From: peterx
Subject: [PULL 14/34] physmem: Fix wrong address in large address_space_read/write_cached_slow()
Date: Mon, 11 Mar 2024 17:59:05 -0400
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
If the access is bigger than the MemoryRegion supports,
flatview_read/write_continue() will attempt to update the Memory Region,
but the address passed to flatview_translate() is relative to the cache, not
to the FlatView.
On arm/virt with interleaved CXL memory emulation and virtio-blk-pci this
led to the first part of the descriptor being read from the CXL memory and the
second part from PA 0x8, which happens to be a blank region
of a flash chip and all ffs on this particular configuration.
Note this test requires the out of tree ARM support for CXL, but
the problem is more general.
Avoid this by adding new address_space_read_continue_cached()
and address_space_write_continue_cached() which share all the logic
with the flatview versions except for the MemoryRegion lookup which
is unnecessary as the MemoryRegionCache only covers one MemoryRegion.
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Link: https://lore.kernel.org/r/20240307153710.30907-5-Jonathan.Cameron@huawei.com
Signed-off-by: Peter Xu <peterx@redhat.com>
---
system/physmem.c | 63 +++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 57 insertions(+), 6 deletions(-)
diff --git a/system/physmem.c b/system/physmem.c
index 737869a3f5..6cfb7a80ab 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -3370,6 +3370,59 @@ static inline MemoryRegion
*address_space_translate_cached(
return section.mr;
}
+/* Called within RCU critical section. */
+static MemTxResult address_space_write_continue_cached(MemTxAttrs attrs,
+ const void *ptr,
+ hwaddr len,
+ hwaddr mr_addr,
+ hwaddr l,
+ MemoryRegion *mr)
+{
+ MemTxResult result = MEMTX_OK;
+ const uint8_t *buf = ptr;
+
+ for (;;) {
+ result |= flatview_write_continue_step(attrs, buf, len, mr_addr, &l,
+ mr);
+
+ len -= l;
+ buf += l;
+ mr_addr += l;
+
+ if (!len) {
+ break;
+ }
+
+ l = len;
+ }
+
+ return result;
+}
+
+/* Called within RCU critical section. */
+static MemTxResult address_space_read_continue_cached(MemTxAttrs attrs,
+ void *ptr, hwaddr len,
+ hwaddr mr_addr, hwaddr l,
+ MemoryRegion *mr)
+{
+ MemTxResult result = MEMTX_OK;
+ uint8_t *buf = ptr;
+
+ for (;;) {
+ result |= flatview_read_continue_step(attrs, buf, len, mr_addr, &l,
mr);
+ len -= l;
+ buf += l;
+ mr_addr += l;
+
+ if (!len) {
+ break;
+ }
+ l = len;
+ }
+
+ return result;
+}
+
/* Called from RCU critical section. address_space_read_cached uses this
* out of line function when the target is an MMIO or IOMMU region.
*/
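Review bot: address_space_read_continue_cached() and address_space_write_continue_cached() carry no comment on their contract, and the contract is the whole point of this fix: `mr_addr` is relative to `mr` (not to the cache, not to the FlatView) and `l` is the length already translated for the first step, so `l <= len` must hold or `len -= l` underflows. Suggest extending the "Called within RCU critical section." header with that, and an `assert(l <= len)` before the loop is cheap insurance against a caller handing in a FlatView-derived length. Minor style: the read variant drops the blank line after the flatview_read_continue_step() call that the write variant keeps, and the two loops are otherwise identical.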
@@ -3383,9 +3436,8 @@ address_space_read_cached_slow(MemoryRegionCache *cache,
hwaddr addr,
l = len;
mr = address_space_translate_cached(cache, addr, &mr_addr, &l, false,
MEMTXATTRS_UNSPECIFIED);
- return flatview_read_continue(cache->fv,
- addr, MEMTXATTRS_UNSPECIFIED, buf, len,
- mr_addr, l, mr);
+ return address_space_read_continue_cached(MEMTXATTRS_UNSPECIFIED,
+ buf, len, mr_addr, l, mr);
}
/* Called from RCU critical section. address_space_write_cached uses this
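Review bot: Dropping `cache->fv` and `addr` from the continuation is the right fix, since `mr_addr` from address_space_translate_cached() is already region-relative and the cache spans a single MemoryRegion. However `addr` is still consumed by the translate call on the line above with nothing saying it is cache-relative, which is exactly the confusion the old `flatview_read_continue(cache->fv, addr, ...)` call fell into; a one-line comment there (or a rename to something like `cache_addr` in a follow-up) would make a regression harder. Also worth a sentence in the function comment that `len` stays the full request while `l` is only the first-step length, because the new helper relies on that pairing.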
@@ -3401,9 +3453,8 @@ address_space_write_cached_slow(MemoryRegionCache *cache,
hwaddr addr,
l = len;
mr = address_space_translate_cached(cache, addr, &mr_addr, &l, true,
MEMTXATTRS_UNSPECIFIED);
- return flatview_write_continue(cache->fv,
- addr, MEMTXATTRS_UNSPECIFIED, buf, len,
- mr_addr, l, mr);
+ return address_space_write_continue_cached(MEMTXATTRS_UNSPECIFIED,
+ buf, len, mr_addr, l, mr);
}
#define ARG1_DECL MemoryRegionCache *cache
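Review bot: This hunk is the mirror of the read hunk, with the `true` is_write flag and the helper name as the only differences, so whatever comment or rename lands on the read side should be mirrored here to keep the two slow paths in step. Both slow paths also hard-code MEMTXATTRS_UNSPECIFIED twice, once for translate and once for the continuation; fine for this fix, but if attrs are ever plumbed into the cached API both calls must change together, so a single local `attrs` would be cheap to add now.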
--
2.44.0
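The scenario in the commit message, reduced to a constructed toy model in C: this is an added example, not QEMU code. A two-region "FlatView" (region 0 at PA 0x0 standing in for the blank flash, region 1 at PA 0x1000 standing in for the CXL memory) and a cache window over region 1 are assumed, with an assumed 8-byte per-access limit so that a 16-byte descriptor read is split. The pre-fix loop re-translates the cache-relative `addr` as if it were a FlatView address and pulls the second half from PA 0x8; the post-fix loop advances `mr_addr` inside the cache's single region instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model, not QEMU: region 0 plays the all-0xff flash at PA 0,
 * region 1 plays the CXL memory backing the virtio descriptor. */
#define MAX_ACCESS 8   /* assumed per-access limit; forces a 16-byte read to split */

typedef struct {
    uint64_t base;      /* guest physical address where the region starts */
    uint64_t size;
    uint8_t *backing;
} Region;

typedef struct {
    Region *mr;         /* the single region the cache covers */
    uint64_t base;      /* offset of the cache window inside mr */
    uint64_t len;
} RegionCache;

static uint8_t flash[0x100];
static uint8_t cxl[0x100];
static Region flatview[2] = {
    { 0x0,    sizeof flash, flash },
    { 0x1000, sizeof cxl,   cxl },
};

/* FlatView lookup: guest physical address -> region and region-relative offset. */
static Region *flatview_translate(uint64_t pa, uint64_t *mr_addr)
{
    for (size_t i = 0; i < 2; i++) {
        if (pa >= flatview[i].base && pa < flatview[i].base + flatview[i].size) {
            *mr_addr = pa - flatview[i].base;
            return &flatview[i];
        }
    }
    return NULL;
}

/* One bounded access step within a region; returns the bytes copied. */
static uint64_t read_step(Region *mr, uint64_t mr_addr, uint8_t *buf, uint64_t len)
{
    uint64_t l = len > MAX_ACCESS ? MAX_ACCESS : len;
    if (mr_addr + l > mr->size) {
        l = mr->size - mr_addr;
    }
    memcpy(buf, mr->backing + mr_addr, l);
    return l;
}

/* Pre-fix behaviour: the continuation re-translates the cache-relative addr
 * as if it were a FlatView address, so the second chunk lands in the wrong region. */
static int buggy_read_cached(RegionCache *cache, uint64_t addr, uint8_t *buf, uint64_t len)
{
    Region *mr = cache->mr;
    uint64_t mr_addr = cache->base + addr;
    for (;;) {
        uint64_t l = read_step(mr, mr_addr, buf, len);
        len -= l; buf += l; addr += l;
        if (!len) return 0;
        mr = flatview_translate(addr, &mr_addr);   /* BUG: addr is cache-relative */
        if (!mr) return -1;
    }
}

/* Post-fix behaviour: stay inside the cache's one region and just advance mr_addr. */
static int fixed_read_cached(RegionCache *cache, uint64_t addr, uint8_t *buf, uint64_t len)
{
    Region *mr = cache->mr;
    uint64_t mr_addr = cache->base + addr;
    if (addr + len > cache->len) return -1;     /* request must fit the cache window */
    for (;;) {
        uint64_t l = read_step(mr, mr_addr, buf, len);
        len -= l; buf += l; mr_addr += l;
        if (!len) return 0;
    }
}

/* Run the split descriptor read and count stray 0xff bytes that leaked in
 * from the flash region; 0 means the 16-byte read came entirely from cxl. */
static int count_leaked_ff(int use_fix)
{
    memset(flash, 0xff, sizeof flash);
    for (size_t i = 0; i < sizeof cxl; i++) {
        cxl[i] = (uint8_t)i;                   /* constructed descriptor bytes 0,1,2,... */
    }
    RegionCache cache = { &flatview[1], 0, 0x100 };
    uint8_t desc[16];
    int rc = use_fix ? fixed_read_cached(&cache, 0, desc, sizeof desc)
                     : buggy_read_cached(&cache, 0, desc, sizeof desc);
    if (rc) return -1;
    int ff = 0;
    for (size_t i = 0; i < sizeof desc; i++) {
        ff += desc[i] == 0xff;
    }
    return ff;
}

int main(void)
{
    printf("buggy: %d stray 0xff bytes, fixed: %d stray 0xff bytes\n",
           count_leaked_ff(0), count_leaked_ff(1));
    return 0;
}
```

With the buggy loop the second 8-byte step resolves cache offset 8 as PA 0x8 and copies flash bytes, reproducing the half-descriptor-of-0xff symptom; the fixed loop never consults the FlatView again once the cache has named its region.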