From 064565e76b986a42d9cdcba72965887528cea90a Mon Sep 17 00:00:00 2001

From: Maxim Levitsky <mlevitsk@redhat.com>

Date: Sun, 22 Dec 2019 11:02:06 +0100

Subject: [PATCH 1/7] exec: Fix MAP_RAM for cached access

RH-Author: Maxim Levitsky <mlevitsk@redhat.com>

Message-id: <20191222110207.21384-2-mlevitsk@redhat.com>

Patchwork-id: 93207

O-Subject: [RHEL-8.2.0 qemu-kvm PATCH 1/2] exec: Fix MAP_RAM for cached access

Bugzilla: 1769613

RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>

RH-Acked-by: Cornelia Huck <cohuck@redhat.com>

RH-Acked-by: Peter Xu <peterx@redhat.com>

From: Eric Auger <eric.auger@redhat.com>

When an IOMMUMemoryRegion is in front of a virtio device,

address_space_cache_init does not set cache->ptr as the memory

region is not RAM. However when the device performs an access,

we end up in glue() which performs the translation and then uses

MAP_RAM. This latter uses the unset ptr and returns a wrong value

which leads to a SIGSEV in address_space_lduw_internal_cached_slow,

for instance.

In slow path cache->ptr is NULL and MAP_RAM must redirect to

qemu_map_ram_ptr((mr)->ram_block, ofs).

As MAP_RAM, IS_DIRECT and INVALIDATE are the same in _cached_slow

and non cached mode, let's remove those macros.

This fixes the use cases featuring vIOMMU (Intel and ARM SMMU)

which lead to a SIGSEV.

Fixes: 48564041a73a (exec: reintroduce MemoryRegion caching)

Signed-off-by: Eric Auger <eric.auger@redhat.com>

Message-Id: <1528895946-28677-1-git-send-email-eric.auger@redhat.com>

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

(cherry picked from commit a99761d3c85679da380c0f597468acd3dc1b53b3)

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>

---

 exec.c            |  6 ------

 memory_ldst.inc.c | 47 ++++++++++++++++++++++-------------------------

 2 files changed, 22 insertions(+), 31 deletions(-)

diff --git a/exec.c b/exec.c

index 9112d8b..86218ef 100644

--- a/exec.c

+++ b/exec.c

@@ -3608,9 +3608,6 @@ void cpu_physical_memory_unmap(void *buffer, hwaddr len,

 #define ARG1                     as

 #define SUFFIX

 #define TRANSLATE(...)           address_space_translate(as, __VA_ARGS__)

-#define IS_DIRECT(mr, is_write)  memory_access_is_direct(mr, is_write)

-#define MAP_RAM(mr, ofs)         qemu_map_ram_ptr((mr)->ram_block, ofs)

-#define INVALIDATE(mr, ofs, len) invalidate_and_set_dirty(mr, ofs, len)

 #define RCU_READ_LOCK(...)       rcu_read_lock()

 #define RCU_READ_UNLOCK(...)     rcu_read_unlock()

 #include "memory_ldst.inc.c"

@@ -3643,9 +3640,6 @@ void address_space_cache_destroy(MemoryRegionCache *cache)

 #define SUFFIX                   _cached

 #define TRANSLATE(addr, ...)     \

     address_space_translate(cache->as, cache->xlat + (addr), __VA_ARGS__)

-#define IS_DIRECT(mr, is_write)  true

-#define MAP_RAM(mr, ofs)         qemu_map_ram_ptr((mr)->ram_block, ofs)

-#define INVALIDATE(mr, ofs, len) invalidate_and_set_dirty(mr, ofs, len)

 #define RCU_READ_LOCK()          rcu_read_lock()

 #define RCU_READ_UNLOCK()        rcu_read_unlock()

 #include "memory_ldst.inc.c"

diff --git a/memory_ldst.inc.c b/memory_ldst.inc.c

index 5dbff9c..a30060c 100644

--- a/memory_ldst.inc.c

+++ b/memory_ldst.inc.c

@@ -34,7 +34,7 @@ static inline uint32_t glue(address_space_ldl_internal, SUFFIX)(ARG1_DECL,

     RCU_READ_LOCK();

     mr = TRANSLATE(addr, &addr1, &l, false);

-    if (l < 4 || !IS_DIRECT(mr, false)) {

+    if (l < 4 || !memory_access_is_direct(mr, false)) {

         release_lock |= prepare_mmio_access(mr);

         /* I/O case */

@@ -50,7 +50,7 @@ static inline uint32_t glue(address_space_ldl_internal, SUFFIX)(ARG1_DECL,

 #endif

     } else {

         /* RAM case */

-        ptr = MAP_RAM(mr, addr1);

+        ptr = qemu_map_ram_ptr(mr->ram_block, addr1);

         switch (endian) {

         case DEVICE_LITTLE_ENDIAN:

             val = ldl_le_p(ptr);

@@ -128,7 +128,7 @@ static inline uint64_t glue(address_space_ldq_internal, SUFFIX)(ARG1_DECL,

     RCU_READ_LOCK();

     mr = TRANSLATE(addr, &addr1, &l, false);

-    if (l < 8 || !IS_DIRECT(mr, false)) {

+    if (l < 8 || !memory_access_is_direct(mr, false)) {

         release_lock |= prepare_mmio_access(mr);

         /* I/O case */

@@ -144,7 +144,7 @@ static inline uint64_t glue(address_space_ldq_internal, SUFFIX)(ARG1_DECL,

 #endif

     } else {

         /* RAM case */

-        ptr = MAP_RAM(mr, addr1);

+        ptr = qemu_map_ram_ptr(mr->ram_block, addr1);

         switch (endian) {

         case DEVICE_LITTLE_ENDIAN:

             val = ldq_le_p(ptr);

@@ -220,14 +220,14 @@ uint32_t glue(address_space_ldub, SUFFIX)(ARG1_DECL,

     RCU_READ_LOCK();

     mr = TRANSLATE(addr, &addr1, &l, false);

-    if (!IS_DIRECT(mr, false)) {

+    if (!memory_access_is_direct(mr, false)) {

         release_lock |= prepare_mmio_access(mr);

         /* I/O case */

         r = memory_region_dispatch_read(mr, addr1, &val, 1, attrs);

     } else {

         /* RAM case */

-        ptr = MAP_RAM(mr, addr1);

+        ptr = qemu_map_ram_ptr(mr->ram_block, addr1);

         val = ldub_p(ptr);

         r = MEMTX_OK;

     }

@@ -262,7 +262,7 @@ static inline uint32_t glue(address_space_lduw_internal, SUFFIX)(ARG1_DECL,

     RCU_READ_LOCK();

     mr = TRANSLATE(addr, &addr1, &l, false);

-    if (l < 2 || !IS_DIRECT(mr, false)) {

+    if (l < 2 || !memory_access_is_direct(mr, false)) {

         release_lock |= prepare_mmio_access(mr);

         /* I/O case */

@@ -278,7 +278,7 @@ static inline uint32_t glue(address_space_lduw_internal, SUFFIX)(ARG1_DECL,

 #endif

     } else {

         /* RAM case */

-        ptr = MAP_RAM(mr, addr1);

+        ptr = qemu_map_ram_ptr(mr->ram_block, addr1);

         switch (endian) {

         case DEVICE_LITTLE_ENDIAN:

             val = lduw_le_p(ptr);

@@ -357,12 +357,12 @@ void glue(address_space_stl_notdirty, SUFFIX)(ARG1_DECL,

     RCU_READ_LOCK();

     mr = TRANSLATE(addr, &addr1, &l, true);

-    if (l < 4 || !IS_DIRECT(mr, true)) {

+    if (l < 4 || !memory_access_is_direct(mr, true)) {

         release_lock |= prepare_mmio_access(mr);

         r = memory_region_dispatch_write(mr, addr1, val, 4, attrs);

     } else {

-        ptr = MAP_RAM(mr, addr1);

+        ptr = qemu_map_ram_ptr(mr->ram_block, addr1);

         stl_p(ptr, val);

         dirty_log_mask = memory_region_get_dirty_log_mask(mr);

@@ -400,7 +400,7 @@ static inline void glue(address_space_stl_internal, SUFFIX)(ARG1_DECL,

     RCU_READ_LOCK();

     mr = TRANSLATE(addr, &addr1, &l, true);

-    if (l < 4 || !IS_DIRECT(mr, true)) {

+    if (l < 4 || !memory_access_is_direct(mr, true)) {

         release_lock |= prepare_mmio_access(mr);

 #if defined(TARGET_WORDS_BIGENDIAN)

@@ -415,7 +415,7 @@ static inline void glue(address_space_stl_internal, SUFFIX)(ARG1_DECL,

         r = memory_region_dispatch_write(mr, addr1, val, 4, attrs);

     } else {

         /* RAM case */

-        ptr = MAP_RAM(mr, addr1);

+        ptr = qemu_map_ram_ptr(mr->ram_block, addr1);

         switch (endian) {

         case DEVICE_LITTLE_ENDIAN:

             stl_le_p(ptr, val);

@@ -427,7 +427,7 @@ static inline void glue(address_space_stl_internal, SUFFIX)(ARG1_DECL,

             stl_p(ptr, val);

             break;

         }

-        INVALIDATE(mr, addr1, 4);

+        invalidate_and_set_dirty(mr, addr1, 4);

         r = MEMTX_OK;

     }

     if (result) {

@@ -490,14 +490,14 @@ void glue(address_space_stb, SUFFIX)(ARG1_DECL,

     RCU_READ_LOCK();

     mr = TRANSLATE(addr, &addr1, &l, true);

-    if (!IS_DIRECT(mr, true)) {

+    if (!memory_access_is_direct(mr, true)) {

         release_lock |= prepare_mmio_access(mr);

         r = memory_region_dispatch_write(mr, addr1, val, 1, attrs);

     } else {

         /* RAM case */

-        ptr = MAP_RAM(mr, addr1);

+        ptr = qemu_map_ram_ptr(mr->ram_block, addr1);

         stb_p(ptr, val);

-        INVALIDATE(mr, addr1, 1);

+        invalidate_and_set_dirty(mr, addr1, 1);

         r = MEMTX_OK;

     }

     if (result) {

@@ -529,7 +529,7 @@ static inline void glue(address_space_stw_internal, SUFFIX)(ARG1_DECL,

     RCU_READ_LOCK();

     mr = TRANSLATE(addr, &addr1, &l, true);

-    if (l < 2 || !IS_DIRECT(mr, true)) {

+    if (l < 2 || !memory_access_is_direct(mr, true)) {

         release_lock |= prepare_mmio_access(mr);

 #if defined(TARGET_WORDS_BIGENDIAN)

@@ -544,7 +544,7 @@ static inline void glue(address_space_stw_internal, SUFFIX)(ARG1_DECL,

         r = memory_region_dispatch_write(mr, addr1, val, 2, attrs);

     } else {

         /* RAM case */

-        ptr = MAP_RAM(mr, addr1);

+        ptr = qemu_map_ram_ptr(mr->ram_block, addr1);

         switch (endian) {

         case DEVICE_LITTLE_ENDIAN:

             stw_le_p(ptr, val);

@@ -556,7 +556,7 @@ static inline void glue(address_space_stw_internal, SUFFIX)(ARG1_DECL,

             stw_p(ptr, val);

             break;

         }

-        INVALIDATE(mr, addr1, 2);

+        invalidate_and_set_dirty(mr, addr1, 2);

         r = MEMTX_OK;

     }

     if (result) {

@@ -620,7 +620,7 @@ static void glue(address_space_stq_internal, SUFFIX)(ARG1_DECL,

     RCU_READ_LOCK();

     mr = TRANSLATE(addr, &addr1, &l, true);

-    if (l < 8 || !IS_DIRECT(mr, true)) {

+    if (l < 8 || !memory_access_is_direct(mr, true)) {

         release_lock |= prepare_mmio_access(mr);

 #if defined(TARGET_WORDS_BIGENDIAN)

@@ -635,7 +635,7 @@ static void glue(address_space_stq_internal, SUFFIX)(ARG1_DECL,

         r = memory_region_dispatch_write(mr, addr1, val, 8, attrs);

     } else {

         /* RAM case */

-        ptr = MAP_RAM(mr, addr1);

+        ptr = qemu_map_ram_ptr(mr->ram_block, addr1);

         switch (endian) {

         case DEVICE_LITTLE_ENDIAN:

             stq_le_p(ptr, val);

@@ -647,7 +647,7 @@ static void glue(address_space_stq_internal, SUFFIX)(ARG1_DECL,

             stq_p(ptr, val);

             break;

         }

-        INVALIDATE(mr, addr1, 8);

+        invalidate_and_set_dirty(mr, addr1, 8);

         r = MEMTX_OK;

     }

     if (result) {

@@ -702,8 +702,5 @@ void glue(stq_be_phys, SUFFIX)(ARG1_DECL, hwaddr addr, uint64_t val)

 #undef ARG1

 #undef SUFFIX

 #undef TRANSLATE

-#undef IS_DIRECT

-#undef MAP_RAM

-#undef INVALIDATE

 #undef RCU_READ_LOCK

 #undef RCU_READ_UNLOCK

-- 

1.8.3.1