From: Paolo Bonzini <pbonzini@redhat.com>
To: Marc Zyngier <marc.zyngier@arm.com>
Cc: "kwolf@redhat.com" <kwolf@redhat.com>,
"lersek@redhat.com" <lersek@redhat.com>,
"Richard W.M. Jones" <rjones@redhat.com>,
"stefanha@redhat.com" <stefanha@redhat.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH v2 0/3] AioContext: ctx->dispatching is dead, all hail ctx->notify_me
Date: Fri, 17 Jul 2015 16:04:27 +0200 [thread overview]
Message-ID: <55A90B6B.9040202@redhat.com> (raw)
In-Reply-To: <20150717142826.6da03734@arm.com>
On 17/07/2015 15:28, Marc Zyngier wrote:
> >
> > Marc, does it ring any bell?
> Well, this is an example of a guest accessing non-memory using an
> instruction that we cannot safely emulate - not an IO accessor (load
> multiple, for example).
>
> In this case, we kill the guest (we could as well inject a fault).
Yup, I later found this in the dmesg:
[1875219.903969] kvm [14843]: load/store instruction decoding not implemented
> This vcpu seems to be accessing 0x9000018 (the mmio structure points
> there), but I can't immediately relate it to the content of the
> registers.
0x9000018 is the pl011, which makes some sense.
Have you ever seen a corrupted register dump? The guest RAM goes
from 0x40000000 to 0xbfffffff, so SP is pointing outside memory.
> > PC=00000000bf671210 SP=00000000c00001f0
> > X00=000000000a003e70 X01=0000000000000000 X02=00000000bf680548 X03=0000000000000030
> > X04=00000000bbb5fc18 X05=00000000004b7770 X06=00000000bf721930 X07=000000000000009a
> > X08=00000000bf716858 X09=0000000000000090 X10=0000000000000000 X11=0000000000000046
> > X12=00000000a007e03a X13=0000000000000000 X14=0000000000000000 X15=0000000000000000
> > X16=00000000bf716df0 X17=0000000000000000 X18=0000000000000000 X19=00000000bf6f5f18
> > X20=0000000000000000 X21=0000000000000000 X22=0000000000000000 X23=0000000000000000
> > X24=0000000000000000 X25=0000000000000000 X26=0000000000000000 X27=0000000000000000
> > X28=0000000000000000 X29=0000000000000000 X30=0000000000000000 PSTATE=60000305 (flags -ZC-)
If the register dump is not corrupted, execution went in the weeds...
I don't have the guest anymore but it's just firmware so the memory
contents are well reproducible:
0x00000000bf671200: a97d6ffa ldmdbge sp!, {r1, r3, r4, r5, r6, r7, r8, r9, sl, fp, sp, lr}^
0x00000000bf671204: a97e77fc ldmdbge lr!, {r2, r3, r4, r5, r6, r7, r8, r9, sl, ip, sp, lr}^
0x00000000bf671208: f85f03fe undefined instruction 0xf85f03fe
0x00000000bf67120c: 910803ff strdls r0, [r8, -pc]
0x00000000bf671210: ad7007e0 ldclge 7, cr0, [r0, #-896]!
0x00000000bf671214: ad710fe2 ldclge 15, cr0, [r1, #-904]!
0x00000000bf671218: ad7217e4 ldclge 7, cr1, [r2, #-912]!
0x00000000bf67121c: ad731fe6 ldclge 15, cr1, [r3, #-920]!
0x00000000bf671220: ad7427e8 ldclge 7, cr2, [r4, #-928]!
0x00000000bf671224: ad752fea ldclge 15, cr2, [r5, #-936]!
> What looks a bit weird is that all the registers are clamped to 32bit,
> but the PSTATE indicates it is running in 64bit (EL1h, which makes the
> PC being utterly wrong).
The PC can be okay since UEFI code doesn't really use virtual addressing,
but the other registers are weird indeed.
> What are you running there?
Just firmware. It's a UEFI reboot loop (as soon as you get to the
UEFI shell QEMU exits and the script starts a new one).
The kernel is an old 3.19 one, I'll upgrade and retest.
Paolo
next prev parent reply other threads:[~2015-07-17 14:04 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-16 9:56 [Qemu-devel] [PATCH v2 0/3] AioContext: ctx->dispatching is dead, all hail ctx->notify_me Paolo Bonzini
2015-07-16 9:56 ` [Qemu-devel] [PATCH v2 1/3] tests: remove irrelevant assertions from test-aio Paolo Bonzini
2015-07-16 9:56 ` [Qemu-devel] [PATCH v2 2/3] aio-win32: reorganize polling loop Paolo Bonzini
2015-07-16 9:56 ` [Qemu-devel] [PATCH v2 3/3] AioContext: fix broken ctx->dispatching optimization Paolo Bonzini
2015-07-17 2:25 ` Fam Zheng
2015-07-17 2:27 ` Paolo Bonzini
2015-07-17 4:17 ` Paolo Bonzini
2015-07-17 8:39 ` Stefan Hajnoczi
2015-07-16 11:07 ` [Qemu-devel] [PATCH v2 0/3] AioContext: ctx->dispatching is dead, all hail ctx->notify_me Kevin Wolf
2015-07-16 12:44 ` Richard W.M. Jones
2015-07-16 19:05 ` Richard W.M. Jones
2015-07-16 22:06 ` Paolo Bonzini
2015-07-17 0:17 ` Paolo Bonzini
2015-07-17 4:44 ` Paolo Bonzini
2015-07-17 9:30 ` Paolo Bonzini
2015-07-17 12:58 ` Richard W.M. Jones
2015-07-17 13:02 ` Paolo Bonzini
2015-07-17 13:28 ` Marc Zyngier
2015-07-17 13:39 ` Laszlo Ersek
2015-07-17 13:48 ` Marc Zyngier
2015-07-17 13:53 ` Richard W.M. Jones
2015-07-17 14:03 ` Marc Zyngier
2015-07-17 13:57 ` Laszlo Ersek
2015-07-17 14:04 ` Paolo Bonzini [this message]
2015-07-17 14:18 ` Marc Zyngier
-- strict thread matches above, loose matches on Subject: below --
2015-07-18 20:21 Paolo Bonzini
2015-07-19 10:08 ` Richard W.M. Jones
2015-07-20 16:17 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55A90B6B.9040202@redhat.com \
--to=pbonzini@redhat.com \
--cc=kwolf@redhat.com \
--cc=lersek@redhat.com \
--cc=marc.zyngier@arm.com \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).