Re: [PULL 19/45] memory: clamp cached translation in case it points to an MMIO region

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Michael S. Tsirkin" <mst@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Subject: Re: [PULL 19/45] memory: clamp cached translation in case it points to an MMIO region
Date: Wed, 13 Jan 2021 08:27:49 -0500	[thread overview]
Message-ID: <20210113072048-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20201215175445.1272776-20-pbonzini@redhat.com>

On Tue, Dec 15, 2020 at 12:54:19PM -0500, Paolo Bonzini wrote:
> In using the address_space_translate_internal API, address_space_cache_init
> forgot one piece of advice that can be found in the code for
> address_space_translate_internal:
> 
>     /* MMIO registers can be expected to perform full-width accesses based only
>      * on their address, without considering adjacent registers that could
>      * decode to completely different MemoryRegions.  When such registers
>      * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
>      * regions overlap wildly.  For this reason we cannot clamp the accesses
>      * here.
>      *
>      * If the length is small (as is the case for address_space_ldl/stl),
>      * everything works fine.  If the incoming length is large, however,
>      * the caller really has to do the clamping through memory_access_size.
>      */
> 
> address_space_cache_init is exactly one such case where "the incoming length
> is large", therefore we need to clamp the resulting length---not to
> memory_access_size though, since we are not doing an access yet, but to
> the size of the resulting section.  This ensures that subsequent accesses
> to the cached MemoryRegionSection will be in range.
> 
> With this patch, the enclosed testcase notices that the used ring does
> not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
> error.
> 
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Cc: qemu-stable@nongnu.org

> ---
>  softmmu/physmem.c       | 10 ++++++++
>  tests/qtest/fuzz-test.c | 51 +++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 61 insertions(+)
> 
> diff --git a/softmmu/physmem.c b/softmmu/physmem.c
> index 3027747c03..2cd1de4a2c 100644
> --- a/softmmu/physmem.c
> +++ b/softmmu/physmem.c
> @@ -3255,6 +3255,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
>      AddressSpaceDispatch *d;
>      hwaddr l;
>      MemoryRegion *mr;
> +    Int128 diff;
>  
>      assert(len > 0);
>  
> @@ -3263,6 +3264,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
>      d = flatview_to_dispatch(cache->fv);
>      cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
>  
> +    /*
> +     * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
> +     * Take that into account to compute how many bytes are there between
> +     * cache->xlat and the end of the section.
> +     */
> +    diff = int128_sub(cache->mrs.size,
> +		      int128_make64(cache->xlat - cache->mrs.offset_within_region));
> +    l = int128_get64(int128_min(diff, int128_make64(l)));
> +
>      mr = cache->mrs.mr;
>      memory_region_ref(mr);
>      if (memory_access_is_direct(mr, is_write)) {
> diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
> index 87b72307a5..cdb1100a0b 100644
> --- a/tests/qtest/fuzz-test.c
> +++ b/tests/qtest/fuzz-test.c
> @@ -48,6 +48,55 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
>      qtest_quit(s);
>  }
>  
> +/*
> + * Here a MemoryRegionCache pointed to an MMIO region but had a
> + * larger size than the underlying region.
> + */
> +static void test_mmio_oob_from_memory_region_cache(void)
> +{
> +    QTestState *s;
> +
> +    s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
> +		   "-device virtio-scsi,num_queues=8,addr=03.0 ");
> +
> +    qtest_outl(s, 0xcf8, 0x80001811);
> +    qtest_outb(s, 0xcfc, 0x6e);
> +    qtest_outl(s, 0xcf8, 0x80001824);
> +    qtest_outl(s, 0xcf8, 0x80001813);
> +    qtest_outl(s, 0xcfc, 0xa080000);
> +    qtest_outl(s, 0xcf8, 0x80001802);
> +    qtest_outl(s, 0xcfc, 0x5a175a63);
> +    qtest_outb(s, 0x6e08, 0x9e);
> +    qtest_writeb(s, 0x9f003, 0xff);
> +    qtest_writeb(s, 0x9f004, 0x01);
> +    qtest_writeb(s, 0x9e012, 0x0e);
> +    qtest_writeb(s, 0x9e01b, 0x0e);
> +    qtest_writeb(s, 0x9f006, 0x01);
> +    qtest_writeb(s, 0x9f008, 0x01);
> +    qtest_writeb(s, 0x9f00a, 0x01);
> +    qtest_writeb(s, 0x9f00c, 0x01);
> +    qtest_writeb(s, 0x9f00e, 0x01);
> +    qtest_writeb(s, 0x9f010, 0x01);
> +    qtest_writeb(s, 0x9f012, 0x01);
> +    qtest_writeb(s, 0x9f014, 0x01);
> +    qtest_writeb(s, 0x9f016, 0x01);
> +    qtest_writeb(s, 0x9f018, 0x01);
> +    qtest_writeb(s, 0x9f01a, 0x01);
> +    qtest_writeb(s, 0x9f01c, 0x01);
> +    qtest_writeb(s, 0x9f01e, 0x01);
> +    qtest_writeb(s, 0x9f020, 0x01);
> +    qtest_writeb(s, 0x9f022, 0x01);
> +    qtest_writeb(s, 0x9f024, 0x01);
> +    qtest_writeb(s, 0x9f026, 0x01);
> +    qtest_writeb(s, 0x9f028, 0x01);
> +    qtest_writeb(s, 0x9f02a, 0x01);
> +    qtest_writeb(s, 0x9f02c, 0x01);
> +    qtest_writeb(s, 0x9f02e, 0x01);
> +    qtest_writeb(s, 0x9f030, 0x01);
> +    qtest_outb(s, 0x6e10, 0x00);
> +    qtest_quit(s);
> +}
> +
>  int main(int argc, char **argv)
>  {
>      const char *arch = qtest_get_arch();
> @@ -59,6 +108,8 @@ int main(int argc, char **argv)
>                         test_lp1878263_megasas_zero_iov_cnt);
>          qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
>                         test_lp1878642_pci_bus_get_irq_level_assert);
> +        qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
> +                       test_mmio_oob_from_memory_region_cache);
>      }
>  
>      return g_test_run();
> -- 
> 2.26.2
> 
> 
>

next prev parent reply	other threads:[~2021-01-13 13:32 UTC|newest]

Thread overview: 56+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-15 17:54 [PULL 00/45] Misc patches for 2020-12-15 Paolo Bonzini
2020-12-15 17:54 ` [PULL 01/45] remove preconfig state Paolo Bonzini
2020-12-15 17:54 ` [PULL 02/45] vl: remove separate preconfig main_loop Paolo Bonzini
2020-12-19 21:30   ` Laurent Vivier
2020-12-20  8:52     ` Paolo Bonzini
2020-12-15 17:54 ` [PULL 03/45] vl: allow -incoming defer with -preconfig Paolo Bonzini
2020-12-15 17:54 ` [PULL 04/45] vl: extract softmmu/runstate.c Paolo Bonzini
2020-12-15 17:54 ` [PULL 05/45] vl: extract softmmu/globals.c Paolo Bonzini
2020-12-15 17:54 ` [PULL 06/45] vl: move all generic initialization out of vl.c Paolo Bonzini
2020-12-15 17:54 ` [PULL 07/45] chardev: do not use machine_init_done Paolo Bonzini
2020-12-15 17:54 ` [PULL 08/45] machine: introduce MachineInitPhase Paolo Bonzini
2020-12-15 17:54 ` [PULL 09/45] ppc/spapr: cleanup -machine pseries,nvdimm=X handling Paolo Bonzini
2020-12-15 17:54 ` [PULL 10/45] vl: make qemu_get_machine_opts static Paolo Bonzini
2020-12-15 17:54 ` [PULL 11/45] plugin: propagate errors Paolo Bonzini
2020-12-15 17:54 ` [PULL 12/45] memory: allow creating MemoryRegions before accelerators Paolo Bonzini
2020-12-15 17:54 ` [PULL 13/45] monitor: allow quitting while in preconfig state Paolo Bonzini
2020-12-15 17:54 ` [PULL 14/45] qmp: generalize watchdog-set-action to -no-reboot/-no-shutdown Paolo Bonzini
2020-12-15 17:54 ` [PULL 15/45] vl: Add an -action option specifying response to guest events Paolo Bonzini
2020-12-15 17:54 ` [PULL 16/45] vl: Add option to avoid stopping VM upon guest panic Paolo Bonzini
2021-01-19 21:34   ` Peter Maydell
2021-01-20  5:28     ` Alejandro Jimenez
2021-01-20 13:47       ` Peter Maydell
2021-01-20 13:54       ` Daniel P. Berrangé
2021-01-20 14:47         ` Paolo Bonzini
2021-01-20 13:58     ` Paolo Bonzini
2020-12-15 17:54 ` [PULL 17/45] qtest/pvpanic: Test panic option that allows VM to continue Paolo Bonzini
2020-12-15 17:54 ` [PULL 18/45] msix: assert that accesses are within bounds Paolo Bonzini
2020-12-15 17:54 ` [PULL 19/45] memory: clamp cached translation in case it points to an MMIO region Paolo Bonzini
2021-01-13 13:27   ` Michael S. Tsirkin [this message]
2020-12-15 17:54 ` [PULL 20/45] accel/tcg: Remove deprecated '-tb-size' option Paolo Bonzini
2020-12-15 17:54 ` [PULL 21/45] docs/system: Move the list of removed features to a separate file Paolo Bonzini
2020-12-15 17:54 ` [PULL 22/45] Remove the deprecated -realtime option Paolo Bonzini
2020-12-15 17:54 ` [PULL 23/45] Remove the deprecated -show-cursor option Paolo Bonzini
2020-12-15 17:54 ` [PULL 24/45] icount: improve exec nocache usage Paolo Bonzini
2020-12-15 17:54 ` [PULL 25/45] scsi: fix device removal race vs IO restart callback on resume Paolo Bonzini
2020-12-15 17:54 ` [PULL 26/45] kvm: Take into account the unaligned section size when preparing bitmap Paolo Bonzini
2020-12-15 17:54 ` [PULL 27/45] qemu-option: simplify search for end of key Paolo Bonzini
2020-12-15 17:54 ` [PULL 28/45] qemu-option: pass QemuOptsList to opts_accepts_any Paolo Bonzini
2020-12-15 17:54 ` [PULL 29/45] vl: rename local variable in configure_accelerators Paolo Bonzini
2020-12-15 17:54 ` [PULL 30/45] docs: set CONFDIR when running sphinx Paolo Bonzini
2020-12-15 17:54 ` [PULL 31/45] hw/core: Restrict 'fw-path-provider.c' to system mode emulation Paolo Bonzini
2020-12-15 17:54 ` [PULL 32/45] qemu/atomic: Drop special case for unsupported compiler Paolo Bonzini
2020-12-15 17:54 ` [PULL 33/45] accel/tcg: Remove special case for GCC < 4.6 Paolo Bonzini
2020-12-15 17:54 ` [PULL 34/45] compiler.h: remove GCC < 3 __builtin_expect fallback Paolo Bonzini
2020-12-15 17:54 ` [PULL 35/45] qemu-plugin.h: remove GCC < 4 Paolo Bonzini
2020-12-15 17:54 ` [PULL 36/45] tests: remove GCC < 4 fallbacks Paolo Bonzini
2020-12-15 17:54 ` [PULL 37/45] virtiofsd: replace _Static_assert with QEMU_BUILD_BUG_ON Paolo Bonzini
2020-12-15 17:54 ` [PULL 38/45] compiler.h: explicit case for Clang printf attribute Paolo Bonzini
2020-12-15 17:54 ` [PULL 39/45] poison: remove GNUC check Paolo Bonzini
2020-12-15 17:54 ` [PULL 40/45] xen: " Paolo Bonzini
2020-12-15 17:54 ` [PULL 41/45] compiler: " Paolo Bonzini
2020-12-15 17:54 ` [PULL 42/45] linux-user: " Paolo Bonzini
2020-12-15 17:54 ` [PULL 43/45] compiler.h: remove QEMU_GNUC_PREREQ Paolo Bonzini
2020-12-15 17:54 ` [PULL 44/45] scripts/git.orderfile: Keep files with .inc extension sorted Paolo Bonzini
2020-12-15 17:54 ` [PULL 45/45] build: -no-pie is no functional linker flag Paolo Bonzini
2020-12-16 10:55 ` [PULL 00/45] Misc patches for 2020-12-15 Peter Maydell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210113072048-mutt-send-email-mst@kernel.org \
    --to=mst@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-stable@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).