ppc: Reparent the interrupt presenter

[PATCH 0/6] ppc: Reparent the interrupt presenter

Greg Kurz posted 6 patches 4 years, 5 months ago

Download series mbox

Failed in applying to current master (apply log)

hw/intc/spapr_xive.c       |   19 ++++---
hw/intc/xics.c             |   30 ++++++++++-
hw/intc/xics_spapr.c       |   21 +++++--
hw/intc/xive.c             |  125 ++++++++++++++++++++++++++++++--------------
hw/ppc/pnv.c               |   28 +++++++++-
hw/ppc/pnv_core.c          |    7 +-
hw/ppc/spapr_cpu_core.c    |    7 --
hw/ppc/spapr_irq.c         |   14 +++++
include/hw/ppc/pnv.h       |    1
include/hw/ppc/spapr_irq.h |    2 +
include/hw/ppc/xics.h      |    4 +
include/hw/ppc/xive.h      |    3 +
include/qom/object.h       |   35 ++++++++++++
qom/object.c               |   30 ++++++++---
14 files changed, 251 insertions(+), 75 deletions(-)

Expand all Fold all

[PATCH 0/6] ppc: Reparent the interrupt presenter

Posted by Greg Kurz 4 years, 5 months ago

The interrupt presenters are currently parented to their associated
VCPU, and we rely on CPU_FOREACH() when we need to perform a specific
task with them. Like exposing their state with 'info pic', or finding
the target VCPU for an interrupt when using the XIVE controller.

We recently realized that the latter could crash QEMU because CPU_FOREACH()
can race with CPU hotplug. This got fixed by checking the presenter pointer
under the CPU was set (commit 627fa61746f7) but this is still fragile. And
we still can crash QEMU with 'info pic' while doing CPU hotplug/unplug:

With XIVE:

Thread 1 "qemu-system-ppc" received signal SIGSEGV, Segmentation fault.
0x00000001003d2848 in xive_tctx_pic_print_info (tctx=0x101ae5280, 
    mon=0x7fffffffe180) at /home/greg/Work/qemu/qemu-spapr/hw/intc/xive.c:526
526         int cpu_index = tctx->cs ? tctx->cs->cpu_index : -1;
(gdb) p tctx
$1 = (XiveTCTX *) 0x101ae5280
(gdb) p tctx->cs
$2 = (CPUState *) 0x2057512020203a5d
(gdb) p tctx->cs->cpu_index
Cannot access memory at address 0x205751202020bead

With XICS:

Thread 1 "qemu-system-ppc" received signal SIGSEGV, Segmentation fault.
0x00000001003cc39c in icp_pic_print_info (icp=0x10244ccf0, mon=0x7fffffffe940)
    at /home/greg/Work/qemu/qemu-spapr/hw/intc/xics.c:47
47          int cpu_index = icp->cs ? icp->cs->cpu_index : -1;
(gdb) p icp
$1 = (ICPState *) 0x10244ccf0
(gdb) p icp->cs
$2 = (CPUState *) 0x524958203220
(gdb) p icp->cs->cpu_index
Cannot access memory at address 0x52495820b670


This series fixes the issue globally by moving the presenter objects under
the interrupt controller and to loop on them with object_child_foreach()
instead of CPU_FOREACH().

It is based on Cédric Le Goater's series:

[v5,0/7] ppc: reset the interrupt presenter from the CPU reset handler

https://patchwork.ozlabs.org/cover/1181522/

--
Greg

---

Greg Kurz (6):
      ppc: Add intc_destroy() handlers to SpaprInterruptController/PnvChip
      xive, xics: Fix reference counting on CPU objects
      ppc: Reparent presenter objects to the interrupt controller object
      qom: Add object_child_foreach_type() helper function
      spapr: Don't use CPU_FOREACH() in 'info pic'
      xive: Don't use CPU_FOREACH() to perform CAM line matching


 hw/intc/spapr_xive.c       |   19 ++++---
 hw/intc/xics.c             |   30 ++++++++++-
 hw/intc/xics_spapr.c       |   21 +++++--
 hw/intc/xive.c             |  125 ++++++++++++++++++++++++++++++--------------
 hw/ppc/pnv.c               |   28 +++++++++-
 hw/ppc/pnv_core.c          |    7 +-
 hw/ppc/spapr_cpu_core.c    |    7 --
 hw/ppc/spapr_irq.c         |   14 +++++
 include/hw/ppc/pnv.h       |    1 
 include/hw/ppc/spapr_irq.h |    2 +
 include/hw/ppc/xics.h      |    4 +
 include/hw/ppc/xive.h      |    3 +
 include/qom/object.h       |   35 ++++++++++++
 qom/object.c               |   30 ++++++++---
 14 files changed, 251 insertions(+), 75 deletions(-)