public inbox for kvm@vger.kernel.org
From: David Sauerwein <dssauerw@amazon.de>
To: <jingzhangos@google.com>
Cc: <andre.przywara@arm.com>, <coltonlewis@google.com>,
	<eauger@redhat.com>, <jiangkunkun@huawei.com>,
	<joey.gouly@arm.com>, <kvm@vger.kernel.org>,
	<kvmarm@lists.linux.dev>, <linux-arm-kernel@lists.infradead.org>,
	<lishusen2@huawei.com>, <maz@kernel.org>, <oupton@google.com>,
	<pbonzini@redhat.com>, <rananta@google.com>,
	<suzuki.poulose@arm.com>, <yuzenghui@huawei.com>,
	<graf@amazon.com>, <nh-open-source@amazon.com>
Subject: Re: [PATCH v4 5/5] KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE
Date: Mon, 12 May 2025 14:09:09 +0000	[thread overview]
Message-ID: <20250512140909.3464-1-dssauerw@amazon.de> (raw)
In-Reply-To: <20241107214137.428439-6-jingzhangos@google.com>

Hi Jing,

After pulling this patch in via the v6.6.64 and v5.10.226 LTS releases, I see
NULL pointer dereferences in some guests. The dereference happens in different
parts of the kernel outside of the GIC driver (file systems, NVMe driver,
etc.). The issue only appears once every few hundred DISCARDs / guest boots.
Reverting the commit does fix the problem. I have seen multiple different guest
kernel versions (4.14, 5.15) and distributions exhibit this issue.

The issue looks like some kind of race. I think the guest re-uses the memory
allocated for the ITT before the hypervisor is actually done with the DISCARD
command, i.e. before it zeros the ITE. From what I can tell, the guest should
wait for the command to finish via its_wait_for_range_completion(). I tried
locking reads to its->cwriter in vgic_mmio_read_its_cwriter() and its->creadr
in vgic_mmio_read_its_creadr() with its->cmd_lock in the hypervisor kernel, but
that did not help. I also instrumented the guest kernel both via printk() and
trace events. In both cases the issue disappears once the instrumentation is in
place, so I'm not able to fully observe what is happening on the guest side.

Do you have an idea of what might cause the issue?

David



Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
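The handshake the report hinges on is the ITS command queue: the guest appends a command and bumps GITS_CWRITER, the ITS (here, KVM's emulation) consumes commands and advances GITS_CREADR, and the guest must not treat a command as done until CREADR has moved past it. The model below is an added example, not code from the kernel, the patch, or the message above. It is single-threaded and simplified (32-byte commands, CREADR/CWRITER as byte offsets into an 8-slot queue, a flat ITT of 8-byte entries, a hypothetical `CMD_DISCARD` opcode constant); all function and structure names are invented for the example. It shows the consequence of reusing the ITT memory before the DISCARD has been consumed: the emulated ITS's clearing write, which the patch under discussion adds, lands on whatever the memory now holds.

```c
/* Added example: a single-threaded model of the GICv3 ITS command-queue
 * handshake between a guest and an ITS emulation that clears the ITE when
 * it processes DISCARD. Layout and names are simplified assumptions, not
 * the kernel's. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITS_CMD_SIZE   32              /* bytes per ITS command */
#define ITS_CMD_QUEUE  8               /* slots in the model command queue */
#define ITS_QUEUE_BYTES (ITS_CMD_QUEUE * ITS_CMD_SIZE)
#define ITT_ENTRIES    16
#define CMD_DISCARD    0x0F            /* assumed opcode byte for the model */

struct its_cmd { uint8_t raw[ITS_CMD_SIZE]; };

/* Guest memory backing a device's ITT; the emulation writes into it. */
struct itt { uint64_t ite[ITT_ENTRIES]; };

struct model_its {
	struct its_cmd queue[ITS_CMD_QUEUE];
	uint32_t cwriter;   /* byte offset advanced by the guest */
	uint32_t creadr;    /* byte offset advanced by the emulation */
	struct itt *itt;    /* ITT of the one modelled device */
};

/* Guest side: enqueue a DISCARD for event @ev and advance CWRITER.
 * Returns the byte offset of the slot so the caller can wait for it. */
static uint32_t guest_issue_discard(struct model_its *its, uint32_t ev)
{
	struct its_cmd *cmd = &its->queue[its->cwriter / ITS_CMD_SIZE];
	uint32_t slot = its->cwriter;

	memset(cmd, 0, sizeof(*cmd));
	cmd->raw[0] = CMD_DISCARD;
	memcpy(&cmd->raw[8], &ev, sizeof(ev));
	its->cwriter = (its->cwriter + ITS_CMD_SIZE) % ITS_QUEUE_BYTES;
	return slot;
}

/* Emulation side: consume one pending command, if any, and advance CREADR.
 * DISCARD clears the ITE in guest memory, as the patch does. */
static bool its_process_one(struct model_its *its)
{
	struct its_cmd *cmd;

	if (its->creadr == its->cwriter)
		return false;
	cmd = &its->queue[its->creadr / ITS_CMD_SIZE];
	if (cmd->raw[0] == CMD_DISCARD) {
		uint32_t ev;

		memcpy(&ev, &cmd->raw[8], sizeof(ev));
		if (ev < ITT_ENTRIES)
			its->itt->ite[ev] = 0;
	}
	its->creadr = (its->creadr + ITS_CMD_SIZE) % ITS_QUEUE_BYTES;
	return true;
}

/* Guest side: spin until CREADR has passed @slot. In this model the spin is
 * what drives the emulation forward; in a real guest the hypervisor runs
 * concurrently and the guest polls the CREADR register. */
static void guest_wait_for_completion(struct model_its *its, uint32_t slot)
{
	uint32_t done = (slot + ITS_CMD_SIZE) % ITS_QUEUE_BYTES;

	while (its->creadr != done)
		its_process_one(its);
}

/* Scenario: the guest discards event 3, then hands the ITT memory to a new
 * owner that stores a pointer where ite[3] used to be. Returns true if the
 * new owner's pointer was clobbered to NULL by the late DISCARD processing. */
static bool run_scenario(bool wait_before_reuse)
{
	static struct itt itt;
	struct model_its its = { .itt = &itt };
	uint64_t object = 0x1234;
	uint64_t *reused = &itt.ite[3];
	uint32_t slot;

	memset(&itt, 0, sizeof(itt));
	itt.ite[3] = 0x2a;                   /* live mapping for event 3 */

	slot = guest_issue_discard(&its, 3);
	if (wait_before_reuse)
		guest_wait_for_completion(&its, slot);

	*reused = (uint64_t)(uintptr_t)&object;   /* memory reused by new owner */

	while (its_process_one(&its))        /* emulation catches up later */
		;
	return *reused == 0;
}

int main(void)
{
	printf("wait for CREADR before reuse: clobbered=%d\n", run_scenario(true));
	printf("reuse before CREADR advances: clobbered=%d\n", run_scenario(false));
	return 0;
}
```

The model only shows that the ordering in the message's hypothesis produces the observed symptom (a pointer-sized zero in memory the guest believes it owns); it does not show where in the real guest or hypervisor the ordering is lost, which is the open question in the thread.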



Thread overview: 12+ messages
2024-11-07 21:41 [PATCH v4 0/5] Some fixes about vgic-its Jing Zhang
2024-11-07 21:41 ` [PATCH v4 1/5] KVM: selftests: aarch64: Add VGIC selftest for save/restore ITS table mappings Jing Zhang
2024-11-07 21:41 ` [PATCH v4 2/5] KVM: arm64: vgic-its: Add read/write helpers on ITS table entries Jing Zhang
2024-11-12  8:25   ` Marc Zyngier
2024-11-07 21:41 ` [PATCH v4 3/5] KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* Jing Zhang
2024-11-08  5:13   ` kernel test robot
2024-11-07 21:41 ` [PATCH v4 4/5] KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device Jing Zhang
2024-11-07 21:41 ` [PATCH v4 5/5] KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE Jing Zhang
2025-05-12 14:09   ` David Sauerwein [this message]
2025-05-16  9:52     ` Marc Zyngier
2025-08-11 12:40       ` David Woodhouse
2024-11-11 20:40 ` [PATCH v4 0/5] Some fixes about vgic-its Oliver Upton
