Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
MIME-Version: 1.0
References: <CACT4Y+beyZ7rjmy7im0KdSU-Pcqd4Rud3xsxonBbYVk0wU-B9g@mail.gmail.com>
 <CAK8P3a1xBt6ucpVMhQrw4fGiLDZaJZ4_kn+qy9xAuykRRih6FA@mail.gmail.com>
 <CACT4Y+YeeEkF65O40DMLB=cggiowZUxXDs++BNTrDMO94j=NvA@mail.gmail.com>
 <CAK8P3a0HVu+x0T6+K3d0v1bvU-Pes0F0CSjqm5x=bxFgv5Y3mA@mail.gmail.com>
 <CACT4Y+aWMD283vYMfoGM1fir_fPF7MPqe+vLjaoQD2iZUV4c-A@mail.gmail.com>
 <CAK8P3a2NEcHG+nOUCc6-DPeFKkc-GF-LEOkynhNdgxiXBHdQaw@mail.gmail.com>
 <CACT4Y+bLdCw+nWndwnv6W9=0EhNNxi=n5Zp032hZE1j0QBMkaA@mail.gmail.com> <CAK8P3a0yxbeY0z=6EQhvBN8NWF++1Cww4tRaSwrUQFt3A-BMaw@mail.gmail.com>
In-Reply-To: <CAK8P3a0yxbeY0z=6EQhvBN8NWF++1Cww4tRaSwrUQFt3A-BMaw@mail.gmail.com>
From:   Dmitry Vyukov <dvyukov@google.com>
Date:   Fri, 12 Mar 2021 11:38:58 +0100
Message-ID: <CACT4Y+aTbdE1CeUOgCKLJ3XpjazN5=yTmToXN_03M9EQ_hhayg@mail.gmail.com>
Subject: Re: arm64 syzbot instances
To:     Arnd Bergmann <arnd@arndb.de>
Cc:     Mark Rutland <mark.rutland@arm.com>, Marc Zyngier <maz@kernel.org>,
        Will Deacon <will@kernel.org>,
        Ard Biesheuvel <ardb@kernel.org>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        syzkaller <syzkaller@googlegroups.com>,
        LKML <linux-kernel@vger.kernel.org>,
        John Garry <john.garry@huawei.com>,
        Peter Maydell <peter.maydell@linaro.org>,
        =?UTF-8?B?QWxleCBCZW5uw6ll?= <alex.bennee@linaro.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

On Fri, Mar 12, 2021 at 11:11 AM Arnd Bergmann <arnd@arndb.de> wrote:
> > > On Fri, Mar 12, 2021 at 9:46 AM Dmitry Vyukov <dvyukov@google.com> wrote:
> > > > On Fri, Mar 12, 2021 at 9:40 AM Arnd Bergmann <arnd@arndb.de> wrote:
> > > > > On Thu, Mar 11, 2021 at 6:57 PM Dmitry Vyukov <dvyukov@google.com> wrote:
> > > > > a) accessing a legacy ISA/LPC port should not result in an oops,
> > > > >     but should instead return values with all bits set. There could
> > > > >     be a ratelimited console warning about broken drivers, but we
> > > > >     can't assume that all drivers work correctly, as some ancient
> > > > >     PC style drivers still rely on this.
> > > > >     John Garry has recently worked on a related bugfix, so maybe
> > > > >     either this is the same bug he encountered (and hasn't merged
> > > > >     yet), or if his fix got merged there is still a remaining problem.
> > >
> > > > > b) It should not be possible to open /dev/ttyS3 if the device is
> > > > >     not initialized. What is the output of 'cat /proc/tty/driver/serial'
> > > > >     on this machine? Do you see any messages from the serial
> > > > >     driver in the boot log?
> > > > >     Unfortunately there are so many different ways to probe devices
> > > > >     in the 8250 driver that I don't know where this comes from.
> > > > >     Your config file has
> > > > >    CONFIG_SERIAL_8250_PNP=y
> > > > >    CONFIG_SERIAL_8250_NR_UARTS=32
> > > > >    CONFIG_SERIAL_8250_RUNTIME_UARTS=4
> > > > >    CONFIG_SERIAL_8250_EXTENDED=y
> > > > >    I guess it's probably the preconfigured uarts that somehow
> > > > >    become probed without initialization, but it could also be
> > > > >    an explicit device incorrectly described by qemu.
> > > >
> > > >
> > > > Here is fool boot log, /proc/tty/driver/serial and the crash:
> > > > https://gist.githubusercontent.com/dvyukov/084890d9b4aa7cd54f468e652a9b5881/raw/54c12248ff6a4885ba6c530d56b3adad59bc6187/gistfile1.txt
> > >
> > > Ok, so there are four 8250 ports, and none of them are initialized,
> > > while the console is on /dev/ttyAMA0 using a different driver.
> > >
> > > I'm fairly sure this is a bug in the kernel then, not in qemu.
> > >
> > >
> > > I also see that the PCI I/O space gets mapped to a physical address:
> > > [    3.974309][    T1] pci-host-generic 4010000000.pcie:       IO
> > > 0x003eff0000..0x003effffff -> 0x0000000000
> > >
> > > So it's probably qemu that triggers the 'synchronous external
> > > abort' when accessing the PCI I/O space, which in turn hints
> > > towards a bug in qemu. Presumably it only returns data from
> > > I/O ports that are actually mapped to a device when real hardware
> > > is supposed to return 0xffffffff when reading from unused I/O ports.
> > > This would be separate from the work that John did, which only
> > > fixed the kernel for accessing I/O port ranges that do not have
> > > a corresponding MMU mapping to hardware ports.
> >
> > Will John's patch fix this crash w/o any changes in qemu? That would
> > be good enough for syzbot. Otherwise we need to report the issue to
> > qemu.
>
> No, this was a third issue. As far as I remember, this would result in
> a similar problem in the case where there is no PCI bus at all, or
> where no PCI host has an I/O port range, so the inb() from the serial
> driver would cause a page fault. The problem you ran into happens
> in qemu when the PCI I/O ports are mapped to hardware registers
> that cause an exception when accessed.
>
> If you just want to work around the problem for now, it should
> go away if you set CONFIG_SERIAL_8250_RUNTIME_UARTS
> to zero.

It does not happen too often on syzbot so far, so let's try to do the
right thing first.
I've filed: https://bugs.launchpad.net/qemu/+bug/1918917
with a link to this thread. To be fair, I don't fully understand what
I am talking about, I hope I proxied your description properly.