From patchwork Wed May  2 07:08:31 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jia He <hejianet@gmail.com>
X-Patchwork-Id: 10375039
Return-Path: 
 <linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	0B0EE6037D for <patchwork-linux-arm@patchwork.kernel.org>;
	Wed,  2 May 2018 07:09:10 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EA7E228C6B
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Wed,  2 May 2018 07:09:09 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id DEFD528C84; Wed,  2 May 2018 07:09:09 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, DKIM_VALID, FREEMAIL_FROM,
	MAILING_LIST_MULTI autolearn=unavailable version=3.3.1
Received: from bombadil.infradead.org (bombadil.infradead.org
	[198.137.202.133])
	(using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 4016928C6B
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Wed,  2 May 2018 07:09:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
	List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date:
	Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Owner; bh=rjUvpr4eD9LsDrDsa+OJcJ1hY4LtPkvbNUSjD/7P47E=;
	b=dUN
	0jSEFtc1XL2zU25BrIaZnRVwHAstgwSDpx2BQiNn/D23yY3susrq+QI3GiOGnPexYjfv29acOwznn
	5lMd/GBXtK95bJxzVuichk5F6rK+60DUKQ5Tvsm8G6wuTzAmqaGbF8S6N6EUkD1A3ZQWoZzhndHw/
	QU7y13vR4oHvs1F226+AOSgfYDSw1kDAJgAVkNIgsWOp5F/ga/eJf+EbEEuRV1VJY7vnkzEiswP5v
	MC2cojihs3bvK7+CklqWOFoVv1j5tCDzOVeDnT6OOBaUDDT829F+WM/S712Ujqm1UC7UT5OogEgEI
	N5h3o3MLspLPODjqQIqylPtC7Iz9SIQ==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux))
	id 1fDlsq-00015j-MU; Wed, 02 May 2018 07:09:00 +0000
Received: from mail-pg0-x244.google.com ([2607:f8b0:400e:c05::244])
	by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat
	Linux)) id 1fDlsl-00014L-Qj
	for linux-arm-kernel@lists.infradead.org;
	Wed, 02 May 2018 07:08:58 +0000
Received: by mail-pg0-x244.google.com with SMTP id l2-v6so9940110pgc.7
	for <linux-arm-kernel@lists.infradead.org>;
	Wed, 02 May 2018 00:08:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=5vnx+8+r8RDQGWtOdhuSvxg/UR+evtvZsBiGRTJiTcM=;
	b=mTNnw0hYTuwE7BTB3az97DT/f5I3wmigXWO8ihxcGaPT98ik7q15kiVSJeesnv9REj
	h/a6tIdWwGiAE/vSfWraAd9ZzBSqJPY6tXEDP+PrWdkLtNdGJ/LW313BqEGDd1nXkRX8
	0avuYdYzb5ffJyJadgXWbrq4ohvA5ab3btLALEGVK2KXTjxvjkCAW4y/CiOVENEQlW5t
	tW3N6ec3gbvmnClWtBS5hG56w5sx+bjncRqjIXeUiQaz2qWp+cMWfaxqHPOZCKRfAPJe
	Bn4DL+rJABxS23YMnUyeY0630nBBOOm1BMqbFmm4e1KLMqpmx4KvBHlMoDd/yAFAANsj
	AArw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=5vnx+8+r8RDQGWtOdhuSvxg/UR+evtvZsBiGRTJiTcM=;
	b=MlTtJyRkAw0T2NV2jSZI0O7rQadmHPyEqNEuQDNzjjnjm/pQ4VYyZdBnVH3c9K4qSI
	/vuQAghQPyJBynlGiqCjUhV4efeMzvtKcG5QF+mXrtJzgSd4RUCreKnY31ZUcNWNKCmk
	mtFAO28I2z+FqLCoJJ5AG+BYVq1fMfgwVZrrAx96az2bbl+NiHX99lwmeDtHn09eC8cB
	biNBX7ul2afSr+W6yUShjV4IPYPXOuFyHcqgq1K+NRoEUcA2au0NdYgwXtFCCt0e6q77
	CdrvzU8h0N7z8h+aHCjLoVKcSxqJBS94g555VAous8SXbbMAYPlFyFSShtxKWvBaeUv1
	RNHw==
X-Gm-Message-State: ALQs6tBpwEVeRscmyepzhECHrVjCr3yleVrdTGAGKxqmaMNpiqqfaB0O
	aRiWlESctaaSFxmTsTrL1xlscQ==
X-Google-Smtp-Source: 
 AB8JxZqNrZZ7o4z8BDXjHBI4bqvt+jsVPu5lh7+z2rUVxsBCm4P7l0L5AD4SkAJlrSh1BMh5+xWN9w==
X-Received: by 10.98.174.19 with SMTP id q19mr18277360pff.155.1525244924819;
	Wed, 02 May 2018 00:08:44 -0700 (PDT)
Received: from ct7host.localdomain ([38.106.11.25])
	by smtp.gmail.com with ESMTPSA id
	a76sm24073724pfc.97.2018.05.02.00.08.40
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 02 May 2018 00:08:44 -0700 (PDT)
From: Jia He <hejianet@gmail.com>
To: Christoffer Dall <christoffer.dall@arm.com>,
	Marc Zyngier <marc.zyngier@arm.com>,
	linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu
Subject: [PATCH] KVM: arm/arm64: fix unaligned hva start and end in
	handle_hva_to_gpa
Date: Wed,  2 May 2018 15:08:31 +0800
Message-Id: <1525244911-5519-1-git-send-email-hejianet@gmail.com>
X-Mailer: git-send-email 1.8.3.1
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20180502_000855_894027_56ED49FC 
X-CRM114-Status: GOOD (  13.58  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Cc: Jia He <jia.he@hxt-semitech.com>, li.zhang@hxt-semitech.com,
	linux-kernel@vger.kernel.org
MIME-Version: 1.0
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Jia He <jia.he@hxt-semitech.com>

In our armv8a server (QDF2400), I noticed a WARN_ON as follows:

[  800.202850] WARNING: CPU: 33 PID: 255 at arch/arm64/kvm/../../../virt/kvm/arm/mmu.c:1670 kvm_age_hva_handler+0xcc/0xd4
[  800.213535] Modules linked in: vhost_net vhost tap xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm vfat fat iw_cm mlx5_ib ib_core dm_mirror dm_region_hash dm_log dm_mod crc32_ce ipmi_ssif sg nfsd
[  800.284115]  auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c mlx5_core ixgbe mlxfw devlink mdio ahci_platform libahci_platform qcom_emac libahci hdma hdma_mgmt i2c_qup
[  800.300382] CPU: 33 PID: 255 Comm: khugepaged Tainted: G        W       4.14.36+ #6
[  800.308030] Hardware name: <snip for confidential issues>
[  800.318717] task: ffff8017c949c000 task.stack: ffff8017c9498000
[  800.324629] PC is at kvm_age_hva_handler+0xcc/0xd4
[  800.329412] LR is at handle_hva_to_gpa+0xec/0x15c
[  800.334109] pc : [<ffff0000080b4f2c>] lr : [<ffff0000080b4838>] pstate: 20400145
[  800.341496] sp : ffff8017c949b260
[  800.344804] x29: ffff8017c949b260 x28: ffff801663e25008
[  800.350110] x27: 0000000000020000 x26: 00000001fb1a0000
[  800.355416] x25: 0000ffff605b0200 x24: 0000ffff605a0200
[  800.360722] x23: 0000000000000000 x22: 000000000000ffff
[  800.366028] x21: 00000001fb1a0000 x20: ffff8017c085a000
[  800.371334] x19: ffff801663e20008 x18: 0000000000000000
[  800.376641] x17: 0000000000000000 x16: 0000000000000000
[  800.381947] x15: 0000000000000000 x14: 3d646e655f617668
[  800.387254] x13: 2c30303230623530 x12: 36666666663d646e
[  800.392560] x11: 652c303032306135 x10: 3036666666663d74
[  800.397867] x9 : 0000000000003796 x8 : 655f6e66672c3030
[  800.403173] x7 : ffff00000859434c x6 : ffff8017f9c30cb8
[  800.408479] x5 : ffff8017f9c30cb8 x4 : ffff0000080b4e60
[  800.413786] x3 : 0000000000000000 x2 : 0000000000020000
[  800.419092] x1 : 00000001fb1a0000 x0 : 0000000020000000
[  800.424398] Call trace:
[  800.426838] Exception stack(0xffff8017c949b120 to 0xffff8017c949b260)
[  800.433272] b120: 0000000020000000 00000001fb1a0000 0000000000020000 0000000000000000
[  800.441095] b140: ffff0000080b4e60 ffff8017f9c30cb8 ffff8017f9c30cb8 ffff00000859434c
[  800.448918] b160: 655f6e66672c3030 0000000000003796 3036666666663d74 652c303032306135
[  800.456740] b180: 36666666663d646e 2c30303230623530 3d646e655f617668 0000000000000000
[  800.464563] b1a0: 0000000000000000 0000000000000000 0000000000000000 ffff801663e20008
[  800.472385] b1c0: ffff8017c085a000 00000001fb1a0000 000000000000ffff 0000000000000000
[  800.480208] b1e0: 0000ffff605a0200 0000ffff605b0200 00000001fb1a0000 0000000000020000
[  800.488030] b200: ffff801663e25008 ffff8017c949b260 ffff0000080b4838 ffff8017c949b260
[  800.495853] b220: ffff0000080b4f2c 0000000020400145 0000000000000001 ffff8017c949b2a0
[  800.503676] b240: ffffffffffffffff ffff8017c949b260 ffff8017c949b260 ffff0000080b4f2c
[  800.511498] [<ffff0000080b4f2c>] kvm_age_hva_handler+0xcc/0xd4
[  800.517324] [<ffff0000080b4838>] handle_hva_to_gpa+0xec/0x15c
[  800.523063] [<ffff0000080b6c5c>] kvm_age_hva+0x5c/0xcc
[  800.528194] [<ffff0000080a7c3c>] kvm_mmu_notifier_clear_flush_young+0x54/0x90
[  800.535324] [<ffff00000827a0e8>] __mmu_notifier_clear_flush_young+0x6c/0xa8
[  800.542279] [<ffff00000825a644>] page_referenced_one+0x1e0/0x1fc
[  800.548279] [<ffff00000827e8f8>] rmap_walk_ksm+0x124/0x1a0
[  800.553759] [<ffff00000825c974>] rmap_walk+0x94/0x98
[  800.558717] [<ffff00000825ca98>] page_referenced+0x120/0x180
[  800.564369] [<ffff000008228c58>] shrink_active_list+0x218/0x4a4
[  800.570281] [<ffff000008229470>] shrink_node_memcg+0x58c/0x6fc
[  800.576107] [<ffff0000082296c4>] shrink_node+0xe4/0x328
[  800.581325] [<ffff000008229c9c>] do_try_to_free_pages+0xe4/0x3b8
[  800.587324] [<ffff00000822a094>] try_to_free_pages+0x124/0x234
[  800.593150] [<ffff000008216aa0>] __alloc_pages_nodemask+0x564/0xf7c
[  800.599412] [<ffff000008292814>] khugepaged_alloc_page+0x38/0xb8
[  800.605411] [<ffff0000082933bc>] collapse_huge_page+0x74/0xd70
[  800.611238] [<ffff00000829470c>] khugepaged_scan_mm_slot+0x654/0xa98
[  800.617585] [<ffff000008294e0c>] khugepaged+0x2bc/0x49c
[  800.622803] [<ffff0000080ffb70>] kthread+0x124/0x150
[  800.627762] [<ffff0000080849f0>] ret_from_fork+0x10/0x1c
[  800.633066] ---[ end trace 944c130b5252fb01 ]---
-------------------------------------------------------------------------

The root cause might be: we can't guarantee that the parameter start and end
in handle_hva_to_gpa is PAGE_SIZE aligned, let alone hva_start and hva_end.

This bug is introduced by commit 056aad67f836 ("kvm: arm/arm64: Rework gpa
callback handlers")

It fixes the bug by use pfn size converted.

Fixes: 056aad67f836 ("kvm: arm/arm64: Rework gpa callback handlers")

Signed-off-by: jia.he@hxt-semitech.com
Signed-off-by: li.zhang@hxt-semitech.com
---
 virt/kvm/arm/mmu.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
index 7f6a944..9dd7ae4 100644
--- a/virt/kvm/arm/mmu.c
+++ b/virt/kvm/arm/mmu.c
@@ -1744,7 +1744,7 @@ static int handle_hva_to_gpa(struct kvm *kvm,
 	/* we only care about the pages that the guest sees */
 	kvm_for_each_memslot(memslot, slots) {
 		unsigned long hva_start, hva_end;
-		gfn_t gpa;
+		gpa_t gpa, gpa_end;
 
 		hva_start = max(start, memslot->userspace_addr);
 		hva_end = min(end, memslot->userspace_addr +
@@ -1753,7 +1753,9 @@ static int handle_hva_to_gpa(struct kvm *kvm,
 			continue;
 
 		gpa = hva_to_gfn_memslot(hva_start, memslot) << PAGE_SHIFT;
-		ret |= handler(kvm, gpa, (u64)(hva_end - hva_start), data);
+		gpa_end = hva_to_gfn_memslot(hva_end + PAGE_SIZE - 1, memslot)
+							 << PAGE_SHIFT;
+		ret |= handler(kvm, gpa, (u64)(gpa_end - gpa), data);
 	}
 
 	return ret;
@@ -1823,7 +1825,7 @@ static int kvm_age_hva_handler(struct kvm *kvm, gpa_t gpa, u64 size, void *data)
 	pmd_t *pmd;
 	pte_t *pte;
 
-	WARN_ON(size != PAGE_SIZE && size != PMD_SIZE);
+	WARN_ON((size & ~PAGE_MASK) != 0);
 	pmd = stage2_get_pmd(kvm, NULL, gpa);
 	if (!pmd || pmd_none(*pmd))	/* Nothing there */
 		return 0;
@@ -1843,7 +1845,7 @@ static int kvm_test_age_hva_handler(struct kvm *kvm, gpa_t gpa, u64 size, void *
 	pmd_t *pmd;
 	pte_t *pte;
 
-	WARN_ON(size != PAGE_SIZE && size != PMD_SIZE);
+	WARN_ON((size & ~PAGE_MASK) != 0);
 	pmd = stage2_get_pmd(kvm, NULL, gpa);
 	if (!pmd || pmd_none(*pmd))	/* Nothing there */
 		return 0;