From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 23/32] tcg: Support MMU protection regions smaller than TARGET_PAGE_SIZE
Date: Tue, 26 Jun 2018 17:56:49 +0100 [thread overview]
Message-ID: <20180626165658.31394-24-peter.maydell@linaro.org> (raw)
In-Reply-To: <20180626165658.31394-1-peter.maydell@linaro.org>
Add support for MMU protection regions that are smaller than
TARGET_PAGE_SIZE. We do this by marking the TLB entry for those
pages with a flag TLB_RECHECK. This flag causes us to always
take the slow-path for accesses. In the slow path we can then
special case them to always call tlb_fill() again, so we have
the correct information for the exact address being accessed.
This change allows us to handle reading and writing from small
regions; we cannot deal with execution from the small region.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180620130619.11362-2-peter.maydell@linaro.org
---
accel/tcg/softmmu_template.h | 24 ++++---
include/exec/cpu-all.h | 5 +-
accel/tcg/cputlb.c | 131 +++++++++++++++++++++++++++++------
3 files changed, 130 insertions(+), 30 deletions(-)
diff --git a/accel/tcg/softmmu_template.h b/accel/tcg/softmmu_template.h
index 239ea6692b4..c47591c9709 100644
--- a/accel/tcg/softmmu_template.h
+++ b/accel/tcg/softmmu_template.h
@@ -98,10 +98,12 @@
static inline DATA_TYPE glue(io_read, SUFFIX)(CPUArchState *env,
size_t mmu_idx, size_t index,
target_ulong addr,
- uintptr_t retaddr)
+ uintptr_t retaddr,
+ bool recheck)
{
CPUIOTLBEntry *iotlbentry = &env->iotlb[mmu_idx][index];
- return io_readx(env, iotlbentry, mmu_idx, addr, retaddr, DATA_SIZE);
+ return io_readx(env, iotlbentry, mmu_idx, addr, retaddr, recheck,
+ DATA_SIZE);
}
#endif
@@ -138,7 +140,8 @@ WORD_TYPE helper_le_ld_name(CPUArchState *env, target_ulong addr,
/* ??? Note that the io helpers always read data in the target
byte ordering. We should push the LE/BE request down into io. */
- res = glue(io_read, SUFFIX)(env, mmu_idx, index, addr, retaddr);
+ res = glue(io_read, SUFFIX)(env, mmu_idx, index, addr, retaddr,
+ tlb_addr & TLB_RECHECK);
res = TGT_LE(res);
return res;
}
@@ -205,7 +208,8 @@ WORD_TYPE helper_be_ld_name(CPUArchState *env, target_ulong addr,
/* ??? Note that the io helpers always read data in the target
byte ordering. We should push the LE/BE request down into io. */
- res = glue(io_read, SUFFIX)(env, mmu_idx, index, addr, retaddr);
+ res = glue(io_read, SUFFIX)(env, mmu_idx, index, addr, retaddr,
+ tlb_addr & TLB_RECHECK);
res = TGT_BE(res);
return res;
}
@@ -259,10 +263,12 @@ static inline void glue(io_write, SUFFIX)(CPUArchState *env,
size_t mmu_idx, size_t index,
DATA_TYPE val,
target_ulong addr,
- uintptr_t retaddr)
+ uintptr_t retaddr,
+ bool recheck)
{
CPUIOTLBEntry *iotlbentry = &env->iotlb[mmu_idx][index];
- return io_writex(env, iotlbentry, mmu_idx, val, addr, retaddr, DATA_SIZE);
+ return io_writex(env, iotlbentry, mmu_idx, val, addr, retaddr,
+ recheck, DATA_SIZE);
}
void helper_le_st_name(CPUArchState *env, target_ulong addr, DATA_TYPE val,
@@ -298,7 +304,8 @@ void helper_le_st_name(CPUArchState *env, target_ulong addr, DATA_TYPE val,
/* ??? Note that the io helpers always read data in the target
byte ordering. We should push the LE/BE request down into io. */
val = TGT_LE(val);
- glue(io_write, SUFFIX)(env, mmu_idx, index, val, addr, retaddr);
+ glue(io_write, SUFFIX)(env, mmu_idx, index, val, addr,
+ retaddr, tlb_addr & TLB_RECHECK);
return;
}
@@ -375,7 +382,8 @@ void helper_be_st_name(CPUArchState *env, target_ulong addr, DATA_TYPE val,
/* ??? Note that the io helpers always read data in the target
byte ordering. We should push the LE/BE request down into io. */
val = TGT_BE(val);
- glue(io_write, SUFFIX)(env, mmu_idx, index, val, addr, retaddr);
+ glue(io_write, SUFFIX)(env, mmu_idx, index, val, addr, retaddr,
+ tlb_addr & TLB_RECHECK);
return;
}
diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index 7fa726b8e36..7338f57062f 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -330,11 +330,14 @@ CPUArchState *cpu_copy(CPUArchState *env);
#define TLB_NOTDIRTY (1 << (TARGET_PAGE_BITS - 2))
/* Set if TLB entry is an IO callback. */
#define TLB_MMIO (1 << (TARGET_PAGE_BITS - 3))
+/* Set if TLB entry must have MMU lookup repeated for every access */
+#define TLB_RECHECK (1 << (TARGET_PAGE_BITS - 4))
/* Use this mask to check interception with an alignment mask
* in a TCG backend.
*/
-#define TLB_FLAGS_MASK (TLB_INVALID_MASK | TLB_NOTDIRTY | TLB_MMIO)
+#define TLB_FLAGS_MASK (TLB_INVALID_MASK | TLB_NOTDIRTY | TLB_MMIO \
+ | TLB_RECHECK)
void dump_exec_info(FILE *f, fprintf_function cpu_fprintf);
void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf);
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index 719cca2268b..eebe97dabb7 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -613,27 +613,42 @@ void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
target_ulong code_address;
uintptr_t addend;
CPUTLBEntry *te, *tv, tn;
- hwaddr iotlb, xlat, sz;
+ hwaddr iotlb, xlat, sz, paddr_page;
+ target_ulong vaddr_page;
unsigned vidx = env->vtlb_index++ % CPU_VTLB_SIZE;
int asidx = cpu_asidx_from_attrs(cpu, attrs);
assert_cpu_is_self(cpu);
- assert(size >= TARGET_PAGE_SIZE);
- if (size != TARGET_PAGE_SIZE) {
- tlb_add_large_page(env, vaddr, size);
- }
- sz = size;
- section = address_space_translate_for_iotlb(cpu, asidx, paddr, &xlat, &sz,
- attrs, &prot);
+ if (size < TARGET_PAGE_SIZE) {
+ sz = TARGET_PAGE_SIZE;
+ } else {
+ if (size > TARGET_PAGE_SIZE) {
+ tlb_add_large_page(env, vaddr, size);
+ }
+ sz = size;
+ }
+ vaddr_page = vaddr & TARGET_PAGE_MASK;
+ paddr_page = paddr & TARGET_PAGE_MASK;
+
+ section = address_space_translate_for_iotlb(cpu, asidx, paddr_page,
+ &xlat, &sz, attrs, &prot);
assert(sz >= TARGET_PAGE_SIZE);
tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx
" prot=%x idx=%d\n",
vaddr, paddr, prot, mmu_idx);
- address = vaddr;
- if (!memory_region_is_ram(section->mr) && !memory_region_is_romd(section->mr)) {
+ address = vaddr_page;
+ if (size < TARGET_PAGE_SIZE) {
+ /*
+ * Slow-path the TLB entries; we will repeat the MMU check and TLB
+ * fill on every access.
+ */
+ address |= TLB_RECHECK;
+ }
+ if (!memory_region_is_ram(section->mr) &&
+ !memory_region_is_romd(section->mr)) {
/* IO memory case */
address |= TLB_MMIO;
addend = 0;
@@ -643,10 +658,10 @@ void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
}
code_address = address;
- iotlb = memory_region_section_get_iotlb(cpu, section, vaddr, paddr, xlat,
- prot, &address);
+ iotlb = memory_region_section_get_iotlb(cpu, section, vaddr_page,
+ paddr_page, xlat, prot, &address);
- index = (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
+ index = (vaddr_page >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
te = &env->tlb_table[mmu_idx][index];
/* do not discard the translation in te, evict it into a victim tlb */
tv = &env->tlb_v_table[mmu_idx][vidx];
@@ -662,18 +677,18 @@ void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
* TARGET_PAGE_BITS, and either
* + the ram_addr_t of the page base of the target RAM (if NOTDIRTY or ROM)
* + the offset within section->mr of the page base (otherwise)
- * We subtract the vaddr (which is page aligned and thus won't
+ * We subtract the vaddr_page (which is page aligned and thus won't
* disturb the low bits) to give an offset which can be added to the
* (non-page-aligned) vaddr of the eventual memory access to get
* the MemoryRegion offset for the access. Note that the vaddr we
* subtract here is that of the page base, and not the same as the
* vaddr we add back in io_readx()/io_writex()/get_page_addr_code().
*/
- env->iotlb[mmu_idx][index].addr = iotlb - vaddr;
+ env->iotlb[mmu_idx][index].addr = iotlb - vaddr_page;
env->iotlb[mmu_idx][index].attrs = attrs;
/* Now calculate the new entry */
- tn.addend = addend - vaddr;
+ tn.addend = addend - vaddr_page;
if (prot & PAGE_READ) {
tn.addr_read = address;
} else {
@@ -694,7 +709,7 @@ void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
tn.addr_write = address | TLB_MMIO;
} else if (memory_region_is_ram(section->mr)
&& cpu_physical_memory_is_clean(
- memory_region_get_ram_addr(section->mr) + xlat)) {
+ memory_region_get_ram_addr(section->mr) + xlat)) {
tn.addr_write = address | TLB_NOTDIRTY;
} else {
tn.addr_write = address;
@@ -767,7 +782,8 @@ static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
int mmu_idx,
- target_ulong addr, uintptr_t retaddr, int size)
+ target_ulong addr, uintptr_t retaddr,
+ bool recheck, int size)
{
CPUState *cpu = ENV_GET_CPU(env);
hwaddr mr_offset;
@@ -777,6 +793,29 @@ static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
bool locked = false;
MemTxResult r;
+ if (recheck) {
+ /*
+ * This is a TLB_RECHECK access, where the MMU protection
+ * covers a smaller range than a target page, and we must
+ * repeat the MMU check here. This tlb_fill() call might
+ * longjump out if this access should cause a guest exception.
+ */
+ int index;
+ target_ulong tlb_addr;
+
+ tlb_fill(cpu, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr);
+
+ index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
+ tlb_addr = env->tlb_table[mmu_idx][index].addr_read;
+ if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
+ /* RAM access */
+ uintptr_t haddr = addr + env->tlb_table[mmu_idx][index].addend;
+
+ return ldn_p((void *)haddr, size);
+ }
+ /* Fall through for handling IO accesses */
+ }
+
section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
mr = section->mr;
mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
@@ -811,7 +850,7 @@ static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
int mmu_idx,
uint64_t val, target_ulong addr,
- uintptr_t retaddr, int size)
+ uintptr_t retaddr, bool recheck, int size)
{
CPUState *cpu = ENV_GET_CPU(env);
hwaddr mr_offset;
@@ -820,6 +859,30 @@ static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
bool locked = false;
MemTxResult r;
+ if (recheck) {
+ /*
+ * This is a TLB_RECHECK access, where the MMU protection
+ * covers a smaller range than a target page, and we must
+ * repeat the MMU check here. This tlb_fill() call might
+ * longjump out if this access should cause a guest exception.
+ */
+ int index;
+ target_ulong tlb_addr;
+
+ tlb_fill(cpu, addr, size, MMU_DATA_STORE, mmu_idx, retaddr);
+
+ index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
+ tlb_addr = env->tlb_table[mmu_idx][index].addr_write;
+ if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
+ /* RAM access */
+ uintptr_t haddr = addr + env->tlb_table[mmu_idx][index].addend;
+
+ stn_p((void *)haddr, size, val);
+ return;
+ }
+ /* Fall through for handling IO accesses */
+ }
+
section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
mr = section->mr;
mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
@@ -903,6 +966,32 @@ tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
}
}
+
+ if (unlikely(env->tlb_table[mmu_idx][index].addr_code & TLB_RECHECK)) {
+ /*
+ * This is a TLB_RECHECK access, where the MMU protection
+ * covers a smaller range than a target page, and we must
+ * repeat the MMU check here. This tlb_fill() call might
+ * longjump out if this access should cause a guest exception.
+ */
+ int index;
+ target_ulong tlb_addr;
+
+ tlb_fill(cpu, addr, 0, MMU_INST_FETCH, mmu_idx, 0);
+
+ index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
+ tlb_addr = env->tlb_table[mmu_idx][index].addr_code;
+ if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
+ /* RAM access. We can't handle this, so for now just stop */
+ cpu_abort(cpu, "Unable to handle guest executing from RAM within "
+ "a small MPU region at 0x" TARGET_FMT_lx, addr);
+ }
+ /*
+ * Fall through to handle IO accesses (which will almost certainly
+ * also result in failure)
+ */
+ }
+
iotlbentry = &env->iotlb[mmu_idx][index];
section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
mr = section->mr;
@@ -1011,8 +1100,8 @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
tlb_addr = tlbe->addr_write & ~TLB_INVALID_MASK;
}
- /* Notice an IO access */
- if (unlikely(tlb_addr & TLB_MMIO)) {
+ /* Notice an IO access or a needs-MMU-lookup access */
+ if (unlikely(tlb_addr & (TLB_MMIO | TLB_RECHECK))) {
/* There's really nothing that can be done to
support this apart from stop-the-world. */
goto stop_the_world;
--
2.17.1
next prev parent reply other threads:[~2018-06-26 16:57 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-26 16:56 [Qemu-devel] [PULL 00/32] target-arm queue Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 01/32] aspeed/smc: fix dummy cycles count when in dual IO mode Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 02/32] aspeed/smc: fix HW strapping Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 03/32] aspeed/smc: rename aspeed_smc_flash_send_addr() to aspeed_smc_flash_setup() Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 04/32] MAINTAINERS: Adopt the Gumstix computers-on-module machines Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 05/32] xilinx_spips: Make dma transactions as per dma_burst_size Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 06/32] MAINTAINERS: Add ASPEED BMCs Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 07/32] hw/input/pckbd: Use qemu_log_mask(GUEST_ERROR) instead of fprintf Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 08/32] hw/input/tsc2005: " Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 09/32] hw/dma/omap_dma: Use qemu_log_mask(UNIMP) instead of printf Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 10/32] hw/dma/omap_dma: Use qemu_log_mask(GUEST_ERROR) instead of fprintf Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 11/32] hw/ssi/omap_spi: " Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 12/32] hw/sd/omap_mmc: Use qemu_log_mask(UNIMP) instead of printf Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 13/32] hw/i2c/omap_i2c: Use qemu_log_mask(UNIMP) instead of fprintf Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 14/32] hw/arm/omap1: Use qemu_log_mask(GUEST_ERROR) " Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 15/32] hw/arm/omap: " Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 16/32] hw/arm/stellaris: Use qemu_log_mask(UNIMP) " Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 17/32] hw/net/stellaris_enet: Fix a typo Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 18/32] hw/net/stellaris_enet: Use qemu_log_mask(GUEST_ERROR) instead of hw_error Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 19/32] hw/net/smc91c111: " Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 20/32] hw/net/smc91c111: Use qemu_log_mask(UNIMP) instead of fprintf Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 21/32] hw/arm/stellaris: Fix gptm_write() error message Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 22/32] hw/arm/stellaris: Use HWADDR_PRIx to display register address Peter Maydell
2018-06-26 16:56 ` Peter Maydell [this message]
2018-06-28 13:03 ` [Qemu-devel] [PULL 23/32] tcg: Support MMU protection regions smaller than TARGET_PAGE_SIZE Laurent Vivier
2018-06-28 13:23 ` Peter Maydell
2018-06-28 19:23 ` Laurent Vivier
2018-06-28 20:05 ` Peter Maydell
2018-06-28 22:26 ` Laurent Vivier
2018-06-29 12:14 ` Peter Maydell
2018-06-29 14:07 ` Alex Bennée
2018-06-29 15:28 ` Peter Maydell
2018-06-29 15:52 ` Laurent Vivier
2018-06-26 16:56 ` [Qemu-devel] [PULL 24/32] target/arm: Set page (region) size in get_phys_addr_pmsav7() Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 25/32] target/arm: Handle small regions in get_phys_addr_pmsav8() Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 26/32] hw/arm/smmuv3: Fix translate error handling Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 27/32] hw/arm/smmuv3: Cache/invalidate config data Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 28/32] hw/arm/smmuv3: IOTLB emulation Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 29/32] hw/arm/smmuv3: Add notifications on invalidation Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 30/32] aspeed/scu: introduce clock frequencies Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 31/32] aspeed: initialize the SCU controller first Peter Maydell
2018-06-26 16:56 ` [Qemu-devel] [PULL 32/32] aspeed/timer: use the APB frequency from the SCU Peter Maydell
2018-06-26 18:19 ` [Qemu-devel] [PULL 00/32] target-arm queue Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180626165658.31394-24-peter.maydell@linaro.org \
--to=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.