linux_dsm_epyc7002/arch/powerpc/kvm
Greg Kurz f54db39fbe KVM: PPC: Book3S HV: XIVE: Fix vCPU id sanity check
Commit 062cfab706 ("KVM: PPC: Book3S HV: XIVE: Make VP block size
configurable") updated kvmppc_xive_vcpu_id_valid() in a way that
allows userspace to trigger an assertion in skiboot and crash the host:

[  696.186248988,3] XIVE[ IC 08  ] eq_blk != vp_blk (0 vs. 1) for target 0x4300008c/0
[  696.186314757,0] Assert fail: hw/xive.c:2370:0
[  696.186342458,0] Aborting!
xive-kvCPU 0043 Backtrace:
 S: 0000000031e2b8f0 R: 0000000030013840   .backtrace+0x48
 S: 0000000031e2b990 R: 000000003001b2d0   ._abort+0x4c
 S: 0000000031e2ba10 R: 000000003001b34c   .assert_fail+0x34
 S: 0000000031e2ba90 R: 0000000030058984   .xive_eq_for_target.part.20+0xb0
 S: 0000000031e2bb40 R: 0000000030059fdc   .xive_setup_silent_gather+0x2c
 S: 0000000031e2bc20 R: 000000003005a334   .opal_xive_set_vp_info+0x124
 S: 0000000031e2bd20 R: 00000000300051a4   opal_entry+0x134
 --- OPAL call token: 0x8a caller R1: 0xc000001f28563850 ---

XIVE maintains the interrupt context state of non-dispatched vCPUs in
an internal VP structure. We allocate a bunch of those on startup to
accommodate all possible vCPUs. Each VP has an id, that we derive from
the vCPU id for efficiency:

static inline u32 kvmppc_xive_vp(struct kvmppc_xive *xive, u32 server)
{
	return xive->vp_base + kvmppc_pack_vcpu_id(xive->kvm, server);
}

The KVM XIVE device used to allocate KVM_MAX_VCPUS VPs. This was
limiting the number of concurrent VMs because the VP space is
limited on the HW. Since most of the time, VMs run with a lot less
vCPUs, commit 062cfab706 ("KVM: PPC: Book3S HV: XIVE: Make VP
block size configurable") gave the possibility for userspace to
tune the size of the VP block through the KVM_DEV_XIVE_NR_SERVERS
attribute.

The check in kvmppc_pack_vcpu_id() was changed from

	cpu < KVM_MAX_VCPUS * xive->kvm->arch.emul_smt_mode

to

	cpu < xive->nr_servers * xive->kvm->arch.emul_smt_mode

The previous check was based on the fact that the VP block had
KVM_MAX_VCPUS entries and that kvmppc_pack_vcpu_id() guarantees
that packed vCPU ids are below KVM_MAX_VCPUS. We've changed the
size of the VP block, but kvmppc_pack_vcpu_id() has nothing to
do with it and it certainly doesn't ensure that the packed vCPU
ids are below xive->nr_servers. kvmppc_xive_vcpu_id_valid() might
thus return true when the VM was configured with a non-standard
VSMT mode, even if the packed vCPU id is higher than what we
expect. We end up using an unallocated VP id, which confuses
OPAL. The assert in OPAL is probably abusive and should be
converted to a regular error that the kernel can handle, but
we shouldn't really use broken VP ids in the first place.

Fix kvmppc_xive_vcpu_id_valid() so that it checks the packed
vCPU id is below xive->nr_servers, which is explicitly what we
want.

Fixes: 062cfab706 ("KVM: PPC: Book3S HV: XIVE: Make VP block size configurable")
Cc: stable@vger.kernel.org # v5.5+
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/160673876747.695514.1809676603724514920.stgit@bahia.lan
2020-12-01 21:45:51 +11:00
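The sanity check discussed in the commit message, modelled as an added example; this is not code from the kernel, from skiboot, or from this page. It stands in for kvmppc_pack_vcpu_id() with a packer that keeps the one property the fix relies on (a packed id is always below KVM_MAX_VCPUS and has nothing to do with nr_servers); the block_offsets table, the KVM_MAX_VCPUS value, the PACK_INVALID sentinel, the 0x200 VP base and the 128-server guest configuration are all assumptions. It walks every vCPU id the pre-fix check accepts and reports the first whose VP id would land outside the allocated block, and then verifies over the whole id space that the fixed check, stated in terms of the packed id, never admits such an id.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Assumed constants for the model; the real values live in the kernel. */
#define KVM_MAX_VCPUS   2048u
#define MAX_SMT_THREADS 8u
#define PACK_INVALID    UINT32_MAX

struct model_kvm  { u32 emul_smt_mode; };            /* 1, 2, 4 or 8 */
struct model_xive { struct model_kvm *kvm; u32 vp_base; u32 nr_servers; };

/* Stand-in for kvmppc_pack_vcpu_id(): ids at or above KVM_MAX_VCPUS are
 * folded into SMT thread slots the emulated SMT mode leaves unused. The
 * slot table and the sentinel on overflow are modelling assumptions; what
 * the fix relies on is that a packed id is always below KVM_MAX_VCPUS and
 * bears no relation to nr_servers. */
static u32 model_pack_vcpu_id(const struct model_kvm *kvm, u32 id)
{
	static const u32 block_offsets[MAX_SMT_THREADS] = {0, 4, 2, 6, 1, 5, 3, 7};
	u32 block = (id / KVM_MAX_VCPUS) * (MAX_SMT_THREADS / kvm->emul_smt_mode);

	if (block >= MAX_SMT_THREADS)
		return PACK_INVALID;              /* too large to pack */
	return (id % KVM_MAX_VCPUS) + block_offsets[block];
}

/* VP id derivation quoted in the commit message. */
static u32 model_xive_vp(const struct model_xive *x, u32 server)
{
	u32 packed = model_pack_vcpu_id(x->kvm, server);
	return packed == PACK_INVALID ? PACK_INVALID : x->vp_base + packed;
}

/* Check as introduced by 062cfab706: raw vCPU id against the scaled block size. */
static bool vcpu_id_valid_before_fix(const struct model_xive *x, u32 cpu)
{
	return cpu < x->nr_servers * x->kvm->emul_smt_mode;
}

/* Check after the fix: the packed id is what indexes the VP block. */
static bool vcpu_id_valid_after_fix(const struct model_xive *x, u32 cpu)
{
	return model_pack_vcpu_id(x->kvm, cpu) < x->nr_servers;
}

/* True when the VP derived for cpu lies outside [vp_base, vp_base + nr_servers). */
static bool vp_outside_block(const struct model_xive *x, u32 cpu)
{
	return model_xive_vp(x, cpu) >= x->vp_base + x->nr_servers;
}

/* Lowest vCPU id the pre-fix check accepts although its VP would lie
 * outside the allocated block; UINT32_MAX if there is none. */
static u32 first_escaping_vcpu_id(u32 emul_smt_mode, u32 nr_servers)
{
	struct model_kvm kvm = { emul_smt_mode };
	struct model_xive x = { &kvm, 0x200, nr_servers }; /* arbitrary vp_base */

	for (u32 cpu = 0; cpu < nr_servers * emul_smt_mode; cpu++)
		if (vcpu_id_valid_before_fix(&x, cpu) && vp_outside_block(&x, cpu))
			return cpu;
	return UINT32_MAX;
}

/* True if, over the whole id space, the fixed check never admits an id
 * whose VP falls outside the allocated block. */
static bool fixed_check_keeps_vp_in_block(u32 emul_smt_mode, u32 nr_servers)
{
	struct model_kvm kvm = { emul_smt_mode };
	struct model_xive x = { &kvm, 0x200, nr_servers };

	for (u32 cpu = 0; cpu < KVM_MAX_VCPUS * MAX_SMT_THREADS; cpu++)
		if (vcpu_id_valid_after_fix(&x, cpu) && vp_outside_block(&x, cpu))
			return false;
	return true;
}

/* Convenience wrapper: packed id for a given emulated SMT mode. */
static u32 packed_id(u32 emul_smt_mode, u32 id)
{
	struct model_kvm kvm = { emul_smt_mode };
	return model_pack_vcpu_id(&kvm, id);
}

int main(void)
{
	/* A guest with 8 emulated threads per core and a 128-entry VP block. */
	u32 bad = first_escaping_vcpu_id(8, 128);

	printf("pre-fix check admits vCPU id %u, VP index %u >= nr_servers 128\n",
	       bad, packed_id(8, bad));
	printf("with emul_smt_mode 1 the pre-fix check escapes: %s\n",
	       first_escaping_vcpu_id(1, 128) == UINT32_MAX ? "never" : "yes");
	printf("fixed check keeps every admitted VP in the block: %s\n",
	       fixed_check_keeps_vp_in_block(8, 128) ? "yes" : "no");
	printf("high id 2048 still folds into the block, as packed id %u\n",
	       packed_id(8, 2048));
	return 0;
}
```

The point the walk makes concrete is that the pre-fix bound is only equivalent to the fixed one when emul_smt_mode is 1; for any larger emulated SMT mode the raw id can exceed nr_servers by up to a factor of emul_smt_mode while still passing, and the VP id handed to OPAL is then past the end of the block that was allocated.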
book3s_32_mmu_host.c KVM: PPC: Book3S PR: Move kvmppc_mmu_init() into PR KVM 2020-03-19 16:39:52 +11:00
book3s_32_mmu.c KVM: PPC: Use fallthrough; 2020-03-19 16:39:52 +11:00
book3s_32_sr.S
book3s_64_mmu_host.c KVM: PPC: Book3S PR: Move kvmppc_mmu_init() into PR KVM 2020-03-19 16:39:52 +11:00
book3s_64_mmu_hv.c KVM: PPC: Book3S HV: Increase KVMPPC_NR_LPIDS on POWER8 and POWER9 2020-07-21 15:38:03 +10:00
book3s_64_mmu_radix.c KVM: PPC: Book3S: Fix symbol undeclared warnings 2020-09-22 11:53:55 +10:00
book3s_64_mmu.c KVM: PPC: Use fallthrough; 2020-03-19 16:39:52 +11:00
book3s_64_slb.S
book3s_64_vio_hv.c treewide: Convert macro and uses of __section(foo) to __section("foo") 2020-10-25 14:51:49 -07:00
book3s_64_vio.c KVM: PPC: Book3S: Fix symbol undeclared warnings 2020-09-22 11:53:55 +10:00
book3s_emulate.c KVM: PPC: Clean up redundant 'kvm_run' parameters 2020-05-27 11:39:31 +10:00
book3s_exports.c
book3s_hv_builtin.c KVM: PPC: Book3S HV: simplify kvm_cma_reserve() 2020-10-13 18:38:34 -07:00
book3s_hv_hmi.c
book3s_hv_interrupts.S KVM: PPC: Book3S HV: Set LPCR[HDICE] before writing HDEC 2020-09-17 11:38:17 +10:00
book3s_hv_nested.c KVM: PPC: Book3S: Fix symbol undeclared warnings 2020-09-22 11:53:55 +10:00
book3s_hv_ras.c powerpc/64s: Move HMI IRQ stat from percpu variable to paca. 2020-07-29 23:47:53 +10:00
book3s_hv_rm_mmu.c powerpc: Define new SRR1 bits for a ISA v3.1 2020-05-19 00:10:38 +10:00
book3s_hv_rm_xics.c KVM: PPC: Book3S: Fix symbol undeclared warnings 2020-09-22 11:53:55 +10:00
book3s_hv_rm_xive.c mm: reorder includes after introduction of linux/pgtable.h 2020-06-09 09:39:13 -07:00
book3s_hv_rmhandlers.S powerpc/64s: handle ISA v3.1 local copy-paste context switches 2020-09-08 22:57:12 +10:00
book3s_hv_tm_builtin.c KVM: PPC: Book3S HV: Treat TM-related invalid form instructions on P9 like the valid ones 2020-03-19 16:39:52 +11:00
book3s_hv_tm.c KVM: PPC: Book3S HV: Treat TM-related invalid form instructions on P9 like the valid ones 2020-03-19 16:39:52 +11:00
book3s_hv_uvmem.c mm/memremap_pages: support multiple ranges per invocation 2020-10-13 18:38:28 -07:00
book3s_hv.c ARM: 2020-10-23 11:17:56 -07:00
book3s_interrupts.S PPC KVM update for 5.9 2020-08-09 13:24:02 -04:00
book3s_mmu_hpte.c
book3s_paired_singles.c KVM: PPC: Clean up redundant 'kvm_run' parameters 2020-05-27 11:39:31 +10:00
book3s_pr_papr.c
book3s_pr.c KVM: PPC: Book3S: Fix symbol undeclared warnings 2020-09-22 11:53:55 +10:00
book3s_rmhandlers.S
book3s_rtas.c KVM: PPC: Protect kvm_vcpu_read_guest with srcu locks 2020-07-21 15:38:03 +10:00
book3s_segment.S powerpc/64s/exception: Move KVM test to common code 2020-04-01 13:42:11 +11:00
book3s_xics.c KVM: PPC: Book3S HV: XICS: Replace the 'destroy' method by a 'release' method 2020-09-03 14:12:48 +10:00
book3s_xics.h
book3s_xive_native.c KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page 2020-11-16 23:28:30 +11:00
book3s_xive_template.c powerpc/xive: Enforce load-after-store ordering when StoreEOI is active 2020-05-07 22:58:31 +10:00
book3s_xive.c KVM: PPC: Book3S HV: XIVE: Fix vCPU id sanity check 2020-12-01 21:45:51 +11:00
book3s_xive.h
book3s.c KVM: PPC: Don't return -ENOTSUPP to userspace in ioctls 2020-09-17 11:38:17 +10:00
book3s.h KVM: PPC: Clean up redundant 'kvm_run' parameters 2020-05-27 11:39:31 +10:00
booke_emulate.c KVM: PPC: Clean up redundant 'kvm_run' parameters 2020-05-27 11:39:31 +10:00
booke_interrupts.S KVM: PPC: Clean up redundant kvm_run parameters in assembly 2020-07-23 15:50:01 +10:00
booke.c KVM: PPC: Don't return -ENOTSUPP to userspace in ioctls 2020-09-17 11:38:17 +10:00
booke.h KVM: PPC: Clean up redundant 'kvm_run' parameters 2020-05-27 11:39:31 +10:00
bookehv_interrupts.S KVM: PPC: Clean up redundant kvm_run parameters in assembly 2020-07-23 15:50:01 +10:00
e500_emulate.c KVM: PPC: Clean up redundant 'kvm_run' parameters 2020-05-27 11:39:31 +10:00
e500_mmu_host.c KVM: Pass MMU notifier range flags to kvm_unmap_hva_range() 2020-08-21 18:03:47 -04:00
e500_mmu_host.h
e500_mmu.c KVM: PPC: Kill kvmppc_ops::mmu_destroy() and kvmppc_mmu_destroy() 2020-03-19 16:43:07 +11:00
e500.c KVM: PPC: Kill kvmppc_ops::mmu_destroy() and kvmppc_mmu_destroy() 2020-03-19 16:43:07 +11:00
e500.h
e500mc.c KVM: PPC: Kill kvmppc_ops::mmu_destroy() and kvmppc_mmu_destroy() 2020-03-19 16:43:07 +11:00
emulate_loadstore.c MIPS: 2020-06-12 11:05:52 -07:00
emulate.c KVM: PPC: Clean up redundant 'kvm_run' parameters 2020-05-27 11:39:31 +10:00
fpu.S mm: reorder includes after introduction of linux/pgtable.h 2020-06-09 09:39:13 -07:00
irq.h
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile
mpic.c KVM: Remove unnecessary asm/kvm_host.h includes 2020-03-16 17:57:34 +01:00
powerpc.c PPC KVM update for 5.9 2020-08-09 13:24:02 -04:00
timing.c
timing.h KVM: Remove unnecessary asm/kvm_host.h includes 2020-03-16 17:57:34 +01:00
tm.S
trace_book3s.h
trace_booke.h
trace_hv.h KVM: PPC: Fix typo on H_DISABLE_AND_GET hcall 2020-07-23 17:43:35 +10:00
trace_pr.h
trace.h