xen-devel.lists.xenproject.org archive mirror
From: Toshi Kani <toshi.kani@hpe.com>
To: mingo@kernel.org, bp@suse.de, hpa@zytor.com, tglx@linutronix.de
Cc: jgross@suse.com, Toshi Kani <toshi.kani@hpe.com>,
	mcgrof@suse.com, x86@kernel.org, linux-kernel@vger.kernel.org,
	paul.gortmaker@windriver.com, xen-devel@lists.xenproject.org,
Subject: [PATCH v2 3/6] x86/mtrr: Fix Xorg crashes in Qemu sessions
Date: Wed, 16 Mar 2016 18:46:56 -0600
Message-ID: <1458175619-32206-2-git-send-email-toshi.kani__32665.2968455621$1458172562$gmane$org@hpe.com>
In-Reply-To: <1458175619-32206-1-git-send-email-toshi.kani@hpe.com>

A Xorg failure on qemu32 was reported as a regression caused
by 'commit 9cd25aac1f44 ("x86/mm/pat: Emulate PAT when it is
disabled")'. [1]  This patch fixes the regression.

Negative effects of this regression were two failures in Xorg
on qemu32 env, which were triggered by the fact that its virtual
CPU does not support MTRR. [2]

 #1. copy_process() failed in the check in reserve_pfn_range()


 #2. error path in copy_process() then hit WARN_ON_ONCE in

     x86/PAT: Xorg:509 map pfn expected mapping type uncached-
     minus for [mem 0xfd000000-0xfdffffff], got write-combining
      Call Trace:
     ? untrack_pfn+0x9f/0xb0
     ? untrack_pfn+0x9f/0xb0
     ? __kunmap_atomic+0x54/0x110
     ? pagevec_move_tail_fn+0xa0/0xa0

These negative effects are caused by two separate bugs, but they
can be dealt with at lower priority.  Fixing the pat_init() issue below
keeps Xorg from hitting these cases.

When the CPU does not support MTRR, MTRR does not call pat_init(),
which leaves PAT enabled without initializing PAT.  This pat_init()
issue is a long-standing issue, but manifested as issue #1 (and then
hit issue #2) with the commit because the memtype now tracks cache
attribute with 'page_cache_mode'.  A WC map request is tracked as WC
in memtype, but sets a PTE as UC (pgprot) per __cachemode2pte_tbl[].
This caused the error in reserve_pfn_range() when it was called from
track_pfn_copy(), which obtained pgprot from a PTE.  It converts
pgprot to page_cache_mode, which does not necessarily result in
the original page_cache_mode since __cachemode2pte_tbl[] redirects
multiple types to UC.  This is a separate issue in reserve_pfn_range().

This pat_init() issue existed before the commit, but we used pgprot
in memtype.  Hence, we did not have issue #1 before.  But WC request
resulted in WT in effect because WC pgprot is actually WT when PAT
is not initialized.  This is not how it was designed to work.  When
PAT is set to disable properly, WC is converted to UC.  The use of
WT can result in a system crash if the target range does not support
WT.  Fortunately, nobody ran into such an issue before.

To fix this pat_init() issue, PAT code has been enhanced to provide
a pat_disable() interface, which prevents the OS from initializing the
PAT MSR, and sets the PAT table to the BIOS handoff state.  This patch
changes MTRR code to call pat_disable() when MTRR is disabled as PAT
cannot be initialized in this case.  This sets PAT to disable properly,
and makes PAT code bypass the memtype check.  This avoids issue #1
(which can be dealt with at lower priority).

[1]: https://lkml.org/lkml/2016/3/3/828
[2]: https://lkml.org/lkml/2016/3/4/775
Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: Luis R. Rodriguez <mcgrof@suse.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
 arch/x86/include/asm/mtrr.h     |    6 +++++-
 arch/x86/kernel/cpu/mtrr/main.c |   10 +++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/mtrr.h b/arch/x86/include/asm/mtrr.h
index b94f6f6..634c593 100644
--- a/arch/x86/include/asm/mtrr.h
+++ b/arch/x86/include/asm/mtrr.h
@@ -24,6 +24,7 @@
 #define _ASM_X86_MTRR_H
 #include <uapi/asm/mtrr.h>
+#include <asm/pat.h>
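Review bot: the new #include <asm/pat.h> near the top of mtrr.h pulls the PAT header into every file that includes asm/mtrr.h, while the only use visible in this header is the pat_disable() call in the mtrr_bp_init() stub. Consider whether a declaration of pat_disable() placed next to the stub would be enough. The main.c hunk adds no include of its own, so if main.c depends on this one for its pat_disable() call, say so in the commit message.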
@@ -83,9 +84,12 @@ static inline int mtrr_trim_uncached_memory(unsigned long end_pfn)
 static inline void mtrr_centaur_report_mcr(int mcr, u32 lo, u32 hi)
+static inline void mtrr_bp_init(void)
+	pat_disable("Skip PAT initialization");
 #define mtrr_ap_init() do {} while (0)
-#define mtrr_bp_init() do {} while (0)
 #define set_mtrr_aps_delayed_init() do {} while (0)
 #define mtrr_aps_init() do {} while (0)
 #define mtrr_bp_restore() do {} while (0)
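Review bot: the mtrr_bp_init() stub that replaces the empty macro calls pat_disable("Skip PAT initialization") with no comment, so a reader of mtrr.h cannot see why this variant has to turn PAT off. Carry over the explanation the main.c hunk gives (PAT initialization relies on MTRR's rendezvous handler). The same string literal now appears in two places; one shared definition would keep the two messages from drifting apart.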
diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
index 10f8d47..2d7d8d7 100644
--- a/arch/x86/kernel/cpu/mtrr/main.c
+++ b/arch/x86/kernel/cpu/mtrr/main.c
@@ -759,8 +759,16 @@ void __init mtrr_bp_init(void)
-	if (!mtrr_enabled())
+	if (!mtrr_enabled()) {
 		pr_info("MTRR: Disabled\n");
+		/*
+		 * PAT initialization relies on MTRR's rendezvous handler.
+		 * Skip PAT init until the handler can initialize both
+		 * features independently.
+		 */
+		pat_disable("Skip PAT initialization");
+	}
 void mtrr_ap_init(void)
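Review bot: the reason string passed to pat_disable() in the !mtrr_enabled() branch, "Skip PAT initialization", does not say why PAT is skipped; it only makes sense next to the preceding "MTRR: Disabled" line. Make the string self-contained by naming MTRR as the cause, so the PAT message is still understandable when it is grepped on its own. The new comment also says this holds "until the handler can initialize both features independently"; if that is a planned follow-up, say where it is tracked.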

Xen-devel mailing list
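
The lossy round trip the commit message describes (a WC request stored in memtype, written to the PTE with UC-type bits, then read back as a different type) can be shown with a small model. This is an added example, not part of the original message and not kernel code: the enum, the two tables and the function names are constructed here and only mirror the behaviour the message attributes to __cachemode2pte_tbl[] when PAT is not initialized.

```c
#include <stdio.h>

/* Constructed model: cache modes as tracked by memtype. */
enum cache_mode { CM_WB, CM_WC, CM_UC_MINUS, CM_UC, CM_NUM };

#define PTE_PWT 0x1u
#define PTE_PCD 0x2u

/* Encode side: with only PWT/PCD available, WC has no encoding of its
 * own and is redirected to the same bits as UC- (assumed values). */
static const unsigned mode_to_pte[CM_NUM] = {
    [CM_WB]       = 0,
    [CM_WC]       = PTE_PCD,
    [CM_UC_MINUS] = PTE_PCD,
    [CM_UC]       = PTE_PCD | PTE_PWT,
};

/* Decode side: each bit pattern can name only one mode. */
static const enum cache_mode pte_to_mode[4] = {
    [0]                 = CM_WB,
    [PTE_PWT]           = CM_UC_MINUS,
    [PTE_PCD]           = CM_UC_MINUS,
    [PTE_PCD | PTE_PWT] = CM_UC,
};

static const char *const mode_name[CM_NUM] = {
    "write-back", "write-combining", "uncached-minus", "uncached",
};

/* What a caller recovers when it derives the mode from PTE bits. */
enum cache_mode roundtrip(enum cache_mode requested)
{
    return pte_to_mode[mode_to_pte[requested] & (PTE_PWT | PTE_PCD)];
}

/* Models the fork-time re-check: 0 if the mode recovered from the PTE
 * matches what memtype tracked, -1 on the mismatch seen as issue #1. */
int recheck_from_pte(enum cache_mode tracked)
{
    return roundtrip(tracked) == tracked ? 0 : -1;
}

int main(void)
{
    for (int m = 0; m < CM_NUM; m++)
        printf("tracked %-16s from PTE %-16s %s\n", mode_name[m],
               mode_name[roundtrip(m)],
               recheck_from_pte(m) ? "MISMATCH" : "ok");
    return 0;
}
```

Only the write-combining row mismatches, which matches the "expected mapping type uncached-minus ... got write-combining" warning quoted in the message.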
