linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Arnd Bergmann <arnd@arndb.de>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: "Dmitry Vyukov" <dvyukov@google.com>,
	"Mark Rutland" <mark.rutland@arm.com>,
	"Marc Zyngier" <maz@kernel.org>, "Will Deacon" <will@kernel.org>,
	"Ard Biesheuvel" <ardb@kernel.org>,
	"Linux ARM" <linux-arm-kernel@lists.infradead.org>,
	syzkaller <syzkaller@googlegroups.com>,
	LKML <linux-kernel@vger.kernel.org>,
	"John Garry" <john.garry@huawei.com>,
	"Alex Bennée" <alex.bennee@linaro.org>
Subject: Re: arm64 syzbot instances
Date: Sun, 21 Mar 2021 19:59:52 +0100	[thread overview]
Message-ID: <CAK8P3a26dWjbS8CjGwc7S5S0M4SonWh4afqdxpoa8Q9vQhC0TA@mail.gmail.com> (raw)
In-Reply-To: <CAFEAcA-s79=4VDSA3TO8tpLUMwJE=HcFT4eZO8L8CCkAAfj8PA@mail.gmail.com>

On Sat, Mar 20, 2021 at 9:43 PM Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Fri, 12 Mar 2021 at 09:16, Arnd Bergmann <arnd@arndb.de> wrote:
> > So it's probably qemu that triggers the 'synchronous external
> > abort' when accessing the PCI I/O space, which in turn hints
> > towards a bug in qemu. Presumably it only returns data from
> > I/O ports that are actually mapped to a device when real hardware
> > is supposed to return 0xffffffff when reading from unused I/O ports.
>
> Do you have a reference to the bit of the PCI spec that mandates
> this -1/discard behaviour for attempted access to places where
> there isn't actually a PCI device mapped ? The spec is pretty
> long and hard to read...
>
> (Knowing to what extent this behaviour is mandatory for all
> PCI systems/host controllers vs just "it would be nice if the
> gpex host controller worked this way" would help in figuring
> out where in QEMU to change.)

I spent some more time looking at both really old PCI specifications,
and new ones.
The old PCI specs seem to just leave this bit as out of scope because
it does not concern transactions on the bus. The PCI host controller
can either report a 'master abort' to the CPU, or ignore it, and each
bridge can decide to turn master aborts on reads into all 1s.
We do have support some SoCs in Linux that trigger a CPU exception,
but we tend to deal with those with an ugly hack that just ignores
all exceptions from the CPU. Most host bridges fortunately behave
like an x86 PC though, and do not trigger an exception here.

In the PCIe 4.0 specification, I found that the behavior is configurable
at the root port, using the 'RP PIO Exception Register' at offset 0x1c
in the DPC Extended Capability. This register defaults to '0', meaning
that reads from an unknown port that generate a 'Unsupported Request
Completion' get turned into all 1s. If the firmware or OS enables it,
this can be turned into an AER log event, generate an interrupt or
a CPU exception.

Linux has a driver for DPC, which apparently configures it to
cause an interrupt to log the event, but it does not hook up the
CPU exception handler to this. I don't see an implementation of DPC
in qemu, which I take as an indication that it should use the
default behavior and cause neither an interrupt nor a CPU exception.

      Arnd

  parent reply	other threads:[~2021-03-21 19:01 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-11 11:38 arm64 syzbot instances Dmitry Vyukov
2021-03-11 12:33 ` Mark Rutland
2021-03-11 16:56   ` Dmitry Vyukov
2021-03-17 18:45     ` Mark Rutland
2021-03-18  8:32       ` Dmitry Vyukov
2021-03-11 17:11   ` Dmitry Vyukov
2021-03-11 13:30 ` Arnd Bergmann
2021-03-11 17:25   ` Dmitry Vyukov
2021-03-12  6:42     ` Dmitry Vyukov
2021-03-11 17:57   ` Dmitry Vyukov
2021-03-12  8:39     ` Arnd Bergmann
2021-03-12  8:46       ` Dmitry Vyukov
2021-03-12  9:16         ` Arnd Bergmann
2021-03-12  9:21           ` Dmitry Vyukov
2021-03-12 10:10             ` Arnd Bergmann
2021-03-12 10:38               ` Dmitry Vyukov
2021-03-12 10:52                 ` Arnd Bergmann
2021-03-15  9:43                   ` John Garry
2021-03-15 10:01                     ` Dmitry Vyukov
2021-03-15 10:29                       ` John Garry
2021-03-15 10:34                         ` Dmitry Vyukov
2021-03-15 11:11                         ` Arnd Bergmann
2021-03-20 20:43           ` Peter Maydell
2021-03-21 11:52             ` Arnd Bergmann
2021-03-21 11:55               ` Arnd Bergmann
2021-03-21 18:59             ` Arnd Bergmann [this message]
2021-03-22 13:51               ` Peter Maydell
2021-03-22 15:42                 ` Arnd Bergmann
2021-03-22 16:34                   ` John Garry
2021-03-22 16:49                     ` Peter Maydell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAK8P3a26dWjbS8CjGwc7S5S0M4SonWh4afqdxpoa8Q9vQhC0TA@mail.gmail.com \
    --to=arnd@arndb.de \
    --cc=alex.bennee@linaro.org \
    --cc=ardb@kernel.org \
    --cc=dvyukov@google.com \
    --cc=john.garry@huawei.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mark.rutland@arm.com \
    --cc=maz@kernel.org \
    --cc=peter.maydell@linaro.org \
    --cc=syzkaller@googlegroups.com \
    --cc=will@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).