From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Jason Wang" <jasowang@redhat.com>,
"Mark Cave-Ayland" <mark.cave-ayland@ilande.co.uk>,
qemu-devel@nongnu.org, "Peter Xu" <peterx@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Edgar E. Iglesias" <edgar.iglesias@gmail.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
qemu-block@nongnu.org, "Li Qiang" <liq3ea@163.com>,
"Emilio G . Cota" <cota@braap.org>,
"Peter Chubb" <peter.chubb@nicta.com.au>,
"Joel Stanley" <joel@jms.id.au>,
"Richard Henderson" <rth@twiddle.net>,
"Laszlo Ersek" <lersek@redhat.com>,
"Robert Foley" <robert.foley@linaro.org>,
"Alistair Francis" <alistair@alistair23.me>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Beniamino Galvani" <b.galvani@gmail.com>,
"Eric Auger" <eric.auger@redhat.com>,
qemu-arm@nongnu.org, "Jan Kiszka" <jan.kiszka@web.de>,
"Cédric Le Goater" <clg@kaod.org>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"John Snow" <jsnow@redhat.com>,
"David Gibson" <david@gibson.dropbear.id.au>,
"Tony Nguyen" <tony.nguyen@bt.com>,
"Prasad J Pandit" <pjp@fedoraproject.org>,
"Alexander Bulekov" <alxndr@bu.edu>,
"Andrew Jeffery" <andrew@aj.id.au>,
"Klaus Jensen" <k.jensen@samsung.com>,
"Emanuele Giuseppe Esposito" <e.emanuelegiuseppe@gmail.com>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Andrew Baumann" <Andrew.Baumann@microsoft.com>,
qemu-ppc@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>
Subject: Re: [RFC PATCH 12/12] dma: Assert when device writes to indirect memory (such MMIO regions)
Date: Thu, 3 Sep 2020 15:51:15 +0200 [thread overview]
Message-ID: <20200903135115.GZ14249@toto> (raw)
In-Reply-To: <20200903110831.353476-13-philmd@redhat.com>
On Thu, Sep 03, 2020 at 01:08:31PM +0200, Philippe Mathieu-Daudé wrote:
> Assert DMA accesses are done on direct memory (in particular
> to catch invalid accesses to MMIO regions).
Hi Philippe,
Is the motivation for this to make it easier to find DMA programming errors?
Shouldn't guest SW use the IOMMU/DMA-APIs to debug those?
There're valid use-cases where DMA devices target non-memory, in particular
in the embedded space but also on PCI systems.
Also, since guest SW programs the DMA registers, guest SW would be able to trig this assert at will...
Cheers,
Edgar
>
> Example with the reproducer from LP#1886362 (see previous commit):
>
> qemu-system-i386: include/sysemu/dma.h:111: int dma_memory_rw(AddressSpace *, dma_addr_t, void *, dma_addr_t, DMADirection, MemTxAttrs): Assertion `dir == DMA_DIRECTION_TO_DEVICE || attrs.direct_access' failed.
> (gdb) bt
> #0 0x00007ffff51d69e5 in raise () at /lib64/libc.so.6
> #1 0x00007ffff51bf895 in abort () at /lib64/libc.so.6
> #2 0x00007ffff51bf769 in _nl_load_domain.cold () at /lib64/libc.so.6
> #3 0x00007ffff51cee76 in annobin_assert.c_end () at /lib64/libc.so.6
> #4 0x0000555557b48a94 in dma_memory_rw (as=0x7fffddd3ca28, addr=4064, buf=0x7fffffff7780, len=16, dir=DMA_DIRECTION_FROM_DEVICE, attrs=...) at /home/phil/source/qemu/include/sysemu/dma.h:111
> #5 0x0000555557b487e0 in pci_dma_rw (dev=0x7fffddd3c800, addr=4064, buf=0x7fffffff7780, len=16, dir=DMA_DIRECTION_FROM_DEVICE) at /home/phil/source/qemu/include/hw/pci/pci.h:791
> #6 0x0000555557b47373 in pci_dma_write (dev=0x7fffddd3c800, addr=4064, buf=0x7fffffff7780, len=16) at /home/phil/source/qemu/include/hw/pci/pci.h:804
> #7 0x0000555557b340b4 in e1000e_write_packet_to_guest (core=0x7fffddd3f4e0, pkt=0x61100006c740, rxr=0x7fffffff7cf0, rss_info=0x7fffffff7d10) at hw/net/e1000e_core.c:1609
> #8 0x0000555557b30739 in e1000e_receive_iov (core=0x7fffddd3f4e0, iov=0x619000060e80, iovcnt=4) at hw/net/e1000e_core.c:1709
> #9 0x00005555576e2069 in e1000e_nc_receive_iov (nc=0x61400000a060, iov=0x619000060e80, iovcnt=4) at hw/net/e1000e.c:213
> #10 0x00005555572a3c34 in net_tx_pkt_sendv (pkt=0x631000028800, nc=0x61400000a060, iov=0x619000060e80, iov_cnt=4) at hw/net/net_tx_pkt.c:556
> #11 0x00005555572a23e2 in net_tx_pkt_send (pkt=0x631000028800, nc=0x61400000a060) at hw/net/net_tx_pkt.c:633
> #12 0x00005555572a4c67 in net_tx_pkt_send_loopback (pkt=0x631000028800, nc=0x61400000a060) at hw/net/net_tx_pkt.c:646
> #13 0x0000555557b70b05 in e1000e_tx_pkt_send (core=0x7fffddd3f4e0, tx=0x7fffddd5f748, queue_index=0) at hw/net/e1000e_core.c:664
> #14 0x0000555557b6eab8 in e1000e_process_tx_desc (core=0x7fffddd3f4e0, tx=0x7fffddd5f748, dp=0x7fffffff8680, queue_index=0) at hw/net/e1000e_core.c:743
> #15 0x0000555557b6d65d in e1000e_start_xmit (core=0x7fffddd3f4e0, txr=0x7fffffff88a0) at hw/net/e1000e_core.c:934
> #16 0x0000555557b5ea38 in e1000e_set_tctl (core=0x7fffddd3f4e0, index=256, val=255) at hw/net/e1000e_core.c:2431
> #17 0x0000555557b369ef in e1000e_core_write (core=0x7fffddd3f4e0, addr=1027, val=255, size=4) at hw/net/e1000e_core.c:3265
> #18 0x00005555576de3be in e1000e_mmio_write (opaque=0x7fffddd3c800, addr=1027, val=255, size=4) at hw/net/e1000e.c:109
> #19 0x0000555558e6b789 in memory_region_write_accessor (mr=0x7fffddd3f110, addr=1027, value=0x7fffffff8eb0, size=4, shift=0, mask=4294967295, attrs=...) at softmmu/memory.c:483
> #20 0x0000555558e6b05b in access_with_adjusted_size (addr=1027, value=0x7fffffff8eb0, size=1, access_size_min=4, access_size_max=4, access_fn= 0x555558e6b120 <memory_region_write_accessor>, mr=0x7fffddd3f110, attrs=...) at softmmu/memory.c:544
> #21 0x0000555558e69776 in memory_region_dispatch_write (mr=0x7fffddd3f110, addr=1027, data=255, op=MO_8, attrs=...) at softmmu/memory.c:1465
> #22 0x0000555558f60462 in flatview_write_continue (fv=0x60600003f9e0, addr=3775005699, attrs=..., ptr=0x6020000e3710, len=1, addr1=1027, l=1, mr=0x7fffddd3f110) at exec.c:3176
> #23 0x0000555558f4e38b in flatview_write (fv=0x60600003f9e0, addr=3775005699, attrs=..., buf=0x6020000e3710, len=1) at exec.c:3220
> #24 0x0000555558f4dd4f in address_space_write (as=0x60800000baa0, addr=3775005699, attrs=..., buf=0x6020000e3710, len=1) at exec.c:3315
> #25 0x000055555916b3e0 in qtest_process_command (chr=0x55555c03f300 <qtest_chr>, words=0x604000058150) at softmmu/qtest.c:567
> #26 0x000055555915f7f2 in qtest_process_inbuf (chr=0x55555c03f300 <qtest_chr>, inbuf=0x6190000200e0) at softmmu/qtest.c:710
>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
> include/sysemu/dma.h | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
> index 8a7dbf0b0f3..a4ba9438a56 100644
> --- a/include/sysemu/dma.h
> +++ b/include/sysemu/dma.h
> @@ -108,6 +108,8 @@ static inline int dma_memory_rw(AddressSpace *as, dma_addr_t addr,
> void *buf, dma_addr_t len,
> DMADirection dir, MemTxAttrs attrs)
> {
> + assert(dir == DMA_DIRECTION_TO_DEVICE || attrs.direct_access);
> +
> dma_barrier(as, dir);
>
> return dma_memory_rw_relaxed(as, addr, buf, len, dir, attrs);
> --
> 2.26.2
>
next prev parent reply other threads:[~2020-09-03 13:52 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-03 11:08 [RFC PATCH 00/12] hw: Forbid DMA write accesses to MMIO regions Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 01/12] pci: pass along the return value of dma_memory_rw Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 02/12] dma: Let dma_memory_valid() take MemTxAttrs argument Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 03/12] dma: Let dma_memory_set() " Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 04/12] dma: Let dma_memory_rw_relaxed() " Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 05/12] dma: Let dma_memory_rw() " Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 06/12] dma: Let dma_memory_read/write() " Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 07/12] dma: Let dma_memory_map() " Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 08/12] docs/devel/loads-stores: Add regexp for DMA functions Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 09/12] dma: Let load/store DMA functions take MemTxAttrs argument Philippe Mathieu-Daudé
2020-09-03 11:08 ` [RFC PATCH 10/12] exec/memattrs: Introduce MemTxAttrs::direct_access field Philippe Mathieu-Daudé
2020-09-03 11:08 ` [RFC PATCH 11/12] hw/pci: Only allow PCI slave devices to write to direct memory Philippe Mathieu-Daudé
2020-09-03 12:26 ` Paolo Bonzini
2020-09-03 13:18 ` Philippe Mathieu-Daudé
2020-09-03 21:43 ` Paolo Bonzini
2020-09-03 11:08 ` [RFC PATCH 12/12] dma: Assert when device writes to indirect memory (such MMIO regions) Philippe Mathieu-Daudé
2020-09-03 13:51 ` Edgar E. Iglesias [this message]
2020-09-03 13:37 ` [RFC PATCH 00/12] hw: Forbid DMA write accesses to MMIO regions Laszlo Ersek
2020-09-03 13:58 ` Peter Maydell
2020-09-03 14:24 ` Edgar E. Iglesias
2020-09-03 15:46 ` Paolo Bonzini
2020-09-03 15:50 ` Edgar E. Iglesias
2020-09-03 17:53 ` Paolo Bonzini
2020-09-03 19:46 ` Edgar E. Iglesias
2020-09-04 2:50 ` Jason Wang
2020-09-05 2:27 ` Li Qiang
2020-09-08 14:37 ` Stefan Hajnoczi
2020-09-09 13:23 ` Peter Maydell
2020-09-09 13:41 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200903135115.GZ14249@toto \
--to=edgar.iglesias@xilinx.com \
--cc=Andrew.Baumann@microsoft.com \
--cc=alistair@alistair23.me \
--cc=alxndr@bu.edu \
--cc=andrew@aj.id.au \
--cc=b.galvani@gmail.com \
--cc=clg@kaod.org \
--cc=cota@braap.org \
--cc=david@gibson.dropbear.id.au \
--cc=e.emanuelegiuseppe@gmail.com \
--cc=edgar.iglesias@gmail.com \
--cc=ehabkost@redhat.com \
--cc=eric.auger@redhat.com \
--cc=f4bug@amsat.org \
--cc=jan.kiszka@web.de \
--cc=jasowang@redhat.com \
--cc=joel@jms.id.au \
--cc=jsnow@redhat.com \
--cc=k.jensen@samsung.com \
--cc=kraxel@redhat.com \
--cc=lersek@redhat.com \
--cc=liq3ea@163.com \
--cc=mark.cave-ayland@ilande.co.uk \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.chubb@nicta.com.au \
--cc=peter.maydell@linaro.org \
--cc=peterx@redhat.com \
--cc=philmd@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=robert.foley@linaro.org \
--cc=rth@twiddle.net \
--cc=stefanha@redhat.com \
--cc=tony.nguyen@bt.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).