From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44021)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bharata@linux.vnet.ibm.com>) id 1bSEy5-0008N3-JI
	for qemu-devel@nongnu.org; Tue, 26 Jul 2016 22:53:10 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <bharata@linux.vnet.ibm.com>) id 1bSExz-0004Fj-HT
	for qemu-devel@nongnu.org; Tue, 26 Jul 2016 22:53:08 -0400
Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:50129)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bharata@linux.vnet.ibm.com>) id 1bSExz-0004F6-8Y
	for qemu-devel@nongnu.org; Tue, 26 Jul 2016 22:53:03 -0400
Received: from pps.filterd (m0098404.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.0.11/8.16.0.11) with SMTP id
	u6R2n18J071384
	for <qemu-devel@nongnu.org>; Tue, 26 Jul 2016 22:53:01 -0400
Received: from e23smtp08.au.ibm.com (e23smtp08.au.ibm.com [202.81.31.141])
	by mx0a-001b2d01.pphosted.com with ESMTP id 24e1h8d601-1
	(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)
	for <qemu-devel@nongnu.org>; Tue, 26 Jul 2016 22:53:01 -0400
Received: from localhost
	by e23smtp08.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <bharata@linux.vnet.ibm.com>;
	Wed, 27 Jul 2016 12:52:58 +1000
Received: from d23relay08.au.ibm.com (d23relay08.au.ibm.com [9.185.71.33])
	by d23dlp01.au.ibm.com (Postfix) with ESMTP id C13E62CE8056
	for <qemu-devel@nongnu.org>; Wed, 27 Jul 2016 12:52:56 +1000 (EST)
Received: from d23av02.au.ibm.com (d23av02.au.ibm.com [9.190.235.138])
	by d23relay08.au.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
	u6R2qu1M27066396
	for <qemu-devel@nongnu.org>; Wed, 27 Jul 2016 12:52:56 +1000
Received: from d23av02.au.ibm.com (localhost [127.0.0.1])
	by d23av02.au.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id
	u6R2qu5J006799
	for <qemu-devel@nongnu.org>; Wed, 27 Jul 2016 12:52:56 +1000
Date: Wed, 27 Jul 2016 08:22:51 +0530
From: Bharata B Rao <bharata@linux.vnet.ibm.com>
Reply-To: bharata@linux.vnet.ibm.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20160727025251.GF7036@in.ibm.com>
Subject: [Qemu-devel] Segfault with coalesced mmio and boot CPU removal
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: david@gibson.dropbear.id.au, imammedo@redhat.com

Hi,

Coalesced mmio buffer is part of vCPU 0's kvm_run mmap'ed area
and with the introduction of CPU hotplug, vCPU 0 can be removed on
PowerPC leading to the below seen segfault in QEMU.

0x00000000100a1d34 in kvm_flush_coalesced_mmio_buffer ()
    at qemu/kvm-all.c:1828
1828	        while (ring->first != ring->last) {

#0  0x00000000100a1d34 in kvm_flush_coalesced_mmio_buffer ()
    at qemu/kvm-all.c:1828
#1  0x00000000100160e0 in qemu_flush_coalesced_mmio_buffer ()
    at qemu/exec.c:1206
#2  0x00000000100a961c in memory_region_transaction_begin ()
    at qemu/memory.c:904
#3  0x00000000100add90 in memory_region_set_enabled (mr=0x3fff96420310, enabled=false)
    at qemu/memory.c:1974
#4  0x00000000104577b0 in pci_default_write_config (d=0x3fff96420010, addr=4, val_in=258, 
    l=2) at hw/pci/pci.c:1340
#5  0x0000000010465d0c in pci_host_config_write_common (pci_dev=0x3fff96420010, addr=4, 
    limit=4096, val=258, len=2) at hw/pci/pci_host.c:66
#6  0x0000000010170500 in finish_write_pci_config (spapr=0x10fc6290, 
    buid=576460752840294400, addr=4, size=2, val=258, rets=20547656)
    at qemu/hw/ppc/spapr_pci.c:199
#7  0x0000000010170620 in rtas_ibm_write_pci_config (cpu=0x3fffac590010, spapr=0x10fc6290, 
    token=8215, nargs=5, args=20547636, nret=1, rets=20547656)
    at qemu/hw/ppc/spapr_pci.c:223
#8  0x000000001016e540 in spapr_rtas_call (cpu=0x3fffac590010, spapr=0x10fc6290, token=8215, 
    nargs=5, args=20547636, nret=1, rets=20547656)
    at qemu/hw/ppc/spapr_rtas.c:675
#9  0x0000000010167dfc in h_rtas (cpu=0x3fffac590010, spapr=0x10fc6290, opcode=61440, 
    args=0x3fffac570030) at qemu/hw/ppc/spapr_hcall.c:665
#10 0x00000000101693ec in spapr_hypercall (cpu=0x3fffac590010, opcode=61440, 
    args=0x3fffac570030) at qemu/hw/ppc/spapr_hcall.c:1094
#11 0x000000001026c82c in kvm_arch_handle_exit (cs=0x3fffac590010, run=0x3fffac570000)
    at qemu/target-ppc/kvm.c:1731
#12 0x00000000100a246c in kvm_cpu_exec (cpu=0x3fffac590010)
    at qemu/kvm-all.c:2005
#13 0x000000001007d8d4 in qemu_kvm_cpu_thread_fn (arg=0x3fffac590010) 

This happens because during CPU removal, though we park the kvm_fd
corresponding to the removed vCPU thread, we unmap the kvm_run (and
hence coalesced mmio ring).

What would be the best way to fix this ? Is disassociating coalesced_mmio_ring
from vCPU 0's kvm_run the correct solution ?

Regards,
Bharata.