From: Alexander Boettcher
Subject: [PATCH] tcg/svm: use host cr4 during NPT page table walk
To: Paolo Bonzini, Richard Henderson, Eduardo Habkost, qemu-devel@nongnu.org
Date: Mon, 29 Jun 2020 15:25:03 +0200

Hello,

during a page table walk of TCG+SVM the code in target/i386/excp_helper.c get_hphys() uses the cr4 register of the guest instead of the hypervisor to check for the PSE bit. In the test case we have, the guest has not enabled (yet) the PSE bit and so the page table walk results in a wrong host physical address resolution and wrong content read by the guest.

Attached patch is against 4.2.1, but works also on 3.1.0.
It fixes the issue for our automated testcase, which is a 32bit hypervisor w/o PAE support running a guest VM with tcg+svm.

The test worked beforehand up to qemu 2.12, started to fail with qemu 3.0 and later. The added TCG/SVM NPT commit seems to introduce the regression.

In case someone wants to try to reproduce it, the iso is at [0], the good case is [1] and the failing case is [2]. The used commandline is:

qemu-system-i386 -no-kvm -nographic -cpu phenom -m 512 -machine q35 -cdrom seoul-vmm-test.iso

[0] https://depot.genode.org/alex-ab/images/seoul-vmm-test.iso
[1] https://depot.genode.org/alex-ab/images/seoul-vmm-good.txt
[2] https://depot.genode.org/alex-ab/images/seoul-vmm-bad.txt

--
Alexander Boettcher
Genode Labs

https://www.genode-labs.com - https://www.genode.org

Genode Labs GmbH - Local Court Dresden - HRB 28424 - Registered office Dresden
Managing directors: Dr.-Ing. Norman Feske, Christian Helmuth

Signed-off-by: Alexander Boettcher --- target/i386/excp_helper.c | 4 ++-- target/i386/svm.h | 1 + target/i386/svm_helper.c | 7 ++++++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/target/i386/excp_helper.c b/target/i386/excp_helper.c index 1447bda7a9..b10c7ecbcc 100644 --- a/target/i386/excp_helper.c +++ b/target/i386/excp_helper.c @@ -262,8 +262,8 @@ static hwaddr get_hphys(CPUState *cs, hwaddr gphys, MMU= AccessType access_type, } ptep =3D pde | PG_NX_MASK; =20 - /* if PSE bit is set, then we use a 4MB page */ - if ((pde & PG_PSE_MASK) && (env->cr[4] & CR4_PSE_MASK)) { + /* if host cr4 PSE bit is set, then we use a 4MB page */ + if ((pde & PG_PSE_MASK) && (env->nested_pg_mode & SVM_NPT_PSE)) { page_size =3D 4096 * 1024; pte_addr =3D pde_addr; =20 diff --git a/target/i386/svm.h b/target/i386/svm.h index 23a3a040b8..ae30fc6f79 100644 --- a/target/i386/svm.h +++ b/target/i386/svm.h 
@@ -135,6 +135,7 @@ #define SVM_NPT_PAE (1 << 0) #define SVM_NPT_LMA (1 << 1) #define SVM_NPT_NXE (1 << 2) +#define SVM_NPT_PSE (1 << 3) =20 #define SVM_NPTEXIT_P (1ULL << 0) #define SVM_NPTEXIT_RW (1ULL << 1) diff --git a/target/i386/svm_helper.c b/target/i386/svm_helper.c index 7b8105a1c3..6224387eab 100644 --- a/target/i386/svm_helper.c +++ b/target/i386/svm_helper.c @@ -209,16 +209,21 @@ void helper_vmrun(CPUX86State *env, int aflag, int ne= xt_eip_addend) =20 nested_ctl =3D x86_ldq_phys(cs, env->vm_vmcb + offsetof(struct vmcb, control.nested_c= tl)); + + env->nested_pg_mode =3D 0; + if (nested_ctl & SVM_NPT_ENABLED) { env->nested_cr3 =3D x86_ldq_phys(cs, env->vm_vmcb + offsetof(struct vmcb, control.nested_cr3= )); env->hflags2 |=3D HF2_NPT_MASK; =20 - env->nested_pg_mode =3D 0; if (env->cr[4] & CR4_PAE_MASK) { env->nested_pg_mode |=3D SVM_NPT_PAE; } + if (env->cr[4] & CR4_PSE_MASK) { + env->nested_pg_mode |=3D SVM_NPT_PSE; + } if (env->hflags & HF_LMA_MASK) { env->nested_pg_mode |=3D SVM_NPT_LMA; } --=20 2.17.1
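Review bot: the commit message should say why env->cr[4] is the wrong register in the excp_helper.c hunk, namely that at this point in get_hphys() it holds the nested guest's CR4 loaded at VMRUN while the page tables being walked belong to the host, and it should name the TCG/SVM NPT commit that introduced the regression with a Fixes: tag instead of only noting that it "seems to" have. The replacement itself is consistent with its surroundings: the 4096 * 1024 page size shows this is the legacy non-PAE path, the only paging mode in which CR4.PSE gates large pages, so the SVM_NPT_PSE snapshot of the host's CR4 is exactly the value this branch needs.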
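Review bot: SVM_NPT_PSE (1 << 3) in the svm.h hunk continues the existing SVM_NPT_PAE/LMA/NXE bit layout, so nothing to object to in the define itself; one question for the cover letter is whether nested_pg_mode is part of migrated CPU state, because a VM saved by a QEMU without this patch would arrive with the new bit clear and be walked as if the host had CR4.PSE off, which is the very condition this patch fixes.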
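Review bot: moving env->nested_pg_mode = 0 out of the if (nested_ctl & SVM_NPT_ENABLED) block in the svm_helper.c hunk is a second behavioural change bundled in with the PSE fix: the mode word is now cleared on every VMRUN rather than only when NPT is enabled, so a value left over from an earlier NPT-enabled VMRUN no longer lingers when a later VMCB has NPT off. That is the right thing to do, but it is independent of the PSE bit and deserves its own sentence in the commit message (or a separate patch). The new CR4_PSE_MASK capture also relies on env->cr[4] still holding the host's CR4 at this point in helper_vmrun(), the same assumption the adjacent CR4_PAE_MASK line already makes; a one-line comment above the block saying so would save the next reader a trip through the VMCB load order.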
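To make the regression described in the report concrete, here is an added model (written for this page, not QEMU code) of the legacy 32-bit page-directory walk that get_hphys() performs for NPT: the same page directory entry resolves to different host physical addresses depending on whether the host's or the guest's CR4.PSE is consulted. The memory contents, the page directory at 0x1000 and the stale word at 0x4 are all constructed.

```c
#include <stdint.h>
#include <string.h>

/* Bit positions follow x86 32-bit non-PAE paging; names mirror QEMU's. */
#define CR4_PSE_MASK    (1u << 4)
#define PG_PRESENT_MASK (1u << 0)
#define PG_PSE_MASK     (1u << 7)   /* PDE.PS: 4 MB page, if CR4.PSE is honoured */
#define PHYS_MEM_SIZE   (64 * 1024)

/* Constructed "host physical memory" holding the hypervisor's page directory. */
static uint8_t phys_mem[PHYS_MEM_SIZE];

static uint32_t read_phys32(uint32_t addr)
{
    uint32_t v = 0;                 /* out-of-range reads as 0: not present */
    if (addr + 4 <= PHYS_MEM_SIZE) {
        memcpy(&v, &phys_mem[addr], 4);
    }
    return v;
}

/* The host identity-maps its first 4 MB with one PSE page directory entry at
 * PD base 0x1000; the stale word at 0x4 is constructed so that a walk which
 * ignores PDE.PS "finds" a plausible page table entry there. */
static void setup_tables(void)
{
    uint32_t pde = 0x00000000u | PG_PSE_MASK | PG_PRESENT_MASK;
    uint32_t stale = 0x00005003u;
    memset(phys_mem, 0, sizeof(phys_mem));
    memcpy(&phys_mem[0x1000], &pde, 4);
    memcpy(&phys_mem[0x0004], &stale, 4);
}

/* Model of get_hphys()'s legacy path: the caller passes the CR4 value that
 * decides whether PDE.PS is honoured, which is exactly what the patch fixes. */
static uint32_t walk(uint32_t pd_base, uint32_t gphys, uint32_t cr4_used)
{
    uint32_t pde = read_phys32((pd_base & ~0xfffu) + ((gphys >> 22) & 0x3ffu) * 4);
    if (!(pde & PG_PRESENT_MASK)) {
        return 0xffffffffu;         /* would raise an NPT fault */
    }
    if ((pde & PG_PSE_MASK) && (cr4_used & CR4_PSE_MASK)) {
        return (pde & 0xffc00000u) | (gphys & 0x3fffffu);   /* 4 MB page */
    }
    uint32_t pte = read_phys32((pde & ~0xfffu) + ((gphys >> 12) & 0x3ffu) * 4);
    if (!(pte & PG_PRESENT_MASK)) {
        return 0xffffffffu;
    }
    return (pte & 0xfffff000u) | (gphys & 0xfffu);
}
```

With the host's CR4 (PSE set) guest-physical 0x1234 resolves through the 4 MB page to host-physical 0x1234; with the guest's CR4 (PSE clear) the walker misreads the same PDE as a page-table pointer and returns 0x5234, the stale-content symptom the report describes.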