rangeset_{xxx}_range() functions are invoked with 'start' and 'size' as
arguments which are either 'uint64_t' or 'paddr_t'. However, the function
accepts 'unsigned long' for 'start' and 'size'. 'unsigned long' is 32 bits for
Arm32. Thus, there is an implicit downcasting from 'uint64_t'/'paddr_t' to
'unsigned long' when invoking rangeset_{xxx}_range().
So, it may seem there is a possibility of lose of data due to truncation.
In reality, 'start' and 'size' are always page aligned. And Arm32 currently
supports 40 bits as the width of physical address.
So if the addresses are page aligned, the last 12 bits contain zeroes.
Thus, we could instead pass page frame number which will contain 28 bits (40-12
on Arm32) and this can be represented using 'unsigned long'.
On Arm64, this change will not induce any adverse side effect as the width of
physical address is 48 bits. Thus, the width of 'gfn' (ie 48 - 12 = 36) can be
represented using 'unsigned long' (which is 64 bits wide).
Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com>
---
Changes from -
v3 - 1. Extracted the patch from https://lists.xenproject.org/archives/html/xen-devel/2023-02/msg00657.html
and added it to this series.
2. Modified add_ext_regions(). This accepts a frame number instead of physical
address.
v4 - 1. Reworded the commit message to use Arm32/Arm64
(32-bit/64-bit Arm architecture).
2. Replaced pfn with gfn to denote guest frame number in add_ext_regions().
3. Use pfn_to_paddr() to return a physical address from the guest frame number.
xen/arch/arm/domain_build.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
index 4f9d4f9d88..c8f08d8ee2 100644
--- a/xen/arch/arm/domain_build.c
+++ b/xen/arch/arm/domain_build.c
@@ -1500,10 +1500,13 @@ static int __init make_resv_memory_node(const struct domain *d,
return res;
}
-static int __init add_ext_regions(unsigned long s, unsigned long e, void *data)
+static int __init add_ext_regions(unsigned long s_gfn, unsigned long e_gfn,
+ void *data)
{
struct meminfo *ext_regions = data;
paddr_t start, size;
+ paddr_t s = pfn_to_paddr(s_gfn);
+ paddr_t e = pfn_to_paddr(e_gfn);
if ( ext_regions->nr_banks >= ARRAY_SIZE(ext_regions->bank) )
return 0;
@@ -1566,7 +1569,8 @@ static int __init find_unallocated_memory(const struct kernel_info *kinfo,
{
start = bootinfo.mem.bank[i].start;
end = bootinfo.mem.bank[i].start + bootinfo.mem.bank[i].size;
- res = rangeset_add_range(unalloc_mem, start, end - 1);
+ res = rangeset_add_range(unalloc_mem, PFN_DOWN(start),
+ PFN_DOWN(end - 1));
if ( res )
{
printk(XENLOG_ERR "Failed to add: %#"PRIpaddr"->%#"PRIpaddr"\n",
@@ -1580,7 +1584,8 @@ static int __init find_unallocated_memory(const struct kernel_info *kinfo,
{
start = assign_mem->bank[i].start;
end = assign_mem->bank[i].start + assign_mem->bank[i].size;
- res = rangeset_remove_range(unalloc_mem, start, end - 1);
+ res = rangeset_remove_range(unalloc_mem, PFN_DOWN(start),
+ PFN_DOWN(end - 1));
if ( res )
{
printk(XENLOG_ERR "Failed to remove: %#"PRIpaddr"->%#"PRIpaddr"\n",
@@ -1595,7 +1600,8 @@ static int __init find_unallocated_memory(const struct kernel_info *kinfo,
start = bootinfo.reserved_mem.bank[i].start;
end = bootinfo.reserved_mem.bank[i].start +
bootinfo.reserved_mem.bank[i].size;
- res = rangeset_remove_range(unalloc_mem, start, end - 1);
+ res = rangeset_remove_range(unalloc_mem, PFN_DOWN(start),
+ PFN_DOWN(end - 1));
if ( res )
{
printk(XENLOG_ERR "Failed to remove: %#"PRIpaddr"->%#"PRIpaddr"\n",
@@ -1607,7 +1613,7 @@ static int __init find_unallocated_memory(const struct kernel_info *kinfo,
/* Remove grant table region */
start = kinfo->gnttab_start;
end = kinfo->gnttab_start + kinfo->gnttab_size;
- res = rangeset_remove_range(unalloc_mem, start, end - 1);
+ res = rangeset_remove_range(unalloc_mem, PFN_DOWN(start), PFN_DOWN(end - 1));
if ( res )
{
printk(XENLOG_ERR "Failed to remove: %#"PRIpaddr"->%#"PRIpaddr"\n",
@@ -1617,7 +1623,7 @@ static int __init find_unallocated_memory(const struct kernel_info *kinfo,
start = 0;
end = (1ULL << p2m_ipa_bits) - 1;
- res = rangeset_report_ranges(unalloc_mem, start, end,
+ res = rangeset_report_ranges(unalloc_mem, PFN_DOWN(start), PFN_DOWN(end),
add_ext_regions, ext_regions);
if ( res )
ext_regions->nr_banks = 0;
@@ -1639,7 +1645,7 @@ static int __init handle_pci_range(const struct dt_device_node *dev,
start = addr & PAGE_MASK;
end = PAGE_ALIGN(addr + len);
- res = rangeset_remove_range(mem_holes, start, end - 1);
+ res = rangeset_remove_range(mem_holes, PFN_DOWN(start), PFN_DOWN(end - 1));
if ( res )
{
printk(XENLOG_ERR "Failed to remove: %#"PRIpaddr"->%#"PRIpaddr"\n",
@@ -1677,7 +1683,7 @@ static int __init find_memory_holes(const struct kernel_info *kinfo,
/* Start with maximum possible addressable physical memory range */
start = 0;
end = (1ULL << p2m_ipa_bits) - 1;
- res = rangeset_add_range(mem_holes, start, end);
+ res = rangeset_add_range(mem_holes, PFN_DOWN(start), PFN_DOWN(end));
if ( res )
{
printk(XENLOG_ERR "Failed to add: %#"PRIpaddr"->%#"PRIpaddr"\n",
@@ -1708,7 +1714,8 @@ static int __init find_memory_holes(const struct kernel_info *kinfo,
start = addr & PAGE_MASK;
end = PAGE_ALIGN(addr + size);
- res = rangeset_remove_range(mem_holes, start, end - 1);
+ res = rangeset_remove_range(mem_holes, PFN_DOWN(start),
+ PFN_DOWN(end - 1));
if ( res )
{
printk(XENLOG_ERR "Failed to remove: %#"PRIpaddr"->%#"PRIpaddr"\n",
@@ -1735,7 +1742,7 @@ static int __init find_memory_holes(const struct kernel_info *kinfo,
start = 0;
end = (1ULL << p2m_ipa_bits) - 1;
- res = rangeset_report_ranges(mem_holes, start, end,
+ res = rangeset_report_ranges(mem_holes, PFN_DOWN(start), PFN_DOWN(end),
add_ext_regions, ext_regions);
if ( res )
ext_regions->nr_banks = 0;
--
2.17.1Hi Ayan,
On 13/04/2023 19:37, Ayan Kumar Halder wrote:
>
>
> rangeset_{xxx}_range() functions are invoked with 'start' and 'size' as
> arguments which are either 'uint64_t' or 'paddr_t'. However, the function
> accepts 'unsigned long' for 'start' and 'size'. 'unsigned long' is 32 bits for
> Arm32. Thus, there is an implicit downcasting from 'uint64_t'/'paddr_t' to
> 'unsigned long' when invoking rangeset_{xxx}_range().
>
> So, it may seem there is a possibility of lose of data due to truncation.
>
> In reality, 'start' and 'size' are always page aligned. And Arm32 currently
> supports 40 bits as the width of physical address.
> So if the addresses are page aligned, the last 12 bits contain zeroes.
> Thus, we could instead pass page frame number which will contain 28 bits (40-12
> on Arm32) and this can be represented using 'unsigned long'.
>
> On Arm64, this change will not induce any adverse side effect as the width of
> physical address is 48 bits.
NIT: This reads as const, so it would be better to write: "as the max supported width of ..."
Thus, the width of 'gfn' (ie 48 - 12 = 36) can be
> represented using 'unsigned long' (which is 64 bits wide).
>
> Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com>
With or without (after all this is just a commit msg):
Reviewed-by: Michal Orzel <michal.orzel@amd.com>
~Michal
Hi,
On 19/04/2023 13:05, Michal Orzel wrote:
> On 13/04/2023 19:37, Ayan Kumar Halder wrote:
>>
>>
>> rangeset_{xxx}_range() functions are invoked with 'start' and 'size' as
>> arguments which are either 'uint64_t' or 'paddr_t'. However, the function
>> accepts 'unsigned long' for 'start' and 'size'. 'unsigned long' is 32 bits for
>> Arm32. Thus, there is an implicit downcasting from 'uint64_t'/'paddr_t' to
>> 'unsigned long' when invoking rangeset_{xxx}_range().
>>
>> So, it may seem there is a possibility of lose of data due to truncation.
>>
>> In reality, 'start' and 'size' are always page aligned. And Arm32 currently
>> supports 40 bits as the width of physical address.
>> So if the addresses are page aligned, the last 12 bits contain zeroes.
>> Thus, we could instead pass page frame number which will contain 28 bits (40-12
>> on Arm32) and this can be represented using 'unsigned long'.
>>
>> On Arm64, this change will not induce any adverse side effect as the width of
>> physical address is 48 bits.
> NIT: This reads as const, so it would be better to write: "as the max supported width of ..."
>
> Thus, the width of 'gfn' (ie 48 - 12 = 36) can be
>> represented using 'unsigned long' (which is 64 bits wide).
>>
>> Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@amd.com>
>
> With or without (after all this is just a commit msg):
It is always good to have accurate commit message for the future reader.
> Reviewed-by: Michal Orzel <michal.orzel@amd.com>
Acked-by: Julien Grall <jgrall@amazon.com>
--
Julien Grall
© 2016 - 2024 Red Hat, Inc.