Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
MIME-Version: 1.0
References: <CACT4Y+beyZ7rjmy7im0KdSU-Pcqd4Rud3xsxonBbYVk0wU-B9g@mail.gmail.com>
 <CAK8P3a1xBt6ucpVMhQrw4fGiLDZaJZ4_kn+qy9xAuykRRih6FA@mail.gmail.com>
 <CACT4Y+YeeEkF65O40DMLB=cggiowZUxXDs++BNTrDMO94j=NvA@mail.gmail.com>
 <CAK8P3a0HVu+x0T6+K3d0v1bvU-Pes0F0CSjqm5x=bxFgv5Y3mA@mail.gmail.com>
 <CACT4Y+aWMD283vYMfoGM1fir_fPF7MPqe+vLjaoQD2iZUV4c-A@mail.gmail.com>
 <CAK8P3a2NEcHG+nOUCc6-DPeFKkc-GF-LEOkynhNdgxiXBHdQaw@mail.gmail.com>
 <CAFEAcA-s79=4VDSA3TO8tpLUMwJE=HcFT4eZO8L8CCkAAfj8PA@mail.gmail.com>
 <CAK8P3a26dWjbS8CjGwc7S5S0M4SonWh4afqdxpoa8Q9vQhC0TA@mail.gmail.com> <CAFEAcA-oH=9RLdzhsLcSTxNLBLcyEcJtO4L5EqRSiGWHdApgqA@mail.gmail.com>
In-Reply-To: <CAFEAcA-oH=9RLdzhsLcSTxNLBLcyEcJtO4L5EqRSiGWHdApgqA@mail.gmail.com>
From:   Arnd Bergmann <arnd@arndb.de>
Date:   Mon, 22 Mar 2021 16:42:55 +0100
Message-ID: <CAK8P3a2aQ0C7M2p3DBwjvK5mGyg2_8PQK2=FnkPFp3bVmt_xMw@mail.gmail.com>
Subject: Re: arm64 syzbot instances
To:     Peter Maydell <peter.maydell@linaro.org>
Cc:     Dmitry Vyukov <dvyukov@google.com>,
        Mark Rutland <mark.rutland@arm.com>,
        Marc Zyngier <maz@kernel.org>, Will Deacon <will@kernel.org>,
        Ard Biesheuvel <ardb@kernel.org>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        syzkaller <syzkaller@googlegroups.com>,
        LKML <linux-kernel@vger.kernel.org>,
        John Garry <john.garry@huawei.com>,
        =?UTF-8?B?QWxleCBCZW5uw6ll?= <alex.bennee@linaro.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

On Mon, Mar 22, 2021 at 2:53 PM Peter Maydell <peter.maydell@linaro.org> wrote:
> On Sun, 21 Mar 2021 at 19:00, Arnd Bergmann <arnd@arndb.de> wrote:
> > On Sat, Mar 20, 2021 at 9:43 PM Peter Maydell <peter.maydell@linaro.org> wrote:
> > > On Fri, 12 Mar 2021 at 09:16, Arnd Bergmann <arnd@arndb.de> wrote:
> > > > So it's probably qemu that triggers the 'synchronous external
> > > > abort' when accessing the PCI I/O space, which in turn hints
> > > > towards a bug in qemu. Presumably it only returns data from
> > > > I/O ports that are actually mapped to a device when real hardware
> > > > is supposed to return 0xffffffff when reading from unused I/O ports.
> > >
> > > Do you have a reference to the bit of the PCI spec that mandates
> > > this -1/discard behaviour for attempted access to places where
> > > there isn't actually a PCI device mapped ? The spec is pretty
> > > long and hard to read...
> > >
> > > (Knowing to what extent this behaviour is mandatory for all
> > > PCI systems/host controllers vs just "it would be nice if the
> > > gpex host controller worked this way" would help in figuring
> > > out where in QEMU to change.)
> >
> > I spent some more time looking at both really old PCI specifications,
> > and new ones.
> > The old PCI specs seem to just leave this bit as out of scope because
> > it does not concern transactions on the bus. The PCI host controller
> > can either report a 'master abort' to the CPU, or ignore it, and each
> > bridge can decide to turn master aborts on reads into all 1s.
> > We do have support some SoCs in Linux that trigger a CPU exception,
> > but we tend to deal with those with an ugly hack that just ignores
> > all exceptions from the CPU. Most host bridges fortunately behave
> > like an x86 PC though, and do not trigger an exception here.
>
> There's apparently a bit in the PCI spec that reads:
>         The host bus bridge, in PC compatible systems, must return all
>         1's on a read transaction and discard data on a write transaction
>         when terminated with Master-Abort.
>
> which obviously applies only to "PC compatible systems".

Right. As far as I can tell, all ARMv8 and most ARMv7 based SoCs
do this to be more compatible with PC style operating systems like
Linux, but you are right that the specification here does not
mandate that, and the older ARMv5 SoCs seem to be compliant
as well based on this.

> > Linux has a driver for DPC, which apparently configures it to
> > cause an interrupt to log the event, but it does not hook up the
> > CPU exception handler to this. I don't see an implementation of DPC
> > in qemu, which I take as an indication that it should use the
> > default behavior and cause neither an interrupt nor a CPU exception.
>
> Hmm, maybe. We should probably also implement -1/discard just because
> we're not intending to have 'surprising' behaviour.
>
> TBH I'm having difficulty seeing why the kernel should be doing
> this at all, though. The device tree tells you you have a PCI
> controller; PCI supports enumeration of devices; you know exactly
> where everything is mapped because the BARs tell you that.
> I don't see anything that justifies the kernel in randomly
> dereferencing areas of the IO or memory windows where it hasn't
> mapped anything. You shouldn't be probing for legacy ISA-port
> devices unless you're on a system which might actually have them
> (eg an x86 PC).

It only happened in this case because there is also a bug in
the 8250 serial port driver that is configured to assume four ports
exist at port zero. On real arm64 hardware, this is apparently
harmless because the driver has coped with this for 30 years ;-)

There are a few other drivers that assume hardware is accessible
at the legacy addresses, and applications can also still open /dev/ioport
(if that is enabled at compile time) for the same purpose. Examples
could be PC-style mouse/keyboard (emulated by a server BMC),
PATA/SATA controllers in pre-AHCI mode, VGA console, and a
couple of industrial I/O drivers that have ISA devices behind a
PCI bridge.

Most other actual ISA add-on card drivers can only be enabled
on kernels that support machines with real slots, so you could
get them on an i386 kernel running a virtualized x86_64 machine,
but not on ARMv6 or later kernels, and you can't run pre-ARMv7
kernels on ARMv8 hardware.

        Arnd