[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN v2] GICv3: Emulate GICR_PENDBASER correctly for 32 bit guests

To: Ayan Kumar Halder <ayankuma@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Julien Grall <julien@xxxxxxx>
Date: Tue, 25 Oct 2022 20:48:34 +0100
Cc: sstabellini@xxxxxxxxxx, stefanos@xxxxxxxxxx, Volodymyr_Babchuk@xxxxxxxx, bertrand.marquis@xxxxxxx, andre.przywara@xxxxxxx, Henry Wang <Henry.Wang@xxxxxxx>
Delivery-date: Tue, 25 Oct 2022 19:48:48 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

(+Henry)

Hi Ayan,

Adding Henry because this is something we probably want to fix in Xen4.17. AFAIU, the value is not used at all in Xen, so the risk is mostlyreturning a wrong value to a domain using GICv3 ITS (not officiallysupported and only expose to dom0 so far). Therefore, I would say thisshould be OK to ingest in Xen 4.17.


Anyway back to the review...

Title: Technically a 64-bit guest is equally affected because it isallowed to do 32-bit access. Furthermore, I would prefer if you prefixthe title with "xen/arm" so it is clear which component you aretouching. So I would suggest the following title:


xen/arm: vGICv3: Emulate properly 32-bit access on GICR_PENDBASER

Note that I appended a "v" to "GICv3" to make clear this is referring tothe virtual GICv3 rather than host GICv3.


On 24/10/2022 20:30, Ayan Kumar Halder wrote:

If a guest is running in 32 bit mode and it tries to access
"GICR_PENDBASER + 4" mmio reg, it will be trapped to Xen. vreg_reg64_extract()
will return the value stored "v->arch.vgic.rdist_pendbase + 4".
This will be stored in a 32bit register.

Not really, the result will be stored in a 64-bit register for AArch64host (even if for 32-bit guest). The main part is the top 32-bit ofPENDBASER will be returned in the low 32-bit.


The 32bit register is then modified bitwise with a mask (ie GICR_PENDBASER_PTZ,
it clears the 62nd bit) which is greater than 32 bits. This will give an
incorrect result.

I would be explicit and say that "the bit PTZ will not be cleared asexpected by the specification".


The correct thing to do here is to store the value of
"v->arch.vgic.rdist_pendbase" in a temporary 64 bit variable. This variable is
then modified bitwise with GICR_PENDBASER_PTZ mask. It is then passed to
vreg_reg64_extract() which will extract 32 bits from the given offset.

Fixes: fe7fa1332dabd9ce4 ("ARM: vGICv3: handle virtual LPI pending and property 
tables")
Signed-off-by: Ayan Kumar Halder <ayankuma@xxxxxxx>
---

Changes from:-

v1 - 1. Extracted this fix from "[RFC PATCH v1 05/12] Arm: GICv3: Emulate
GICR_PENDBASER and GICR_PROPBASER on AArch32" into a separate patch with an
appropriate commit message.

  xen/arch/arm/vgic-v3.c | 6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/xen/arch/arm/vgic-v3.c b/xen/arch/arm/vgic-v3.c
index 0c23f6df9d..7930ab6330 100644
--- a/xen/arch/arm/vgic-v3.c
+++ b/xen/arch/arm/vgic-v3.c
@@ -250,14 +250,16 @@ static int __vgic_v3_rdistr_rd_mmio_read(struct vcpu *v, 
mmio_info_t *info,
      case VREG64(GICR_PENDBASER):
      {
          unsigned long flags;
+        uint64_t val;

if ( !v->domain->arch.vgic.has_its )

              goto read_as_zero_64;
          if ( !vgic_reg64_check_access(dabt) ) goto bad_width;

spin_lock_irqsave(&v->arch.vgic.lock, flags);

-        *r = vreg_reg64_extract(v->arch.vgic.rdist_pendbase, info);
-        *r &= ~GICR_PENDBASER_PTZ;       /* WO, reads as 0 */
+        val = v->arch.vgic.rdist_pendbase;
+        val &= ~GICR_PENDBASER_PTZ;      /* WO, reads as 0 */
+        *r = vreg_reg64_extract(val, info);

As you store v->arch.vgic.rdist_pendbase, the lock can be reduced to thefirst assignment. IOW:


val = v->arch....;
spin_unlock_irq_restore();
val &= ~GIC_PENDBASER_PTZ;

That said, I think the lock could now be completely dropped in favor ofusing read_atomic() (and write_atomic()).

I am saying this even with in mind that, IIUC, R52 may not support64-bit atomics (see [1]). There are a few places in Xen that expect64-bit access to be atomic. For instance the IOREQ code is usingguest_cmpxchg64() and a 32-build of Xen with the "case 8" commentedwrite_atomic_size() will fail. So there are some rework necessary for R52.

I would also rather not want to keep a bigger hammer (i.e. the lock) forarchitecture that support 64-bit atomic access.


Cheers,

[1] 20221025145506.5708839c@xxxxxxxxxxxxxxxxxxxxxxxxxx

--
Julien Grall

Follow-Ups:
- RE: [XEN v2] GICv3: Emulate GICR_PENDBASER correctly for 32 bit guests
  - From: Henry Wang

References:
- [XEN v2] GICv3: Emulate GICR_PENDBASER correctly for 32 bit guests
  - From: Ayan Kumar Halder

Prev by Date: Re: [PATCH V4 1/2] xen/virtio: Optimize the setup of "xen-grant-dma" devices
Next by Date: [libvirt test] 174380: tolerable all pass - PUSHED
Previous by thread: Re: [XEN v2] GICv3: Emulate GICR_PENDBASER correctly for 32 bit guests
Next by thread: RE: [XEN v2] GICv3: Emulate GICR_PENDBASER correctly for 32 bit guests
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.