To: Paolo Bonzini, Peter Xu, David Hildenbrand, Philippe Mathieu-Daudé
Subject: [PATCH 3/3] physmem: Fix wrong MR in large address_space_read/write_cached_slow()
Date: Thu, 15 Feb 2024 14:28:17 +0000
Message-ID: <20240215142817.1904-4-Jonathan.Cameron@huawei.com>
In-Reply-To: <20240215142817.1904-1-Jonathan.Cameron@huawei.com>
From: Jonathan Cameron via

If the access is bigger than the MemoryRegion supports, flatview_read/write_continue() will attempt to update the Memory Region, but the address passed to flatview_translate() is relative to the cache, not to the FlatView.

On arm/virt with interleaved CXL memory emulation and virtio-blk-pci this led to the first part of descriptor being read from the CXL memory and the second part from PA 0x8 which happens to be a blank region of a flash chip and all ffs on this particular configuration. Note this test requires the out of tree ARM support for CXL, but the problem is more general.

Avoid this by adding new address_space_read_continue_cached() and address_space_write_continue_cached() which share all the logic with the flatview versions except for the MemoryRegion lookup.

Signed-off-by: Jonathan Cameron
--- system/physmem.c | 78 ++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 72 insertions(+), 6 deletions(-) diff --git a/system/physmem.c b/system/physmem.c index 74f92bb3b8..43b37942cf 100644 --- a/system/physmem.c +++ b/system/physmem.c
@@ -3377,6 +3377,72 @@ static inline MemoryRegion *address_space_translate_= cached( return section.mr; } =20 +/* Called within RCU critical section. */ +static MemTxResult address_space_write_continue_cached(MemoryRegionCache *= cache, + hwaddr addr, + MemTxAttrs attrs, + const void *ptr, + hwaddr len, hwaddr = addr1, + hwaddr l, + MemoryRegion *mr) +{ + MemTxResult result =3D MEMTX_OK; + const uint8_t *buf =3D ptr; + + for (;;) { + + result |=3D flatview_write_continue_step(addr, attrs, buf, len, ad= dr1, &l, + mr); + + len -=3D l; + buf +=3D l; + addr +=3D l; + + if (!len) { + break; + } + + l =3D len; + + mr =3D address_space_translate_cached(cache, addr, &addr1, &l, tru= e, + attrs); + } + + return result; +} + +/* Called within RCU critical section. */ +static MemTxResult address_space_read_continue_cached(MemoryRegionCache *c= ache, + hwaddr addr, + MemTxAttrs attrs, + void *ptr, hwaddr le= n, + hwaddr addr1, hwaddr= l, + MemoryRegion *mr) +{ + MemTxResult result =3D MEMTX_OK; + uint8_t *buf =3D ptr; + + fuzz_dma_read_cb(addr, len, mr); + for (;;) { + + result |=3D flatview_read_continue_step(addr, attrs, buf, len, add= r1, + &l, mr); + len -=3D l; + buf +=3D l; + addr +=3D l; + + if (!len) { + break; + } + l =3D len; + + mr =3D address_space_translate_cached(cache, addr, &addr1, &l, fal= se, + attrs); + } + + return result; +} + /* Called from RCU critical section. address_space_read_cached uses this * out of line function when the target is an MMIO or IOMMU region. */ @@ -3390,9 +3456,9 @@ address_space_read_cached_slow(MemoryRegionCache *cac= he, hwaddr addr, l =3D len; mr =3D address_space_translate_cached(cache, addr, &addr1, &l, false, MEMTXATTRS_UNSPECIFIED); - return flatview_read_continue(cache->fv, - addr, MEMTXATTRS_UNSPECIFIED, buf, len, - addr1, l, mr); + return address_space_read_continue_cached(cache, addr, + MEMTXATTRS_UNSPECIFIED, buf,= len, + addr1, l, mr); } =20 /* Called from RCU critical section. address_space_write_cached uses this 
@@ -3408,9 +3474,9 @@ address_space_write_cached_slow(MemoryRegionCache *ca= che, hwaddr addr, l =3D len; mr =3D address_space_translate_cached(cache, addr, &addr1, &l, true, MEMTXATTRS_UNSPECIFIED); - return flatview_write_continue(cache->fv, - addr, MEMTXATTRS_UNSPECIFIED, buf, len, - addr1, l, mr); + return address_space_write_continue_cached(cache, addr, + MEMTXATTRS_UNSPECIFIED, + buf, len, addr1, l, mr); } =20 #define ARG1_DECL MemoryRegionCache *cache --=20 2.39.2
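
Review bot: in address_space_read_continue_cached() (first hunk), fuzz_dma_read_cb(addr, len, mr) is handed addr, which the commit message says is relative to the cache rather than to the FlatView; confirm the hook is meant to receive a cache-relative offset, or convert it before the call. The same question applies to the addr argument forwarded to flatview_read_continue_step() and flatview_write_continue_step() in both new loops: if the step helpers do not need it, drop the parameter, and if they do, check that a cache-relative value is valid there. A short comment on both new helpers stating that addr is cache-relative and addr1 is the offset within mr would keep the two address spaces from being confused again.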
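
Review bot: the comment above address_space_read_cached_slow() (second hunk) still only says the function is used "when the target is an MMIO or IOMMU region" and does not mention what this change now guarantees, namely that an access longer than the first translated region is re-translated through address_space_translate_cached() and not through the FlatView. Please extend that comment, and the matching one on the write side, so the reason for not calling flatview_read_continue() here is recorded next to the code. The commit message describes a descriptor being read partly from the wrong region but carries no Fixes: tag; adding one would help anyone backporting this.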
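
Review bot: the argument wrapping in the new address_space_write_continue_cached() call (third hunk) differs from the read call site in the previous hunk: here MEMTXATTRS_UNSPECIFIED sits alone on its line followed by "buf, len, addr1, l, mr", while the read side wraps after "buf, len,". Since the two call sites are otherwise mirror images, please wrap them identically so a later change to one is easy to diff against the other.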