diff mbox

KVM: arm/arm64: drop resource size check for GICV window

Message ID 20180601150628.10111-1-ard.biesheuvel@linaro.org (mailing list archive)
State New, archived
Headers show

Commit Message

Ard Biesheuvel June 1, 2018, 3:06 p.m. UTC
When booting a 64 KB pages kernel on a ACPI GICv3 system that
implements support for v2 emulation, the following warning is
produced

  GICV size 0x2000 not a multiple of page size 0x10000

and support for v2 emulation is disabled, preventing GICv2 VMs
from being able to run on such hosts.

The reason is that vgic_v3_probe() performs a sanity check on the
size of the window (it should be a multiple of the page size),
while the ACPI MADT parsing code hardcodes the size of the window
to 8 KB. This makes sense, considering that ACPI does not bother
to describe the size in the first place, under the assumption that
platforms implementing ACPI will follow the architecture and not
put anything else in the same 64 KB window.

So let's just drop the sanity check altogether, and assume that
the window is at least 64 KB in size.

Fixes: 909777324588 ("KVM: arm/arm64: vgic-new: vgic_init: implement kvm_vgic_hyp_init")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 virt/kvm/arm/vgic/vgic-v3.c | 5 -----
 1 file changed, 5 deletions(-)

Comments

Christoffer Dall June 9, 2018, 10:06 a.m. UTC | #1
On Fri, Jun 01, 2018 at 05:06:28PM +0200, Ard Biesheuvel wrote:
> When booting a 64 KB pages kernel on a ACPI GICv3 system that
> implements support for v2 emulation, the following warning is
> produced
> 
>   GICV size 0x2000 not a multiple of page size 0x10000
> 
> and support for v2 emulation is disabled, preventing GICv2 VMs
> from being able to run on such hosts.
> 
> The reason is that vgic_v3_probe() performs a sanity check on the
> size of the window (it should be a multiple of the page size),
> while the ACPI MADT parsing code hardcodes the size of the window
> to 8 KB. This makes sense, considering that ACPI does not bother
> to describe the size in the first place, under the assumption that
> platforms implementing ACPI will follow the architecture and not
> put anything else in the same 64 KB window.

Does the architecture actually say that anywhere?

> 
> So let's just drop the sanity check altogether, and assume that
> the window is at least 64 KB in size.

This could obviously be dangerous if broken systems actually exist.
Marc may know more about that than me.  An alternative would be to
modify the ACPI code to assume max(8 KB, page size) instead, and/or a
command line parameter to override this check.

That said, I'm not directly opposed to this patch, but I'll let Marc
have a look as well.

Thanks,
-Christoffer

> 
> Fixes: 909777324588 ("KVM: arm/arm64: vgic-new: vgic_init: implement kvm_vgic_hyp_init")
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  virt/kvm/arm/vgic/vgic-v3.c | 5 -----
>  1 file changed, 5 deletions(-)
> 
> diff --git a/virt/kvm/arm/vgic/vgic-v3.c b/virt/kvm/arm/vgic/vgic-v3.c
> index bdcf8e7a6161..72fc688c3e9d 100644
> --- a/virt/kvm/arm/vgic/vgic-v3.c
> +++ b/virt/kvm/arm/vgic/vgic-v3.c
> @@ -552,11 +552,6 @@ int vgic_v3_probe(const struct gic_kvm_info *info)
>  		pr_warn("GICV physical address 0x%llx not page aligned\n",
>  			(unsigned long long)info->vcpu.start);
>  		kvm_vgic_global_state.vcpu_base = 0;
> -	} else if (!PAGE_ALIGNED(resource_size(&info->vcpu))) {
> -		pr_warn("GICV size 0x%llx not a multiple of page size 0x%lx\n",
> -			(unsigned long long)resource_size(&info->vcpu),
> -			PAGE_SIZE);
> -		kvm_vgic_global_state.vcpu_base = 0;
>  	} else {
>  		kvm_vgic_global_state.vcpu_base = info->vcpu.start;
>  		kvm_vgic_global_state.can_emulate_gicv2 = true;
> -- 
> 2.17.0
>
Ard Biesheuvel June 9, 2018, 10:30 a.m. UTC | #2
> On 9 Jun 2018, at 12:06, Christoffer Dall <christoffer.dall@arm.com> wrote:
> 
>> On Fri, Jun 01, 2018 at 05:06:28PM +0200, Ard Biesheuvel wrote:
>> When booting a 64 KB pages kernel on a ACPI GICv3 system that
>> implements support for v2 emulation, the following warning is
>> produced
>> 
>>  GICV size 0x2000 not a multiple of page size 0x10000
>> 
>> and support for v2 emulation is disabled, preventing GICv2 VMs
>> from being able to run on such hosts.
>> 
>> The reason is that vgic_v3_probe() performs a sanity check on the
>> size of the window (it should be a multiple of the page size),
>> while the ACPI MADT parsing code hardcodes the size of the window
>> to 8 KB. This makes sense, considering that ACPI does not bother
>> to describe the size in the first place, under the assumption that
>> platforms implementing ACPI will follow the architecture and not
>> put anything else in the same 64 KB window.
> 
> Does the architecture actually say that anywhere?
> 
>> 
>> So let's just drop the sanity check altogether, and assume that
>> the window is at least 64 KB in size.
> 
> This could obviously be dangerous if broken systems actually exist.
> Marc may know more about that than me.  An alternative would be to
> modify the ACPI code to assume max(8 KB, page size) instead, and/or a
> command line parameter to override this check.
> 
> That said, I'm not directly opposed to this patch, but I'll let Marc
> have a look as well.
> 

This approach was actually Marc’s idea, and he already applied the patch to the queue branch afaik.


> 
>> 
>> Fixes: 909777324588 ("KVM: arm/arm64: vgic-new: vgic_init: implement kvm_vgic_hyp_init")
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>> ---
>> virt/kvm/arm/vgic/vgic-v3.c | 5 -----
>> 1 file changed, 5 deletions(-)
>> 
>> diff --git a/virt/kvm/arm/vgic/vgic-v3.c b/virt/kvm/arm/vgic/vgic-v3.c
>> index bdcf8e7a6161..72fc688c3e9d 100644
>> --- a/virt/kvm/arm/vgic/vgic-v3.c
>> +++ b/virt/kvm/arm/vgic/vgic-v3.c
>> @@ -552,11 +552,6 @@ int vgic_v3_probe(const struct gic_kvm_info *info)
>>        pr_warn("GICV physical address 0x%llx not page aligned\n",
>>            (unsigned long long)info->vcpu.start);
>>        kvm_vgic_global_state.vcpu_base = 0;
>> -    } else if (!PAGE_ALIGNED(resource_size(&info->vcpu))) {
>> -        pr_warn("GICV size 0x%llx not a multiple of page size 0x%lx\n",
>> -            (unsigned long long)resource_size(&info->vcpu),
>> -            PAGE_SIZE);
>> -        kvm_vgic_global_state.vcpu_base = 0;
>>    } else {
>>        kvm_vgic_global_state.vcpu_base = info->vcpu.start;
>>        kvm_vgic_global_state.can_emulate_gicv2 = true;
>> -- 
>> 2.17.0
>>
Christoffer Dall June 9, 2018, 11:20 a.m. UTC | #3
On Sat, Jun 09, 2018 at 12:30:14PM +0200, Ard Biesheuvel wrote:
> 
> 
> > On 9 Jun 2018, at 12:06, Christoffer Dall <christoffer.dall@arm.com> wrote:
> > 
> >> On Fri, Jun 01, 2018 at 05:06:28PM +0200, Ard Biesheuvel wrote:
> >> When booting a 64 KB pages kernel on a ACPI GICv3 system that
> >> implements support for v2 emulation, the following warning is
> >> produced
> >> 
> >>  GICV size 0x2000 not a multiple of page size 0x10000
> >> 
> >> and support for v2 emulation is disabled, preventing GICv2 VMs
> >> from being able to run on such hosts.
> >> 
> >> The reason is that vgic_v3_probe() performs a sanity check on the
> >> size of the window (it should be a multiple of the page size),
> >> while the ACPI MADT parsing code hardcodes the size of the window
> >> to 8 KB. This makes sense, considering that ACPI does not bother
> >> to describe the size in the first place, under the assumption that
> >> platforms implementing ACPI will follow the architecture and not
> >> put anything else in the same 64 KB window.
> > 
> > Does the architecture actually say that anywhere?
> > 
> >> 
> >> So let's just drop the sanity check altogether, and assume that
> >> the window is at least 64 KB in size.
> > 
> > This could obviously be dangerous if broken systems actually exist.
> > Marc may know more about that than me.  An alternative would be to
> > modify the ACPI code to assume max(8 KB, page size) instead, and/or a
> > command line parameter to override this check.
> > 
> > That said, I'm not directly opposed to this patch, but I'll let Marc
> > have a look as well.
> > 
> 
> This approach was actually Marc’s idea, and he already applied the patch to the queue branch afaik.
> 

Hmmm, ok.
-Christoffer
Marc Zyngier June 9, 2018, 12:09 p.m. UTC | #4
On Sat, 09 Jun 2018 11:06:57 +0100,
Christoffer Dall wrote:
> 
> On Fri, Jun 01, 2018 at 05:06:28PM +0200, Ard Biesheuvel wrote:
> > When booting a 64 KB pages kernel on a ACPI GICv3 system that
> > implements support for v2 emulation, the following warning is
> > produced
> > 
> >   GICV size 0x2000 not a multiple of page size 0x10000
> > 
> > and support for v2 emulation is disabled, preventing GICv2 VMs
> > from being able to run on such hosts.
> > 
> > The reason is that vgic_v3_probe() performs a sanity check on the
> > size of the window (it should be a multiple of the page size),
> > while the ACPI MADT parsing code hardcodes the size of the window
> > to 8 KB. This makes sense, considering that ACPI does not bother
> > to describe the size in the first place, under the assumption that
> > platforms implementing ACPI will follow the architecture and not
> > put anything else in the same 64 KB window.
> 
> Does the architecture actually say that anywhere?

It implies it in section 8.14 of the GICv3 spec:

<quote>
To enable use of 64KB pages, the GICV_* memory map must ensure that:

* The base address of the GICV_* registers is 64KB aligned.

* An alias of the GICV_* registers is provided starting at offset
  0xF000 from the start of the page such that a second copy of
  GICV_DIR exists at the start of the next 64KB page.  This provides
  support for both 4KB and 64KB pages.
</quote>

> > So let's just drop the sanity check altogether, and assume that
> > the window is at least 64 KB in size.
> 
> This could obviously be dangerous if broken systems actually exist.
> Marc may know more about that than me.  An alternative would be to
> modify the ACPI code to assume max(8 KB, page size) instead, and/or a
> command line parameter to override this check.

While the above is in effect very similar to the corresponding GICv2
requirements with the ARMv8 architecture (described in SBSA, which
everybody and their dog are unfortunately making a point in ignoring),
this is implemented in the CPU, meaning that integrators do not have
the opportunity to fsck it up. Hooray!

And as far as I know, this is only implemented on A35, A53, A57, A72
and A73 (all the other ARMv8 CPUs are purely GICv3, and no other
architectural licensee ever shipped a system with the compat
interface).

> That said, I'm not directly opposed to this patch, but I'll let Marc
> have a look as well.

My take on this is that we should play it as per the architecture, and
only add more checks if we're presented with a non-compliant
implementation.

Thanks,

	M.
Christoffer Dall June 9, 2018, 6:58 p.m. UTC | #5
On Sat, Jun 09, 2018 at 01:09:32PM +0100, Marc Zyngier wrote:
> On Sat, 09 Jun 2018 11:06:57 +0100,
> Christoffer Dall wrote:
> > 
> > On Fri, Jun 01, 2018 at 05:06:28PM +0200, Ard Biesheuvel wrote:
> > > When booting a 64 KB pages kernel on a ACPI GICv3 system that
> > > implements support for v2 emulation, the following warning is
> > > produced
> > > 
> > >   GICV size 0x2000 not a multiple of page size 0x10000
> > > 
> > > and support for v2 emulation is disabled, preventing GICv2 VMs
> > > from being able to run on such hosts.
> > > 
> > > The reason is that vgic_v3_probe() performs a sanity check on the
> > > size of the window (it should be a multiple of the page size),
> > > while the ACPI MADT parsing code hardcodes the size of the window
> > > to 8 KB. This makes sense, considering that ACPI does not bother
> > > to describe the size in the first place, under the assumption that
> > > platforms implementing ACPI will follow the architecture and not
> > > put anything else in the same 64 KB window.
> > 
> > Does the architecture actually say that anywhere?
> 
> It implies it in section 8.14 of the GICv3 spec:
> 
> <quote>
> To enable use of 64KB pages, the GICV_* memory map must ensure that:
> 
> * The base address of the GICV_* registers is 64KB aligned.
> 
> * An alias of the GICV_* registers is provided starting at offset
>   0xF000 from the start of the page such that a second copy of
>   GICV_DIR exists at the start of the next 64KB page.  This provides
>   support for both 4KB and 64KB pages.
> </quote>
> 
> > > So let's just drop the sanity check altogether, and assume that
> > > the window is at least 64 KB in size.
> > 
> > This could obviously be dangerous if broken systems actually exist.
> > Marc may know more about that than me.  An alternative would be to
> > modify the ACPI code to assume max(8 KB, page size) instead, and/or a
> > command line parameter to override this check.
> 
> While the above is in effect very similar to the corresponding GICv2
> requirements with the ARMv8 architecture (described in SBSA, which
> everybody and their dog are unfortunately making a point in ignoring),
> this is implemented in the CPU, meaning that integrators do not have
> the opportunity to fsck it up. Hooray!
> 
> And as far as I know, this is only implemented on A35, A53, A57, A72
> and A73 (all the other ARMv8 CPUs are purely GICv3, and no other
> architectural licensee ever shipped a system with the compat
> interface).
> 
> > That said, I'm not directly opposed to this patch, but I'll let Marc
> > have a look as well.
> 
> My take on this is that we should play it as per the architecture, and
> only add more checks if we're presented with a non-compliant
> implementation.
> 

I had some faint memory that we had actually seen that, but I'm clearly
mixing things up.

Thanks for the extended explanation.
-Christoffer
diff mbox

Patch

diff --git a/virt/kvm/arm/vgic/vgic-v3.c b/virt/kvm/arm/vgic/vgic-v3.c
index bdcf8e7a6161..72fc688c3e9d 100644
--- a/virt/kvm/arm/vgic/vgic-v3.c
+++ b/virt/kvm/arm/vgic/vgic-v3.c
@@ -552,11 +552,6 @@  int vgic_v3_probe(const struct gic_kvm_info *info)
 		pr_warn("GICV physical address 0x%llx not page aligned\n",
 			(unsigned long long)info->vcpu.start);
 		kvm_vgic_global_state.vcpu_base = 0;
-	} else if (!PAGE_ALIGNED(resource_size(&info->vcpu))) {
-		pr_warn("GICV size 0x%llx not a multiple of page size 0x%lx\n",
-			(unsigned long long)resource_size(&info->vcpu),
-			PAGE_SIZE);
-		kvm_vgic_global_state.vcpu_base = 0;
 	} else {
 		kvm_vgic_global_state.vcpu_base = info->vcpu.start;
 		kvm_vgic_global_state.can_emulate_gicv2 = true;