From patchwork Wed Jun  7 17:11:49 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Christoffer Dall <cdall@linaro.org>
X-Patchwork-Id: 9772049
Return-Path: 
 <linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	956DD6034B for <patchwork-linux-arm@patchwork.kernel.org>;
	Wed,  7 Jun 2017 17:13:04 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4704626785
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Wed,  7 Jun 2017 17:13:04 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 3B90B28451; Wed,  7 Jun 2017 17:13:04 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID autolearn=unavailable version=3.3.1
Received: from bombadil.infradead.org (bombadil.infradead.org
	[65.50.211.133])
	(using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id AD90626785
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Wed,  7 Jun 2017 17:13:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
	List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:References:
	In-Reply-To:Message-Id:Date:Subject:To:From:Reply-To:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:List-Owner;
	bh=uUmPjLTuyskmyTvr5Fm4VuklYG+3OLdKVL4Eqtg+MmQ=;
	b=fhj9F6Pg80VpMyxRNHAtS14hvv
	urI31+peTwNtvh+qZXXx1wMPgVnxuZw7X+K1MPZa9tDHrj66ziyyKfHELFwa8brIeXafsMA144tTF
	UfRd3nH/f7JaFCST1nEn2/zKmRQZ++6i5Q5W2NvB9lt9Hl4d4zOzx7ldcH/v3myZWVB31zGMJsVk2
	XsIcT6f3deA1V7mVG/1tB2G//DncZ+DsIltvAasY8jVYHkZSqZoPdkdUdEzmkSoeVJ2Y+mXQrUId5
	yzQED7LyNfmsxTt2ZUUJPf57o16f9s2hZLudEtFt1pOaEDBoSt9nW8/yFBkfka8eXUubQo3peFW1X
	6YfgtsqQ==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux))
	id 1dIeVy-00057S-09; Wed, 07 Jun 2017 17:13:02 +0000
Received: from mail-wm0-x22f.google.com ([2a00:1450:400c:c09::22f])
	by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux))
	id 1dIeVT-0004pO-54 for linux-arm-kernel@lists.infradead.org;
	Wed, 07 Jun 2017 17:12:33 +0000
Received: by mail-wm0-x22f.google.com with SMTP id 7so122726094wmo.1
	for <linux-arm-kernel@lists.infradead.org>;
	Wed, 07 Jun 2017 10:12:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=S5X4aVMVwKwyxCJ1P/KCFfH7YvSJsKAmtf5ebjhgSb8=;
	b=YAe9b5a6BXC8S5jpR0wtvu8n9dWAh/8kLpCzwuLboDF0Co1Wt6mcIjuBQ3tGv9S07F
	uv3S6XJ2njVhutKQHtm00CXM2kmLPSm+4qiPajnbgQ/gioImsj0vWPRUp3aD8sTS7K6N
	xpRtaBY+SsH81EO0zb4m4LePH3FLkSJrGGQtU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=S5X4aVMVwKwyxCJ1P/KCFfH7YvSJsKAmtf5ebjhgSb8=;
	b=VNzqtMakEMVWUIp3lirOdhA3knsrwXmFLaF5ujV36FT8xRPpgkvwfoQnj2S1u7vS5s
	3ly/OkDN8HZWHzyY8D4oyw/ov2UaLwaK4VsEbMwus1oftjlol+w2sUvrlJfpb9zysxVi
	kpCgZP81eZobcyEsokVc3zADd9lDrrASUOuXF1R9ln4Ajkwh6CNwmt3hwZYK0WjN983W
	xjbhgFz6pENv9MYhvRh5NLSH/IVNAJo54ipOH9fp0I3dtfhQJUTtSGH7QZn4RiI69Ll6
	EpaVigz8Il6GOrMUBOZ9j4JGCPJ7iYA+Zj17ptCrg6Lo97Lew2XaewafzYuNKw4zG5KN
	0grw==
X-Gm-Message-State: AODbwcBbRBPquq9jsxspgfPZsbcSRmjG4TzZ6wQefzsXtZYnphDRWQNn
	ZapxZx6Ny0w+ddkaOebNhQ==
X-Received: by 10.80.151.131 with SMTP id e3mr25588068edb.61.1496855529274;
	Wed, 07 Jun 2017 10:12:09 -0700 (PDT)
Received: from localhost.localdomain (xd93ddc2d.cust.hiper.dk.
	[217.61.220.45]) by smtp.gmail.com with ESMTPSA id
	c2sm966244edc.34.2017.06.07.10.12.08
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 07 Jun 2017 10:12:08 -0700 (PDT)
From: Christoffer Dall <cdall@linaro.org>
To: Paolo Bonzini <pbonzini@redhat.com>,
	=?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
Subject: [PULL v2 3/6] KVM: arm/arm64: Handle possible NULL stage2 pud when
	ageing pages
Date: Wed,  7 Jun 2017 19:11:49 +0200
Message-Id: <20170607171152.21874-4-cdall@linaro.org>
X-Mailer: git-send-email 2.9.0
In-Reply-To: <20170607171152.21874-1-cdall@linaro.org>
References: <20170607171152.21874-1-cdall@linaro.org>
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20170607_101231_351885_0AB1DA03 
X-CRM114-Status: GOOD (  12.66  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Cc: Christoffer Dall <cdall@linaro.org>, kvm@vger.kernel.org,
	Marc Zyngier <marc.zyngier@arm.com>, stable@vger.kernel.org,
	kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org
MIME-Version: 1.0
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Marc Zyngier <marc.zyngier@arm.com>

Under memory pressure, we start ageing pages, which amounts to parsing
the page tables. Since we don't want to allocate any extra level,
we pass NULL for our private allocation cache. Which means that
stage2_get_pud() is allowed to fail. This results in the following
splat:

[ 1520.409577] Unable to handle kernel NULL pointer dereference at virtual address 00000008
[ 1520.417741] pgd = ffff810f52fef000
[ 1520.421201] [00000008] *pgd=0000010f636c5003, *pud=0000010f56f48003, *pmd=0000000000000000
[ 1520.429546] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[ 1520.435156] Modules linked in:
[ 1520.438246] CPU: 15 PID: 53550 Comm: qemu-system-aar Tainted: G        W       4.12.0-rc4-00027-g1885c397eaec #7205
[ 1520.448705] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB12A 10/26/2016
[ 1520.463726] task: ffff800ac5fb4e00 task.stack: ffff800ce04e0000
[ 1520.469666] PC is at stage2_get_pmd+0x34/0x110
[ 1520.474119] LR is at kvm_age_hva_handler+0x44/0xf0
[ 1520.478917] pc : [<ffff0000080b137c>] lr : [<ffff0000080b149c>] pstate: 40000145
[ 1520.486325] sp : ffff800ce04e33d0
[ 1520.489644] x29: ffff800ce04e33d0 x28: 0000000ffff40064
[ 1520.494967] x27: 0000ffff27e00000 x26: 0000000000000000
[ 1520.500289] x25: ffff81051ba65008 x24: 0000ffff40065000
[ 1520.505618] x23: 0000ffff40064000 x22: 0000000000000000
[ 1520.510947] x21: ffff810f52b20000 x20: 0000000000000000
[ 1520.516274] x19: 0000000058264000 x18: 0000000000000000
[ 1520.521603] x17: 0000ffffa6fe7438 x16: ffff000008278b70
[ 1520.526940] x15: 000028ccd8000000 x14: 0000000000000008
[ 1520.532264] x13: ffff7e0018298000 x12: 0000000000000002
[ 1520.537582] x11: ffff000009241b93 x10: 0000000000000940
[ 1520.542908] x9 : ffff0000092ef800 x8 : 0000000000000200
[ 1520.548229] x7 : ffff800ce04e36a8 x6 : 0000000000000000
[ 1520.553552] x5 : 0000000000000001 x4 : 0000000000000000
[ 1520.558873] x3 : 0000000000000000 x2 : 0000000000000008
[ 1520.571696] x1 : ffff000008fd5000 x0 : ffff0000080b149c
[ 1520.577039] Process qemu-system-aar (pid: 53550, stack limit = 0xffff800ce04e0000)
[...]
[ 1521.510735] [<ffff0000080b137c>] stage2_get_pmd+0x34/0x110
[ 1521.516221] [<ffff0000080b149c>] kvm_age_hva_handler+0x44/0xf0
[ 1521.522054] [<ffff0000080b0610>] handle_hva_to_gpa+0xb8/0xe8
[ 1521.527716] [<ffff0000080b3434>] kvm_age_hva+0x44/0xf0
[ 1521.532854] [<ffff0000080a58b0>] kvm_mmu_notifier_clear_flush_young+0x70/0xc0
[ 1521.539992] [<ffff000008238378>] __mmu_notifier_clear_flush_young+0x88/0xd0
[ 1521.546958] [<ffff00000821eca0>] page_referenced_one+0xf0/0x188
[ 1521.552881] [<ffff00000821f36c>] rmap_walk_anon+0xec/0x250
[ 1521.558370] [<ffff000008220f78>] rmap_walk+0x78/0xa0
[ 1521.563337] [<ffff000008221104>] page_referenced+0x164/0x180
[ 1521.569002] [<ffff0000081f1af0>] shrink_active_list+0x178/0x3b8
[ 1521.574922] [<ffff0000081f2058>] shrink_node_memcg+0x328/0x600
[ 1521.580758] [<ffff0000081f23f4>] shrink_node+0xc4/0x328
[ 1521.585986] [<ffff0000081f2718>] do_try_to_free_pages+0xc0/0x340
[ 1521.592000] [<ffff0000081f2a64>] try_to_free_pages+0xcc/0x240
[...]

The trivial fix is to handle this NULL pud value early, rather than
dereferencing it blindly.

Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Christoffer Dall <cdall@linaro.org>
Signed-off-by: Christoffer Dall <cdall@linaro.org>
---
 virt/kvm/arm/mmu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
index a2d6324..e2e5eff 100644
--- a/virt/kvm/arm/mmu.c
+++ b/virt/kvm/arm/mmu.c
@@ -879,6 +879,9 @@ static pmd_t *stage2_get_pmd(struct kvm *kvm, struct kvm_mmu_memory_cache *cache
 	pmd_t *pmd;
 
 	pud = stage2_get_pud(kvm, cache, addr);
+	if (!pud)
+		return NULL;
+
 	if (stage2_pud_none(*pud)) {
 		if (!cache)
 			return NULL;