From patchwork Wed Jun  7 17:11:49 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Christoffer Dall <cdall@linaro.org>
X-Patchwork-Id: 103302
Delivered-To: patch@linaro.org
Received: by 10.140.91.77 with SMTP id y71csp2042375qgd;
 Wed, 7 Jun 2017 10:12:17 -0700 (PDT)
X-Received: by 10.98.111.133 with SMTP id k127mr32522378pfc.215.1496855537725; 
 Wed, 07 Jun 2017 10:12:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1496855537; cv=none;
 d=google.com; s=arc-20160816;
 b=fFDRKCdZv1+9SRa+qxdJo/1RfaElhen76DC1m6mHZiEw1ESLbmOajmriAk9DUg6vM/
 GeGu0KVJxDRIaANhqRn466ZTethSaDt102BrXwp8NlAJj1CjQP3UlqAgvAkeksURbdXa
 BoVand7/TgodMGsxM5h/FGUHeUybbahML6t7Rc7ephUA6ISwspXvPH9VtKcv9YbtDuED
 MhXfGhx8cr4aajO8/MWv1NMRPmBriKxwXIeHvCP9aJ8bZILTjiwq6Hmte2vviLb0BRmE
 1KNQ8p0dGFNUBUOc3oXA/oZt5h64pg7jxRQp5PWKrhhHGTvvpqUrJfEA9G/h1SJXImjQ
 R3OA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature:arc-authentication-results;
 bh=S5X4aVMVwKwyxCJ1P/KCFfH7YvSJsKAmtf5ebjhgSb8=;
 b=cmdNKMeV1I11hzeeIE5fs+qoooc4CVdLCXIUorZTFH8FRaSjLVRL7vlIKanhGaQOo1
 N7NXKJ8UjJ50jf/QENS8kd80EloYAZCvW7lrTdw1Mi7mtsaONuJItod4SWV8Gwx9i1Yo
 pR3HNObY7loQZO6pm5CzlnuV4c1GxjMie5CzTfz6i7Gs3hW7AHiDJ+PiXV3zJ93qBuIQ
 3s82Qz9toyE77jKDeCh74ZobSWtvc1cNtH4LCjoUR2CNQ5jxI47yH2fdwHdEGTVW/bVz
 21wsYWFiH6NDaNuzED76/+JEjm0xKazwrX0uyiz7hwAyQuM3MV2MrBh/xTgF0y1MtnLX
 AfiA==
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 v62si2180106pgd.355.2017.06.07.10.12.17; 
 Wed, 07 Jun 2017 10:12:17 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1751739AbdFGRMQ (ORCPT <rfc822;sumit.semwal@linaro.org>
 + 6 others); Wed, 7 Jun 2017 13:12:16 -0400
Received: from mail-wm0-f47.google.com ([74.125.82.47]:35188 "EHLO
 mail-wm0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1751522AbdFGRMK (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 7 Jun 2017 13:12:10 -0400
Received: by mail-wm0-f47.google.com with SMTP id x70so62270388wme.0
 for <stable@vger.kernel.org>; Wed, 07 Jun 2017 10:12:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=S5X4aVMVwKwyxCJ1P/KCFfH7YvSJsKAmtf5ebjhgSb8=;
 b=YAe9b5a6BXC8S5jpR0wtvu8n9dWAh/8kLpCzwuLboDF0Co1Wt6mcIjuBQ3tGv9S07F
 uv3S6XJ2njVhutKQHtm00CXM2kmLPSm+4qiPajnbgQ/gioImsj0vWPRUp3aD8sTS7K6N
 xpRtaBY+SsH81EO0zb4m4LePH3FLkSJrGGQtU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=S5X4aVMVwKwyxCJ1P/KCFfH7YvSJsKAmtf5ebjhgSb8=;
 b=m4jcx+6qbXVtpS/2V3pVFeEHL9TJsuq11VnUM4BH9agJOku9yWCckiQ89LipvPbUt8
 ylMyHG0cHnkevMrctDvZcZ4LisPuVh+TA916KTJPJDd05qsKBP4MbC5kcH4fymu97aKk
 +LB20iNqcwU6YeldzoMdzJB+qL3kCC4+rHlgFjH10YHsi8PTapgFxnzh4ZLrlSgAwNaX
 /6JYE2VsN+OURReRkt87uShm0SYkSfMOM2NOhwCKlHkyn78bP5devVSINBTFAD8MVcpZ
 edLcrjlryWek+mZCbqWqQQR+/XMo8v/j1I2DWOY0MlXoWt8Ytyur34h21UUu8W23tFDp
 dpwg==
X-Gm-Message-State: AODbwcChdI8PcS10p4VE4g8p2lm5vkp0vy/mwgyGPB3KtAODemA2tiiH
 g9fohdjXx2DBUdSt
X-Received: by 10.80.151.131 with SMTP id e3mr25588068edb.61.1496855529274; 
 Wed, 07 Jun 2017 10:12:09 -0700 (PDT)
Received: from localhost.localdomain (xd93ddc2d.cust.hiper.dk.
 [217.61.220.45]) by smtp.gmail.com with ESMTPSA id
 c2sm966244edc.34.2017.06.07.10.12.08
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 07 Jun 2017 10:12:08 -0700 (PDT)
From: Christoffer Dall <cdall@linaro.org>
To: Paolo Bonzini <pbonzini@redhat.com>, =?utf-8?b?UmFkaW0gS3LEjW3DocWZ?=
 <rkrcmar@redhat.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>, kvmarm@lists.cs.columbia.edu,
 kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
 stable@vger.kernel.org, Christoffer Dall <cdall@linaro.org>
Subject: [PULL v2 3/6] KVM: arm/arm64: Handle possible NULL stage2 pud when
 ageing pages
Date: Wed,  7 Jun 2017 19:11:49 +0200
Message-Id: <20170607171152.21874-4-cdall@linaro.org>
X-Mailer: git-send-email 2.9.0
In-Reply-To: <20170607171152.21874-1-cdall@linaro.org>
References: <20170607171152.21874-1-cdall@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Marc Zyngier <marc.zyngier@arm.com>

Under memory pressure, we start ageing pages, which amounts to parsing
the page tables. Since we don't want to allocate any extra level,
we pass NULL for our private allocation cache. Which means that
stage2_get_pud() is allowed to fail. This results in the following
splat:

[ 1520.409577] Unable to handle kernel NULL pointer dereference at virtual address 00000008
[ 1520.417741] pgd = ffff810f52fef000
[ 1520.421201] [00000008] *pgd=0000010f636c5003, *pud=0000010f56f48003, *pmd=0000000000000000
[ 1520.429546] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[ 1520.435156] Modules linked in:
[ 1520.438246] CPU: 15 PID: 53550 Comm: qemu-system-aar Tainted: G        W       4.12.0-rc4-00027-g1885c397eaec #7205
[ 1520.448705] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB12A 10/26/2016
[ 1520.463726] task: ffff800ac5fb4e00 task.stack: ffff800ce04e0000
[ 1520.469666] PC is at stage2_get_pmd+0x34/0x110
[ 1520.474119] LR is at kvm_age_hva_handler+0x44/0xf0
[ 1520.478917] pc : [<ffff0000080b137c>] lr : [<ffff0000080b149c>] pstate: 40000145
[ 1520.486325] sp : ffff800ce04e33d0
[ 1520.489644] x29: ffff800ce04e33d0 x28: 0000000ffff40064
[ 1520.494967] x27: 0000ffff27e00000 x26: 0000000000000000
[ 1520.500289] x25: ffff81051ba65008 x24: 0000ffff40065000
[ 1520.505618] x23: 0000ffff40064000 x22: 0000000000000000
[ 1520.510947] x21: ffff810f52b20000 x20: 0000000000000000
[ 1520.516274] x19: 0000000058264000 x18: 0000000000000000
[ 1520.521603] x17: 0000ffffa6fe7438 x16: ffff000008278b70
[ 1520.526940] x15: 000028ccd8000000 x14: 0000000000000008
[ 1520.532264] x13: ffff7e0018298000 x12: 0000000000000002
[ 1520.537582] x11: ffff000009241b93 x10: 0000000000000940
[ 1520.542908] x9 : ffff0000092ef800 x8 : 0000000000000200
[ 1520.548229] x7 : ffff800ce04e36a8 x6 : 0000000000000000
[ 1520.553552] x5 : 0000000000000001 x4 : 0000000000000000
[ 1520.558873] x3 : 0000000000000000 x2 : 0000000000000008
[ 1520.571696] x1 : ffff000008fd5000 x0 : ffff0000080b149c
[ 1520.577039] Process qemu-system-aar (pid: 53550, stack limit = 0xffff800ce04e0000)
[...]
[ 1521.510735] [<ffff0000080b137c>] stage2_get_pmd+0x34/0x110
[ 1521.516221] [<ffff0000080b149c>] kvm_age_hva_handler+0x44/0xf0
[ 1521.522054] [<ffff0000080b0610>] handle_hva_to_gpa+0xb8/0xe8
[ 1521.527716] [<ffff0000080b3434>] kvm_age_hva+0x44/0xf0
[ 1521.532854] [<ffff0000080a58b0>] kvm_mmu_notifier_clear_flush_young+0x70/0xc0
[ 1521.539992] [<ffff000008238378>] __mmu_notifier_clear_flush_young+0x88/0xd0
[ 1521.546958] [<ffff00000821eca0>] page_referenced_one+0xf0/0x188
[ 1521.552881] [<ffff00000821f36c>] rmap_walk_anon+0xec/0x250
[ 1521.558370] [<ffff000008220f78>] rmap_walk+0x78/0xa0
[ 1521.563337] [<ffff000008221104>] page_referenced+0x164/0x180
[ 1521.569002] [<ffff0000081f1af0>] shrink_active_list+0x178/0x3b8
[ 1521.574922] [<ffff0000081f2058>] shrink_node_memcg+0x328/0x600
[ 1521.580758] [<ffff0000081f23f4>] shrink_node+0xc4/0x328
[ 1521.585986] [<ffff0000081f2718>] do_try_to_free_pages+0xc0/0x340
[ 1521.592000] [<ffff0000081f2a64>] try_to_free_pages+0xcc/0x240
[...]

The trivial fix is to handle this NULL pud value early, rather than
dereferencing it blindly.

Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Christoffer Dall <cdall@linaro.org>
Signed-off-by: Christoffer Dall <cdall@linaro.org>
---
 virt/kvm/arm/mmu.c | 3 +++
 1 file changed, 3 insertions(+)

-- 
2.9.0

diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
index a2d6324..e2e5eff 100644
--- a/virt/kvm/arm/mmu.c
+++ b/virt/kvm/arm/mmu.c
@@ -879,6 +879,9 @@ static pmd_t *stage2_get_pmd(struct kvm *kvm, struct kvm_mmu_memory_cache *cache
 	pmd_t *pmd;
 
 	pud = stage2_get_pud(kvm, cache, addr);
+	if (!pud)
+		return NULL;
+
 	if (stage2_pud_none(*pud)) {
 		if (!cache)
 			return NULL;