From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Greg Kurz" <groug@kaod.org>,
"Cédric Le Goater" <clg@kaod.org>,
"Michael Ellerman" <mpe@ellerman.id.au>
Subject: [PATCH 5.9 40/75] KVM: PPC: Book3S HV: XIVE: Fix vCPU id sanity check
Date: Thu, 10 Dec 2020 15:27:05 +0100 [thread overview]
Message-ID: <20201210142608.044106525@linuxfoundation.org> (raw)
In-Reply-To: <20201210142606.074509102@linuxfoundation.org>
From: Greg Kurz <groug@kaod.org>
commit f54db39fbe40731c40aefdd3bc26e7d56d668c64 upstream.
Commit 062cfab7069f ("KVM: PPC: Book3S HV: XIVE: Make VP block size
configurable") updated kvmppc_xive_vcpu_id_valid() in a way that
allows userspace to trigger an assertion in skiboot and crash the host:
[ 696.186248988,3] XIVE[ IC 08 ] eq_blk != vp_blk (0 vs. 1) for target 0x4300008c/0
[ 696.186314757,0] Assert fail: hw/xive.c:2370:0
[ 696.186342458,0] Aborting!
xive-kvCPU 0043 Backtrace:
S: 0000000031e2b8f0 R: 0000000030013840 .backtrace+0x48
S: 0000000031e2b990 R: 000000003001b2d0 ._abort+0x4c
S: 0000000031e2ba10 R: 000000003001b34c .assert_fail+0x34
S: 0000000031e2ba90 R: 0000000030058984 .xive_eq_for_target.part.20+0xb0
S: 0000000031e2bb40 R: 0000000030059fdc .xive_setup_silent_gather+0x2c
S: 0000000031e2bc20 R: 000000003005a334 .opal_xive_set_vp_info+0x124
S: 0000000031e2bd20 R: 00000000300051a4 opal_entry+0x134
--- OPAL call token: 0x8a caller R1: 0xc000001f28563850 ---
XIVE maintains the interrupt context state of non-dispatched vCPUs in
an internal VP structure. We allocate a bunch of those on startup to
accommodate all possible vCPUs. Each VP has an id, that we derive from
the vCPU id for efficiency:
static inline u32 kvmppc_xive_vp(struct kvmppc_xive *xive, u32 server)
{
return xive->vp_base + kvmppc_pack_vcpu_id(xive->kvm, server);
}
The KVM XIVE device used to allocate KVM_MAX_VCPUS VPs. This was
limitting the number of concurrent VMs because the VP space is
limited on the HW. Since most of the time, VMs run with a lot less
vCPUs, commit 062cfab7069f ("KVM: PPC: Book3S HV: XIVE: Make VP
block size configurable") gave the possibility for userspace to
tune the size of the VP block through the KVM_DEV_XIVE_NR_SERVERS
attribute.
The check in kvmppc_pack_vcpu_id() was changed from
cpu < KVM_MAX_VCPUS * xive->kvm->arch.emul_smt_mode
to
cpu < xive->nr_servers * xive->kvm->arch.emul_smt_mode
The previous check was based on the fact that the VP block had
KVM_MAX_VCPUS entries and that kvmppc_pack_vcpu_id() guarantees
that packed vCPU ids are below KVM_MAX_VCPUS. We've changed the
size of the VP block, but kvmppc_pack_vcpu_id() has nothing to
do with it and it certainly doesn't ensure that the packed vCPU
ids are below xive->nr_servers. kvmppc_xive_vcpu_id_valid() might
thus return true when the VM was configured with a non-standard
VSMT mode, even if the packed vCPU id is higher than what we
expect. We end up using an unallocated VP id, which confuses
OPAL. The assert in OPAL is probably abusive and should be
converted to a regular error that the kernel can handle, but
we shouldn't really use broken VP ids in the first place.
Fix kvmppc_xive_vcpu_id_valid() so that it checks the packed
vCPU id is below xive->nr_servers, which is explicitly what we
want.
Fixes: 062cfab7069f ("KVM: PPC: Book3S HV: XIVE: Make VP block size configurable")
Cc: stable@vger.kernel.org # v5.5+
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/160673876747.695514.1809676603724514920.stgit@bahia.lan
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kvm/book3s_xive.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/arch/powerpc/kvm/book3s_xive.c
+++ b/arch/powerpc/kvm/book3s_xive.c
@@ -1214,12 +1214,9 @@ void kvmppc_xive_cleanup_vcpu(struct kvm
static bool kvmppc_xive_vcpu_id_valid(struct kvmppc_xive *xive, u32 cpu)
{
/* We have a block of xive->nr_servers VPs. We just need to check
- * raw vCPU ids are below the expected limit for this guest's
- * core stride ; kvmppc_pack_vcpu_id() will pack them down to an
- * index that can be safely used to compute a VP id that belongs
- * to the VP block.
+ * packed vCPU ids are below that.
*/
- return cpu < xive->nr_servers * xive->kvm->arch.emul_smt_mode;
+ return kvmppc_pack_vcpu_id(xive->kvm, cpu) < xive->nr_servers;
}
int kvmppc_xive_compute_vp_id(struct kvmppc_xive *xive, u32 cpu, u32 *vp)
next prev parent reply other threads:[~2020-12-10 14:46 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-10 14:26 [PATCH 5.9 00/75] 5.9.14-rc1 review Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 01/75] usb: gadget: f_fs: Use local copy of descriptors for userspace copy Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 02/75] USB: serial: kl5kusb105: fix memleak on open Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 03/75] USB: serial: ch341: add new Product ID for CH341A Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 04/75] USB: serial: ch341: sort device-id entries Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 05/75] USB: serial: option: add Fibocom NL668 variants Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 06/75] USB: serial: option: add support for Thales Cinterion EXS82 Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 07/75] USB: serial: option: fix Quectel BG96 matching Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 08/75] tty: Fix ->pgrp locking in tiocspgrp() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 09/75] tty: Fix ->session locking Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 10/75] speakup: Reject setting the speakup line discipline outside of speakup Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 11/75] ALSA: hda/realtek: Fix bass speaker DAC assignment on Asus Zephyrus G14 Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 12/75] ALSA: hda/realtek: Add mute LED quirk to yet another HP x360 model Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 13/75] ALSA: hda/realtek: Enable headset of ASUS UX482EG & B9400CEA with ALC294 Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 14/75] ALSA: hda/realtek - Add new codec supported for ALC897 Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 15/75] ALSA: hda/realtek - Fixed Dell AIO wrong sound tone Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 16/75] ALSA: hda/generic: Add option to enforce preferred_dacs pairs Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 17/75] ring-buffer: Update write stamp with the correct ts Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 18/75] ring-buffer: Set the right timestamp in the slow path of __rb_reserve_next() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 19/75] ring-buffer: Always check to put back before stamp when crossing pages Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 20/75] ftrace: Fix updating FTRACE_FL_TRAMP Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 21/75] ftrace: Fix DYNAMIC_FTRACE_WITH_DIRECT_CALLS dependency Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 22/75] cifs: allow syscalls to be restarted in __smb_send_rqst() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 23/75] cifs: fix potential use-after-free in cifs_echo_request() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 24/75] cifs: refactor create_sd_buf() and and avoid corrupting the buffer Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 25/75] cifs: add NULL check for ses->tcon_ipc Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 26/75] gfs2: Upgrade shared glocks for atime updates Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 27/75] gfs2: Fix deadlock between gfs2_{create_inode,inode_lookup} and delete_work_func Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 28/75] s390/pci: fix CPU address in MSI for directed IRQ Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 29/75] i2c: imx: Fix reset of I2SR_IAL flag Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 30/75] i2c: imx: Check for I2SR_IAL after every byte Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 31/75] i2c: imx: Dont generate STOP condition if arbitration has been lost Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 32/75] tracing: Fix userstacktrace option for instances Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 33/75] thunderbolt: Fix use-after-free in remove_unplugged_switch() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 5.9 34/75] drm/omap: sdi: fix bridge enable/disable Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 35/75] drm/amdgpu/vcn3.0: stall DPG when WPTR/RPTR reset Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 36/75] drm/amdgpu/vcn3.0: remove old DPG workaround Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 37/75] drm/i915/gt: Retain default context state across shrinking Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 38/75] drm/i915/gt: Limit frequency drop to RPe on parking Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 39/75] drm/i915/gt: Program mocs:63 for cache eviction on gen9 Greg Kroah-Hartman
2020-12-10 14:27 ` Greg Kroah-Hartman [this message]
2020-12-10 14:27 ` [PATCH 5.9 41/75] scsi: mpt3sas: Fix ioctl timeout Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 42/75] io_uring: fix recvmsg setup with compat buf-select Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 43/75] dm writecache: advance the number of arguments when reporting max_age Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 44/75] dm writecache: fix the maximum number of arguments Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 45/75] powerpc/64s/powernv: Fix memory corruption when saving SLB entries on MCE Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 46/75] genirq/irqdomain: Add an irq_create_mapping_affinity() function Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 47/75] powerpc/pseries: Pass MSI affinity to irq_create_mapping() Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 48/75] dm: fix bug with RCU locking in dm_blk_report_zones Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 49/75] dm: fix double RCU unlock in dm_dax_zero_page_range() error path Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 50/75] dm: remove invalid sparse __acquires and __releases annotations Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 51/75] x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 52/75] coredump: fix core_pattern parse error Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 53/75] mm: list_lru: set shrinker map bit when child nr_items is not zero Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 54/75] mm/swapfile: do not sleep with a spin lock held Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 55/75] hugetlb_cgroup: fix offline of hugetlb cgroup with reservations Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 56/75] [PATCH] Revert "amd/amdgpu: Disable VCN DPG mode for Picasso" Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 57/75] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 58/75] mm: memcg/slab: fix obj_cgroup_charge() return value handling Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 59/75] lib/syscall: fix syscall registers retrieval on 32-bit platforms Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 60/75] can: af_can: can_rx_unregister(): remove WARN() statement from list operation sanity check Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 61/75] gfs2: check for empty rgrp tree in gfs2_ri_update Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 62/75] netfilter: ipset: prevent uninit-value in hash_ip6_add Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 63/75] tipc: fix a deadlock when flushing scheduled work Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 64/75] ASoC: wm_adsp: fix error return code in wm_adsp_load() Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 65/75] gfs2: Fix deadlock dumping resource group glocks Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 66/75] gfs2: Dont freeze the file system during unmount Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 67/75] rtw88: debug: Fix uninitialized memory in debugfs code Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 68/75] i2c: qcom: Fix IRQ error misassignement Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 69/75] i2c: qup: Fix error return code in qup_i2c_bam_schedule_desc() Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 70/75] dm writecache: remove BUG() and fail gracefully instead Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 71/75] Input: i8042 - fix error return code in i8042_setup_aux() Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 72/75] netfilter: nf_tables: avoid false-postive lockdep splat Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 73/75] netfilter: nftables_offload: set address type in control dissector Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 74/75] netfilter: nftables_offload: build mask based from the matching bytes Greg Kroah-Hartman
2020-12-10 14:27 ` [PATCH 5.9 75/75] x86/insn-eval: Use new for_each_insn_prefix() macro to loop over prefixes bytes Greg Kroah-Hartman
2020-12-10 21:20 ` [PATCH 5.9 00/75] 5.9.14-rc1 review Shuah Khan
2020-12-11 14:23 ` Greg Kroah-Hartman
2020-12-10 21:24 ` Jeffrin Jose T
2020-12-10 23:46 ` Guenter Roeck
2020-12-11 14:23 ` Greg Kroah-Hartman
2020-12-11 5:31 ` Naresh Kamboju
2020-12-11 14:22 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201210142608.044106525@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=clg@kaod.org \
--cc=groug@kaod.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).