[Qemu-devel] Dump guest page table inside QEMU makes system hang

[Qemu-devel] Dump guest page table inside QEMU makes system hang

[陳韋任 (Wei-Ren Chen)]

Hi all,

  I want to dump guest page table when guest writes to cr3,
the code snipt below,

---
uint32_t pgd[1024][1024]; // guest page table
static void dump_guest_pgtable(target_ulong cr3)
{
    int i, j;
    uint32_t phyaddr = cr3;
    uint32_t val;

    for (i = 0; i < NUM_ENTRY; ++i)
    {
        phyaddr += i * 4;
        for (j = 0; j < NUM_ENTRY; ++j)
        {
            cpu_physical_memory_read(phyaddr, &val, 4);
            pgd[i][j] = val;
        }
    }
}

void cpu_x86_update_cr3(CPUX86State *env, target_ulong new_cr3)
{
    env->cr[3] = new_cr3; // guest cr3

    if (env->cr[0] & CR0_PG_MASK) {
        tlb_flush(env, 0);

        // dump guest page table by using guest cr3
        dump_guest_pgtable(new_cr3);
    }
}
---

  The system will hang while booting. However, if I comment 
cpu_physical_memory_read in function dump_guest_pgtable, there
is no problem. What I am missing here? Thanks.

Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667
Homepage: http://people.cs.nctu.edu.tw/~chenwj

Re: [Qemu-devel] Dump guest page table inside QEMU makes system hang

[Blue Swirl]

On Tue, Aug 21, 2012 at 7:21 AM, 陳韋任 (Wei-Ren Chen)
<chenwj@iis.sinica.edu.tw> wrote:
> Hi all,
>
>   I want to dump guest page table when guest writes to cr3,
> the code snipt below,
>
> ---
> uint32_t pgd[1024][1024]; // guest page table
> static void dump_guest_pgtable(target_ulong cr3)
> {
>     int i, j;
>     uint32_t phyaddr = cr3;
>     uint32_t val;
>
>     for (i = 0; i < NUM_ENTRY; ++i)
>     {
>         phyaddr += i * 4;
>         for (j = 0; j < NUM_ENTRY; ++j)
>         {
>             cpu_physical_memory_read(phyaddr, &val, 4);
>             pgd[i][j] = val;
>         }
>     }
> }
>
> void cpu_x86_update_cr3(CPUX86State *env, target_ulong new_cr3)
> {
>     env->cr[3] = new_cr3; // guest cr3
>
>     if (env->cr[0] & CR0_PG_MASK) {
>         tlb_flush(env, 0);
>
>         // dump guest page table by using guest cr3
>         dump_guest_pgtable(new_cr3);
>     }
> }
> ---
>
>   The system will hang while booting. However, if I comment
> cpu_physical_memory_read in function dump_guest_pgtable, there
> is no problem. What I am missing here? Thanks.

cpu_physical_memory_read() can cause faults or other side effects like
MMIO. Using cpu_get_phys_page_debug() may help.

>
> Regards,
> chenwj
>
> --
> Wei-Ren Chen (陳韋任)
> Computer Systems Lab, Institute of Information Science,
> Academia Sinica, Taiwan (R.O.C.)
> Tel:886-2-2788-3799 #1667
> Homepage: http://people.cs.nctu.edu.tw/~chenwj
>

Re: [Qemu-devel] Dump guest page table inside QEMU makes system hang

[陳韋任 (Wei-Ren Chen)]

> >   The system will hang while booting. However, if I comment
> > cpu_physical_memory_read in function dump_guest_pgtable, there
> > is no problem. What I am missing here? Thanks.
> 
> cpu_physical_memory_read() can cause faults or other side effects like
> MMIO. Using cpu_get_phys_page_debug() may help.

  PMM also suggest me looking on cpu_get_phys_page_debug. When I read
the code, I found something suspicious.

---
target_phys_addr_t cpu_get_phys_page_debug(CPUX86State *env, target_ulong addr)
{
    target_ulong pde_addr, pte_addr;

    ...

    pde = ldq_phys(pde_addr);

    ...
}
---

  The address of pde and pte should be (guest) physical address, right?
If so, then target_ulong should be replaced with target_phys_addr_t.
The other clue is the type of ldq_phys's parameter is target_phys_addr_t.

Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667
Homepage: http://people.cs.nctu.edu.tw/~chenwj

Re: [Qemu-devel] Dump guest page table inside QEMU makes system hang

[Max Filippov]

On Tue, Aug 21, 2012 at 10:19 PM, Blue Swirl <blauwirbel@gmail.com> wrote:
> On Tue, Aug 21, 2012 at 7:21 AM, 陳韋任 (Wei-Ren Chen)
> <chenwj@iis.sinica.edu.tw> wrote:
>> Hi all,
>>
>>   I want to dump guest page table when guest writes to cr3,
>> the code snipt below,
>>
>> ---
>> uint32_t pgd[1024][1024]; // guest page table
>> static void dump_guest_pgtable(target_ulong cr3)
>> {
>>     int i, j;
>>     uint32_t phyaddr = cr3;
>>     uint32_t val;
>>
>>     for (i = 0; i < NUM_ENTRY; ++i)
>>     {
>>         phyaddr += i * 4;
>>         for (j = 0; j < NUM_ENTRY; ++j)
>>         {
>>             cpu_physical_memory_read(phyaddr, &val, 4);
>>             pgd[i][j] = val;
>>         }
>>     }
>> }
>>
>> void cpu_x86_update_cr3(CPUX86State *env, target_ulong new_cr3)
>> {
>>     env->cr[3] = new_cr3; // guest cr3
>>
>>     if (env->cr[0] & CR0_PG_MASK) {
>>         tlb_flush(env, 0);
>>
>>         // dump guest page table by using guest cr3
>>         dump_guest_pgtable(new_cr3);
>>     }
>> }
>> ---
>>
>>   The system will hang while booting. However, if I comment
>> cpu_physical_memory_read in function dump_guest_pgtable, there
>> is no problem. What I am missing here? Thanks.
>
> cpu_physical_memory_read() can cause faults or other side effects like
> MMIO. Using cpu_get_phys_page_debug() may help.
>

Maybe you just need to avoid accessing unsuitable physical addresses?
Or maybe 'if (env->cr[0] & CR0_PG_MASK)' is not strong enough, may
(CR0_PG_MASK | CR0_PE_MASK) be better?

At what stage does it hang? What CR3 value changes are observed before
the hang?

-- 
Thanks.
-- Max

Re: [Qemu-devel] Dump guest page table inside QEMU makes system hang

[陳韋任 (Wei-Ren Chen)]

[-- Attachment #1: Type: text/plain, Size: 1258 bytes --]

> >>   The system will hang while booting. However, if I comment
> >> cpu_physical_memory_read in function dump_guest_pgtable, there
> >> is no problem. What I am missing here? Thanks.
> >
> > cpu_physical_memory_read() can cause faults or other side effects like
> > MMIO. Using cpu_get_phys_page_debug() may help.
> >
> 
> Maybe you just need to avoid accessing unsuitable physical addresses?
> Or maybe 'if (env->cr[0] & CR0_PG_MASK)' is not strong enough, may
> (CR0_PG_MASK | CR0_PE_MASK) be better?
> 
> At what stage does it hang? What CR3 value changes are observed before
> the hang?

  It's quite embarrassing. The code I posted before is buggy, and it dumps all
1024 * 1024 page table entries. It takes a lot of time, so that I think the
system hangs. Attach is the code snipt what I am using, which works fine now.
Another question is, I would like to know the hva corresponding to gpa (i.e.,
the guest page pointed by guest pte). Do you happen to know there is such
gpa2hva function in QEMU?

  Thanks.

Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667
Homepage: http://people.cs.nctu.edu.tw/~chenwj

[-- Attachment #2: qemu.patch --]
[-- Type: text/x-diff, Size: 871 bytes --]

// we only consider x86 w/o pae 
static void dump_guest_pgtable(CPUX86State *env)
{
    int i, j;
    target_ulong pde_addr, pte_addr;
    target_ulong phyaddr, phyaddr2;
    uint32_t pde, pte;

    pde_addr = (env->cr[3] & ~0xfff) & env->a20_mask;
    // first level page directory, iterate pde
    for (i = 0; i < NUM_ENTRY; ++i)
    {
        phyaddr = (pde_addr + i * 4) & env->a20_mask;
        pde = ldl_phys(phyaddr);
        pd[i] = pde;
        if (!(pde & PG_PRESENT_MASK))
            continue;

        pte_addr = (pde & ~0xfff) & env->a20_mask;
        // second level page table, iterate pte
        for (j = 0; j < NUM_ENTRY; ++j)
        {
            phyaddr2 = (pte_addr + j * 4) & env->a20_mask;
            pte = ldl_phys(phyaddr2);
            if (!(pte & PG_PRESENT_MASK))
                pt[i][j] = 0;
            pt[i][j] = pte;
        }
    }
}

Re: [Qemu-devel] Dump guest page table inside QEMU makes system hang

[陳韋任 (Wei-Ren Chen)]

>   It's quite embarrassing. The code I posted before is buggy, and it dumps all
> 1024 * 1024 page table entries. It takes a lot of time, so that I think the
> system hangs. Attach is the code snipt what I am using, which works fine now.
> Another question is, I would like to know the hva corresponding to gpa (i.e.,
> the guest page pointed by guest pte). Do you happen to know there is such
> gpa2hva function in QEMU?

  I think I found one, cpu_physical_memory_map (exec.c). Below is how I
convert gpa to hva by using cpu_physical_memory_map.

    target_ulong pde_addr = (env->cr[3] + 32 * 4) & env->a20_mask;
    target_phys_addr_t len = 4;
    void *ptr = cpu_physical_memory_map(pde_addr, &len, 0);

The only thing I am not sure about is what value of len I should use.

Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667
Homepage: http://people.cs.nctu.edu.tw/~chenwj