projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b22b824) | patch
xen/vgic: Implement write to ISPENDR in vGICv{2, 3}
authorJulien Grall <jgrall@amazon.com>
Sat, 20 Feb 2021 14:04:12 +0000 (14:04 +0000)
committerStefano Stabellini <sstabellini@kernel.org>
Fri, 19 Mar 2021 19:34:43 +0000 (12:34 -0700)
commit679907201145ad9b74984cce961f1706b07cb0ac
tree9a1b3b053ecae20b68d689aba823b98ceb6c50c8tree | snapshot
parentb22b824f2eac90e1f2cac1df407c2e853aa997edcommit | diff
xen/vgic: Implement write to ISPENDR in vGICv{2, 3}

Currently, Xen will send a data abort to a guest trying to write to the
ISPENDR.

Unfortunately, recent version of Linux (at least 5.9+) will start
writing to the register if the interrupt needs to be re-triggered
(see the callback irq_retrigger). This can happen when a driver (such as
the xgbe network driver on AMD Seattle) re-enable an interrupt:

(XEN) d0v0: vGICD: unhandled word write 0x00000004000000 to ISPENDR44
[...]
[   25.635837] Unhandled fault at 0xffff80001000522c
[...]
[   25.818716]  gic_retrigger+0x2c/0x38
[   25.822361]  irq_startup+0x78/0x138
[   25.825920]  __enable_irq+0x70/0x80
[   25.829478]  enable_irq+0x50/0xa0
[   25.832864]  xgbe_one_poll+0xc8/0xd8
[   25.836509]  net_rx_action+0x110/0x3a8
[   25.840328]  __do_softirq+0x124/0x288
[   25.844061]  irq_exit+0xe0/0xf0
[   25.847272]  __handle_domain_irq+0x68/0xc0
[   25.851442]  gic_handle_irq+0xa8/0xe0
[   25.855171]  el1_irq+0xb0/0x180
[   25.858383]  arch_cpu_idle+0x18/0x28
[   25.862028]  default_idle_call+0x24/0x5c
[   25.866021]  do_idle+0x204/0x278
[   25.869319]  cpu_startup_entry+0x24/0x68
[   25.873313]  rest_init+0xd4/0xe4
[   25.876611]  arch_call_rest_init+0x10/0x1c
[   25.880777]  start_kernel+0x5b8/0x5ec

As a consequence, the OS may become unusable.

Implementing the write part of ISPENDR is somewhat easy. For
virtual interrupt, we only need to inject the interrupt again.

For physical interrupt, we need to be more careful as the de-activation
of the virtual interrupt will be propagated to the physical distributor.
For simplicity, the physical interrupt will be set pending so the
workflow will not differ from a "real" interrupt.

Longer term, we could possible directly activate the physical interrupt
and avoid taking an exception to inject the interrupt to the domain.
(This is the approach taken by the new vGIC based on KVM).

Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Release-Acked-by: Ian Jackson <iwj@xenproject.org>
(cherry picked from commit 067935804a8e7a33ff7170a2db8ce94bb46d9a63)
xen/arch/arm/vgic-v2.c diff | blob | history
xen/arch/arm/vgic-v3.c diff | blob | history
xen/arch/arm/vgic.c diff | blob | history
xen/include/asm-arm/vgic.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.