From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Richard Henderson <richard.henderson@linaro.org>,
Paolo Bonzini <pbonzini@redhat.com>,
philmd@linaro.org, alex.bennee@linaro.org, qemu-arm@nongnu.org,
Yannis Bolliger <yannis.bolliger@protonmail.com>,
Pierrick Bouvier <pierrick.bouvier@linaro.org>
Subject: [PATCH 0/4] target/arm: fix arm_cpu_get_phys_page_attrs_debug
Date: Thu, 10 Apr 2025 14:00:18 -0700
Message-ID: <20250410210022.809905-1-pierrick.bouvier@linaro.org>

It was reported that QEMU monitor command gva2gpa was reporting unmapped
memory for a valid access (qemu-system-aarch64), during a copy from
kernel to user space (__arch_copy_to_user symbol in Linux) [1].
This was affecting cpu_memory_rw_debug also, which
is used in numerous places in our codebase. After investigating, the
problem was specific to arm_cpu_get_phys_page_attrs_debug.

[1] https://lists.nongnu.org/archive/html/qemu-discuss/2025-04/msg00013.html

When performing user access from a privileged space, we need to do a
second lookup for user mmu idx, following what get_a64_user_mem_index is
doing at translation time.

This series first extracts some functions, and then performs the second lookup
expected using extracted functions.

Besides running all QEMU tests, it was explicitly checked that during a Linux
boot sequence, accesses now report a valid physical address unconditionally
using this (unsent) patch:

--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -997,9 +997,7 @@ static inline void tlb_set_compare(CPUTLBEntryFull *full, CPUTLBEntry *ent,
if (enable) {
address |= flags & TLB_FLAGS_MASK;
flags &= TLB_SLOW_FLAGS_MASK;
- if (flags) {
address |= TLB_FORCE_SLOW;
- }
} else {
address = -1;
flags = 0;
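Review bot: with the `if (flags)` guard removed in the `enable` branch of tlb_set_compare, `address |= TLB_FORCE_SLOW;` now applies to every enabled entry, and nothing in the hunk says why. Since this is test instrumentation rather than a fix, a one-line comment above that statement saying the slow path is forced on purpose (presumably so that each access reaches the check added in mmu_lookup1) would keep anyone who applies the patch from reading it as an intended behaviour change.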
@@ -1658,6 +1656,10 @@ static bool mmu_lookup1(CPUState *cpu, MMULookupPageData *data, MemOp memop,
tlb_addr = tlb_read_idx(entry, access_type) & ~TLB_INVALID_MASK;
}
+ vaddr page = addr & TARGET_PAGE_MASK;
+ hwaddr physaddr = cpu_get_phys_page_debug(cpu, page);
+ g_assert(physaddr != -1);
+
full = &cpu->neg.tlb.d[mmu_idx].fulltlb[index];
flags = tlb_addr & (TLB_FLAGS_MASK & ~TLB_FORCE_SLOW);
flags |= full->slow_flags[access_type];
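Review bot: the `g_assert(physaddr != -1)` added in mmu_lookup1 only proves that cpu_get_phys_page_debug returned some address for `page`, not that it is the address the TLB entry actually maps. `full` is loaded on the very next line, so moving the check below it and comparing the debug result against the translation recorded there would also catch a debug lookup that resolves to the wrong page. Smaller points: `hwaddr` is unsigned, so writing the sentinel as `(hwaddr)-1` makes the comparison explicit, and the two new declarations follow statements in the function body, where QEMU style prefers them at the start of a block.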
Pierrick Bouvier (4):
target/arm/ptw: extract arm_mmu_idx_to_security_space
target/arm/ptw: get current security_space for current mmu_idx
target/arm/ptw: extract arm_cpu_get_phys_page
target/arm/ptw: fix arm_cpu_get_phys_page_attrs_debug
target/arm/ptw.c | 65 +++++++++++++++++++++++++++++++++++-------------
1 file changed, 48 insertions(+), 17 deletions(-)
--
2.39.5