From: Marc Zyngier <marc.zyngier@arm.com>
To: "marek.majtyka" <marek.majtyka@tieto.com>, christoffer.dall@linaro.org
Cc: kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] kvm: arm: LPAE: Incorrect device to IPA mapping
Date: Wed, 16 Sep 2015 11:33:37 +0100 [thread overview]
Message-ID: <55F94581.2060002@arm.com> (raw)
In-Reply-To: <1442397895-2124-1-git-send-email-marek.majtyka@tieto.com>
Hi Marek,
On 16/09/15 11:04, marek.majtyka wrote:
> From: Marek Majtyka <marek.majtyka@tieto.com>
>
> A critical bug has been found in device memory stage1 translation for machines
> with more then 4GB of RAM. Once vm_pgoff size is smaller then pa (which is true
> for LPAE case, u32 and u64 respectively) some more significant bits of pa may
> be lost as a shift operation is performed on u32 and later cast onto u64.
>
> Example: vm_pgoff(u32)=0x00210030, PAGE_SHIFT=12
> expected pa(u64): 0x0000002010030000
> produced pa(u64): 0x0000000010030000
>
> A suggested fix is changing the order of operations (casting first onto
> phys_addr_t and then shifting), which works for both alternatives
> (with and without LPAE).
Well, you can't use KVM without LPAE, so that's a moot point. Also, the
issue is when you place things above 4GB, not when you have more than
4GB of RAM (I cannot see how you allocate that amount of memory from
userspace on 32bit).
>
> A bug has been found, fixed and tested on kernel v3.19. However, it seems to be
> valid for most, if not all, newer version starting from v3.18.
>
> Signed-off-by: Marek Majtyka <marek.majtyka@tieto.com>
> ---
> arch/arm/kvm/mmu.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
> index 1366625..602bc63 100644
> --- a/arch/arm/kvm/mmu.c
> +++ b/arch/arm/kvm/mmu.c
> @@ -1408,7 +1408,8 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
> if (vma->vm_flags & VM_PFNMAP) {
> gpa_t gpa = mem->guest_phys_addr +
> (vm_start - mem->userspace_addr);
> - phys_addr_t pa = (vma->vm_pgoff << PAGE_SHIFT) +
> + phys_addr_t pa =
> + ((phys_addr_t) vma->vm_pgoff << PAGE_SHIFT) +
> vm_start - vma->vm_start;
>
> ret = kvm_phys_addr_ioremap(kvm, gpa, pa,
>
Looks perfectly valid to me (the formatting is horrible, but I can fix
that - I can only guess you've followed checkpatch's silly advise).
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Christoffer: if you're OK with that one, I'll add it to the next batch
of fixes.
Thanks,
M.
--
Jazz is not dead. It just smells funny...
WARNING: multiple messages have this Message-ID (diff)
From: marc.zyngier@arm.com (Marc Zyngier)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] kvm: arm: LPAE: Incorrect device to IPA mapping
Date: Wed, 16 Sep 2015 11:33:37 +0100 [thread overview]
Message-ID: <55F94581.2060002@arm.com> (raw)
In-Reply-To: <1442397895-2124-1-git-send-email-marek.majtyka@tieto.com>
Hi Marek,
On 16/09/15 11:04, marek.majtyka wrote:
> From: Marek Majtyka <marek.majtyka@tieto.com>
>
> A critical bug has been found in device memory stage1 translation for machines
> with more then 4GB of RAM. Once vm_pgoff size is smaller then pa (which is true
> for LPAE case, u32 and u64 respectively) some more significant bits of pa may
> be lost as a shift operation is performed on u32 and later cast onto u64.
>
> Example: vm_pgoff(u32)=0x00210030, PAGE_SHIFT=12
> expected pa(u64): 0x0000002010030000
> produced pa(u64): 0x0000000010030000
>
> A suggested fix is changing the order of operations (casting first onto
> phys_addr_t and then shifting), which works for both alternatives
> (with and without LPAE).
Well, you can't use KVM without LPAE, so that's a moot point. Also, the
issue is when you place things above 4GB, not when you have more than
4GB of RAM (I cannot see how you allocate that amount of memory from
userspace on 32bit).
>
> A bug has been found, fixed and tested on kernel v3.19. However, it seems to be
> valid for most, if not all, newer version starting from v3.18.
>
> Signed-off-by: Marek Majtyka <marek.majtyka@tieto.com>
> ---
> arch/arm/kvm/mmu.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
> index 1366625..602bc63 100644
> --- a/arch/arm/kvm/mmu.c
> +++ b/arch/arm/kvm/mmu.c
> @@ -1408,7 +1408,8 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
> if (vma->vm_flags & VM_PFNMAP) {
> gpa_t gpa = mem->guest_phys_addr +
> (vm_start - mem->userspace_addr);
> - phys_addr_t pa = (vma->vm_pgoff << PAGE_SHIFT) +
> + phys_addr_t pa =
> + ((phys_addr_t) vma->vm_pgoff << PAGE_SHIFT) +
> vm_start - vma->vm_start;
>
> ret = kvm_phys_addr_ioremap(kvm, gpa, pa,
>
Looks perfectly valid to me (the formatting is horrible, but I can fix
that - I can only guess you've followed checkpatch's silly advise).
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Christoffer: if you're OK with that one, I'll add it to the next batch
of fixes.
Thanks,
M.
--
Jazz is not dead. It just smells funny...
next prev parent reply other threads:[~2015-09-16 10:32 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-16 10:04 [PATCH] kvm: arm: LPAE: Incorrect device to IPA mapping marek.majtyka
2015-09-16 10:04 ` marek.majtyka
2015-09-16 10:33 ` Marc Zyngier [this message]
2015-09-16 10:33 ` Marc Zyngier
2015-09-16 13:43 ` Christoffer Dall
2015-09-16 13:43 ` Christoffer Dall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55F94581.2060002@arm.com \
--to=marc.zyngier@arm.com \
--cc=christoffer.dall@linaro.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=marek.majtyka@tieto.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.