Re: [PATCH] vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 24 Jan 2017 17:50:26 +0100
Greg Kurz <groug@xxxxxxxx> wrote:

> The recently added mediated VFIO driver doesn't know about powerpc iommu.
> It thus doesn't register a struct iommu_table_group in the iommu group
> upon device creation. The iommu_data pointer hence remains null.
> 
> This causes a kernel oops when userspace tries to set the iommu type of a
> container associated with a mediated device to VFIO_SPAPR_TCE_v2_IOMMU.
> 
> [   82.585440] mtty mtty: MDEV: Registered
> [   87.655522] iommu: Adding device 83b8f4f2-509f-382f-3c1e-e6bfe0fa1001 to group 10
> [   87.655527] vfio_mdev 83b8f4f2-509f-382f-3c1e-e6bfe0fa1001: MDEV: group_id = 10
> [  116.297184] Unable to handle kernel paging request for data at address 0x00000030
> [  116.297389] Faulting instruction address: 0xd000000007870524
> [  116.297465] Oops: Kernel access of bad area, sig: 11 [#1]
> [  116.297611] SMP NR_CPUS=2048
> [  116.297611] NUMA
> [  116.297627] PowerNV
> ...
> [  116.297954] CPU: 33 PID: 7067 Comm: qemu-system-ppc Not tainted 4.10.0-rc5-mdev-test #8
> [  116.297993] task: c000000e7718b680 task.stack: c000000e77214000
> [  116.298025] NIP: d000000007870524 LR: d000000007870518 CTR: 0000000000000000
> [  116.298064] REGS: c000000e77217990 TRAP: 0300   Not tainted  (4.10.0-rc5-mdev-test)
> [  116.298103] MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>
> [  116.298107]   CR: 84004444  XER: 00000000
> [  116.298154] CFAR: c00000000000888c DAR: 0000000000000030 DSISR: 40000000 SOFTE: 1
>                GPR00: d000000007870518 c000000e77217c10 d00000000787b0ed c000000eed2103c0
>                GPR04: 0000000000000000 0000000000000000 c000000eed2103e0 0000000f24320000
>                GPR08: 0000000000000104 0000000000000001 0000000000000000 d0000000078729b0
>                GPR12: c00000000025b7e0 c00000000fe08400 0000000000000001 000001002d31d100
>                GPR16: 000001002c22c850 00003ffff315c750 0000000043145680 0000000043141bc0
>                GPR20: ffffffffffffffed fffffffffffff000 0000000020003b65 d000000007706018
>                GPR24: c000000f16cf0d98 d000000007706000 c000000003f42980 c000000003f42980
>                GPR28: c000000f1575ac00 c000000003f429c8 0000000000000000 c000000eed2103c0
> [  116.298504] NIP [d000000007870524] tce_iommu_attach_group+0x10c/0x360 [vfio_iommu_spapr_tce]
> [  116.298555] LR [d000000007870518] tce_iommu_attach_group+0x100/0x360 [vfio_iommu_spapr_tce]
> [  116.298601] Call Trace:
> [  116.298610] [c000000e77217c10] [d000000007870518] tce_iommu_attach_group+0x100/0x360 [vfio_iommu_spapr_tce] (unreliable)
> [  116.298671] [c000000e77217cb0] [d0000000077033a0] vfio_fops_unl_ioctl+0x278/0x3e0 [vfio]
> [  116.298713] [c000000e77217d40] [c0000000002a3ebc] do_vfs_ioctl+0xcc/0x8b0
> [  116.298745] [c000000e77217de0] [c0000000002a4700] SyS_ioctl+0x60/0xc0
> [  116.298782] [c000000e77217e30] [c00000000000b220] system_call+0x38/0xfc
> [  116.298812] Instruction dump:
> [  116.298828] 7d3f4b78 409effc8 3d220000 e9298020 3c800140 38a00018 608480c0 e8690028
> [  116.298869] 4800249d e8410018 7c7f1b79 41820230 <e93e0030> 2fa90000 419e0114 e9090020
> [  116.298914] ---[ end trace 1e10b0ced08b9120 ]---
> 
> This patch fixes the oops.
> 
> Reported-by: Vaibhav Jain <vaibhav@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Greg Kurz <groug@xxxxxxxx>
> ---
>  drivers/vfio/vfio_iommu_spapr_tce.c |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/vfio/vfio_iommu_spapr_tce.c b/drivers/vfio/vfio_iommu_spapr_tce.c
> index c8823578a1b2..128d10282d16 100644
> --- a/drivers/vfio/vfio_iommu_spapr_tce.c
> +++ b/drivers/vfio/vfio_iommu_spapr_tce.c
> @@ -1270,6 +1270,10 @@ static int tce_iommu_attach_group(void *iommu_data,
>  	/* pr_debug("tce_vfio: Attaching group #%u to iommu %p\n",
>  			iommu_group_id(iommu_group), iommu_group); */
>  	table_group = iommu_group_get_iommudata(iommu_group);
> +	if (!table_group) {
> +		ret = -ENODEV;
> +		goto unlock_exit;
> +	}
>  
>  	if (tce_groups_attached(container) && (!table_group->ops ||
>  			!table_group->ops->take_ownership ||
> 

Seems sane to me.

David/Alexey, please review.  Thanks,

Alex



[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux