[PATCH] arm64: dts: qcom: monaco: Reserve full Gunyah metadata region

[PATCH] arm64: dts: qcom: monaco: Reserve full Gunyah metadata region

[Loic Poulain]

We observe spurious "Synchronous External Abort" exceptions
(ESR=0x96000010) and kernel crashes on Monaco-based platforms.
These faults are caused by the kernel inadvertently accessing
hypervisor-owned memory that is not properly marked as reserved.

From boot log, The Qualcomm hypervisor reports the memory range
at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned:
qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0

However, the EFI memory map provided by firmware only reserves the
subrange 0x91a40000–0x91a87fff (288 KiB). The remaining portion
(0x91a88000–0x91afffff) is incorrectly reported as conventional
memory (from efi debug):
efi:   0x000091a40000-0x000091a87fff [Reserved...]
efi:   0x000091a88000-0x0000938fffff [Conventional...]

As a result, the allocator may hand out PFNs inside the hypervisor
owned region, causing fatal aborts when the kernel accesses those
addresses.

Add a reserved-memory carveout for the Gunyah hypervisor metadata
at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not
map or allocate from this area.

For the record:
Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC)
UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1

Fixes: 7be190e4bdd2 ("arm64: dts: qcom: add QCS8300 platform")
Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
 arch/arm64/boot/dts/qcom/monaco.dtsi | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/boot/dts/qcom/monaco.dtsi b/arch/arm64/boot/dts/qcom/monaco.dtsi
index 337e5ee0e520..1daa4ad215ba 100644
--- a/arch/arm64/boot/dts/qcom/monaco.dtsi
+++ b/arch/arm64/boot/dts/qcom/monaco.dtsi
@@ -772,6 +772,11 @@ smem_mem: smem@90900000 {
 			hwlocks = <&tcsr_mutex 3>;
 		};
 
+		gunyah_md_mem: gunyah-md-region@91a80000 {
+			reg = <0x0 0x91a80000 0x0 0x80000>;
+			no-map;
+		};
+
 		lpass_machine_learning_mem: lpass-machine-learning-region@93b00000 {
 			reg = <0x0 0x93b00000 0x0 0xf00000>;
 			no-map;
-- 
2.34.1

Re: [PATCH] arm64: dts: qcom: monaco: Reserve full Gunyah metadata region

[Dmitry Baryshkov]

On Mon, Mar 02, 2026 at 03:26:03PM +0100, Loic Poulain wrote:
> We observe spurious "Synchronous External Abort" exceptions
> (ESR=0x96000010) and kernel crashes on Monaco-based platforms.
> These faults are caused by the kernel inadvertently accessing
> hypervisor-owned memory that is not properly marked as reserved.
> 
> From boot log, The Qualcomm hypervisor reports the memory range
> at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned:
> qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0
> 
> However, the EFI memory map provided by firmware only reserves the
> subrange 0x91a40000–0x91a87fff (288 KiB). The remaining portion
> (0x91a88000–0x91afffff) is incorrectly reported as conventional
> memory (from efi debug):
> efi:   0x000091a40000-0x000091a87fff [Reserved...]
> efi:   0x000091a88000-0x0000938fffff [Conventional...]
> 
> As a result, the allocator may hand out PFNs inside the hypervisor
> owned region, causing fatal aborts when the kernel accesses those
> addresses.
> 
> Add a reserved-memory carveout for the Gunyah hypervisor metadata
> at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not
> map or allocate from this area.
> 
> For the record:
> Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC)
> UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1
> 
> Fixes: 7be190e4bdd2 ("arm64: dts: qcom: add QCS8300 platform")
> Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
> ---
>  arch/arm64/boot/dts/qcom/monaco.dtsi | 5 +++++
>  1 file changed, 5 insertions(+)
> 

Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>

Interesting, will that fix some of the issues we observe in the CI?

-- 
With best wishes
Dmitry

Re: [PATCH] arm64: dts: qcom: monaco: Reserve full Gunyah metadata region

[Konrad Dybcio]

On 3/2/26 3:26 PM, Loic Poulain wrote:
> We observe spurious "Synchronous External Abort" exceptions
> (ESR=0x96000010) and kernel crashes on Monaco-based platforms.
> These faults are caused by the kernel inadvertently accessing
> hypervisor-owned memory that is not properly marked as reserved.
> 
> From boot log, The Qualcomm hypervisor reports the memory range
> at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned:
> qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0
> 
> However, the EFI memory map provided by firmware only reserves the
> subrange 0x91a40000–0x91a87fff (288 KiB). The remaining portion
> (0x91a88000–0x91afffff) is incorrectly reported as conventional
> memory (from efi debug):
> efi:   0x000091a40000-0x000091a87fff [Reserved...]
> efi:   0x000091a88000-0x0000938fffff [Conventional...]

Please file a bug report with the boot folks

Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>

Konrad

Re: [PATCH] arm64: dts: qcom: monaco: Reserve full Gunyah metadata region

[Bjorn Andersson]

On Mon, 02 Mar 2026 15:26:03 +0100, Loic Poulain wrote:
> We observe spurious "Synchronous External Abort" exceptions
> (ESR=0x96000010) and kernel crashes on Monaco-based platforms.
> These faults are caused by the kernel inadvertently accessing
> hypervisor-owned memory that is not properly marked as reserved.
> 
> >From boot log, The Qualcomm hypervisor reports the memory range
> at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned:
> qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0
> 
> [...]

Applied, thanks!

[1/1] arm64: dts: qcom: monaco: Reserve full Gunyah metadata region
      commit: 85d98669fa7f1d3041d962515e45ee6e392db6f8

Best regards,
-- 
Bjorn Andersson <andersson@kernel.org>