[v2] target/i386: Fix physical address masking bugs

[PATCH v2 3/7] target/i386: introduce function to query MMU indices

Posted by Paolo Bonzini 9 months ago

Remove knowledge of specific MMU indexes (other than MMU_NESTED_IDX and
MMU_PHYS_IDX) from mmu_translate().  This will make it possible to split
32-bit and 64-bit MMU indexes.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 target/i386/cpu.h                    | 10 ++++++++++
 target/i386/tcg/sysemu/excp_helper.c |  4 ++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index dfe43b82042..8c271ca62e5 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -2305,6 +2305,16 @@ uint64_t cpu_get_tsc(CPUX86State *env);
 #define MMU_NESTED_IDX  3
 #define MMU_PHYS_IDX    4
 
+static inline bool is_mmu_index_smap(int mmu_index)
+{
+    return mmu_index == MMU_KSMAP_IDX;
+}
+
+static inline bool is_mmu_index_user(int mmu_index)
+{
+    return mmu_index == MMU_USER_IDX;
+}
+
 static inline int cpu_mmu_index_kernel(CPUX86State *env)
 {
     return !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP_IDX :
diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c
index 11126c860d4..a0d5ce39300 100644
--- a/target/i386/tcg/sysemu/excp_helper.c
+++ b/target/i386/tcg/sysemu/excp_helper.c
@@ -137,7 +137,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
     const int32_t a20_mask = x86_get_a20_mask(env);
     const target_ulong addr = in->addr;
     const int pg_mode = in->pg_mode;
-    const bool is_user = (in->mmu_idx == MMU_USER_IDX);
+    const bool is_user = is_mmu_index_user(in->mmu_idx);
     const MMUAccessType access_type = in->access_type;
     uint64_t ptep, pte, rsvd_mask;
     PTETranslate pte_trans = {
@@ -363,7 +363,7 @@ do_check_protect_pse36:
     }
 
     int prot = 0;
-    if (in->mmu_idx != MMU_KSMAP_IDX || !(ptep & PG_USER_MASK)) {
+    if (!is_mmu_index_smap(in->mmu_idx) || !(ptep & PG_USER_MASK)) {
         prot |= PAGE_READ;
         if ((ptep & PG_RW_MASK) || !(is_user || (pg_mode & PG_MODE_WP))) {
             prot |= PAGE_WRITE;
-- 
2.43.0

Re: [PATCH v2 3/7] target/i386: introduce function to query MMU indices

Posted by Zhao Liu 9 months ago

On Fri, Feb 23, 2024 at 02:09:44PM +0100, Paolo Bonzini wrote:
> Date: Fri, 23 Feb 2024 14:09:44 +0100
> From: Paolo Bonzini <pbonzini@redhat.com>
> Subject: [PATCH v2 3/7] target/i386: introduce function to query MMU indices
> X-Mailer: git-send-email 2.43.0
> 
> Remove knowledge of specific MMU indexes (other than MMU_NESTED_IDX and
> MMU_PHYS_IDX) from mmu_translate().  This will make it possible to split
> 32-bit and 64-bit MMU indexes.
> 
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>  target/i386/cpu.h                    | 10 ++++++++++
>  target/i386/tcg/sysemu/excp_helper.c |  4 ++--
>  2 files changed, 12 insertions(+), 2 deletions(-)

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>

> 
> diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> index dfe43b82042..8c271ca62e5 100644
> --- a/target/i386/cpu.h
> +++ b/target/i386/cpu.h
> @@ -2305,6 +2305,16 @@ uint64_t cpu_get_tsc(CPUX86State *env);
>  #define MMU_NESTED_IDX  3
>  #define MMU_PHYS_IDX    4
>  
> +static inline bool is_mmu_index_smap(int mmu_index)
> +{
> +    return mmu_index == MMU_KSMAP_IDX;
> +}
> +
> +static inline bool is_mmu_index_user(int mmu_index)
> +{
> +    return mmu_index == MMU_USER_IDX;
> +}
> +
>  static inline int cpu_mmu_index_kernel(CPUX86State *env)
>  {
>      return !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP_IDX :
> diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c
> index 11126c860d4..a0d5ce39300 100644
> --- a/target/i386/tcg/sysemu/excp_helper.c
> +++ b/target/i386/tcg/sysemu/excp_helper.c
> @@ -137,7 +137,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
>      const int32_t a20_mask = x86_get_a20_mask(env);
>      const target_ulong addr = in->addr;
>      const int pg_mode = in->pg_mode;
> -    const bool is_user = (in->mmu_idx == MMU_USER_IDX);
> +    const bool is_user = is_mmu_index_user(in->mmu_idx);
>      const MMUAccessType access_type = in->access_type;
>      uint64_t ptep, pte, rsvd_mask;
>      PTETranslate pte_trans = {
> @@ -363,7 +363,7 @@ do_check_protect_pse36:
>      }
>  
>      int prot = 0;
> -    if (in->mmu_idx != MMU_KSMAP_IDX || !(ptep & PG_USER_MASK)) {
> +    if (!is_mmu_index_smap(in->mmu_idx) || !(ptep & PG_USER_MASK)) {
>          prot |= PAGE_READ;
>          if ((ptep & PG_RW_MASK) || !(is_user || (pg_mode & PG_MODE_WP))) {
>              prot |= PAGE_WRITE;
> -- 
> 2.43.0
> 
>

[PATCH v2 1/7] target/i386: mask high bits of CR3 in 32-bit mode
[PATCH v2 2/7] target/i386: check validity of VMCB addresses
[PATCH v2 3/7] target/i386: introduce function to query MMU indices
[PATCH v2 4/7] target/i386: use separate MMU indexes for 32-bit accesses
[PATCH v2 5/7] target/i386: Fix physical address truncation
[PATCH v2 6/7] target/i386: remove unnecessary/wrong application of the A20 mask
[PATCH v2 7/7] target/i386: leave the A20 bit set in the final NPT walk