| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251209165019.2643142-2-mhonap@nvidia.com>
Date: Tue, 9 Dec 2025 22:20:05 +0530
From: <mhonap@...dia.com>
To: <aniketa@...dia.com>, <ankita@...dia.com>, <alwilliamson@...dia.com>,
<vsethi@...dia.com>, <jgg@...dia.com>, <mochs@...dia.com>,
<skolothumtho@...dia.com>, <alejandro.lucero-palau@....com>,
<dave@...olabs.net>, <jonathan.cameron@...wei.com>, <dave.jiang@...el.com>,
<alison.schofield@...el.com>, <vishal.l.verma@...el.com>,
<ira.weiny@...el.com>, <dan.j.williams@...el.com>, <jgg@...pe.ca>,
<yishaih@...dia.com>, <kevin.tian@...el.com>
CC: <cjia@...dia.com>, <kwankhede@...dia.com>, <targupta@...dia.com>,
<zhiw@...dia.com>, <kjaju@...dia.com>, <linux-kernel@...r.kernel.org>,
<linux-cxl@...r.kernel.org>, <kvm@...r.kernel.org>, <mhonap@...dia.com>, "Li
Ming" <ming.li@...omail.com>
Subject: [RFC v2 01/15] cxl: factor out cxl_await_range_active() and cxl_media_ready()
From: Zhi Wang <zhiw@...dia.com>
Before accessing the CXL device memory after reset/power-on, the driver
needs to ensure the device memory media is ready.
However, not every CXL device implements the CXL memory device register
groups. E.g. a CXL type-2 device. Thus calling cxl_await_media_ready()
on these device will lead to a kernel panic. This problem was found when
testing the emulated CXL type-2 device without a CXL memory device
register.
[ 97.662720] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 97.663963] #PF: supervisor read access in kernel mode
[ 97.664860] #PF: error_code(0x0000) - not-present page
[ 97.665753] PGD 0 P4D 0
[ 97.666198] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 97.667053] CPU: 8 UID: 0 PID: 7340 Comm: qemu-system-x86 Tainted: G E 6.11.0-rc2+ #52
[ 97.668656] Tainted: [E]=UNSIGNED_MODULE
[ 97.669340] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 97.671243] RIP: 0010:cxl_await_media_ready+0x1ac/0x1d0
[ 97.672157] Code: e9 03 ff ff ff 0f b7 1d d6 80 31 01 48 8b 7d b8 89 da 48 c7 c6 60 52 c6 b0 e8 00 46 f6 ff e9 27 ff ff ff 49 8b 86 a0 00 00 00 <48> 8b 00 83 e0 0c 48 83 f8 04 0f 94 c0 0f b6 c0 8d 44 80 fb e9 0c
[ 97.675391] RSP: 0018:ffffb5bac7627c20 EFLAGS: 00010246
[ 97.676298] RAX: 0000000000000000 RBX: 000000000000003c RCX: 0000000000000000
[ 97.677527] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 97.678733] RBP: ffffb5bac7627c70 R08: 0000000000000000 R09: 0000000000000000
[ 97.679951] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 97.681144] R13: ffff9ef9028a8000 R14: ffff9ef90c1d1a28 R15: 0000000000000000
[ 97.682370] FS: 00007386aa4f3d40(0000) GS:ffff9efa77200000(0000) knlGS:0000000000000000
[ 97.683721] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 97.684703] CR2: 0000000000000000 CR3: 0000000169a14003 CR4: 0000000000770ef0
[ 97.685909] PKRU: 55555554
[ 97.686397] Call Trace:
[ 97.686819] <TASK>
[ 97.687243] ? show_regs+0x6c/0x80
[ 97.687840] ? __die+0x24/0x80
[ 97.688391] ? page_fault_oops+0x155/0x570
[ 97.689090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.689973] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.690848] ? __vunmap_range_noflush+0x420/0x4e0
[ 97.691700] ? do_user_addr_fault+0x4b2/0x870
[ 97.692606] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.693502] ? exc_page_fault+0x82/0x1b0
[ 97.694200] ? asm_exc_page_fault+0x27/0x30
[ 97.694975] ? cxl_await_media_ready+0x1ac/0x1d0
[ 97.695816] vfio_cxl_core_enable+0x386/0x800 [vfio_cxl_core]
[ 97.696829] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.697685] cxl_open_device+0xa6/0xd0 [cxl_accel_vfio_pci]
[ 97.698673] vfio_df_open+0xcb/0xf0
[ 97.699313] vfio_group_fops_unl_ioctl+0x294/0x720
[ 97.700149] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.701011] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.701858] __x64_sys_ioctl+0xa3/0xf0
[ 97.702536] x64_sys_call+0x11ad/0x25f0
[ 97.703214] do_syscall_64+0x7e/0x170
[ 97.703878] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.704726] ? do_syscall_64+0x8a/0x170
[ 97.705425] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.706282] ? kvm_device_ioctl+0xae/0x130 [kvm]
[ 97.707135] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.708001] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.708853] ? syscall_exit_to_user_mode+0x4e/0x250
[ 97.709724] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.710609] ? do_syscall_64+0x8a/0x170
[ 97.711300] ? srso_alias_return_thunk+0x5/0xfbef5
[ 97.712132] ? exc_page_fault+0x93/0x1b0
[ 97.712839] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 97.713735] RIP: 0033:0x7386ab124ded
[ 97.714382] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[ 97.717664] RSP: 002b:00007ffcda2a6480 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 97.718965] RAX: ffffffffffffffda RBX: 00006293226d9f20 RCX: 00007386ab124ded
[ 97.720222] RDX: 00006293226db730 RSI: 0000000000003b6a RDI: 0000000000000009
[ 97.721522] RBP: 00007ffcda2a64d0 R08: 00006293214e9010 R09: 0000000000000007
[ 97.722858] R10: 00006293226db730 R11: 0000000000000246 R12: 00006293226e0880
[ 97.724193] R13: 00006293226db730 R14: 00007ffcda2a7740 R15: 00006293226d94f0
[ 97.725491] </TASK>
[ 97.725883] Modules linked in: cxl_accel_vfio_pci(E) vfio_cxl_core(E) vfio_pci_core(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_seq_device(E) snd_timer(E) snd(E) soundcore(E) qrtr(E) intel_rapl_msr(E) intel_rapl_common(E) kvm_amd(E) ccp(E) binfmt_misc(E) kvm(E) crct10dif_pclmul(E) crc32_pclmul(E) polyval_clmulni(E) polyval_generic(E) ghash_clmulni_intel(E) sha256_ssse3(E) sha1_ssse3(E) aesni_intel(E) i2c_i801(E) crypto_simd(E) cryptd(E) i2c_smbus(E) lpc_ich(E) joydev(E) input_leds(E) mac_hid(E) serio_raw(E) msr(E) parport_pc(E) ppdev(E) lp(E) parport(E) efi_pstore(E) dmi_sysfs(E) qemu_fw_cfg(E) autofs4(E) bochs(E) e1000e(E) drm_vram_helper(E) psmouse(E) drm_ttm_helper(E) ahci(E) ttm(E) libahci(E)
[ 97.736690] CR2: 0000000000000000
[ 97.737285] ---[ end trace 0000000000000000 ]---
Factor out cxl_await_range_active() and cxl_media_ready(). Type-3 device
should call both for ensuring media ready while type-2 device should only
call cxl_await_range_active().
Cc: Dave Jiang <dave.jiang@...el.com>
Cc: Li Ming <ming.li@...omail.com>
Suggested-by: Dan Williams <dan.j.williams@...el.com>
Reviewed-by: Li Ming <ming.li@...omail.com>
Signed-off-by: Zhi Wang <zhiw@...dia.com>
Signed-off-by: Manish Honap <mhonap@...dia.com>
---
drivers/cxl/core/pci.c | 18 +++++++++++-------
drivers/cxl/core/pci_drv.c | 3 +--
drivers/cxl/cxlmem.h | 3 ++-
include/cxl/cxl.h | 1 +
tools/testing/cxl/Kbuild | 3 ++-
tools/testing/cxl/test/mock.c | 21 ++++++++++++++++++---
6 files changed, 35 insertions(+), 14 deletions(-)
diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c
index 90a0763e72c4..a0cda2a8fdba 100644
--- a/drivers/cxl/core/pci.c
+++ b/drivers/cxl/core/pci.c
@@ -225,12 +225,11 @@ static int cxl_dvsec_mem_range_active(struct cxl_dev_state *cxlds, int id)
* Wait up to @media_ready_timeout for the device to report memory
* active.
*/
-int cxl_await_media_ready(struct cxl_dev_state *cxlds)
+int cxl_await_range_active(struct cxl_dev_state *cxlds)
{
struct pci_dev *pdev = to_pci_dev(cxlds->dev);
int d = cxlds->cxl_dvsec;
int rc, i, hdm_count;
- u64 md_status;
u16 cap;
rc = pci_read_config_word(pdev,
@@ -251,13 +250,18 @@ int cxl_await_media_ready(struct cxl_dev_state *cxlds)
return rc;
}
- md_status = readq(cxlds->regs.memdev + CXLMDEV_STATUS_OFFSET);
- if (!CXLMDEV_READY(md_status))
- return -EIO;
-
return 0;
}
-EXPORT_SYMBOL_NS_GPL(cxl_await_media_ready, "CXL");
+EXPORT_SYMBOL_NS_GPL(cxl_await_range_active, "CXL");
+
+int cxl_media_ready(struct cxl_dev_state *cxlds)
+{
+ u64 md_status;
+
+ md_status = readq(cxlds->regs.memdev + CXLMDEV_STATUS_OFFSET);
+ return CXLMDEV_READY(md_status) ? 0 : -EIO;
+}
+EXPORT_SYMBOL_NS_GPL(cxl_media_ready, "CXL");
static int cxl_set_mem_enable(struct cxl_dev_state *cxlds, u16 val)
{
diff --git a/drivers/cxl/core/pci_drv.c b/drivers/cxl/core/pci_drv.c
index 4c767e2471b8..6e519b197f0d 100644
--- a/drivers/cxl/core/pci_drv.c
+++ b/drivers/cxl/core/pci_drv.c
@@ -899,8 +899,7 @@ static int cxl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
if (rc)
return rc;
- rc = cxl_await_media_ready(cxlds);
- if (rc == 0)
+ if (!cxl_await_range_active(cxlds) && !cxl_media_ready(cxlds))
cxlds->media_ready = true;
else
dev_warn(&pdev->dev, "Media not active (%d)\n", rc);
diff --git a/drivers/cxl/cxlmem.h b/drivers/cxl/cxlmem.h
index 918784edd23c..62ace404d681 100644
--- a/drivers/cxl/cxlmem.h
+++ b/drivers/cxl/cxlmem.h
@@ -767,7 +767,8 @@ enum {
int cxl_internal_send_cmd(struct cxl_mailbox *cxl_mbox,
struct cxl_mbox_cmd *cmd);
int cxl_dev_state_identify(struct cxl_memdev_state *mds);
-int cxl_await_media_ready(struct cxl_dev_state *cxlds);
+int cxl_await_range_active(struct cxl_dev_state *cxlds);
+int cxl_media_ready(struct cxl_dev_state *cxlds);
int cxl_enumerate_cmds(struct cxl_memdev_state *mds);
int cxl_mem_dpa_fetch(struct cxl_memdev_state *mds, struct cxl_dpa_info *info);
struct cxl_memdev_state *cxl_memdev_state_create(struct device *dev, u64 serial,
diff --git a/include/cxl/cxl.h b/include/cxl/cxl.h
index e5d1e5a20e06..f18194b9e3e2 100644
--- a/include/cxl/cxl.h
+++ b/include/cxl/cxl.h
@@ -262,6 +262,7 @@ int cxl_map_component_regs(const struct cxl_register_map *map,
struct cxl_component_regs *regs,
unsigned long map_mask);
int cxl_set_capacity(struct cxl_dev_state *cxlds, u64 capacity);
+int cxl_await_range_active(struct cxl_dev_state *cxlds);
struct cxl_memdev *devm_cxl_add_memdev(struct device *host,
struct cxl_dev_state *cxlds,
const struct cxl_memdev_ops *ops);
diff --git a/tools/testing/cxl/Kbuild b/tools/testing/cxl/Kbuild
index d422c81cefa3..4b05b21083ad 100644
--- a/tools/testing/cxl/Kbuild
+++ b/tools/testing/cxl/Kbuild
@@ -5,7 +5,8 @@ ldflags-y += --wrap=acpi_evaluate_integer
ldflags-y += --wrap=acpi_pci_find_root
ldflags-y += --wrap=nvdimm_bus_register
ldflags-y += --wrap=devm_cxl_port_enumerate_dports
-ldflags-y += --wrap=cxl_await_media_ready
+ldflags-y += --wrap=cxl_await_range_active
+ldflags-y += --wrap=cxl_media_ready
ldflags-y += --wrap=devm_cxl_add_rch_dport
ldflags-y += --wrap=cxl_endpoint_parse_cdat
ldflags-y += --wrap=cxl_dport_init_ras_reporting
diff --git a/tools/testing/cxl/test/mock.c b/tools/testing/cxl/test/mock.c
index 92fd5c69bef3..4f1f65e50e87 100644
--- a/tools/testing/cxl/test/mock.c
+++ b/tools/testing/cxl/test/mock.c
@@ -187,7 +187,7 @@ int __wrap_devm_cxl_port_enumerate_dports(struct cxl_port *port)
}
EXPORT_SYMBOL_NS_GPL(__wrap_devm_cxl_port_enumerate_dports, "CXL");
-int __wrap_cxl_await_media_ready(struct cxl_dev_state *cxlds)
+int __wrap_cxl_await_range_active(struct cxl_dev_state *cxlds)
{
int rc, index;
struct cxl_mock_ops *ops = get_cxl_mock_ops(&index);
@@ -195,12 +195,27 @@ int __wrap_cxl_await_media_ready(struct cxl_dev_state *cxlds)
if (ops && ops->is_mock_dev(cxlds->dev))
rc = 0;
else
- rc = cxl_await_media_ready(cxlds);
+ rc = cxl_await_range_active(cxlds);
put_cxl_mock_ops(index);
return rc;
}
-EXPORT_SYMBOL_NS_GPL(__wrap_cxl_await_media_ready, "CXL");
+EXPORT_SYMBOL_NS_GPL(__wrap_cxl_await_range_active, "CXL");
+
+int __wrap_cxl_media_ready(struct cxl_dev_state *cxlds)
+{
+ int rc, index;
+ struct cxl_mock_ops *ops = get_cxl_mock_ops(&index);
+
+ if (ops && ops->is_mock_dev(cxlds->dev))
+ rc = 0;
+ else
+ rc = cxl_media_ready(cxlds);
+ put_cxl_mock_ops(index);
+
+ return rc;
+}
+EXPORT_SYMBOL_NS_GPL(__wrap_cxl_media_ready, "CXL");
struct cxl_dport *__wrap_devm_cxl_add_rch_dport(struct cxl_port *port,
struct device *dport_dev,
--
2.25.1
Powered by blists - more mailing lists