On Tue, 24 Jan 2017 17:50:26 +0100
Greg Kurz <groug@xxxxxxxx> wrote:

> The recently added mediated VFIO driver doesn't know about powerpc iommu.
> It thus doesn't register a struct iommu_table_group in the iommu group
> upon device creation. The iommu_data pointer hence remains null.
>
> This causes a kernel oops when userspace tries to set the iommu type of a
> container associated with a mediated device to VFIO_SPAPR_TCE_v2_IOMMU.
>
> [ 82.585440] mtty mtty: MDEV: Registered
> [ 87.655522] iommu: Adding device 83b8f4f2-509f-382f-3c1e-e6bfe0fa1001 to group 10
> [ 87.655527] vfio_mdev 83b8f4f2-509f-382f-3c1e-e6bfe0fa1001: MDEV: group_id = 10
> [ 116.297184] Unable to handle kernel paging request for data at address 0x00000030
> [ 116.297389] Faulting instruction address: 0xd000000007870524
> [ 116.297465] Oops: Kernel access of bad area, sig: 11 [#1]
> [ 116.297611] SMP NR_CPUS=2048
> [ 116.297611] NUMA
> [ 116.297627] PowerNV
> ...
> [ 116.297954] CPU: 33 PID: 7067 Comm: qemu-system-ppc Not tainted 4.10.0-rc5-mdev-test #8
> [ 116.297993] task: c000000e7718b680 task.stack: c000000e77214000
> [ 116.298025] NIP: d000000007870524 LR: d000000007870518 CTR: 0000000000000000
> [ 116.298064] REGS: c000000e77217990 TRAP: 0300 Not tainted (4.10.0-rc5-mdev-test)
> [ 116.298103] MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>
> [ 116.298107] CR: 84004444 XER: 00000000
> [ 116.298154] CFAR: c00000000000888c DAR: 0000000000000030 DSISR: 40000000 SOFTE: 1
> GPR00: d000000007870518 c000000e77217c10 d00000000787b0ed c000000eed2103c0
> GPR04: 0000000000000000 0000000000000000 c000000eed2103e0 0000000f24320000
> GPR08: 0000000000000104 0000000000000001 0000000000000000 d0000000078729b0
> GPR12: c00000000025b7e0 c00000000fe08400 0000000000000001 000001002d31d100
> GPR16: 000001002c22c850 00003ffff315c750 0000000043145680 0000000043141bc0
> GPR20: ffffffffffffffed fffffffffffff000 0000000020003b65 d000000007706018
> GPR24: c000000f16cf0d98 d000000007706000 c000000003f42980 c000000003f42980
> GPR28: c000000f1575ac00 c000000003f429c8 0000000000000000 c000000eed2103c0
> [ 116.298504] NIP [d000000007870524] tce_iommu_attach_group+0x10c/0x360 [vfio_iommu_spapr_tce]
> [ 116.298555] LR [d000000007870518] tce_iommu_attach_group+0x100/0x360 [vfio_iommu_spapr_tce]
> [ 116.298601] Call Trace:
> [ 116.298610] [c000000e77217c10] [d000000007870518] tce_iommu_attach_group+0x100/0x360 [vfio_iommu_spapr_tce] (unreliable)
> [ 116.298671] [c000000e77217cb0] [d0000000077033a0] vfio_fops_unl_ioctl+0x278/0x3e0 [vfio]
> [ 116.298713] [c000000e77217d40] [c0000000002a3ebc] do_vfs_ioctl+0xcc/0x8b0
> [ 116.298745] [c000000e77217de0] [c0000000002a4700] SyS_ioctl+0x60/0xc0
> [ 116.298782] [c000000e77217e30] [c00000000000b220] system_call+0x38/0xfc
> [ 116.298812] Instruction dump:
> [ 116.298828] 7d3f4b78 409effc8 3d220000 e9298020 3c800140 38a00018 608480c0 e8690028
> [ 116.298869] 4800249d e8410018 7c7f1b79 41820230 <e93e0030> 2fa90000 419e0114 e9090020
> [ 116.298914] ---[ end trace 1e10b0ced08b9120 ]---
>
> This patch fixes the oops.
>
> Reported-by: Vaibhav Jain <vaibhav@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Greg Kurz <groug@xxxxxxxx>
> ---
> drivers/vfio/vfio_iommu_spapr_tce.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/vfio/vfio_iommu_spapr_tce.c b/drivers/vfio/vfio_iommu_spapr_tce.c
> index c8823578a1b2..128d10282d16 100644
> --- a/drivers/vfio/vfio_iommu_spapr_tce.c
> +++ b/drivers/vfio/vfio_iommu_spapr_tce.c
> @@ -1270,6 +1270,10 @@ static int tce_iommu_attach_group(void *iommu_data,
> /* pr_debug("tce_vfio: Attaching group #%u to iommu %p\n",
> iommu_group_id(iommu_group), iommu_group); */
> table_group = iommu_group_get_iommudata(iommu_group);
> + if (!table_group) {
> + ret = -ENODEV;
> + goto unlock_exit;
> + }
>
> if (tce_groups_attached(container) && (!table_group->ops ||
> !table_group->ops->take_ownership ||
>

Seems sane to me. David/Alexey, please review.

Thanks,
Alex
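Review bot: the new `if (!table_group)` guard in tce_iommu_attach_group() carries no comment saying when iommu_group_get_iommudata() legitimately returns NULL; the commit message explains it (a mediated device whose driver never registers a struct iommu_table_group), but a later reader of the code alone may take the NULL case for an impossible state and drop the check. A one-line comment above it, e.g. `/* no iommu_table_group registered (e.g. mdev): nothing to attach to */`, would keep that context where it is needed. -ENODEV is a reasonable code for a group with no backing iommu table, and `goto unlock_exit` reuses the function's existing exit path. Since only the attach side is in this hunk, it is worth confirming that the matching detach path does not read the group's iommudata unguarded in the same way.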
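The userspace side of the trace above, as an added example that is not part of Greg's patch or of the kernel tree: the ioctl sequence a VFIO user such as QEMU issues to put a group into a container and switch the container to VFIO_SPAPR_TCE_v2_IOMMU. The final VFIO_SET_IOMMU is the call that makes the kernel run tce_iommu_attach_group() for every group already in the container, which is the vfio_fops_unl_ioctl -> tce_iommu_attach_group chain in the oops. The point worth noting is that the faulting path is reachable by whoever can open the group node (here group 10, the mdev group): before the fix that process can take the host down; after it the ioctl fails with ENODEV. The device paths are assumptions, and the ioctl numbers and flag values are copied from include/uapi/linux/vfio.h and defined inline so the example builds without kernel headers installed.

```c
/* Added example, not code from the patch or the kernel tree.  Paths are
 * assumptions; the VFIO ioctl numbers and flags below mirror
 * include/uapi/linux/vfio.h and are defined inline so this builds without
 * kernel headers. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>

#define VFIO_TYPE                ';'
#define VFIO_BASE                100
#define VFIO_GET_API_VERSION     _IO(VFIO_TYPE, VFIO_BASE + 0)
#define VFIO_CHECK_EXTENSION     _IO(VFIO_TYPE, VFIO_BASE + 1)
#define VFIO_SET_IOMMU           _IO(VFIO_TYPE, VFIO_BASE + 2)
#define VFIO_GROUP_GET_STATUS    _IO(VFIO_TYPE, VFIO_BASE + 3)
#define VFIO_GROUP_SET_CONTAINER _IO(VFIO_TYPE, VFIO_BASE + 4)
#define VFIO_API_VERSION         0
#define VFIO_SPAPR_TCE_v2_IOMMU  7
#define VFIO_GROUP_FLAGS_VIABLE  (1 << 0)

struct vfio_group_status {
	uint32_t argsz;
	uint32_t flags;
};

enum spapr_probe {
	SPAPR_OK,            /* container now uses VFIO_SPAPR_TCE_v2_IOMMU */
	SPAPR_NO_CONTAINER,  /* container node missing or API version mismatch */
	SPAPR_UNSUPPORTED,   /* kernel has no SPAPR TCE v2 backend available */
	SPAPR_NO_GROUP,      /* group node missing, not viable, or won't join */
	SPAPR_REFUSED,       /* VFIO_SET_IOMMU failed; with the fix: ENODEV for an mdev group */
};

/* Run the container/group setup up to and including VFIO_SET_IOMMU.
 * *err_out receives the errno of the failing syscall, or 0. */
enum spapr_probe vfio_try_spapr_v2(const char *container_path,
				   const char *group_path, int *err_out)
{
	struct vfio_group_status status = { .argsz = sizeof(status) };
	enum spapr_probe res;
	int container, group = -1;

	*err_out = 0;
	container = open(container_path, O_RDWR);
	if (container < 0) {
		*err_out = errno;
		return SPAPR_NO_CONTAINER;
	}
	/* Not a vfio container, or an incompatible ABI: do not go further. */
	if (ioctl(container, VFIO_GET_API_VERSION) != VFIO_API_VERSION) {
		res = SPAPR_NO_CONTAINER;
		goto out;
	}
	/* Returns 1 when the SPAPR TCE v2 backend is registered, 0 otherwise. */
	if (ioctl(container, VFIO_CHECK_EXTENSION, VFIO_SPAPR_TCE_v2_IOMMU) <= 0) {
		res = SPAPR_UNSUPPORTED;
		goto out;
	}
	group = open(group_path, O_RDWR);
	if (group < 0 || ioctl(group, VFIO_GROUP_GET_STATUS, &status) < 0) {
		*err_out = errno;
		res = SPAPR_NO_GROUP;
		goto out;
	}
	/* All devices of the group must be bound to vfio drivers. */
	if (!(status.flags & VFIO_GROUP_FLAGS_VIABLE)) {
		res = SPAPR_NO_GROUP;
		goto out;
	}
	if (ioctl(group, VFIO_GROUP_SET_CONTAINER, &container) < 0) {
		*err_out = errno;
		res = SPAPR_NO_GROUP;
		goto out;
	}
	/* This is the call that reaches tce_iommu_attach_group() for the
	 * group above: unpatched it oopses on an mdev group (NULL
	 * table_group); patched it returns -1 with errno == ENODEV. */
	if (ioctl(container, VFIO_SET_IOMMU, VFIO_SPAPR_TCE_v2_IOMMU) < 0) {
		*err_out = errno;
		res = SPAPR_REFUSED;
		goto out;
	}
	res = SPAPR_OK;
out:
	if (group >= 0)
		close(group);
	close(container);
	return res;
}

int main(int argc, char **argv)
{
	/* Assumed paths; group 10 is the mdev group from the dmesg above. */
	const char *group = argc > 1 ? argv[1] : "/dev/vfio/10";
	int err;
	enum spapr_probe res = vfio_try_spapr_v2("/dev/vfio/vfio", group, &err);

	printf("result %d (%s)\n", res, err ? strerror(err) : "ok");
	return res == SPAPR_OK ? 0 : 1;
}
```

Run as the user that owns the group node (the one QEMU runs as). On a fixed kernel with an mdev group the expected outcome is SPAPR_REFUSED with "No such device"; on a group backed by a real powerpc iommu table it is SPAPR_OK.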