1. Patchew
  2. Xen
  3. View series

[PATCH for-4.22 v2 0/2] xen/arm: handle vGIC vCPU init failures

Mykola Kvach posted 2 patches 3 days, 9 hours ago
Patches applied successfully (tree, apply log)
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/cover.1779840898.git.mykola._5Fkvach@epam.com
docs/misc/arm/device-tree/booting.txt | 9 +++++++++
docs/misc/xen-command-line.pandoc     | 3 +++
xen/arch/arm/vgic-v3.c                | 2 +-
xen/arch/arm/vgic.c                   | 9 +++++++--
4 files changed, 20 insertions(+), 3 deletions(-)
[PATCH for-4.22 v2 0/2] xen/arm: handle vGIC vCPU init failures
Posted by Mykola Kvach 3 days, 9 hours ago 
From: Mykola Kvach <mykola_kvach@epam.com>

This series fixes two related GICv3 host-layout issues exposed when a
boot-time domain requests more vCPUs than the guest-visible
redistributor MMIO regions can cover.

For domains using the host memory layout, Xen exposes GICv3
redistributor MMIO regions based on the host layout. Each vCPU needs a
virtual redistributor frame covered by one of those regions. On FVP with
a 2 MiB redistributor region, only 16 128 KiB guest redistributor frames
are covered; a request for 64 vCPUs leaves vCPU16 and above without a
corresponding redistributor frame.

The vGICv3 per-vCPU init path detects this and rejects the first
uncovered vCPU, but the generic vGIC init path ignored that error. As a
result, vcpu_create() could succeed with invalid per-vCPU vGIC state, and
the guest could observe more possible CPUs than Xen can back with
emulated redistributors.

There was also an off-by-one in the host-layout redistributor region
count when all hardware regions had been consumed. That could make Xen
describe a guest-visible GICR MMIO region beyond the populated
redistributor region list. A guest access to that exposed window would
then fail to match any emulated redistributor frame.

Patch 1 fixes the vCPU creation path by propagating per-vCPU vGIC init
failures, and also fixes the related host-layout redistributor region
count so Xen does not expose an unbacked GICR window.

Patch 2 documents the resulting Arm GICv3 host-layout constraint for
boot-time domains and keeps dom0_max_vcpus documentation generic.

Changes in v2:
- use min(i + 1U, vgic_v3_hw.nr_rdist_regions) for the host-layout
  redistributor region count.
- keep the trailing blank line at the end of xen/arch/arm/vgic.c.
- move the detailed GICv3 host-layout documentation from dom0_max_vcpus
  to the Arm device-tree booting documentation.
- add Michal's Reviewed-by tag to patch 1.

Mykola Kvach (2):
  xen/arm: propagate vGIC vCPU init failures
  docs/arm: Document GICv3 vCPU limit for host-layout domains

 docs/misc/arm/device-tree/booting.txt | 9 +++++++++
 docs/misc/xen-command-line.pandoc     | 3 +++
 xen/arch/arm/vgic-v3.c                | 2 +-
 xen/arch/arm/vgic.c                   | 9 +++++++--
 4 files changed, 20 insertions(+), 3 deletions(-)

-- 
2.43.0

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.