lpis+0x54/0x198
[ 3807.088027] Read of size 8 at addr ffff00085514a328 by task
ioeventfd-worke/231
[ 3807.089771]
[ 3807.090911] CPU: 4 PID: 231 Comm: ioeventfd-worke Not tainted
5.7.0-rc2-00086-g2100c066e9a78 #200
[ 3807.092864] Hardware name: FVP Base RevC (DT)
[ 3807.094003] Call trace:
[ 3807.095180] dump_backtrace+0x0/0x268
[ 3807.096445] show_stack+0x1c/0x28
[ 3807.097961] dump_stack+0xe8/0x144
[ 3807.099374] print_address_description.isra.11+0x6c/0x354
[ 3807.101002] __kasan_report+0x110/0x1c8
[ 3807.102332] kasan_report+0x48/0x60
[ 3807.103769] __asan_load8+0x9c/0xc0
[ 3807.105113] vgic_flush_pending_lpis+0x54/0x198
[ 3807.107187] __kvm_vgic_destroy+0x120/0x278
[ 3807.108814] kvm_vgic_destroy+0x30/0x48
[ 3807.110443] kvm_arch_destroy_vm+0x20/0xa8
[ 3807.111868] kvm_put_kvm+0x234/0x460
[ 3807.113697] kvm_vm_release+0x34/0x48
[ 3807.115162] __fput+0x104/0x2f8
[ 3807.116464] ____fput+0x14/0x20
[ 3807.117929] task_work_run+0xbc/0x188
[ 3807.119419] do_exit+0x514/0xff8
[ 3807.120859] do_group_exit+0x78/0x108
[ 3807.122323] get_signal+0x164/0xcc0
[ 3807.123951] do_notify_resume+0x244/0x5e0
[ 3807.125416] work_pending+0x8/0x10
[ 3807.126392]
[ 3807.126969] Allocated by task 229:
[ 3807.128834] save_stack+0x24/0x50
[ 3807.130462] __kasan_kmalloc.isra.10+0xc4/0xe0
[ 3807.132134] kasan_kmalloc+0xc/0x18
[ 3807.133554] __kmalloc+0x174/0x270
[ 3807.135182] vgic_init.part.2+0xe0/0x4f0
[ 3807.136809] vgic_init+0x48/0x58
[ 3807.138095] vgic_set_common_attr.isra.4+0x2fc/0x388
[ 3807.140081] vgic_v3_set_attr+0x8c/0x350
[ 3807.141692] kvm_device_ioctl_attr+0x124/0x190
[ 3807.143260] kvm_device_ioctl+0xe8/0x170
[ 3807.144947] ksys_ioctl+0xb8/0xf8
[ 3807.146575] __arm64_sys_ioctl+0x48/0x60
[ 3807.148365] el0_svc_common.constprop.1+0xc8/0x1c8
[ 3807.150015] do_el0_svc+0x94/0xa0
[ 3807.151605] el0_sync_handler+0x120/0x190
[ 3807.152922] el0_sync+0x140/0x180
[ 3807.153899]
[ 3807.154784] Freed by task 231:
[ 3807.156178] save_stack+0x24/0x50
[ 3807.157805] __kasan_slab_free+0x10c/0x188
[ 3807.159433] kasan_slab_free+0x10/0x18
[ 3807.160897] kfree+0x88/0x350
[ 3807.162570] __kvm_vgic_destroy+0x5c/0x278
[ 3807.164153] kvm_vgic_destroy+0x30/0x48
[ 3807.165780] kvm_arch_destroy_vm+0x20/0xa8
[ 3807.167408] kvm_put_kvm+0x234/0x460
[ 3807.168691] kvm_vm_release+0x34/0x48
[ 3807.170281] __fput+0x104/0x2f8
[ 3807.171870] ____fput+0x14/0x20
[ 3807.173268] task_work_run+0xbc/0x188
[ 3807.174733] do_exit+0x514/0xff8
[ 3807.176242] do_group_exit+0x78/0x108
[ 3807.177434] get_signal+0x164/0xcc0
[ 3807.179289] do_notify_resume+0x244/0x5e0
[ 3807.180755] work_pending+0x8/0x10
[ 3807.181731]
[ 3807.182707] The buggy address belongs to the object at
ffff00085514a000
[ 3807.182707] which belongs to the cache kmalloc-4k of size 4096
[ 3807.185381] The buggy address is located 808 bytes inside of
[ 3807.185381] 4096-byte region [ffff00085514a000, ffff00085514b000)
[ 3807.187591] The buggy address belongs to the page:
[ 3807.189381] page:fffffe0021345200 refcount:1 mapcount:0
mapping:00000000090b1068 index:0x0 head:fffffe0021345200 order:3
compound_mapcount:0 compound_pincount:0
[ 3807.192148] flags: 0x2ffff00000010200(slab|head)
[ 3807.194123] raw: 2ffff00000010200 dead000000000100 dead000000000122
ffff00085a00f200
[ 3807.196379] raw: 0000000000000000 0000000080040004 00000001ffffffff
0000000000000000
[ 3807.198097] page dumped because: kasan: bad access detected
[ 3807.199289]
[ 3807.200123] Memory state around the buggy address:
[ 3807.201750] ffff00085514a200: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.203704] ffff00085514a280: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.205657] >ffff00085514a300: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.207285] ^
[ 3807.208826] ffff00085514a380: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.210812] ffff00085514a400: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.212402]
==================================================================
>> If a SPI was pending or active at this stage (i.e. present in the
>> ap_list), we are going to iterate over memory that has been freed
>> already. This is bad, and this can happen on GICv3 as well.
>
>
>> I think this should solve it, but I need to test it on a GICv2 system:
>>
>> diff --git a/virt/kvm/arm/vgic/vgic-init.c
>> b/virt/kvm/arm/vgic/vgic-init.c
>> index 53ec9b9d9bc43..30dbec9fe0b4a 100644
>> --- a/virt/kvm/arm/vgic/vgic-init.c
>> +++ b/virt/kvm/arm/vgic/vgic-init.c
>> @@ -365,10 +365,10 @@ static void __kvm_vgic_destroy(struct kvm *kvm)
>>
>> vgic_debug_destroy(kvm);
>>
>> - kvm_vgic_dist_destroy(kvm);
>> -
>> kvm_for_each_vcpu(i, vcpu, kvm)
>> kvm_vgic_vcpu_destroy(vcpu);
>> +
>> + kvm_vgic_dist_destroy(kvm);
>> }
>> > void kvm_vgic_destroy(struct kvm *kvm)
>
> This works for me on Juno.
I've verified that the above splat disappears on the FVP too.
I'll squash the fix in, add your RB (which I assume stands)
and send the whole thing as a lockdown present to Paolo!
Thanks,
M.
--
Jazz is not dead. It just smells funny...
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Marc Zyngier <maz@kernel.org>
To: James Morse <james.morse@arm.com>
Cc: Zenghui Yu <yuzenghui@huawei.com>,
linux-arm-kernel@lists.infradead.org,
kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org,
Eric Auger <eric.auger@redhat.com>,
Andre Przywara <Andre.Przywara@arm.com>,
Julien Grall <julien@xen.org>,
Julien Thierry <julien.thierry.kdev@gmail.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>
Subject: Re: [PATCH v3 5/6] KVM: arm64: vgic-v3: Retire all pending LPIs on vcpu destroy
Date: Thu, 23 Apr 2020 16:13:42 +0100 [thread overview]
Message-ID: <339204221453ecbf3ef8946f8313ad2c@kernel.org> (raw)
In-Reply-To: <b76bf753-caaa-a6ce-9cdc-0fcf05821a56@arm.com>
Hi James,
On 2020-04-23 15:34, James Morse wrote:
> Hi guys,
>
> On 23/04/2020 13:03, Marc Zyngier wrote:
>> On 2020-04-23 12:35, James Morse wrote:
[...]
>>> [ 1742.348215] page dumped because: kasan: bad access detected
>
>> I think this is slightly more concerning. The issue is that we have
>> started freeing parts of the interrupt state already (we free the
>> SPIs early in kvm_vgic_dist_destroy()).
>
> (I took this to be some wild pointer access. Previously for
> use-after-free I've seen it
> print where it was allocated and where it was freed).
This is indeed what I managed to trigger by forcing a pending
SPI (the kvmtool UART interrupt) in the guest and forcefully
terminating it:
[ 3807.084237]
==================================================================
[ 3807.086516] BUG: KASAN: use-after-free in
vgic_flush_pending_lpis+0x54/0x198
[ 3807.088027] Read of size 8 at addr ffff00085514a328 by task
ioeventfd-worke/231
[ 3807.089771]
[ 3807.090911] CPU: 4 PID: 231 Comm: ioeventfd-worke Not tainted
5.7.0-rc2-00086-g2100c066e9a78 #200
[ 3807.092864] Hardware name: FVP Base RevC (DT)
[ 3807.094003] Call trace:
[ 3807.095180] dump_backtrace+0x0/0x268
[ 3807.096445] show_stack+0x1c/0x28
[ 3807.097961] dump_stack+0xe8/0x144
[ 3807.099374] print_address_description.isra.11+0x6c/0x354
[ 3807.101002] __kasan_report+0x110/0x1c8
[ 3807.102332] kasan_report+0x48/0x60
[ 3807.103769] __asan_load8+0x9c/0xc0
[ 3807.105113] vgic_flush_pending_lpis+0x54/0x198
[ 3807.107187] __kvm_vgic_destroy+0x120/0x278
[ 3807.108814] kvm_vgic_destroy+0x30/0x48
[ 3807.110443] kvm_arch_destroy_vm+0x20/0xa8
[ 3807.111868] kvm_put_kvm+0x234/0x460
[ 3807.113697] kvm_vm_release+0x34/0x48
[ 3807.115162] __fput+0x104/0x2f8
[ 3807.116464] ____fput+0x14/0x20
[ 3807.117929] task_work_run+0xbc/0x188
[ 3807.119419] do_exit+0x514/0xff8
[ 3807.120859] do_group_exit+0x78/0x108
[ 3807.122323] get_signal+0x164/0xcc0
[ 3807.123951] do_notify_resume+0x244/0x5e0
[ 3807.125416] work_pending+0x8/0x10
[ 3807.126392]
[ 3807.126969] Allocated by task 229:
[ 3807.128834] save_stack+0x24/0x50
[ 3807.130462] __kasan_kmalloc.isra.10+0xc4/0xe0
[ 3807.132134] kasan_kmalloc+0xc/0x18
[ 3807.133554] __kmalloc+0x174/0x270
[ 3807.135182] vgic_init.part.2+0xe0/0x4f0
[ 3807.136809] vgic_init+0x48/0x58
[ 3807.138095] vgic_set_common_attr.isra.4+0x2fc/0x388
[ 3807.140081] vgic_v3_set_attr+0x8c/0x350
[ 3807.141692] kvm_device_ioctl_attr+0x124/0x190
[ 3807.143260] kvm_device_ioctl+0xe8/0x170
[ 3807.144947] ksys_ioctl+0xb8/0xf8
[ 3807.146575] __arm64_sys_ioctl+0x48/0x60
[ 3807.148365] el0_svc_common.constprop.1+0xc8/0x1c8
[ 3807.150015] do_el0_svc+0x94/0xa0
[ 3807.151605] el0_sync_handler+0x120/0x190
[ 3807.152922] el0_sync+0x140/0x180
[ 3807.153899]
[ 3807.154784] Freed by task 231:
[ 3807.156178] save_stack+0x24/0x50
[ 3807.157805] __kasan_slab_free+0x10c/0x188
[ 3807.159433] kasan_slab_free+0x10/0x18
[ 3807.160897] kfree+0x88/0x350
[ 3807.162570] __kvm_vgic_destroy+0x5c/0x278
[ 3807.164153] kvm_vgic_destroy+0x30/0x48
[ 3807.165780] kvm_arch_destroy_vm+0x20/0xa8
[ 3807.167408] kvm_put_kvm+0x234/0x460
[ 3807.168691] kvm_vm_release+0x34/0x48
[ 3807.170281] __fput+0x104/0x2f8
[ 3807.171870] ____fput+0x14/0x20
[ 3807.173268] task_work_run+0xbc/0x188
[ 3807.174733] do_exit+0x514/0xff8
[ 3807.176242] do_group_exit+0x78/0x108
[ 3807.177434] get_signal+0x164/0xcc0
[ 3807.179289] do_notify_resume+0x244/0x5e0
[ 3807.180755] work_pending+0x8/0x10
[ 3807.181731]
[ 3807.182707] The buggy address belongs to the object at
ffff00085514a000
[ 3807.182707] which belongs to the cache kmalloc-4k of size 4096
[ 3807.185381] The buggy address is located 808 bytes inside of
[ 3807.185381] 4096-byte region [ffff00085514a000, ffff00085514b000)
[ 3807.187591] The buggy address belongs to the page:
[ 3807.189381] page:fffffe0021345200 refcount:1 mapcount:0
mapping:00000000090b1068 index:0x0 head:fffffe0021345200 order:3
compound_mapcount:0 compound_pincount:0
[ 3807.192148] flags: 0x2ffff00000010200(slab|head)
[ 3807.194123] raw: 2ffff00000010200 dead000000000100 dead000000000122
ffff00085a00f200
[ 3807.196379] raw: 0000000000000000 0000000080040004 00000001ffffffff
0000000000000000
[ 3807.198097] page dumped because: kasan: bad access detected
[ 3807.199289]
[ 3807.200123] Memory state around the buggy address:
[ 3807.201750] ffff00085514a200: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.203704] ffff00085514a280: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.205657] >ffff00085514a300: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.207285] ^
[ 3807.208826] ffff00085514a380: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.210812] ffff00085514a400: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 3807.212402]
==================================================================
>> If a SPI was pending or active at this stage (i.e. present in the
>> ap_list), we are going to iterate over memory that has been freed
>> already. This is bad, and this can happen on GICv3 as well.
>
>
>> I think this should solve it, but I need to test it on a GICv2 system:
>>
>> diff --git a/virt/kvm/arm/vgic/vgic-init.c
>> b/virt/kvm/arm/vgic/vgic-init.c
>> index 53ec9b9d9bc43..30dbec9fe0b4a 100644
>> --- a/virt/kvm/arm/vgic/vgic-init.c
>> +++ b/virt/kvm/arm/vgic/vgic-init.c
>> @@ -365,10 +365,10 @@ static void __kvm_vgic_destroy(struct kvm *kvm)
>>
>> vgic_debug_destroy(kvm);
>>
>> - kvm_vgic_dist_destroy(kvm);
>> -
>> kvm_for_each_vcpu(i, vcpu, kvm)
>> kvm_vgic_vcpu_destroy(vcpu);
>> +
>> + kvm_vgic_dist_destroy(kvm);
>> }
>> > void kvm_vgic_destroy(struct kvm *kvm)
>
> This works for me on Juno.
I've verified that the above splat disappears on the FVP too.
I'll squash the fix in, add your RB (which I assume stands)
and send the whole thing as a lockdown present to Paolo!
Thanks,
M.
--
Jazz is not dead. It just smells funny...
next prev parent reply other threads:[~2020-04-23 15:13 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-22 16:18 [PATCH v3 0/6] KVM: arm: vgic fixes for 5.7 Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
2020-04-22 16:18 ` [PATCH v3 1/6] KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
2020-04-22 16:18 ` [PATCH v3 2/6] KVM: arm: vgic: Synchronize the whole guest on GIC{D, R}_I{S, C}ACTIVER read Marc Zyngier
2020-04-22 16:18 ` [PATCH v3 2/6] KVM: arm: vgic: Synchronize the whole guest on GIC{D,R}_I{S,C}ACTIVER read Marc Zyngier
2020-04-22 16:18 ` [PATCH v3 2/6] KVM: arm: vgic: Synchronize the whole guest on GIC{D, R}_I{S, C}ACTIVER read Marc Zyngier
2020-04-22 16:18 ` [PATCH v3 3/6] KVM: arm: vgic: Only use the virtual state when userspace accesses enable bits Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
2020-04-22 16:18 ` [PATCH v3 4/6] KVM: arm: vgic-v2: Only use the virtual state when userspace accesses pending bits Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
2020-04-23 11:05 ` James Morse
2020-04-23 11:05 ` James Morse
2020-04-23 11:05 ` James Morse
2020-04-22 16:18 ` [PATCH v3 5/6] KVM: arm64: vgic-v3: Retire all pending LPIs on vcpu destroy Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
2020-04-23 11:35 ` James Morse
2020-04-23 11:35 ` James Morse
2020-04-23 11:35 ` James Morse
2020-04-23 11:57 ` Zenghui Yu
2020-04-23 11:57 ` Zenghui Yu
2020-04-23 11:57 ` Zenghui Yu
2020-04-23 14:34 ` James Morse
2020-04-23 14:34 ` James Morse
2020-04-23 14:34 ` James Morse
2020-04-23 12:03 ` Marc Zyngier
2020-04-23 12:03 ` Marc Zyngier
2020-04-23 12:03 ` Marc Zyngier
2020-04-23 12:18 ` Zenghui Yu
2020-04-23 12:18 ` Zenghui Yu
2020-04-23 12:18 ` Zenghui Yu
2020-04-23 14:34 ` James Morse
2020-04-23 14:34 ` James Morse
2020-04-23 14:34 ` James Morse
2020-04-23 15:13 ` Marc Zyngier [this message]
2020-04-23 15:13 ` Marc Zyngier
2020-04-23 15:13 ` Marc Zyngier
2020-04-22 16:18 ` [PATCH v3 6/6] KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi() Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
2020-04-22 16:18 ` Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=339204221453ecbf3ef8946f8313ad2c@kernel.org \
--to=maz@kernel.org \
--cc=Andre.Przywara@arm.com \
--cc=james.morse@arm.com \
--cc=julien@xen.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.