From: Hesham Almatary <hesham.almatary@cl.cam.ac.uk>
To: Jonathan Behrens <fintelia@gmail.com>
Cc: "open list:RISC-V" <qemu-riscv@nongnu.org>,
	Sagar Karandikar <sagark@eecs.berkeley.edu>,
	Bastian Koppelmann <kbastian@mail.uni-paderborn.de>,
	Palmer Dabbelt <palmer@sifive.com>,
	"qemu-devel@nongnu.org Developers" <qemu-devel@nongnu.org>,
	Alistair Francis <Alistair.Francis@wdc.com>,
	Alistair Francis <alistair23@gmail.com>
Subject: Re: [Qemu-devel] [Qemu-riscv] [PATCHv3 5/5] RISC-V: Fix a PMP check with the correct access size
Date: Wed, 22 May 2019 09:55:01 +0100
Message-ID: <CA+wsVCAiJ9i4yDooV3ZsAFM87m75Jx-hLbAMupfJdJvP-S-PGg@mail.gmail.com>
In-Reply-To: <CANnJOVG-fqEsRqOu3e8Jd=OanGwi2eEKPK0_AqGcMV28QzVz+g@mail.gmail.com>

On Wed, 22 May 2019 at 03:25, Jonathan Behrens <fintelia@gmail.com> wrote:
>
> Hesham,
>
> I don't think this is quite right. If I understand correctly, PMP permissions are only validated on TLB fills, not on all accesses. (Is anyone able to confirm this?) If so, this function can't just validate the range of a single access and then place the entire page into the TLB. However, the current code is also wrong because an access should succeed/fail based on the permissions only for the range it actually touches even regardless of the permissions on the rest of the page. Now that I think about it, I'd also expect that somewhere in the PMP logic would flush the TLB every time any of the related control registers change though I can't find anywhere that this is happening...
>
I believe the TLB fill function is called on all accesses, but I might
be wrong. I will wait for someone to confirm otherwise.

It's mentioned in the spec that sfence.vma has to be executed after
changing PMP configs, so it's a SW concern (i.e., not QEMU's).

> Sorry to keep raising complaints about this patch set, the interaction between physical memory protection and paging is very subtle. Even some real hardware has had errata related to it!
>
> Jonathan
>
> On Tue, May 21, 2019 at 6:33 PM Alistair Francis <alistair23@gmail.com> wrote:
>>
>> On Tue, May 21, 2019 at 3:45 AM Hesham Almatary
>> <Hesham.Almatary@cl.cam.ac.uk> wrote:
>> >
>> > The PMP check should be of the memory access size rather
>> > than TARGET_PAGE_SIZE.
>> >
>> > Signed-off-by: Hesham Almatary <Hesham.Almatary@cl.cam.ac.uk>
>>
>> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
>>
>> Alistair
>>
>> > ---
>> >  target/riscv/cpu_helper.c | 2 +-
>> >  1 file changed, 1 insertion(+), 1 deletion(-)
>> >
>> > diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
>> > index d0b0f9cf88..ce1f47e4e3 100644
>> > --- a/target/riscv/cpu_helper.c
>> > +++ b/target/riscv/cpu_helper.c
>> > @@ -410,7 +410,7 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
>> >
>> >      if (riscv_feature(env, RISCV_FEATURE_PMP) &&
>> >          (ret == TRANSLATE_SUCCESS) &&
>> > -        !pmp_hart_has_privs(env, pa, TARGET_PAGE_SIZE, 1 << access_type)) {
>> > +        !pmp_hart_has_privs(env, pa, size, 1 << access_type)) {
>> >          ret = TRANSLATE_PMP_FAIL;
>> >      }
>> >      if (ret == TRANSLATE_PMP_FAIL) {
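Review bot: On the changed `pmp_hart_has_privs(env, pa, size, 1 << access_type)` line, the check now covers only `size` bytes starting at `pa`, but it runs inside `riscv_cpu_tlb_fill`, so if the resulting translation is reused for other offsets in the same page, those bytes are never compared against PMP. Please either state in the commit message why a per-access check is sufficient here (for example, that the fill path runs for every access), or keep the page from being cached when PMP permissions are not uniform across it. `size` is also a signed `int` in the signature shown in the hunk header; an assertion or comment on its valid range before it is passed as a length would help.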
>> > --
>> > 2.17.1
>> >
>> >
>>
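
The three behaviours discussed in this thread, as a small added model (not code from the patch, the thread participants, or QEMU): checking the whole page on a fill, checking only the access size and then caching the page, and checking the access size while caching the page only when PMP is uniform across it. `pmp_ok`, `mem_access`, `run`, the policy names and the sample addresses are hypothetical, and the model assumes PMP is consulted only on a TLB miss, which is the open question above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE 4096u
enum { PMP_R = 1, PMP_W = 2 };
enum policy { CHECK_PAGE, CHECK_ACCESS, CACHE_IF_UNIFORM };
/* Constructed model, not QEMU's structures: a PMP entry is [base, end) plus perms. */
struct pmp { uint64_t base, end; unsigned perms; };
struct tlb { bool valid; uint64_t page; };      /* one-entry, page-granular TLB */

/* The lowest-numbered entry touching any byte decides, and must cover every byte. */
static bool pmp_ok(const struct pmp *e, size_t n, uint64_t pa, uint64_t len, unsigned want)
{
    for (size_t i = 0; i < n; i++)
        if (pa < e[i].end && pa + len > e[i].base)
            return pa >= e[i].base && pa + len <= e[i].end &&
                   (e[i].perms & want) == want;
    return false;                               /* no match: deny (S/U-mode access) */
}

/* One access; assumption under test: PMP is consulted only on a TLB miss. */
static bool mem_access(struct tlb *t, enum policy p, const struct pmp *e, size_t n,
                       uint64_t pa, uint64_t len, unsigned want)
{
    uint64_t page = pa & ~(uint64_t)(PAGE - 1);
    if (t->valid && t->page == page)
        return true;                            /* hit: no PMP check */
    bool page_ok = pmp_ok(e, n, page, PAGE, want);
    bool ok = (p == CHECK_PAGE) ? page_ok : pmp_ok(e, n, pa, len, want);
    if (ok && (p != CACHE_IF_UNIFORM || page_ok))
        *t = (struct tlb){ true, page };        /* cache the whole page */
    return ok;
}

/* Constructed scenario: only the first 2 KiB of the page at 0x80000000 is RW.
 * Bit 0: read of the permitted half allowed. Bit 1: later read of the other half allowed. */
static unsigned run(enum policy p)
{
    const struct pmp e[] = { { 0x80000000u, 0x80000800u, PMP_R | PMP_W } };
    struct tlb t = { false, 0 };
    unsigned r = mem_access(&t, p, e, 1, 0x80000000u, 8, PMP_R) ? 1u : 0u;
    r |= mem_access(&t, p, e, 1, 0x80000900u, 8, PMP_R) ? 2u : 0u;
    return r;
}

int main(void) { printf("%u %u %u\n", run(CHECK_PAGE), run(CHECK_ACCESS), run(CACHE_IF_UNIFORM)); return 0; }
```

`run` returns 0, 3 and 1 for the three policies: the page-size check denies a permitted access, the access-size check with page caching lets the second access through unchecked, and the third policy allows the first access and denies the second.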

