Xen project Mailing List

Re: [RFC PATCH] xen: privcmd: fix ioeventfd/ioreq crashing PV domain

To: Val Packett <val@xxxxxxxxxxxxxxxxxxxxxx>, Jürgen Groß <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>

From: Demi Marie Obenour <demiobenour@xxxxxxxxx>

Date: Wed, 5 Nov 2025 15:42:14 -0500

Autocrypt: addr=demiobenour@xxxxxxxxx; keydata= xsFNBFp+A0oBEADffj6anl9/BHhUSxGTICeVl2tob7hPDdhHNgPR4C8xlYt5q49yB+l2nipd aq+4Gk6FZfqC825TKl7eRpUjMriwle4r3R0ydSIGcy4M6eb0IcxmuPYfbWpr/si88QKgyGSV Z7GeNW1UnzTdhYHuFlk8dBSmB1fzhEYEk0RcJqg4AKoq6/3/UorR+FaSuVwT7rqzGrTlscnT DlPWgRzrQ3jssesI7sZLm82E3pJSgaUoCdCOlL7MMPCJwI8JpPlBedRpe9tfVyfu3euTPLPx wcV3L/cfWPGSL4PofBtB8NUU6QwYiQ9Hzx4xOyn67zW73/G0Q2vPPRst8LBDqlxLjbtx/WLR 6h3nBc3eyuZ+q62HS1pJ5EvUT1vjyJ1ySrqtUXWQ4XlZyoEFUfpJxJoN0A9HCxmHGVckzTRl 5FMWo8TCniHynNXsBtDQbabt7aNEOaAJdE7to0AH3T/Bvwzcp0ZJtBk0EM6YeMLtotUut7h2 Bkg1b//r6bTBswMBXVJ5H44Qf0+eKeUg7whSC9qpYOzzrm7+0r9F5u3qF8ZTx55TJc2g656C 9a1P1MYVysLvkLvS4H+crmxA/i08Tc1h+x9RRvqba4lSzZ6/Tmt60DPM5Sc4R0nSm9BBff0N m0bSNRS8InXdO1Aq3362QKX2NOwcL5YaStwODNyZUqF7izjK4QARAQABzTxEZW1pIE1hcmll IE9iZW5vdXIgKGxvdmVyIG9mIGNvZGluZykgPGRlbWlvYmVub3VyQGdtYWlsLmNvbT7CwXgE EwECACIFAlp+A0oCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJELKItV//nCLBhr8Q AK/xrb4wyi71xII2hkFBpT59ObLN+32FQT7R3lbZRjVFjc6yMUjOb1H/hJVxx+yo5gsSj5LS 9AwggioUSrcUKldfA/PKKai2mzTlUDxTcF3vKx6iMXKA6AqwAw4B57ZEJoMM6egm57TV19kz PMc879NV2nc6+elaKl+/kbVeD3qvBuEwsTe2Do3HAAdrfUG/j9erwIk6gha/Hp9yZlCnPTX+ VK+xifQqt8RtMqS5R/S8z0msJMI/ajNU03kFjOpqrYziv6OZLJ5cuKb3bZU5aoaRQRDzkFIR 6aqtFLTohTo20QywXwRa39uFaOT/0YMpNyel0kdOszFOykTEGI2u+kja35g9TkH90kkBTG+a EWttIht0Hy6YFmwjcAxisSakBuHnHuMSOiyRQLu43ej2+mDWgItLZ48Mu0C3IG1seeQDjEYP tqvyZ6bGkf2Vj+L6wLoLLIhRZxQOedqArIk/Sb2SzQYuxN44IDRt+3ZcDqsPppoKcxSyd1Ny 2tpvjYJXlfKmOYLhTWs8nwlAlSHX/c/jz/ywwf7eSvGknToo1Y0VpRtoxMaKW1nvH0OeCSVJ itfRP7YbiRVc2aNqWPCSgtqHAuVraBRbAFLKh9d2rKFB3BmynTUpc1BQLJP8+D5oNyb8Ts4x Xd3iV/uD8JLGJfYZIR7oGWFLP4uZ3tkneDfYzsFNBFp+A0oBEAC9ynZI9LU+uJkMeEJeJyQ/ 8VFkCJQPQZEsIGzOTlPnwvVna0AS86n2Z+rK7R/usYs5iJCZ55/JISWd8xD57ue0eB47bcJv VqGlObI2DEG8TwaW0O0duRhDgzMEL4t1KdRAepIESBEA/iPpI4gfUbVEIEQuqdqQyO4GAe+M kD0Hy5JH/0qgFmbaSegNTdQg5iqYjRZ3ttiswalql1/iSyv1WYeC1OAs+2BLOAT2NEggSiVO txEfgewsQtCWi8H1SoirakIfo45Hz0tk/Ad9ZWh2PvOGt97Ka85o4TLJxgJJqGEnqcFUZnJJ riwoaRIS8N2C8/nEM53jb1sH0gYddMU3QxY7dYNLIUrRKQeNkF30dK7V6JRH7pleRlf+wQcN fRAIUrNlatj9TxwivQrKnC9aIFFHEy/0mAgtrQShcMRmMgVlRoOA5B8RTulRLCmkafvwuhs6 dCxN0GNAORIVVFxjx9Vn7OqYPgwiofZ6SbEl0hgPyWBQvE85klFLZLoj7p+joDY1XNQztmfA rnJ9x+YV4igjWImINAZSlmEcYtd+xy3Li/8oeYDAqrsnrOjb+WvGhCykJk4urBog2LNtcyCj kTs7F+WeXGUo0NDhbd3Z6AyFfqeF7uJ3D5hlpX2nI9no/ugPrrTVoVZAgrrnNz0iZG2DVx46 x913pVKHl5mlYQARAQABwsFfBBgBAgAJBQJafgNKAhsMAAoJELKItV//nCLBwNIP/AiIHE8b oIqReFQyaMzxq6lE4YZCZNj65B/nkDOvodSiwfwjjVVE2V3iEzxMHbgyTCGA67+Bo/d5aQGj gn0TPtsGzelyQHipaUzEyrsceUGWYoKXYyVWKEfyh0cDfnd9diAm3VeNqchtcMpoehETH8fr RHnJdBcjf112PzQSdKC6kqU0Q196c4Vp5HDOQfNiDnTf7gZSj0BraHOByy9LEDCLhQiCmr+2 E0rW4tBtDAn2HkT9uf32ZGqJCn1O+2uVfFhGu6vPE5qkqrbSE8TG+03H8ecU2q50zgHWPdHM OBvy3EhzfAh2VmOSTcRK+tSUe/u3wdLRDPwv/DTzGI36Kgky9MsDC5gpIwNbOJP2G/q1wT1o Gkw4IXfWv2ufWiXqJ+k7HEi2N1sree7Dy9KBCqb+ca1vFhYPDJfhP75I/VnzHVssZ/rYZ9+5 1yDoUABoNdJNSGUYl+Yh9Pw9pE3Kt4EFzUlFZWbE4xKL/NPno+z4J9aWemLLszcYz/u3XnbO vUSQHSrmfOzX3cV4yfmjM5lewgSstoxGyTx2M8enslgdXhPthZlDnTnOT+C+OTsh8+m5tos8 HQjaPM01MKBiAqdPgksm1wu2DrrwUi6ChRVTUBcj6+/9IJ81H2P2gJk3Ls3AVIxIffLoY34E +MYSfkEjBz0E8CLOcAw7JIwAaeBT

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx

Delivery-date: Wed, 05 Nov 2025 20:42:34 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 11/4/25 20:16, Val Packett wrote: > > On 11/4/25 9:15 AM, Jürgen Groß wrote: >> On 15.10.25 21:57, Val Packett wrote: >>> Starting a virtio backend in a PV domain would panic the kernel in >>> alloc_ioreq, trying to dereference vma->vm_private_data as a pages >>> pointer when in reality it stayed as PRIV_VMA_LOCKED. >>> >>> Fix by allocating a pages array in mmap_resource in the PV case, >>> filling it with page info converted from the pfn array. This allows >>> ioreq to function successfully with a backend provided by a PV dom0. >>> >>> Signed-off-by: Val Packett <val@xxxxxxxxxxxxxxxxxxxxxx> >>> --- >>> I've been porting the xen-vhost-frontend[1] to Qubes, which runs on >>> amd64 >>> and we (still) use PV for dom0. The x86 part didn't give me much >>> trouble, >>> but the first thing I found was this crash due to using a PV domain >>> to host >>> the backend. alloc_ioreq was dereferencing the '1' constant and >>> panicking >>> the dom0 kernel. >>> >>> I figured out that I can make a pages array in the expected format >>> from the >>> pfn array where the actual memory mapping happens for the PV case, >>> and with >>> the fix, the ioreq part works: the vhost frontend replies to the probing >>> sequence and the guest recognizes which virtio device is being provided. >>> >>> I still have another thing to debug: the MMIO accesses from the inner >>> driver >>> (e.g. virtio_rng) don't get through to the vhost provider (ioeventfd >>> does >>> not get notified), and manually kicking the eventfd from the frontend >>> seems to crash... Xen itself?? (no Linux panic on console, just a >>> freeze and >>> quick reboot - will try to set up a serial console now) >> >> IMHO for making the MMIO accesses work you'd need to implement >> ioreq-server >> support for PV-domains in the hypervisor. This will be a major >> endeavor, so >> before taking your Linux kernel patch I'd like to see this covered. > > Sorry, I wasn't clear enough.. it's *not* that MMIO accesses don't work. > > I debugged this a bit more, and it turns out: > > 1. the reason why "ioeventfd does not get notified" is because accessing > the virtio page (allocated with this privcmd interface) from the kernel > was failing. The exchange between the guest driver and the userspace > ioreq server has been working perfectly, but the *kernel* access (which > is what needs this `struct page` allocation with the current code) was > returning nonsense and the check for the virtqueue readiness flag was > failing. > > I have noticed and fixed (locally) a bug in this patch: reusing the > `pfns` allocation for `errs` in `xen_remap_domain_mfn_array` meant that > the actual pfn value was overwritten with a zero ("success" error code), > and that's the `pfn` I was using. > > Still, the memory visible in the dom0 kernel at that pfn is not the same > allocation that's mapped into the process. Instead, it's some random > other memory. I've added a hexdump for it in the ioeventfd notifier and > it was returning random stuff from other userspace programs such as "// > SPDX-License-Identifier" from a text editor (haha). Actually, *once* it > did just work and I've managed to attach a virtio-rng driver and have it > fully work. > > Clearly I'm just struggling with the way memory mappings work under PV. > Do I need to specifically create a second mapping for the kernel using > the same `xen_remap_domain_mfn_array` call? > > 2. the reason why "manually kicking the eventfd from the frontend seems > to crash... Xen itself" was actually because that triggered the guest > interrupt and I was using the ISA interrupts that required the virtual > (IO)APIC to exist, and it doesn't in PVH domains. For now I switched my > test setup to HVM to get around that, but I'd need to.. figure out a > virq/pirq type setup to route XEN_DMOP_set_isa_irq_level calls over > event channels for PV(H) guests. Still, this should return an error rather than crashing the hypervisor. -- Sincerely, Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.