Re: [PATCH v2] powerpc: drmem: avoid NULL pointer dereference when drmem is unavailable

2020-03-05 Thread Michael Ellerman
On Fri, 2020-01-31 at 13:28:29 UTC, Michal Suchanek wrote:
> 
> From: Libor Pechacek 
> 
> In guests without hotpluggable memory drmem structure is only zero
> initialized. Trying to manipulate DLPAR parameters results in a crash.
> 
> $ echo "memory add count 1" > /sys/kernel/dlpar
> Oops: Kernel access of bad area, sig: 11 [#1]
> LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
> Modules linked in: af_packet(E) rfkill(E) nvram(E) vmx_crypto(E)
> gf128mul(E) e1000(E) virtio_balloon(E) rtc_generic(E) crct10dif_vpmsum(E)
> btrfs(E) blake2b_generic(E) libcrc32c(E) xor(E) raid6_pq(E) virtio_rng(E)
> virtio_blk(E) ohci_pci(E) ehci_pci(E) ohci_hcd(E) ehci_hcd(E)
> crc32c_vpmsum(E) usbcore(E) virtio_pci(E) virtio_ring(E) virtio(E) sg(E)
> dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E)
> scsi_mod(E)
> CPU: 1 PID: 4114 Comm: bash Kdump: loaded Tainted: GE 
> 5.5.0-rc6-2-default #1
> NIP:  c00ff294 LR: c00ff248 CTR: 
> REGS: c000fb9d3880 TRAP: 0300   Tainted: GE  
> (5.5.0-rc6-2-default)
> MSR:  80009033   CR: 28242428  XER: 2000
> CFAR: c09a6c10 DAR: 0010 DSISR: 4000 IRQMASK: 0
> GPR00: c00ff248 c000fb9d3b10 c1682e00 0033
> GPR04: c000ff30bf90 c000ff394800 5110 ffe8
> GPR08:   fe1c 
> GPR12: 2200 c0003fffee00  00011cbc37c0
> GPR16: 00011cb27ed0  00011cb6dd10 
> GPR20: 00011cb7db28 01003ce035f0 00011cbc7828 00011cbc6c70
> GPR24: 01003cf01210  c000ffade4e0 c2d7216b
> GPR28: 0001 c2d78560  c15458d0
> NIP [c00ff294] dlpar_memory+0x6e4/0xd00
> LR [c00ff248] dlpar_memory+0x698/0xd00
> Call Trace:
> [c000fb9d3b10] [c00ff248] dlpar_memory+0x698/0xd00 (unreliable)
> [c000fb9d3ba0] [c00f5990] handle_dlpar_errorlog+0xc0/0x190
> [c000fb9d3c10] [c00f5c58] dlpar_store+0x198/0x4a0
> [c000fb9d3cd0] [c0c4cb00] kobj_attr_store+0x30/0x50
> [c000fb9d3cf0] [c05a37b4] sysfs_kf_write+0x64/0x90
> [c000fb9d3d10] [c05a2c90] kernfs_fop_write+0x1b0/0x290
> [c000fb9d3d60] [c04a2bec] __vfs_write+0x3c/0x70
> [c000fb9d3d80] [c04a6560] vfs_write+0xd0/0x260
> [c000fb9d3dd0] [c04a69ac] ksys_write+0xdc/0x130
> [c000fb9d3e20] [c000b478] system_call+0x5c/0x68
> Instruction dump:
> ebc9 1ce70018 38e7ffe8 7cfe3a14 7fbe3840 419dff14 fb610068 7fc9f378
> 3900 480c 6000 4195fef4 <81490010> 39290018 38c80001 7ea93840
> ---[ end trace cc2dd8152608c295 ]---
> 
> Taking a closer look at the code, I can see that for_each_drmem_lmb is a
> macro expanding into `for (lmb = &drmem_info->lmbs[0]; lmb <=
> &drmem_info->lmbs[drmem_info->n_lmbs - 1]; lmb++)`. When drmem_info->lmbs
> is NULL, the loop would iterate through the whole address range if it
> weren't stopped by the NULL pointer dereference on the next line.
> 
> This patch aligns for_each_drmem_lmb and for_each_drmem_lmb_in_range macro
> behavior with the common C semantics, where the end marker does not belong
> to the scanned range, and alters get_lmb_range() semantics. As a side
> effect, the wraparound observed in the crash is prevented.
> 
> Fixes: 6c6ea53725b3 ("powerpc/mm: Separate ibm, dynamic-memory data from DT format")
> Cc: Michal Suchanek 
> Cc: sta...@vger.kernel.org
> Signed-off-by: Libor Pechacek 
> Signed-off-by: Michal Suchanek 

Applied to powerpc next, thanks.

https://git.kernel.org/powerpc/c/a83836dbc53e96f13fec248ecc201d18e1e3111d

cheers
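
A user-space model of the loop-bound problem described in the quoted commit message, added here as an illustration; it is not code from the patch or from the kernel. The struct layout, the `int` element count, and all function names are assumptions; addresses are handled as integers so nothing invalid is ever dereferenced.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an LMB entry; only its size matters here. */
struct lmb { uint64_t base_addr; uint32_t drc_index, aa_index, flags; };

/* Addresses are kept as integers so the model never forms or
 * dereferences an invalid pointer. n_lmbs is assumed to be signed. */
struct drmem_model { uintptr_t lmbs; int n_lmbs; };

static struct lmb pool[4];  /* constructed sample data */

static struct drmem_model model_empty(void)     { return (struct drmem_model){ 0, 0 }; }
static struct drmem_model model_populated(void) { return (struct drmem_model){ (uintptr_t)pool, 4 }; }

/* Old bound: address of the last element, &lmbs[n_lmbs - 1], inclusive. */
static uintptr_t old_last(struct drmem_model d)
{
    return d.lmbs + (uintptr_t)((intptr_t)(d.n_lmbs - 1) * (intptr_t)sizeof(struct lmb));
}

/* Number of loop bodies that would run with "lmb <= last", capped. */
static unsigned long walk_inclusive(struct drmem_model d, unsigned long cap)
{
    unsigned long n = 0;
    for (uintptr_t p = d.lmbs; p <= old_last(d) && n < cap; p += sizeof(struct lmb))
        n++;
    return n;
}

/* Same walk with an exclusive limit, &lmbs[n_lmbs], and "lmb < limit". */
static unsigned long walk_exclusive(struct drmem_model d, unsigned long cap)
{
    uintptr_t limit = d.lmbs + (uintptr_t)d.n_lmbs * sizeof(struct lmb);
    unsigned long n = 0;
    for (uintptr_t p = d.lmbs; p < limit && n < cap; p += sizeof(struct lmb))
        n++;
    return n;
}

int main(void)
{
    printf("empty:     inclusive=%lu exclusive=%lu\n",
           walk_inclusive(model_empty(), 1000), walk_exclusive(model_empty(), 1000));
    printf("populated: inclusive=%lu exclusive=%lu\n",
           walk_inclusive(model_populated(), 1000), walk_exclusive(model_populated(), 1000));
    return 0;
}
```

With the zero-initialized model the inclusive bound wraps to just below the top of the address space, so the first loop body would run with a NULL element pointer; the exclusive bound runs zero iterations.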


Re: [PATCH v2] powerpc: drmem: avoid NULL pointer dereference when drmem is unavailable

2020-02-05 Thread Nathan Lynch
Michal Suchanek  writes:
> From: Libor Pechacek 
>
> In guests without hotpluggable memory drmem structure is only zero
> initialized. Trying to manipulate DLPAR parameters results in a crash.
>

[...]

>
> Fixes: 6c6ea53725b3 ("powerpc/mm: Separate ibm, dynamic-memory data from DT format")
> Cc: Michal Suchanek 
> Cc: sta...@vger.kernel.org
> Signed-off-by: Libor Pechacek 
> Signed-off-by: Michal Suchanek 
> ---
> v2: rename last_lmb -> limit, clarify error condition.

Acked-by: Nathan Lynch 

Thanks!