The interrupt presenters are currently parented to their associated VCPU, and we rely on CPU_FOREACH() when we need to perform a specific task with them, like exposing their state with 'info pic' or finding the target VCPU for an interrupt when using the XIVE controller.
We recently realized that the latter could crash QEMU because CPU_FOREACH() can race with CPU hotplug. This got fixed by checking that the presenter pointer under the CPU was set (commit 627fa61746f7), but this is still fragile. And we can still crash QEMU with 'info pic' while doing CPU hotplug/unplug:

With XIVE:

    Thread 1 "qemu-system-ppc" received signal SIGSEGV, Segmentation fault.
    0x00000001003d2848 in xive_tctx_pic_print_info (tctx=0x101ae5280, mon=0x7fffffffe180)
        at /home/greg/Work/qemu/qemu-spapr/hw/intc/xive.c:526
    526         int cpu_index = tctx->cs ? tctx->cs->cpu_index : -1;
    (gdb) p tctx
    $1 = (XiveTCTX *) 0x101ae5280
    (gdb) p tctx->cs
    $2 = (CPUState *) 0x2057512020203a5d
    (gdb) p tctx->cs->cpu_index
    Cannot access memory at address 0x205751202020bead

With XICS:

    Thread 1 "qemu-system-ppc" received signal SIGSEGV, Segmentation fault.
    0x00000001003cc39c in icp_pic_print_info (icp=0x10244ccf0, mon=0x7fffffffe940)
        at /home/greg/Work/qemu/qemu-spapr/hw/intc/xics.c:47
    47          int cpu_index = icp->cs ? icp->cs->cpu_index : -1;
    (gdb) p icp
    $1 = (ICPState *) 0x10244ccf0
    (gdb) p icp->cs
    $2 = (CPUState *) 0x524958203220
    (gdb) p icp->cs->cpu_index
    Cannot access memory at address 0x52495820b670

This series fixes the issue globally by moving the presenter objects under the interrupt controller and by looping on them with object_child_foreach() instead of CPU_FOREACH().
It is based on Cédric Le Goater's series:

[v5,0/7] ppc: reset the interrupt presenter from the CPU reset handler
https://patchwork.ozlabs.org/cover/1181522/

--
Greg

---

Greg Kurz (6):
  ppc: Add intc_destroy() handlers to SpaprInterruptController/PnvChip
  xive, xics: Fix reference counting on CPU objects
  ppc: Reparent presenter objects to the interrupt controller object
  qom: Add object_child_foreach_type() helper function
  spapr: Don't use CPU_FOREACH() in 'info pic'
  xive: Don't use CPU_FOREACH() to perform CAM line matching

 hw/intc/spapr_xive.c       |  19 ++++---
 hw/intc/xics.c             |  30 ++++++++++-
 hw/intc/xics_spapr.c       |  21 +++++--
 hw/intc/xive.c             | 125 ++++++++++++++++++++++++++++++--------------
 hw/ppc/pnv.c               |  28 +++++++++-
 hw/ppc/pnv_core.c          |   7 +-
 hw/ppc/spapr_cpu_core.c    |   7 --
 hw/ppc/spapr_irq.c         |  14 +++++
 include/hw/ppc/pnv.h       |   1
 include/hw/ppc/spapr_irq.h |   2 +
 include/hw/ppc/xics.h      |   4 +
 include/hw/ppc/xive.h      |   3 +
 include/qom/object.h       |  35 ++++++++++++
 qom/object.c               |  30 ++++++++---
 14 files changed, 251 insertions(+), 75 deletions(-)