Xen project Mailing List

Re: [PATCH] x86/ioapic: sanitize IO-APIC pins before enabling the local APIC

To: Roger Pau Monne <roger.pau@xxxxxxxxxx>

Date: Mon, 10 Jul 2023 12:56:27 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mQvb+1kLVWdEgkiCAJ3I7xIPXIljQ4Ub1kVaTTH+OFA=; b=ZP4YLxdWQ3qwBn8/C04OpSVSeNRaS1PIPNehOyq7ByVcGaslGkqgmUzjKRIkVWMlfaIUh1rQC2DrELSF/2PcoVXpxAeEkuBYB/LOLLEZokbMGAwCBI9hT2ncCpnh5qxCk+RKMVBPEv33XhAtTMSfGOZdBa+Ibv7MSvS4oZQwtbdmZAwIJv/93L58rayZ+bRIsh1GMxdE3VkpyIaXmshNcrm2zaTFOGX69Di9zJ90rVqY9JU9ZTFyqATwB5Q60iRKWbKMLiPhrI6LoOcW+rva3DYAmMJp6Jy1Y8oecCmnhMrmJRRukYfPtvX0oSWnCeN9t06r3yXMVKgUvoRtD7RhDg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QTdWwhYKxUi7Kt2PSn9XSuulNe8g+yRwlnJIRK/CsKdNs0b+wLzS514TH2u7zYfZbNYthdND1j6Gkc3lyezka2af+2f7YlFm/Hx5Tv99IhV5HMs8Y558yHmbB8gO45SoeRKFGzoHaXpgd28EVLYHyewiCH9lR9yjgISJiZzRed5eokF4Qc8Nqzqx2n3ntsFYyBv/1u6O8SMosG5pFQGLYzyTxGv7TFbqA+WiRbxZcaKEMEJFC4g1J/zNlnc9YLCt6XC4yVg/ztegrPT1wuuqDcD1RKAdm0Wt4hoLUUkddfCLH7mZHFEBBGtCySND3Wd+ndbTJNCSXu3cLsvdYtjJhg==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Mon, 10 Jul 2023 10:56:48 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 07.07.2023 11:53, Roger Pau Monne wrote: > The current logic to init the local APIC and the IO-APIC does init the > former first before doing any kind of sanitation on the IO-APIC pin > configuration. It's already noted on enable_IO_APIC() that Xen > shouldn't trust the IO-APIC being empty at bootup. > > At XenServer we have a system where the IO-APIC 0 is handed to Xen > with pin 0 unmasked, set to Fixed delivery mode, edge triggered and > with a vector of 0 (all fields of the RTE are zeroed). Once the local > APIC is enabled periodic injections from such pin cause a storm of > errors: > > APIC error on CPU0: 00(40), Received illegal vector > APIC error on CPU0: 40(40), Received illegal vector > APIC error on CPU0: 40(40), Received illegal vector > APIC error on CPU0: 40(40), Received illegal vector > APIC error on CPU0: 40(40), Received illegal vector > APIC error on CPU0: 40(40), Received illegal vector > > That prevents Xen from booting. And I expect no RTE is in ExtInt mode, so one might conclude that firmware meant to set up RTE 0 that way. Mainly as a remark, albeit of course there's then the question whether to change the RTE rather than masking it. What do ACPI tables say? > Fix this by moving the masking of IO-APIC pins ahead of the enabling > of the local APIC. Note that before doing such masking Xen attempts > to detect the pin where the legacy i8259 is connected, and that logic > relies on the pin being unmasked, hence the logic is also moved ahead > of enabling the local APIC. A comma after "masking" might help readers here. > --- a/xen/arch/x86/apic.c > +++ b/xen/arch/x86/apic.c > @@ -1476,6 +1476,10 @@ int __init APIC_init_uniprocessor (void) > return -1; > } > > + if ( smp_found_config && !skip_ioapic_setup && nr_ioapics ) > + /* Sanitize the IO-APIC pins before enabling the local APIC. */ > + sanitize_IO_APIC(); I'm a little puzzled by the smp_found_config part of the check here, but not in smp_prepare_cpus(). What's the reason for (a) the check and (b) the difference? Isn't checking nr_ioapics sufficient in this regard? (b) probably could be addressed by moving the code to the beginning of verify_local_APIC(), immediately ahead of which you insert both call sites. (At which point the function may want naming verify_IO_APIC() for consistency, but that's surely minor.) As to also checking skip_ioapic_setup - wouldn't the unmasked pin be similarly troublesome in that case? Aiui it would not hurt only if the LAPIC also isn't (going to be) set up. Then again the flag, among other things, signals a zero base address found in the ACPI or MP tables, so I guess this is a (largely) separate issue anyway. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.