From: Ricardo Koller <ricarkol@google.com>
To: Eric Auger <eric.auger@redhat.com>
Cc: kvm@vger.kernel.org, andre.przywara@arm.com, pshier@google.com,
maz@kernel.org, pbonzini@redhat.com,
kvmarm@lists.cs.columbia.edu
Subject: Re: [PATCH v2 1/4] KVM: arm64: vgic: Check that new ITEs could be saved in guest memory
Date: Wed, 4 May 2022 09:39:24 -0700 [thread overview]
Message-ID: <YnKsPFnQCcEpX0qC@google.com> (raw)
In-Reply-To: <da752e67-1fff-e27f-bcaf-e29aaa536532@redhat.com>
On Tue, May 03, 2022 at 07:14:24PM +0200, Eric Auger wrote:
> Hi Ricardo,
>
> On 4/27/22 20:48, Ricardo Koller wrote:
> > Try to improve the predictability of ITS save/restores by failing
> > commands that would lead to failed saves. More specifically, fail any
> > command that adds an entry into an ITS table that is not in guest
> > memory, which would otherwise lead to a failed ITS save ioctl. There
> > are already checks for collection and device entries, but not for
> > ITEs. Add the corresponding check for the ITT when adding ITEs.
> >
> > Signed-off-by: Ricardo Koller <ricarkol@google.com>
> > ---
> > arch/arm64/kvm/vgic/vgic-its.c | 51 ++++++++++++++++++++++++----------
> > 1 file changed, 37 insertions(+), 14 deletions(-)
> >
> > diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
> > index 2e13402be3bd..e14790750958 100644
> > --- a/arch/arm64/kvm/vgic/vgic-its.c
> > +++ b/arch/arm64/kvm/vgic/vgic-its.c
> > @@ -894,6 +894,18 @@ static int vgic_its_cmd_handle_movi(struct kvm *kvm, struct vgic_its *its,
> > return update_affinity(ite->irq, vcpu);
> > }
> >
> > +static bool __is_visible_gfn_locked(struct vgic_its *its, gpa_t gpa)
> > +{
> > + gfn_t gfn = gpa >> PAGE_SHIFT;
> > + int idx;
> > + bool ret;
> > +
> > + idx = srcu_read_lock(&its->dev->kvm->srcu);
> > + ret = kvm_is_visible_gfn(its->dev->kvm, gfn);
> > + srcu_read_unlock(&its->dev->kvm->srcu, idx);
> > + return ret;
> > +}
> > +
> > /*
> > * Check whether an ID can be stored into the corresponding guest table.
> > * For a direct table this is pretty easy, but gets a bit nasty for
> > @@ -908,9 +920,7 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
> > u64 indirect_ptr, type = GITS_BASER_TYPE(baser);
> > phys_addr_t base = GITS_BASER_ADDR_48_to_52(baser);
> > int esz = GITS_BASER_ENTRY_SIZE(baser);
> > - int index, idx;
> > - gfn_t gfn;
> > - bool ret;
> > + int index;
> >
> > switch (type) {
> > case GITS_BASER_TYPE_DEVICE:
> > @@ -933,12 +943,11 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
> > return false;
> >
> > addr = base + id * esz;
> > - gfn = addr >> PAGE_SHIFT;
> >
> > if (eaddr)
> > *eaddr = addr;
> >
> > - goto out;
> > + return __is_visible_gfn_locked(its, addr);
> > }
> >
> > /* calculate and check the index into the 1st level */
> > @@ -964,16 +973,30 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
> > /* Find the address of the actual entry */
> > index = id % (SZ_64K / esz);
> > indirect_ptr += index * esz;
> > - gfn = indirect_ptr >> PAGE_SHIFT;
> >
> > if (eaddr)
> > *eaddr = indirect_ptr;
> >
> > -out:
> > - idx = srcu_read_lock(&its->dev->kvm->srcu);
> > - ret = kvm_is_visible_gfn(its->dev->kvm, gfn);
> > - srcu_read_unlock(&its->dev->kvm->srcu, idx);
> > - return ret;
> > + return __is_visible_gfn_locked(its, indirect_ptr);
> > +}
> > +
> > +/*
> > + * Check whether an event ID can be stored in the corresponding Interrupt
> > + * Translation Table, which starts at device->itt_addr.
> > + */
> > +static bool vgic_its_check_event_id(struct vgic_its *its, struct its_device *device,
> > + u32 event_id)
> > +{
> > + const struct vgic_its_abi *abi = vgic_its_get_abi(its);
> > + int ite_esz = abi->ite_esz;
> > + gpa_t gpa;
> > +
> > + /* max table size is: BIT_ULL(device->num_eventid_bits) * ite_esz */
> > + if (event_id >= BIT_ULL(device->num_eventid_bits))
> > + return false;
> > +
> > + gpa = device->itt_addr + event_id * ite_esz;
> > + return __is_visible_gfn_locked(its, gpa);
> > }
> >
> > static int vgic_its_alloc_collection(struct vgic_its *its,
> > @@ -1061,9 +1084,6 @@ static int vgic_its_cmd_handle_mapi(struct kvm *kvm, struct vgic_its *its,
> > if (!device)
> > return E_ITS_MAPTI_UNMAPPED_DEVICE;
> >
> > - if (event_id >= BIT_ULL(device->num_eventid_bits))
> > - return E_ITS_MAPTI_ID_OOR;
> I would put
> if (!vgic_its_check_event_id(its, device, event_id))
> return E_ITS_MAPTI_ID_OOR;
> here instead of after since if the evend_id not correct, no use to look
> the ite for instance.
Thanks Eric. Will fix in v2.
> > -
> > if (its_cmd_get_command(its_cmd) == GITS_CMD_MAPTI)
> > lpi_nr = its_cmd_get_physical_id(its_cmd);
> > else
> > @@ -1076,6 +1096,9 @@ static int vgic_its_cmd_handle_mapi(struct kvm *kvm, struct vgic_its *its,
> > if (find_ite(its, device_id, event_id))
> > return 0;
> >
> > + if (!vgic_its_check_event_id(its, device, event_id))
> > + return E_ITS_MAPTI_ID_OOR;
> > +
> > collection = find_collection(its, coll_id);
> > if (!collection) {
> > int ret = vgic_its_alloc_collection(its, &collection, coll_id);
> Besides look good to me
> Reviewed-by: Eric Auger <eric.auger@redhat.com>
>
> Eric
>
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
WARNING: multiple messages have this Message-ID (diff)
From: Ricardo Koller <ricarkol@google.com>
To: Eric Auger <eric.auger@redhat.com>
Cc: kvm@vger.kernel.org, kvmarm@lists.cs.columbia.edu,
pbonzini@redhat.com, maz@kernel.org, andre.przywara@arm.com,
drjones@redhat.com, alexandru.elisei@arm.com, oupton@google.com,
reijiw@google.com, pshier@google.com
Subject: Re: [PATCH v2 1/4] KVM: arm64: vgic: Check that new ITEs could be saved in guest memory
Date: Wed, 4 May 2022 09:39:24 -0700 [thread overview]
Message-ID: <YnKsPFnQCcEpX0qC@google.com> (raw)
In-Reply-To: <da752e67-1fff-e27f-bcaf-e29aaa536532@redhat.com>
On Tue, May 03, 2022 at 07:14:24PM +0200, Eric Auger wrote:
> Hi Ricardo,
>
> On 4/27/22 20:48, Ricardo Koller wrote:
> > Try to improve the predictability of ITS save/restores by failing
> > commands that would lead to failed saves. More specifically, fail any
> > command that adds an entry into an ITS table that is not in guest
> > memory, which would otherwise lead to a failed ITS save ioctl. There
> > are already checks for collection and device entries, but not for
> > ITEs. Add the corresponding check for the ITT when adding ITEs.
> >
> > Signed-off-by: Ricardo Koller <ricarkol@google.com>
> > ---
> > arch/arm64/kvm/vgic/vgic-its.c | 51 ++++++++++++++++++++++++----------
> > 1 file changed, 37 insertions(+), 14 deletions(-)
> >
> > diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
> > index 2e13402be3bd..e14790750958 100644
> > --- a/arch/arm64/kvm/vgic/vgic-its.c
> > +++ b/arch/arm64/kvm/vgic/vgic-its.c
> > @@ -894,6 +894,18 @@ static int vgic_its_cmd_handle_movi(struct kvm *kvm, struct vgic_its *its,
> > return update_affinity(ite->irq, vcpu);
> > }
> >
> > +static bool __is_visible_gfn_locked(struct vgic_its *its, gpa_t gpa)
> > +{
> > + gfn_t gfn = gpa >> PAGE_SHIFT;
> > + int idx;
> > + bool ret;
> > +
> > + idx = srcu_read_lock(&its->dev->kvm->srcu);
> > + ret = kvm_is_visible_gfn(its->dev->kvm, gfn);
> > + srcu_read_unlock(&its->dev->kvm->srcu, idx);
> > + return ret;
> > +}
> > +
> > /*
> > * Check whether an ID can be stored into the corresponding guest table.
> > * For a direct table this is pretty easy, but gets a bit nasty for
> > @@ -908,9 +920,7 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
> > u64 indirect_ptr, type = GITS_BASER_TYPE(baser);
> > phys_addr_t base = GITS_BASER_ADDR_48_to_52(baser);
> > int esz = GITS_BASER_ENTRY_SIZE(baser);
> > - int index, idx;
> > - gfn_t gfn;
> > - bool ret;
> > + int index;
> >
> > switch (type) {
> > case GITS_BASER_TYPE_DEVICE:
> > @@ -933,12 +943,11 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
> > return false;
> >
> > addr = base + id * esz;
> > - gfn = addr >> PAGE_SHIFT;
> >
> > if (eaddr)
> > *eaddr = addr;
> >
> > - goto out;
> > + return __is_visible_gfn_locked(its, addr);
> > }
> >
> > /* calculate and check the index into the 1st level */
> > @@ -964,16 +973,30 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
> > /* Find the address of the actual entry */
> > index = id % (SZ_64K / esz);
> > indirect_ptr += index * esz;
> > - gfn = indirect_ptr >> PAGE_SHIFT;
> >
> > if (eaddr)
> > *eaddr = indirect_ptr;
> >
> > -out:
> > - idx = srcu_read_lock(&its->dev->kvm->srcu);
> > - ret = kvm_is_visible_gfn(its->dev->kvm, gfn);
> > - srcu_read_unlock(&its->dev->kvm->srcu, idx);
> > - return ret;
> > + return __is_visible_gfn_locked(its, indirect_ptr);
> > +}
> > +
> > +/*
> > + * Check whether an event ID can be stored in the corresponding Interrupt
> > + * Translation Table, which starts at device->itt_addr.
> > + */
> > +static bool vgic_its_check_event_id(struct vgic_its *its, struct its_device *device,
> > + u32 event_id)
> > +{
> > + const struct vgic_its_abi *abi = vgic_its_get_abi(its);
> > + int ite_esz = abi->ite_esz;
> > + gpa_t gpa;
> > +
> > + /* max table size is: BIT_ULL(device->num_eventid_bits) * ite_esz */
> > + if (event_id >= BIT_ULL(device->num_eventid_bits))
> > + return false;
> > +
> > + gpa = device->itt_addr + event_id * ite_esz;
> > + return __is_visible_gfn_locked(its, gpa);
> > }
> >
> > static int vgic_its_alloc_collection(struct vgic_its *its,
> > @@ -1061,9 +1084,6 @@ static int vgic_its_cmd_handle_mapi(struct kvm *kvm, struct vgic_its *its,
> > if (!device)
> > return E_ITS_MAPTI_UNMAPPED_DEVICE;
> >
> > - if (event_id >= BIT_ULL(device->num_eventid_bits))
> > - return E_ITS_MAPTI_ID_OOR;
> I would put
> if (!vgic_its_check_event_id(its, device, event_id))
> return E_ITS_MAPTI_ID_OOR;
> here instead of after since if the evend_id not correct, no use to look
> the ite for instance.
Thanks Eric. Will fix in v2.
> > -
> > if (its_cmd_get_command(its_cmd) == GITS_CMD_MAPTI)
> > lpi_nr = its_cmd_get_physical_id(its_cmd);
> > else
> > @@ -1076,6 +1096,9 @@ static int vgic_its_cmd_handle_mapi(struct kvm *kvm, struct vgic_its *its,
> > if (find_ite(its, device_id, event_id))
> > return 0;
> >
> > + if (!vgic_its_check_event_id(its, device, event_id))
> > + return E_ITS_MAPTI_ID_OOR;
> > +
> > collection = find_collection(its, coll_id);
> > if (!collection) {
> > int ret = vgic_its_alloc_collection(its, &collection, coll_id);
> Besides look good to me
> Reviewed-by: Eric Auger <eric.auger@redhat.com>
>
> Eric
>
next prev parent reply other threads:[~2022-05-04 16:39 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-27 18:48 [PATCH v2 0/4] KVM: arm64: vgic: Misc ITS fixes Ricardo Koller
2022-04-27 18:48 ` Ricardo Koller
2022-04-27 18:48 ` [PATCH v2 1/4] KVM: arm64: vgic: Check that new ITEs could be saved in guest memory Ricardo Koller
2022-04-27 18:48 ` Ricardo Koller
2022-05-03 17:14 ` Eric Auger
2022-05-03 17:14 ` Eric Auger
2022-05-04 16:39 ` Ricardo Koller [this message]
2022-05-04 16:39 ` Ricardo Koller
2022-04-27 18:48 ` [PATCH v2 2/4] KVM: arm64: vgic: Add more checks when restoring ITS tables Ricardo Koller
2022-04-27 18:48 ` Ricardo Koller
2022-05-03 17:14 ` Eric Auger
2022-05-03 17:14 ` Eric Auger
2022-05-04 17:01 ` Ricardo Koller
2022-05-04 17:01 ` Ricardo Koller
2022-05-09 12:40 ` Eric Auger
2022-05-09 12:40 ` Eric Auger
2022-04-27 18:48 ` [PATCH v2 3/4] KVM: arm64: vgic: Do not ignore vgic_its_restore_cte failures Ricardo Koller
2022-04-27 18:48 ` Ricardo Koller
2022-05-03 17:40 ` Eric Auger
2022-05-03 17:40 ` Eric Auger
2022-05-04 17:25 ` Ricardo Koller
2022-05-04 17:25 ` Ricardo Koller
2022-04-27 18:48 ` [PATCH v2 4/4] KVM: arm64: vgic: Undo work in failed ITS restores Ricardo Koller
2022-04-27 18:48 ` Ricardo Koller
2022-05-03 19:40 ` Eric Auger
2022-05-03 19:40 ` Eric Auger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YnKsPFnQCcEpX0qC@google.com \
--to=ricarkol@google.com \
--cc=andre.przywara@arm.com \
--cc=eric.auger@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=maz@kernel.org \
--cc=pbonzini@redhat.com \
--cc=pshier@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.