From: Bharat Bhushan <bbhushan2@marvell.com>
To: "ankur.a.arora@oracle.com" <ankur.a.arora@oracle.com>,
	"alex.williamson@redhat.com" <alex.williamson@redhat.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"Sunil Kovvuri Goutham" <sgoutham@marvell.com>
Subject: vfio-pci: protect remap_pfn_range() from simultaneous calls
Date: Wed, 6 Jan 2021 16:17:41 +0000
Message-ID: <MWHPR18MB152034C6BAE8CC6D503DDEBEE3D09@MWHPR18MB1520.namprd18.prod.outlook.com>

Hi Ankur,

We are observing the below BUG_ON() with the latest kernel:

   [10011.321645] ------------[ cut here ]------------
   [10011.322262] kernel BUG at mm/memory.c:1816!
   [10011.323793] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
   [10011.326108] CPU: 2 PID: 1147 Comm: odp_l2fwd Not tainted 5.4.74-05938-gb9598e49fe61 #15
   [10011.328272] Hardware name: Marvell CN106XX board (DT)
   [10011.330328] pstate: 80400009 (Nzcv daif +PAN -UAO)
   [10011.332402] pc : remap_pfn_range+0x1a4/0x260
   [10011.334383] lr : remap_pfn_range+0x14c/0x260
   [10011.335911] sp : ffff8000156afc10
   [10011.337360] x29: ffff8000156afc10 x28: ffffffdffa240000 
   [10011.339671] x27: ffff00014a241000 x26: 0000002182000000 
   [10011.341984] x25: ffff0001489fbe00 x24: 0000002182040000  
   [10011.344279] x23: 0000002182040000 x22: 0068000000000fc3 
   [10011.346539] x21: 0000002182040000 x20: ffff000149d70860 
   [10011.348846] x19: 0000000000000041 x18: 0000000000000000 
   [10011.351064] x17: 0000000000000000 x16: 0000000000000000 
   [10011.353304] x15: 0000000000000000 x14: 0000000000000000 
   [10011.355519] x13: 0000000000000000 x12: 0000000000000000 
   [10011.357812] x11: 0000000000000000 x10: ffffffdfffe00000 
   [10011.360136] x9 : 0000000000000000 x8 : 0000000000000000 
   [10011.362414] x7 : 0000000000000000 x6 : 0000042182000000 
   [10011.364773] x5 : 0001000000000000 x4 : 0000000000000000 
   [10011.367103] x3 : ffffffe000328928 x2 : 016800017c240fc3 
   [10011.369462] x1 : 0000000000000000 x0 : ffffffe000328928 
   [10011.371694] Call trace:
   [10011.373510]  remap_pfn_range+0x1a4/0x260
   [10011.375386]  vfio_pci_mmap_fault+0x9c/0x114
   [10011.377346]  __do_fault+0x38/0x100
   [10011.379253]  __handle_mm_fault+0x81c/0xce4
   [10011.381247]  handle_mm_fault+0xb4/0x17c
   [10011.383220]  do_page_fault+0x110/0x430
   [10011.385188]  do_translation_fault+0x80/0x90
   [10011.387069]  do_mem_abort+0x3c/0xa0
   [10011.388852]  el0_da+0x20/0x24
   [10011.391239] Code: eb1a02ff 54000080 f9400362 b4fffe42 (d4210000) 
   [10011.393306] ---[ end trace ae8b75b32426d53c ]---
   [10011.395140] note: odp_l2fwd[1147] exited with preempt_count 2

This is observed after the patch "vfio-pci: Fault mmaps to enable vma tracking", where the actual mapping is delayed to the page fault.
When the address of the same page is accessed by multiple threads at/around the same time, with the threads running on different cores, it causes a page fault for the same page on multiple cores at the same time. One of the fault handlers creates the mapping, while the second handler finds that the page-table mapping already exists, which leads to the above kernel BUG_ON().

While the article https://lwn.net/Articles/828536/ suggests that you have already faced and fixed this issue:
       "- vfio-pci: protect remap_pfn_range() from simultaneous calls (Ankur  Arora) [Orabug: 31663628] {CVE-2020-12888} {CVE-2020-12888}"

But I do not see any patch submitted or under review upstream; hopefully I did not miss some discussion. Please let us know in case you have already submitted or are planning to submit a fix, or if someone else has fixed the same.

Thanks
-Bharat
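The failure mode described in the message above, two CPUs faulting the same page of a VM_PFNMAP vma so that the second remap_pfn_range() finds a populated PTE, reduced to a user-space model. This is an added example for this archive page, not code from the thread, from vfio-pci or from the kernel's mm layer: the `toy_*` names, the `MODE_*` strategies, the `TOY_*` return codes, the sample PFN and the schedule strings are all constructed. The model compares three handler shapes over explicit interleavings of two handlers A and B: mapping unconditionally (the shape the call trace implies), checking pte_none() and then filling as two separable steps, and doing check and fill as one indivisible step (what holding a lock across both achieves). The point for a reviewer is that the check alone is not enough; the window between check and fill recreates the race.

```c
/* Toy model of two CPUs faulting the same page of a VM_PFNMAP vma.
 * Constructed for illustration; nothing here is kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NPAGES 4
#define PFN_EXAMPLE 0x2182040ULL   /* constructed sample PFN */

/* Model return codes (constructed; not the kernel's VM_FAULT_* values). */
enum { TOY_OK = 0, TOY_BUG = -1 };

/* Handler strategies compared by the model. */
enum mode {
    MODE_UNCONDITIONAL,   /* remap the page with no check at all        */
    MODE_CHECK_THEN_FILL, /* check pte_none() first, but as a separate step */
    MODE_LOCKED           /* check + fill as one indivisible step (lock held) */
};

typedef struct { uint64_t pte[NPAGES]; } toy_mm;

typedef struct {
    int phase;       /* 0 = not started, 1 = checked, 2 = finished */
    bool saw_empty;  /* result of the check in MODE_CHECK_THEN_FILL */
    int result;
} toy_handler;

/* Stand-in for remap_pfn_range(): a populated PTE is the condition that
 * fires BUG_ON(!pte_none(*pte)) in the real function. */
static int toy_remap_pfn_range(toy_mm *mm, int page, uint64_t pfn)
{
    if (mm->pte[page] != 0)
        return TOY_BUG;
    mm->pte[page] = pfn;
    return TOY_OK;
}

/* Advance one handler by a single scheduling quantum. */
static void handler_step(enum mode mode, toy_mm *mm, toy_handler *h,
                         int page, uint64_t pfn)
{
    if (h->phase == 2)
        return;
    switch (mode) {
    case MODE_UNCONDITIONAL:
        h->result = toy_remap_pfn_range(mm, page, pfn);
        h->phase = 2;
        break;
    case MODE_CHECK_THEN_FILL:
        if (h->phase == 0) {
            h->saw_empty = (mm->pte[page] == 0);   /* step 1: the check */
            h->phase = 1;
        } else {
            /* step 2: act on a check that may be stale by now */
            h->result = h->saw_empty ? toy_remap_pfn_range(mm, page, pfn) : TOY_OK;
            h->phase = 2;
        }
        break;
    case MODE_LOCKED:
        /* With a lock held, nothing can run between the check and the fill. */
        h->result = (mm->pte[page] == 0) ? toy_remap_pfn_range(mm, page, pfn) : TOY_OK;
        h->phase = 2;
        break;
    }
}

/* Drive handlers A and B through a schedule such as "AABB" or "ABAB", then let
 * any unfinished handler complete. Returns TOY_BUG if either handler hit the
 * modelled BUG_ON, else TOY_OK. */
static int run_schedule(enum mode mode, const char *schedule)
{
    toy_mm mm = {{0}};
    toy_handler h[2] = {{0, false, TOY_OK}, {0, false, TOY_OK}};
    const int page = 1;

    for (const char *s = schedule; *s; s++)
        handler_step(mode, &mm, &h[*s == 'A' ? 0 : 1], page, PFN_EXAMPLE);
    for (int i = 0; i < 2; i++)
        while (h[i].phase != 2)
            handler_step(mode, &mm, &h[i], page, PFN_EXAMPLE);

    return (h[0].result == TOY_BUG || h[1].result == TOY_BUG) ? TOY_BUG : TOY_OK;
}

int main(void)
{
    struct { const char *name; enum mode mode; const char *sched; } cases[] = {
        { "unconditional, sequential faults", MODE_UNCONDITIONAL,   "AABB" },
        { "check-then-fill, sequential",      MODE_CHECK_THEN_FILL, "AABB" },
        { "check-then-fill, interleaved",     MODE_CHECK_THEN_FILL, "ABAB" },
        { "check+fill under lock, interleaved", MODE_LOCKED,        "ABAB" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-40s -> %s\n", cases[i].name,
               run_schedule(cases[i].mode, cases[i].sched) == TOY_OK ? "ok" : "BUG_ON");
    return 0;
}
```

The interleaved "ABAB" schedule is the one the message describes: both handlers observe an empty PTE before either writes, so the second fill trips the modelled BUG_ON even though each handler checked first. Only the variant that makes check and fill indivisible survives every schedule, which is the property any fix for the reported crash has to provide.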

Thread overview: 9+ messages
2021-01-06 16:17 Bharat Bhushan [this message]
2021-01-06 18:13 ` vfio-pci: protect remap_pfn_range() from simultaneous calls Ankur Arora
2021-01-07  4:57   ` [EXT] " Bharat Bhushan
2021-01-19  8:51   ` Bharat Bhushan
2021-01-21  4:39     ` Ankur Arora
2021-02-26  0:53       ` Ankur Arora
2021-03-02 12:47         ` [EXT] " Bharat Bhushan
2021-03-08  6:59           ` Ankur Arora
2021-03-08  7:03             ` Bharat Bhushan
