From: Marc Zyngier <maz@kernel.org>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc: Peter Maydell <peter.maydell@linaro.org>,
qemu-arm@nongnu.org, kvmarm@lists.linux.dev, kvm@vger.kernel.org,
Pengutronix Kernel Team <kernel@pengutronix.de>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
Enrico Joerns <ejo@pengutronix.de>
Subject: Re: [BUG] ARM64 KVM: Data abort executing post-indexed LDR on MMIO address
Date: Sat, 05 Oct 2024 11:31:45 +0100 [thread overview]
Message-ID: <864j5q7sdq.wl-maz@kernel.org> (raw)
In-Reply-To: <4d559b9e-c208-46f3-851a-68086dc8a50f@pengutronix.de>
On Fri, 04 Oct 2024 20:50:18 +0100,
Ahmad Fatoum <a.fatoum@pengutronix.de> wrote:
>
> Hi,
>
> On 04.10.24 14:10, Peter Maydell wrote:
> > On Fri, 4 Oct 2024 at 12:51, Ahmad Fatoum <a.fatoum@pengutronix.de> wrote:
> >> On 04.10.24 12:40, Peter Maydell wrote:
> >>> Don't do this -- KVM doesn't support it. For access to MMIO,
> >>> stick to instructions which will set the ISV bit in ESR_EL1.
> >>>
> >>> That is:
> >>>
> >>> * AArch64 loads and stores of a single general-purpose register
> >>> (including the register specified with 0b11111, including those
> >>> with Acquire/Release semantics, but excluding Load Exclusive
> >>> or Store Exclusive and excluding those with writeback).
> >>> * AArch32 instructions where the instruction:
> >>> - Is an LDR, LDA, LDRT, LDRSH, LDRSHT, LDRH, LDAH, LDRHT,
> >>> LDRSB, LDRSBT, LDRB, LDAB, LDRBT, STR, STL, STRT, STRH,
> >>> STLH, STRHT, STRB, STLB, or STRBT instruction.
> >>> - Is not performing register writeback.
> >>> - Is not using R15 as a source or destination register.
> >>>
> >>> Your instruction is doing writeback. Do the address update
> >>> as a separate instruction.
>
> With readl/writel implemented in assembly, I get beyond that point, but
> now I get a data abort running an DC IVAC instruction on address 0x1000,
> where the cfi-flash is located. This instruction is part of a routine
> to remap the cfi-flash to start a page later, so the zero page can be
> mapped faulting.
>
> Simple reproducer:
>
> start:
> ldr x0, =0x1000
> ldr x1, =0x1040
> bl v8_inv_dcache_range
>
> mov w10, '!'
> bl putch
>
> ret
>
> v8_inv_dcache_range:
> mrs x3, ctr_el0
> lsr x3, x3, #16
> and x3, x3, #0xf
> mov x2, #0x4
> lsl x2, x2, x3
> sub x3, x2, #0x1
> bic x0, x0, x3
> 1:
> dc ivac, x0
> add x0, x0, x2
> cmp x0, x1
> b.cc 1b
> dsb sy
> ret
>
> This prints ! without KVM, but triggers a data abort before that with -enable-kvm:
>
> DABT (current EL) exception (ESR 0x96000010) at 0x0000000000001000
> elr: 000000007fbe0550 lr : 000000007fbe01ac
> [snip]
>
> Call trace:
> [<7fbe0550>] (v8_inv_dcache_range+0x1c/0x34) from [<7fbe0218>] (arch_remap_range+0x64/0x70)
> [<7fbe0218>] (arch_remap_range+0x64/0x70) from [<7fb8795c>] (of_platform_device_create+0x1e8/0x22c)
> [<7fb8795c>] (of_platform_device_create+0x1e8/0x22c) from [<7fb87a04>] (of_platform_bus_create+0x64/0xbc)
> [snip]
>
> Any idea what this is about?
IIRC, the QEMU flash is implemented as a read-only memslot. A data
cache invalidation is a *write*, as it can be (and is) upgraded to a
clean+invalidate by the HW.
KVM cannot satisfy the write, for obvious reasons, and tells the guest
to bugger off (__gfn_to_pfn_memslot() returns KVM_PFN_ERR_RO_FAULT,
which satisfies is_error_noslot_pfn() -- a slight oddity, but hey, why
not).
In the end, you get an exception. We could relax this by
special-casing CMOs to RO memslots, but this doesn't look great.
The real question is: what are you trying to achieve with this?
M.
--
Without deviation from the norm, progress is not possible.
next prev parent reply other threads:[~2024-10-05 10:31 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-04 9:47 [BUG] ARM64 KVM: Data abort executing post-indexed LDR on MMIO address Ahmad Fatoum
2024-10-04 10:40 ` Peter Maydell
2024-10-04 11:51 ` Ahmad Fatoum
2024-10-04 12:10 ` Peter Maydell
2024-10-04 15:52 ` Oliver Upton
2024-10-04 15:57 ` Peter Maydell
2024-10-04 16:21 ` Oliver Upton
2024-10-04 19:50 ` Ahmad Fatoum
2024-10-05 10:31 ` Marc Zyngier [this message]
2024-10-05 18:38 ` Ahmad Fatoum
2024-10-05 21:35 ` Marc Zyngier
2024-10-06 7:59 ` Ahmad Fatoum
2024-10-06 10:28 ` Marc Zyngier
2024-10-09 6:11 ` Ahmad Fatoum
2024-10-09 8:05 ` Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=864j5q7sdq.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=a.fatoum@pengutronix.de \
--cc=ejo@pengutronix.de \
--cc=kernel@pengutronix.de \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-arm@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.