qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: Laszlo Ersek <lersek@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>
Cc: qemu devel list <qemu-devel@nongnu.org>,
	Ani Sinha <ani@anisinha.ca>, Ard Biesheuvel <ardb@kernel.org>,
	Igor Mammedov <imammedo@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Peter Maydell <peter.maydell@linaro.org>,
	qemu-stable@nongnu.org
Subject: Re: [PATCH] acpi: cpuhp: fix guest-visible maximum access size to the legacy reg block
Date: Thu, 5 Jan 2023 10:00:00 +0100	[thread overview]
Message-ID: <2f32e669-2263-01c5-28d4-5721b3144b32@linaro.org> (raw)
In-Reply-To: <7122894b-ccbf-9d30-ee54-c23c25c0f82b@redhat.com>

On 5/1/23 08:13, Laszlo Ersek wrote:
> On 1/4/23 13:35, Michael S. Tsirkin wrote:
>> On Wed, Jan 04, 2023 at 10:01:38AM +0100, Laszlo Ersek wrote:
[...]

>>> To make things *even more* complicated, the breakage was (and remains, as
>>> of today) visible with TCG acceleration only.  Commit 5d971f9e6725 makes
>>> no difference with KVM acceleration -- the DWORD accesses still work,
>>> despite "valid.max_access_size = 1".
>>
>> BTW do you happen to know why that's the case for KVM? Because if kvm
>> ignores valid.max_access_size generally then commit 5d971f9e6725 is
>> incomplete, and we probably have some related kvm-only bugs.
> 
> It remains a mystery for me why KVM accel does not enforce
> "valid.max_access_size".
> 
> In the thread I started earlier (which led to this patch), at
> 
>    "IO port write width clamping differs between TCG and KVM"
>    https://lists.gnu.org/archive/html/qemu-devel/2023-01/msg00199.html

[...]

> So, I think the bug is somehow "distributed" between
> flatview_write_continue(), flatview_access_allowed(), and
> memory_access_size(). flatview_access_allowed() does not care about "l"
> at all, when it should (maybe?) compare it against
> "mr->ops->valid.max_access_size". In turn, memory_access_size()
> *silently* reduces the access width, based on
> "->ops->valid.max_access_size".
> 
> And all this this *precedes* the call to memory_region_access_valid(),
> which is only called from within memory_region_dispatch_write(), which
> already gets the reduced width only.
> 
> Now, flatview_access_allowed() is from commit 3ab6fdc91b72
> ("softmmu/physmem: Introduce MemTxAttrs::memory field and
> MEMTX_ACCESS_ERROR", 2022-03-21), and the fact it does not check "len"
> seems intentional -- it only takes "len" for logging.
> 
> Hmm. After digging a lot more, I find the issue may have been introduced
> over three commits:
> 
> - 82f2563fc815 ("exec: introduce memory_access_size", 2013-05-29), which
>    (IIUC) was the first step towards automatically reducing the address
>    width, but at first only based on alignment,
> 
> - 23326164ae6f ("exec: Support 64-bit operations in address_space_rw",
>    2013-07-14), which extended the splitting based on
>    "MemoryRegionOps.impl",
> 
> - e1622f4b1539 ("exec: fix incorrect assumptions in memory_access_size",
>    2013-07-18), which flipped the splitting basis to
>    "MemoryRegionOps.valid".
> 
> To me, 23326164ae6f seems *vaguely* correct ("vague" is not criticism
> for the commit, it's criticism for my understanding :)); after all we're
> on our way towards the device model, and the device model exposes via
> "MemoryRegionOps.impl" what it can handle. Plus, commit 5d971f9e6725
> does direct us towards "MemoryRegionOps.impl"!
> 
> But clearly there must have been something wrong with 23326164ae6f,
> according to e1622f4b1539...

Maybe the long-standing unaligned access problem? Could be fixed by:
https://lore.kernel.org/qemu-devel/20210619172626.875885-15-richard.henderson@linaro.org/

> The latter is what introduced the current "silent splitting of access
> based on 'valid'". The message of commit e1622f4b1539 says, almost like
> an afterthought:
> 
>>      access_size_max can be mr->ops->valid.max_access_size because memory.c
>>      can and will still break accesses bigger than
>>      mr->ops->impl.max_access_size.
> 
> I think this argument may have been wrong: if "impl.max_access_size" is
> large (such as: unset), but "valid.max_access_size" is small, that just
> means:
> 
>    the implementation is flexible and can deal with any access widths (so
>    "memory.c" *need not* break up accesses for the device model's sake),
>    but the device should restrict the *guest* to small accesses. So if
>    the guest tries something larger, we shouldn't silently accommodate
>    that.

Indeed. '.impl' is a software thing for the device modeller, ideally one
will chose a value that allows the simplest implementation. I.e. if a
device only allows 8-bit access, use 8-bit registers aligned on a 64-bit
boundary, the model might use:

   .impl.min_access_size = 8,
   .impl.max_access_size = 1,

Also we need to keep in mind that even if most MemoryRegionOps structs
are 'static const', such structure can be dynamically created. I.e.:
https://lore.kernel.org/qemu-devel/20200817161853.593247-5-f4bug@amsat.org/

> I have zero idea how to fix this, but I feel that the quoted argument
> from commit e1622f4b1539 is the reason why KVM accel is so lenient that
> it sort of "de-fangs" commit 5d971f9e6725.
> 
> Laszlo
> 



  reply	other threads:[~2023-01-05  9:01 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-01-04  9:01 [PATCH] acpi: cpuhp: fix guest-visible maximum access size to the legacy reg block Laszlo Ersek
2023-01-04  9:33 ` Ard Biesheuvel
2023-01-04 10:26   ` Laszlo Ersek
2023-01-04  9:34 ` Philippe Mathieu-Daudé
2023-01-04 10:29   ` Laszlo Ersek
2023-01-04 10:38   ` Igor Mammedov
2023-01-04 12:27     ` Philippe Mathieu-Daudé
2023-01-04 10:35 ` Igor Mammedov
2023-01-04 12:13   ` Laszlo Ersek
2023-01-04 12:35 ` Michael S. Tsirkin
2023-01-05  7:13   ` Laszlo Ersek
2023-01-05  9:00     ` Philippe Mathieu-Daudé [this message]
2023-01-05  9:51       ` Michael S. Tsirkin
2023-03-01  7:17     ` Christian Ehrhardt
2023-03-01  8:03       ` Laszlo Ersek
2023-03-02  8:32         ` Christian Ehrhardt
2023-03-02 10:38           ` Laszlo Ersek
  -- strict thread matches above, loose matches on Subject: below --
2023-01-05 16:18 Laszlo Ersek
2023-01-05 16:21 ` Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2f32e669-2263-01c5-28d4-5721b3144b32@linaro.org \
    --to=philmd@linaro.org \
    --cc=ani@anisinha.ca \
    --cc=ardb@kernel.org \
    --cc=imammedo@redhat.com \
    --cc=lersek@redhat.com \
    --cc=mst@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-stable@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).