[Qemu-devel] [PATCH 1/2] exec.c: Fix off-by-one error in register_subpage

[Qemu-devel] [PATCH 1/2] exec.c: Fix off-by-one error in register_subpage

[Tyler Hall]

subpage_register() expects "end" to be the last byte in the mapping.
Registering a non-page-aligned memory region that extends up to or
beyond a page boundary causes subpage_register() to silently fail
through the (end >= PAGE_SIZE) check.

This bug does not cause noticeable problems for mappings that do not
extend to a page boundary, though they do register an extra byte.

Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
---
 exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/exec.c b/exec.c
index feb4795..27b100c 100644
--- a/exec.c
+++ b/exec.c
@@ -2271,7 +2271,7 @@ static void register_subpage(MemoryRegionSection *section)
         subpage = container_of(existing->mr, subpage_t, iomem);
     }
     start = section->offset_within_address_space & ~TARGET_PAGE_MASK;
-    end = start + section->size;
+    end = start + section->size - 1;
     subpage_register(subpage, start, end, phys_section_add(section));
 }
 
-- 
1.7.11

[Qemu-devel] [PATCH 2/2] exec.c: Use subpages for large unaligned mappings

[Tyler Hall]

Registering a multi-page memory region that is non-page-aligned results
in a subpage from the start to the page boundary, some number of full
pages, and possibly another subpage from the last page boundary to the
end. The full pages will have a value for offset_within_region that is
not a multiple of TARGET_PAGE_SIZE. Accesses through softmmu are unable
to handle this and will segfault.

Handling full pages through subpages is not optimal, but only
non-page-aligned mappings take the penalty.

Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
---
 exec.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/exec.c b/exec.c
index 27b100c..e6ac3e7 100644
--- a/exec.c
+++ b/exec.c
@@ -2305,10 +2305,15 @@ void cpu_register_physical_memory_log(MemoryRegionSection *section,
         remain.offset_within_address_space += now.size;
         remain.offset_within_region += now.size;
     }
-    now = remain;
-    now.size &= TARGET_PAGE_MASK;
-    if (now.size) {
-        register_multipage(&now);
+    while (remain.size >= TARGET_PAGE_SIZE) {
+        now = remain;
+        if (remain.offset_within_region & ~TARGET_PAGE_MASK) {
+            now.size = TARGET_PAGE_SIZE;
+            register_subpage(&now);
+        } else {
+            now.size &= TARGET_PAGE_MASK;
+            register_multipage(&now);
+        }
         remain.size -= now.size;
         remain.offset_within_address_space += now.size;
         remain.offset_within_region += now.size;
-- 
1.7.11

Re: [Qemu-devel] [Qemu-trivial] [PATCH 1/2] exec.c: Fix off-by-one error in register_subpage

[Stefan Hajnoczi]

On Wed, Jul 25, 2012 at 06:45:03PM -0400, Tyler Hall wrote:
> subpage_register() expects "end" to be the last byte in the mapping.
> Registering a non-page-aligned memory region that extends up to or
> beyond a page boundary causes subpage_register() to silently fail
> through the (end >= PAGE_SIZE) check.
> 
> This bug does not cause noticeable problems for mappings that do not
> extend to a page boundary, though they do register an extra byte.
> 
> Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
> ---
>  exec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/exec.c b/exec.c
> index feb4795..27b100c 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -2271,7 +2271,7 @@ static void register_subpage(MemoryRegionSection *section)
>          subpage = container_of(existing->mr, subpage_t, iomem);
>      }
>      start = section->offset_within_address_space & ~TARGET_PAGE_MASK;
> -    end = start + section->size;
> +    end = start + section->size - 1;
>      subpage_register(subpage, start, end, phys_section_add(section));
>  }

I would really like to see an Acked-by: or Signed-off-by: from Avi or
someone else who is familiar with the memory regions code.  Especially
for Patch 2/2.

Stefan

Re: [Qemu-devel] [Qemu-trivial] [PATCH 1/2] exec.c: Fix off-by-one error in register_subpage

[Peter Maydell]

On 1 August 2012 11:42, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> On Wed, Jul 25, 2012 at 06:45:03PM -0400, Tyler Hall wrote:
>> subpage_register() expects "end" to be the last byte in the mapping.
>> Registering a non-page-aligned memory region that extends up to or
>> beyond a page boundary causes subpage_register() to silently fail
>> through the (end >= PAGE_SIZE) check.
>>
>> This bug does not cause noticeable problems for mappings that do not
>> extend to a page boundary, though they do register an extra byte.
>>
>> Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
>> ---
>>  exec.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/exec.c b/exec.c
>> index feb4795..27b100c 100644
>> --- a/exec.c
>> +++ b/exec.c
>> @@ -2271,7 +2271,7 @@ static void register_subpage(MemoryRegionSection *section)
>>          subpage = container_of(existing->mr, subpage_t, iomem);
>>      }
>>      start = section->offset_within_address_space & ~TARGET_PAGE_MASK;
>> -    end = start + section->size;
>> +    end = start + section->size - 1;
>>      subpage_register(subpage, start, end, phys_section_add(section));
>>  }
>
> I would really like to see an Acked-by: or Signed-off-by: from Avi or
> someone else who is familiar with the memory regions code.  Especially
> for Patch 2/2.

I think this patch is OK (compare the subpage_register() call in
subpage_init(), the guards in subpage_register(), etc), so

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

though I dunno that I'd claim to be familiar with the memory region
code ;-)

2/2 is definitely not a trivial patch, though -- it's trying to fix
a long standing deficiency in qemu's mmio region handling. I gave 2/2
a quick test and it seems to pass the right offset through to the
read/write handlers, but Avi should definitely review it...

On a related note, the comment above register_subpage which includes
remarks about how this special case doesn't work seems to now be
rather out of date since it's still talking about function parameter
names which no longer exist.

-- PMM

Re: [Qemu-devel] [PATCH 1/2] exec.c: Fix off-by-one error in register_subpage

[Avi Kivity]

On 07/26/2012 01:45 AM, Tyler Hall wrote:
> subpage_register() expects "end" to be the last byte in the mapping.
> Registering a non-page-aligned memory region that extends up to or
> beyond a page boundary causes subpage_register() to silently fail
> through the (end >= PAGE_SIZE) check.
> 
> This bug does not cause noticeable problems for mappings that do not
> extend to a page boundary, though they do register an extra byte.

Reviewed-by: Avi Kivity <avi@redhat.com>


-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH 1/2] exec.c: Fix off-by-one error in register_subpage

[Stefan Hajnoczi]

On Wed, Aug 1, 2012 at 1:56 PM, Avi Kivity <avi@redhat.com> wrote:
> On 07/26/2012 01:45 AM, Tyler Hall wrote:
>> subpage_register() expects "end" to be the last byte in the mapping.
>> Registering a non-page-aligned memory region that extends up to or
>> beyond a page boundary causes subpage_register() to silently fail
>> through the (end >= PAGE_SIZE) check.
>>
>> This bug does not cause noticeable problems for mappings that do not
>> extend to a page boundary, though they do register an extra byte.
>
> Reviewed-by: Avi Kivity <avi@redhat.com>

Thanks Avi.  Does this include Patch 2/2 too?

https://lists.gnu.org/archive/html/qemu-devel/2012-07/msg03573.html

Stefan

Re: [Qemu-devel] [PATCH 2/2] exec.c: Use subpages for large unaligned mappings

[Avi Kivity]

On 07/26/2012 01:45 AM, Tyler Hall wrote:
> Registering a multi-page memory region that is non-page-aligned results
> in a subpage from the start to the page boundary, some number of full
> pages, and possibly another subpage from the last page boundary to the
> end. The full pages will have a value for offset_within_region that is
> not a multiple of TARGET_PAGE_SIZE. Accesses through softmmu are unable
> to handle this and will segfault.
> 
> Handling full pages through subpages is not optimal, but only
> non-page-aligned mappings take the penalty.

Reviewed-by: Avi Kivity <avi@redhat.com>



-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH 1/2] exec.c: Fix off-by-one error in register_subpage

[Avi Kivity]

On 08/01/2012 04:01 PM, Stefan Hajnoczi wrote:
> On Wed, Aug 1, 2012 at 1:56 PM, Avi Kivity <avi@redhat.com> wrote:
>> On 07/26/2012 01:45 AM, Tyler Hall wrote:
>>> subpage_register() expects "end" to be the last byte in the mapping.
>>> Registering a non-page-aligned memory region that extends up to or
>>> beyond a page boundary causes subpage_register() to silently fail
>>> through the (end >= PAGE_SIZE) check.
>>>
>>> This bug does not cause noticeable problems for mappings that do not
>>> extend to a page boundary, though they do register an extra byte.
>>
>> Reviewed-by: Avi Kivity <avi@redhat.com>
> 
> Thanks Avi.  Does this include Patch 2/2 too?

I reviewed that as well with similar results.


-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [Qemu-trivial] [PATCH 1/2] exec.c: Fix off-by-one error in register_subpage

[Stefan Hajnoczi]

On Wed, Jul 25, 2012 at 06:45:03PM -0400, Tyler Hall wrote:
> subpage_register() expects "end" to be the last byte in the mapping.
> Registering a non-page-aligned memory region that extends up to or
> beyond a page boundary causes subpage_register() to silently fail
> through the (end >= PAGE_SIZE) check.
> 
> This bug does not cause noticeable problems for mappings that do not
> extend to a page boundary, though they do register an extra byte.
> 
> Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
> ---
>  exec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Thanks, both applied to the trivial patches tree:
https://github.com/stefanha/qemu/commits/trivial-patches

Stefan