From: Paolo Bonzini <pbonzini@redhat.com>
To: Marc Zyngier <marc.zyngier@arm.com>
Cc: "kwolf@redhat.com" <kwolf@redhat.com>,
"lersek@redhat.com" <lersek@redhat.com>,
"Richard W.M. Jones" <rjones@redhat.com>,
"stefanha@redhat.com" <stefanha@redhat.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH v2 0/3] AioContext: ctx->dispatching is dead, all hail ctx->notify_me
Date: Fri, 17 Jul 2015 16:04:27 +0200 [thread overview]
Message-ID: <55A90B6B.9040202@redhat.com> (raw)
In-Reply-To: <20150717142826.6da03734@arm.com>
On 17/07/2015 15:28, Marc Zyngier wrote:
> >
> > Marc, does it ring any bell?
> Well, this is an example of a guest accessing non-memory using an
> instruction that we cannot safely emulate - not an IO accessor (load
> multiple, for example).
>
> In this case, we kill the guest (we could as well inject a fault).
Yup, I later found this in the dmesg:
[1875219.903969] kvm [14843]: load/store instruction decoding not implemented
> This vcpu seems to be accessing 0x9000018 (the mmio structure points
> there), but I can't immediately relate it to the content of the
> registers.
0x9000018 is the pl011, which makes some sense.
Have you ever seen a corrupted register dump? The guest RAM goes
from 0x40000000 to 0xbfffffff, so SP is pointing outside memory.
> > PC=00000000bf671210 SP=00000000c00001f0
> > X00=000000000a003e70 X01=0000000000000000 X02=00000000bf680548 X03=0000000000000030
> > X04=00000000bbb5fc18 X05=00000000004b7770 X06=00000000bf721930 X07=000000000000009a
> > X08=00000000bf716858 X09=0000000000000090 X10=0000000000000000 X11=0000000000000046
> > X12=00000000a007e03a X13=0000000000000000 X14=0000000000000000 X15=0000000000000000
> > X16=00000000bf716df0 X17=0000000000000000 X18=0000000000000000 X19=00000000bf6f5f18
> > X20=0000000000000000 X21=0000000000000000 X22=0000000000000000 X23=0000000000000000
> > X24=0000000000000000 X25=0000000000000000 X26=0000000000000000 X27=0000000000000000
> > X28=0000000000000000 X29=0000000000000000 X30=0000000000000000 PSTATE=60000305 (flags -ZC-)
If the register dump is not corrupted, execution went in the weeds...
I don't have the guest anymore but it's just firmware so the memory
contents are well reproducible:
0x00000000bf671200: a97d6ffa ldmdbge sp!, {r1, r3, r4, r5, r6, r7, r8, r9, sl, fp, sp, lr}^
0x00000000bf671204: a97e77fc ldmdbge lr!, {r2, r3, r4, r5, r6, r7, r8, r9, sl, ip, sp, lr}^
0x00000000bf671208: f85f03fe undefined instruction 0xf85f03fe
0x00000000bf67120c: 910803ff strdls r0, [r8, -pc]
0x00000000bf671210: ad7007e0 ldclge 7, cr0, [r0, #-896]!
0x00000000bf671214: ad710fe2 ldclge 15, cr0, [r1, #-904]!
0x00000000bf671218: ad7217e4 ldclge 7, cr1, [r2, #-912]!
0x00000000bf67121c: ad731fe6 ldclge 15, cr1, [r3, #-920]!
0x00000000bf671220: ad7427e8 ldclge 7, cr2, [r4, #-928]!
0x00000000bf671224: ad752fea ldclge 15, cr2, [r5, #-936]!
> What looks a bit weird is that all the registers are clamped to 32bit,
> but the PSTATE indicates it is running in 64bit (EL1h, which makes the
> PC being utterly wrong).
The PC can be okay since UEFI code doesn't really use virtual addressing,
but the other registers are weird indeed.
> What are you running there?
Just firmware. It's a UEFI reboot loop (as soon as you get to the
UEFI shell QEMU exits and the script starts a new one).
The kernel is an old 3.19 one, I'll upgrade and retest.
Paolo
next prev parent reply other threads:[~2015-07-17 14:04 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-16 9:56 [Qemu-devel] [PATCH v2 0/3] AioContext: ctx->dispatching is dead, all hail ctx->notify_me Paolo Bonzini
2015-07-16 9:56 ` [Qemu-devel] [PATCH v2 1/3] tests: remove irrelevant assertions from test-aio Paolo Bonzini
2015-07-16 9:56 ` [Qemu-devel] [PATCH v2 2/3] aio-win32: reorganize polling loop Paolo Bonzini
2015-07-16 9:56 ` [Qemu-devel] [PATCH v2 3/3] AioContext: fix broken ctx->dispatching optimization Paolo Bonzini
2015-07-17 2:25 ` Fam Zheng
2015-07-17 2:27 ` Paolo Bonzini
2015-07-17 4:17 ` Paolo Bonzini
2015-07-17 8:39 ` Stefan Hajnoczi
2015-07-16 11:07 ` [Qemu-devel] [PATCH v2 0/3] AioContext: ctx->dispatching is dead, all hail ctx->notify_me Kevin Wolf
2015-07-16 12:44 ` Richard W.M. Jones
2015-07-16 19:05 ` Richard W.M. Jones
2015-07-16 22:06 ` Paolo Bonzini
2015-07-17 0:17 ` Paolo Bonzini
2015-07-17 4:44 ` Paolo Bonzini
2015-07-17 9:30 ` Paolo Bonzini
2015-07-17 12:58 ` Richard W.M. Jones
2015-07-17 13:02 ` Paolo Bonzini
2015-07-17 13:28 ` Marc Zyngier
2015-07-17 13:39 ` Laszlo Ersek
2015-07-17 13:48 ` Marc Zyngier
2015-07-17 13:53 ` Richard W.M. Jones
2015-07-17 14:03 ` Marc Zyngier
2015-07-17 13:57 ` Laszlo Ersek
2015-07-17 14:04 ` Paolo Bonzini [this message]
2015-07-17 14:18 ` Marc Zyngier
-- strict thread matches above, loose matches on Subject: below --
2015-07-18 20:21 Paolo Bonzini
2015-07-19 10:08 ` Richard W.M. Jones
2015-07-20 16:17 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55A90B6B.9040202@redhat.com \
--to=pbonzini@redhat.com \
--cc=kwolf@redhat.com \
--cc=lersek@redhat.com \
--cc=marc.zyngier@arm.com \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.