From patchwork Wed Jun  7 17:11:49 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Christoffer Dall <cdall@linaro.org>
X-Patchwork-Id: 9772041
Return-Path: <kvm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	9E43C60393 for <patchwork-kvm@patchwork.kernel.org>;
	Wed,  7 Jun 2017 17:12:23 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 514FA283B9
	for <patchwork-kvm@patchwork.kernel.org>;
	Wed,  7 Jun 2017 17:12:23 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 4616A28479; Wed,  7 Jun 2017 17:12:23 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A42AF283B9
	for <patchwork-kvm@patchwork.kernel.org>;
	Wed,  7 Jun 2017 17:12:22 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751522AbdFGRMQ (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Wed, 7 Jun 2017 13:12:16 -0400
Received: from mail-wm0-f46.google.com ([74.125.82.46]:36398 "EHLO
	mail-wm0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751533AbdFGRMK (ORCPT <rfc822; kvm@vger.kernel.org>);
	Wed, 7 Jun 2017 13:12:10 -0400
Received: by mail-wm0-f46.google.com with SMTP id 7so122726092wmo.1
	for <kvm@vger.kernel.org>; Wed, 07 Jun 2017 10:12:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=S5X4aVMVwKwyxCJ1P/KCFfH7YvSJsKAmtf5ebjhgSb8=;
	b=YAe9b5a6BXC8S5jpR0wtvu8n9dWAh/8kLpCzwuLboDF0Co1Wt6mcIjuBQ3tGv9S07F
	uv3S6XJ2njVhutKQHtm00CXM2kmLPSm+4qiPajnbgQ/gioImsj0vWPRUp3aD8sTS7K6N
	xpRtaBY+SsH81EO0zb4m4LePH3FLkSJrGGQtU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=S5X4aVMVwKwyxCJ1P/KCFfH7YvSJsKAmtf5ebjhgSb8=;
	b=YABlGbgnqJfWmAwG0Pa4nTF7rLzKAOwtT+sS5FaiP2iZhU7M+5HsyXdQF+hTp0tTzG
	38oUHf1fQ6edllpgI/F8PzAIcDBBZvtY80KBjJuxWmlc1VT3CjYlQiBuWtVTzw1CJ6ch
	3Rn47CmBIdK5qS9P5NgnjTlZ9HKuE3y7my2HHHtllDzyC2i+cYGl2bXvEbN82yO670wx
	zCxd16Xd9i0wt8qATK5+nxkLTRhS0bkgHZrkYsNT7jCZllYbZBCl7kbcNuSr4pqTtER5
	TDkvFwW4aYh6o1fNs88gJTpWBmjiDteWYvxRNLGQJHpOcdcXJoBEuyjPBBX3Gr4sIepA
	E+0g==
X-Gm-Message-State: AODbwcBSuKEw73ih1ArdHJRqXbPE9VyN8fi47Brw3X0s38c8pZiyllnM
	d+LDC4enlQZIQltn
X-Received: by 10.80.151.131 with SMTP id e3mr25588068edb.61.1496855529274;
	Wed, 07 Jun 2017 10:12:09 -0700 (PDT)
Received: from localhost.localdomain (xd93ddc2d.cust.hiper.dk.
	[217.61.220.45]) by smtp.gmail.com with ESMTPSA id
	c2sm966244edc.34.2017.06.07.10.12.08
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 07 Jun 2017 10:12:08 -0700 (PDT)
From: Christoffer Dall <cdall@linaro.org>
To: Paolo Bonzini <pbonzini@redhat.com>,
	=?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>, kvmarm@lists.cs.columbia.edu,
	kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
	stable@vger.kernel.org, Christoffer Dall <cdall@linaro.org>
Subject: [PULL v2 3/6] KVM: arm/arm64: Handle possible NULL stage2 pud when
	ageing pages
Date: Wed,  7 Jun 2017 19:11:49 +0200
Message-Id: <20170607171152.21874-4-cdall@linaro.org>
X-Mailer: git-send-email 2.9.0
In-Reply-To: <20170607171152.21874-1-cdall@linaro.org>
References: <20170607171152.21874-1-cdall@linaro.org>
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Marc Zyngier <marc.zyngier@arm.com>

Under memory pressure, we start ageing pages, which amounts to parsing
the page tables. Since we don't want to allocate any extra level,
we pass NULL for our private allocation cache. Which means that
stage2_get_pud() is allowed to fail. This results in the following
splat:

[ 1520.409577] Unable to handle kernel NULL pointer dereference at virtual address 00000008
[ 1520.417741] pgd = ffff810f52fef000
[ 1520.421201] [00000008] *pgd=0000010f636c5003, *pud=0000010f56f48003, *pmd=0000000000000000
[ 1520.429546] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[ 1520.435156] Modules linked in:
[ 1520.438246] CPU: 15 PID: 53550 Comm: qemu-system-aar Tainted: G        W       4.12.0-rc4-00027-g1885c397eaec #7205
[ 1520.448705] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB12A 10/26/2016
[ 1520.463726] task: ffff800ac5fb4e00 task.stack: ffff800ce04e0000
[ 1520.469666] PC is at stage2_get_pmd+0x34/0x110
[ 1520.474119] LR is at kvm_age_hva_handler+0x44/0xf0
[ 1520.478917] pc : [<ffff0000080b137c>] lr : [<ffff0000080b149c>] pstate: 40000145
[ 1520.486325] sp : ffff800ce04e33d0
[ 1520.489644] x29: ffff800ce04e33d0 x28: 0000000ffff40064
[ 1520.494967] x27: 0000ffff27e00000 x26: 0000000000000000
[ 1520.500289] x25: ffff81051ba65008 x24: 0000ffff40065000
[ 1520.505618] x23: 0000ffff40064000 x22: 0000000000000000
[ 1520.510947] x21: ffff810f52b20000 x20: 0000000000000000
[ 1520.516274] x19: 0000000058264000 x18: 0000000000000000
[ 1520.521603] x17: 0000ffffa6fe7438 x16: ffff000008278b70
[ 1520.526940] x15: 000028ccd8000000 x14: 0000000000000008
[ 1520.532264] x13: ffff7e0018298000 x12: 0000000000000002
[ 1520.537582] x11: ffff000009241b93 x10: 0000000000000940
[ 1520.542908] x9 : ffff0000092ef800 x8 : 0000000000000200
[ 1520.548229] x7 : ffff800ce04e36a8 x6 : 0000000000000000
[ 1520.553552] x5 : 0000000000000001 x4 : 0000000000000000
[ 1520.558873] x3 : 0000000000000000 x2 : 0000000000000008
[ 1520.571696] x1 : ffff000008fd5000 x0 : ffff0000080b149c
[ 1520.577039] Process qemu-system-aar (pid: 53550, stack limit = 0xffff800ce04e0000)
[...]
[ 1521.510735] [<ffff0000080b137c>] stage2_get_pmd+0x34/0x110
[ 1521.516221] [<ffff0000080b149c>] kvm_age_hva_handler+0x44/0xf0
[ 1521.522054] [<ffff0000080b0610>] handle_hva_to_gpa+0xb8/0xe8
[ 1521.527716] [<ffff0000080b3434>] kvm_age_hva+0x44/0xf0
[ 1521.532854] [<ffff0000080a58b0>] kvm_mmu_notifier_clear_flush_young+0x70/0xc0
[ 1521.539992] [<ffff000008238378>] __mmu_notifier_clear_flush_young+0x88/0xd0
[ 1521.546958] [<ffff00000821eca0>] page_referenced_one+0xf0/0x188
[ 1521.552881] [<ffff00000821f36c>] rmap_walk_anon+0xec/0x250
[ 1521.558370] [<ffff000008220f78>] rmap_walk+0x78/0xa0
[ 1521.563337] [<ffff000008221104>] page_referenced+0x164/0x180
[ 1521.569002] [<ffff0000081f1af0>] shrink_active_list+0x178/0x3b8
[ 1521.574922] [<ffff0000081f2058>] shrink_node_memcg+0x328/0x600
[ 1521.580758] [<ffff0000081f23f4>] shrink_node+0xc4/0x328
[ 1521.585986] [<ffff0000081f2718>] do_try_to_free_pages+0xc0/0x340
[ 1521.592000] [<ffff0000081f2a64>] try_to_free_pages+0xcc/0x240
[...]

The trivial fix is to handle this NULL pud value early, rather than
dereferencing it blindly.

Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Christoffer Dall <cdall@linaro.org>
Signed-off-by: Christoffer Dall <cdall@linaro.org>
---
 virt/kvm/arm/mmu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
index a2d6324..e2e5eff 100644
--- a/virt/kvm/arm/mmu.c
+++ b/virt/kvm/arm/mmu.c
@@ -879,6 +879,9 @@ static pmd_t *stage2_get_pmd(struct kvm *kvm, struct kvm_mmu_memory_cache *cache
 	pmd_t *pmd;
 
 	pud = stage2_get_pud(kvm, cache, addr);
+	if (!pud)
+		return NULL;
+
 	if (stage2_pud_none(*pud)) {
 		if (!cache)
 			return NULL;