Re: [PATCH] PCI: designware: add a check of msi_desc in irqchip

From: Cao Zou
Date: Wed Dec 27 2017 - 21:06:59 EST

Hi lorenzo:

 What do you think?

Regards,

czou


On 12/22/2017 05:35 PM, Marc Zyngier wrote:
On 22/12/17 07:38, Cao Zou wrote:

On 12/22/2017 11:04 AM, Cao Zou wrote:

On 12/20/2017 12:20 AM, Lorenzo Pieralisi wrote:
On Mon, Dec 18, 2017 at 10:02:20AM +0800, Cao Zou wrote:
On 12/16/2017 01:20 AM, Marc Zyngier wrote:
On 15/12/17 16:17, Lorenzo Pieralisi wrote:
[+Marc]

On Thu, Dec 14, 2017 at 10:21:23AM +0800, cao.zou@xxxxxxxxxxxxx
wrote:
From: Zou Cao <cao.zou@xxxxxxxxxxxxx>

When PCIE host setup, 32 MSI irq descriptions are created, but its
msi_desc is NULL, msi_desc is bound in MSI irq requested by PCI
device,
normally just part of MSI are used, for others not used MSI irqs,
its
msi_desc is NULL, it is dangerous for MSI irq mask when MSI irq
mask use
the msi_desc to mask irq without checking, normally not used MSI
irqs are
never masked, it looks fine, but in some specified case, such as
kdump,
machine_kexec_mask_interrupts will force to mask these not used
MSI irqs,
than a crash will happen with NULL msi_desc. it is necessary to
add check
of msi_desc in irqchip, if we still bind the msi_desc only in
irqs request
and mask MSI irq by msi_desc.

Add dwc_pci_msi_mask/unmask_irq, so we can get a chance to check the
msi_desc.

here is reproduced crash log in IMX7-SABER board with Intel 1030
PCI,
when running kdump by "echo c > /proc/sysrq-trigger":

sysrq: SysRq : Trigger a crash
Unable to handle kernel NULL pointer dereference at virtual
address 00000000
pgd = 98ee1839
[00000000] *pgd=00000000
Internal error: Oops: 805 [#1] SMP ARM
Modules linked in:
CPU: 0 PID: 1370 Comm: sh Not tainted 4.15.0-rc3-00033-ga638349 #1
Hardware name: Freescale i.MX7 Dual (Device Tree)
PC is at sysrq_handle_crash+0x50/0x98
LR is at sysrq_handle_crash+0x50/0x98
<snip>
Backtrace:
[<c047a15c>] (msi_set_mask_bit) from [<c047a1f0>]
(pci_msi_mask_irq+0x14/0x18)
[<c047a1dc>] (pci_msi_mask_irq) from [<c011142c>]
(machine_crash_shutdown+0xd8/0x190)
[<c0111354>] (machine_crash_shutdown) from [<c01b2924>]
(__crash_kexec+0x5c/0xa0)
[<c01b28c8>] (__crash_kexec) from [<c01b29dc>]
(crash_kexec+0x74/0x80)
[<c01b2968>] (crash_kexec) from [<c010cfa4>] (die+0x220/0x358)
[<c010cd84>] (die) from [<c01169f0>]
(__do_kernel_fault.part.0+0x5c/0x7c)
[<c0116994>] (__do_kernel_fault.part.0) from [<c0116784>]
(do_page_fault+0x2cc/0x37c)
[<c01164b8>] (do_page_fault) from [<c0116970>]
(do_translation_fault+0xb0/0xbc)
[<c01168c0>] (do_translation_fault) from [<c010138c>]
(do_DataAbort+0x3c/0xbc)
[<c0101350>] (do_DataAbort) from [<c010d944>] (__dabt_svc+0x64/0xa0)
Exception stack(0xec08bdf8 to 0xec08be40)
bde0:
00000000 ec08be10
be00: 00000000 00000000 00000000 00000001 00000063 00000000
00000007 ec08a000
be20: 00000000 ec08be5c ec08be48 ec08be48 c04c46b8 c04c46b8
60060013 ffffffff
[<c04c4668>] (sysrq_handle_crash) from [<c04c4900>]
(__handle_sysrq+0xe0/0x254)
[<c04c4820>] (__handle_sysrq) from [<c04c4aec>]
(write_sysrq_trigger+0x78/0x90)
[<c04c4a74>] (write_sysrq_trigger) from [<c029148c>]
(proc_reg_write+0x68/0x90)
[<c0291424>] (proc_reg_write) from [<c0229ef8>]
(__vfs_write+0x34/0x12c)
[<c0229ec4>] (__vfs_write) from [<c022a16c>] (vfs_write+0xa8/0x16c)
[<c022a0c4>] (vfs_write) from [<c022a340>] (SyS_write+0x44/0x90)
[<c022a2fc>] (SyS_write) from [<c0108220>]
(ret_fast_syscall+0x0/0x28)

Signed-off-by: Zou Cao <cao.zou@xxxxxxxxxxxxx>
---
 drivers/pci/dwc/pcie-designware-host.c | 24
++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/drivers/pci/dwc/pcie-designware-host.c
b/drivers/pci/dwc/pcie-designware-host.c
index 81e2157..485c4df 100644
--- a/drivers/pci/dwc/pcie-designware-host.c
+++ b/drivers/pci/dwc/pcie-designware-host.c
@@ -45,12 +45,28 @@ static int dw_pcie_wr_own_conf(struct
pcie_port *pp, int where, int size,
ÂÂÂÂÂ return dw_pcie_write(pci->dbi_base + where, size, val);
 }
+static void dwc_pci_msi_mask_irq(struct irq_data *data)
+{
+ÂÂÂ struct msi_desc *desc = irq_data_get_msi_desc(data);
+
+ÂÂÂ if (desc)
+ÂÂÂÂÂÂÂ pci_msi_mask_irq(data);
+}
+
+static void dwc_pci_msi_unmask_irq(struct irq_data *data)
+{
+ÂÂÂ struct msi_desc *desc = irq_data_get_msi_desc(data);
+
+ÂÂÂ if (desc)
+ÂÂÂÂÂÂÂ pci_msi_unmask_irq(data);
+}
+
 static struct irq_chip dw_msi_irq_chip = {
ÂÂÂÂÂ .name = "PCI-MSI",
-ÂÂÂ .irq_enable = pci_msi_unmask_irq,
-ÂÂÂ .irq_disable = pci_msi_mask_irq,
-ÂÂÂ .irq_mask = pci_msi_mask_irq,
-ÂÂÂ .irq_unmask = pci_msi_unmask_irq,
+ÂÂÂ .irq_enable = dwc_pci_msi_unmask_irq,
+ÂÂÂ .irq_disable = dwc_pci_msi_mask_irq,
+ÂÂÂ .irq_mask = dwc_pci_msi_mask_irq,
+ÂÂÂ .irq_unmask = dwc_pci_msi_unmask_irq,
 };
You have to CC me next time please.

CC'ed Marc since he knows this code ways better than me and will
help us find the right way of fixing it.

I do not think that's a DWC-only problem - I see no reason why this
would not affect other host bridges still relying on
struct msi_controller (that we have to remove from the kernel).

I do not think that this code is an actual fix but a plaster to
paper over the issue - I will have a look into this as soon as
possible to come up with an actual fix.
Yeah, this looks mad. The problem is that this seems to allocate
interrupts upfront, without being bound to an MSI. What could possibly
go wrong? And that's definitely not the only one (pci-tegra.c is one
fine example too).

Until we take msi_controller and co to the backyard, how about the
following:

>From b4aa5d20ee7b716795ac875e180f564fe0f52de6 Mon Sep 17 00:00:00 2001
From: Marc Zyngier <marc.zyngier@xxxxxxx>
Date: Fri, 15 Dec 2017 17:10:14 +0000
Subject: [PATCH] PCI/MSI: Don't try to mask/unmask an MSI that
doesn't have an
 msi_desc

There are a lot of MSI drivers out there that preallocate their
interrupts but not the corresponding MSIs. That's a prettty
naughty behaviour. On a kexec crash, we try to shut down all
the interrupts by calling the disable/mask methods.

On these drivers, pci_msi_mask_irq() is unconditionnaly called,
leading to a crash. You wanted a crash kernel, right?

So let's paper over the issue for the time being by detecting
the NULL msi_desc in msi_set_mask_bit(). Eventually, these drivers
will have to be fixed...

Signed-off-by: Marc Zyngier <marc.zyngier@xxxxxxx>
---
 drivers/pci/msi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c
index e06607167858..a5042cc8f3fc 100644
--- a/drivers/pci/msi.c
+++ b/drivers/pci/msi.c
@@ -227,6 +227,9 @@ static void msi_set_mask_bit(struct irq_data
*data, u32 flag)
 {
ÂÂÂÂÂ struct msi_desc *desc = irq_data_get_msi_desc(data);
+ÂÂÂ if (WARN_ONCE(!desc, "NULL MSI descriptor!"))
+ÂÂÂÂÂÂÂ return;
+
ÂÂÂÂÂ if (desc->msi_attrib.is_msix) {
ÂÂÂÂÂÂÂÂÂ msix_mask_irq(desc, flag);
ÂÂÂÂÂÂÂÂÂ readl(desc->mask_base);ÂÂÂÂÂÂÂ /* Flush write to device */
For "if (WARN_ONCE(!desc, "NULL MSI descriptor!")", it is a good way,
just one problem. how to fix the kexec/kdump? this WARN_ONCE can tell
the pci dirver to fix the MIS bound problem, but in kexec/kdump, it
will force to mask all MSI, it means that there are a lot of WARNINGS
when running kexec/kdump.
There will be one warning as Marc said. Mind testing Marc's patch
and reporting the result on the mailing list please if you want
the issue fixed ?

Thanks,
Lorenzo

Hi Lorenzo:
 Of course it can fix this issue, but warning will be seen in every
time when running kdump


root@nxp-imx7:~# echo c > /proc/sysrandom: crng init done

sys/ sysrq-trigger sysvipc/
root@nxp-imx7:~# echo c > /proc/sysrq-trigger
sysrq: SysRq : Trigger a crash
Unable to handle kernel NULL pointer dereference at virtual address
00000000
pgd = a9470000
[00000000] *pgd=a9474835, *pte=00000000, *ppte=00000000
Internal error: Oops: 817 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 369 Comm: sh Not tainted 4.12.14-yocto-standard+ #98
Hardware name: Freescale i.MX7 Dual (Device Tree)
task: a86e5400 task.stack: a9438000
PC is at sysrq_handle_crash+0x30/0x3c
LR is at sysrq_handle_crash+0x2c/0x3c
pc : [<8059576c>]ÂÂÂ lr : [<80595768>]ÂÂÂ psr: 600e0013
sp : a9439eb8Â ip : a9439eb8Â fp : a9439ecc
r10: 00000000Â r9 : a9438000Â r8 : 00000001
r7 : 00000000Â r6 : 00000063Â r5 : 00000007Â r4 : 00000001
r3 : 00000000Â r2 : a9439ea0Â r1 : ab615434Â r0 : 00000063
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 10c5387d Table: a947006a DAC: 00000051
Process sh (pid: 369, stack limit = 0xa9438210)
Stack: (0xa9439eb8 to 0xa943a000)
9ea0: 8059573c 8106f41c
9ec0: a9439eec a9439ed0 80595968 80595748 00000002 a8451444 a8451400
00000000
9ee0: a9439f04 a9439ef0 80595a78 805958c4 a9439f78 a8451444 a9439f2c
a9439f08
9f00: 802c570c 80595a1c 802c5698 00000000 00000002 001042a8 a9439f78
001042a8
9f20: a9439f44 a9439f30 80268078 802c56a4 a9439f78 a901d6c0 a9439f74
a9439f48
9f40: 80269598 8026805c 80286cac 80286c1c 00000000 00000000 a901d6c0
a901d6c0
9f60: 00000002 001042a8 a9439fa4 a9439f78 8026982c 802694e4 00000000
00000000
9f80: 00000002 001042a8 76f19da8 00000004 80107f68 00000000 00000000
a9439fa8
9fa0: 80107d60 802697ec 00000002 001042a8 00000001 001042a8 00000002
00000000
9fc0: 00000002 001042a8 76f19da8 00000004 00000002 00000002 00000000
00000000
9fe0: 00000444 7e9d4980 76e466f0 76e9e41c 600e0010 00000001 3dbfa0e8
a39746c6
[<8059576c>] (sysrq_handle_crash) from [<80595968>]
(__handle_sysrq+0xb0/0x158)
[<80595968>] (__handle_sysrq) from [<80595a78>]
(write_sysrq_trigger+0x68/0x78)
[<80595a78>] (write_sysrq_trigger) from [<802c570c>]
(proc_reg_write+0x74/0xa4)
[<802c570c>] (proc_reg_write) from [<80268078>] (__vfs_write+0x28/0x48)
[<80268078>] (__vfs_write) from [<80269598>] (vfs_write+0xc0/0x164)
[<80269598>] (vfs_write) from [<8026982c>] (SyS_write+0x4c/0x8c)
[<8026982c>] (SyS_write) from [<80107d60>] (ret_fast_syscall+0x0/0x3c)
Code: e5834000 f57ff04e ebee0bee e3a03000 (e5c34000)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 369 at
/export/disk1T/linux-yocto-4.12/drivers/pci/msi.c:230
msi_set_mask_bit+0x50/0xb0
NULL MSI descriptor!
Modules linked in:
CPU: 0 PID: 369 Comm: sh Not tainted 4.12.14-yocto-standard+ #98
Hardware name: Freescale i.MX7 Dual (Device Tree)
[<80111a50>] (unwind_backtrace) from [<8010c110>] (show_stack+0x20/0x24)
[<8010c110>] (show_stack) from [<804cb3dc>] (dump_stack+0x80/0xa0)
[<804cb3dc>] (dump_stack) from [<8012a2f4>] (__warn+0xe4/0x114)
[<8012a2f4>] (__warn) from [<8012a3f4>] (warn_slowpath_fmt+0x48/0x50)
[<8012a3f4>] (warn_slowpath_fmt) from [<8052f380>]
(msi_set_mask_bit+0x50/0xb0)
[<8052f380>] (msi_set_mask_bit) from [<8052f41c>]
(pci_msi_mask_irq+0x1c/0x20)
[<8052f41c>] (pci_msi_mask_irq) from [<80110224>]
(machine_crash_shutdown+0x108/0x174)
[<80110224>] (machine_crash_shutdown) from [<801a7244>]
(__crash_kexec+0x88/0xac)
[<801a7244>] (__crash_kexec) from [<801a72d0>] (crash_kexec+0x68/0x78)
[<801a72d0>] (crash_kexec) from [<8010c46c>] (die+0x358/0x47c)
[<8010c46c>] (die) from [<8011ccbc>]
(__do_kernel_fault.part.0+0x64/0x1f4)
[<8011ccbc>] (__do_kernel_fault.part.0) from [<80ade250>]
(do_page_fault+0x348/0x3d4)
[<80ade250>] (do_page_fault) from [<801011f8>] (do_DataAbort+0x44/0xc4)
[<801011f8>] (do_DataAbort) from [<80add5b8>] (__dabt_svc+0x58/0x80)
Exception stack(0xa9439e68 to 0xa9439eb0)
9e60:ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ 00000063 ab615434 a9439ea0 00000000 00000001
00000007
9e80: 00000063 00000000 00000001 a9438000 00000000 a9439ecc a9439eb8
a9439eb8
9ea0: 80595768 8059576c 600e0013 ffffffff
[<80add5b8>] (__dabt_svc) from [<8059576c>]
(sysrq_handle_crash+0x30/0x3c)
[<8059576c>] (sysrq_handle_crash) from [<80595968>]
(__handle_sysrq+0xb0/0x158)
[<80595968>] (__handle_sysrq) from [<80595a78>]
(write_sysrq_trigger+0x68/0x78)
[<80595a78>] (write_sysrq_trigger) from [<802c570c>]
(proc_reg_write+0x74/0xa4)
[<802c570c>] (proc_reg_write) from [<80268078>] (__vfs_write+0x28/0x48)
[<80268078>] (__vfs_write) from [<80269598>] (vfs_write+0xc0/0x164)
[<80269598>] (vfs_write) from [<8026982c>] (SyS_write+0x4c/0x8c)
[<8026982c>] (SyS_write) from [<80107d60>] (ret_fast_syscall+0x0/0x3c)
---[ end trace 7a853bb920d02801 ]---
Loading crashdump kernel...
Bye!
Booting Linux on physical CPU 0x0
Linux version 4.12.14-yocto-standard+ (czou@pek-czou-u14) (gcc version
4.7.3 20130226 (prerelease) (crosstool-NG
linaro-1.13.1-4.7-2013.03-20130313 - Linaro GCC 2013.03) ) #98 SMP
PREEMPT Fri Dec 22 10:59:43 CST7
CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
CPU: div instructions available: patching division code
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
OF: fdt: Machine model: Freescale i.MX7 SabreSD Board
OF: fdt: Ignoring memory range 0x80000000 - 0x88000000
Memory policy: Data cache writealloc
OF: reserved mem: failed to allocate memory for node 'linux,cma'
cma: Failed to reserve 320 MiB
percpu: Embedded 17 pages/cpu @8fc75000 s38016 r8192 d23424 u69632
Built 1 zonelists in Zone order, mobility grouping on. Total pages:
64706
Kernel command line: console=ttymxc0,115200 root=/dev/nfs ip=dhcp
nfsroot=128.224.162.234:/var/lib/tftp/nfs/rootfs_imx7wrl10,v3
maxcpus=1 elfcorehdr=0x9cf00000 mem=261120K
PID hash table entries: 1024 (order: 0, 4096 bytes)
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Memory: 241716K/261120K available (10240K kernel code, 778K rwdata,
2388K rodata, 1024K init, 364K bss, 19404K reserved, 0K cma-reserved,
0K highmem)
Virtual kernel memory layout:
 vector : 0xffff0000 - 0xffff1000 ( 4 kB)
 fixmap : 0xffc00000 - 0xfff00000 (3072 kB)
ÂÂÂ vmalloc : 0x90000000 - 0xff800000ÂÂ (1784 MB)
 lowmem : 0x80000000 - 0x8ff00000 ( 255 MB)
ÂÂÂ pkmapÂÂ : 0x7fe00000 - 0x80000000ÂÂ (ÂÂ 2 MB)

Regards,
czou

Hi Marc:
 I have a better way to fix it, just use dynamic allocate the irq_desc
in MSI irq setup,
remove the irq_desc allocate in dw_pcie_host_init, how do you think

patch as follow:
diff --git a/drivers/pci/dwc/pcie-designware-host.c
b/drivers/pci/dwc/pcie-designware-host.c
index 5006d55..0426120 100644
--- a/drivers/pci/dwc/pcie-designware-host.c
+++ b/drivers/pci/dwc/pcie-designware-host.c
@@ -168,8 +168,12 @@ static int assign_irq(int no_irqs, struct msi_desc
*desc, int *pos)
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ goto no_valid_irq;

ÂÂÂÂÂÂÂ irq = irq_find_mapping(pp->irq_domain, pos0);
-ÂÂÂÂÂÂ if (!irq)
-ÂÂÂÂÂÂÂÂÂÂÂÂÂÂ goto no_valid_irq;
+
+ÂÂÂÂÂÂ if (!irq) {
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂ irq = irq_create_mapping(pp->irq_domain, pos0);
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂ if (!irq)
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ goto no_valid_irq;
+ÂÂÂÂÂÂ }

ÂÂÂÂÂÂÂ /*
ÂÂÂÂÂÂÂÂ * irq_create_mapping (called from dw_pcie_host_init) pre-allocates
@@ -408,9 +412,6 @@ int dw_pcie_host_init(struct pcie_port *pp)
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ ret = -ENXIO;
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ goto error;
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ }
-
-ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ for (i = 0; i < MAX_MSI_IRQS; i++)
- irq_create_mapping(pp->irq_domain, i);
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ } else {
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ ret = pp->ops->msi_host_init(pp,
&dw_pcie_msi_chip);
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ if (ret < 0)

That's an option for *this* driver, but I'd rather you help Joao getting
rid of this code altogether. It also ignores all the other drivers which
suffer from the same defect.

Joao, can you please point Cao to your existing patches?

Thanks,

M.