Xen project Mailing List

Re: [PATCH] iommu/vtd: fix address translation for superpages

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Wed, 10 May 2023 17:19:47 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xHH4CRqUzr0Tqny5FLwoqq2KFzM5tgVW9+7FUQNsDAo=; b=Fbf8XsrTAIxHwwz0gHOcif8D9DRxHoUE/T76X8XT2Uw/qGQLfVxAub2+v5IsMYnFF945tg9KgNZCVgyIHWYPV4oQe0S+SOchFoaUx0iQQS33Q80rWtInTRP9uKxIF+L9RyJQgUjQJzTY1Zt1dmCTmKc8FvWVNPe1REy3nQQMdA0XaK7k+HWiLIUekDRnusA64XRXAqSTtuQFPLQA9TZe1qPfnbSkiy2BoY+vye4LpXbQDLU0RG4V3/Vn8Md5ZJY50BAuraOGbJtB/RN61xdZ9/Jz7Xiq6McGOJoid+ZaNIk0bIiT+zKRM7Rfp6v0DkDDEw+sTSEk0IUaCwurZ7nsuA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CSV+KpxG0Y55juAPMDlxgN6k2Q+KAfEaLbO4L97B2j0p+/qTBMTVkfbzPfzmv/fPnWRYsmfi8V6wp+cbbbPLCEpMcOjlQ1GM05wiNKRDUcI3cUIeX4zkzQRLVWdh3JKNOPwpDSJRXG3sdBrjPaei6OwRriGfnzxHtvyeKfYyUh+VKybOJgxbwR8IgLYHYtuG/wLo43oLPb57jPxHtpqgdsGspQvOGXMEFYpRIk8tZP+iYyjjdS62XmpH/m/NbkxYEdQVQFB99RXPnJGEs9xqmykgt9RX4J0Wk3y3cFRvjFbKffmzHAZpHJ4bJ2vSxKZnTYy2RuOVteBFAH6pbV3n+w==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Kevin Tian <kevin.tian@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Wed, 10 May 2023 15:20:11 +0000

Ironport-data: A9a23:db2eIa3Omuo3WsWw4vbD5fpwkn2cJEfYwER7XKvMYLTBsI5bp2cCx 2VODzyFbPvZZ2PyLdwlO4i2/BsD6MfQzoI2TAE/pC1hF35El5HIVI+TRqvS04F+DeWYFR46s J9OAjXkBJppJpMJjk71atANlVEliefTAOK6ULWeUsxIbVcMYD87jh5+kPIOjIdtgNyoayuAo tq3qMDEULOf82cc3lk8tuTS+XuDgNyo4GlD5gFnPagR1LPjvyJ94Kw3dPnZw0TQGuG4LsbiL 87fwbew+H/u/htFIrtJRZ6iLyXm6paLVeS/oiI+t5qK23CulQRrukoPD9IOaF8/ttm8t4sZJ OOhF3CHYVxB0qXkwIzxWvTDes10FfUuFLTveRBTvSEPpqFvnrSFL/hGVSkL0YMkFulfByJXx MUkNS82bCuojeaczbSadPtlr5F2RCXrFNt3VnBI6xj8VaxjbbWYBqLA6JlfwSs6gd1IEbDGf c0FZDFzbRPGJRpSJlMQD5F4l+Ct7pX9W2QA9BTJ+uxqvS6PlGSd05C0WDbRUsaNSshP2F6Ru 0rN/njjAwFcP9uaodaA2iv01r6TzX+iA+r+EpXp7ftn2w2h6FAsLycNWxihgcub20yHDoc3x 0s8v3BGQbIJ3E6hQ8T5Xha4iGWZpRNaUN1Ve8U55R+MzOzI4g+fLmkCUjNFLtchsaceVTEsk 1OEgd7tLThuq6GOD2KQ8K+OqjG/MjRTKnUNDRLoViMA6tjn5Y021RTGS445FLbv1oGtXzbt3 zqNsS4ywa0JitIG3Lm6+laBhC+wop/OTUg+4QC/sn+Z0z6VrbWNP+SAgWU3J94bRGpFZjFtZ EQ5pvU=

Ironport-hdrordr: A9a23:08T5j6AKelmFxHzlHelo55DYdb4zR+YMi2TDt3oddfU1SL38qy nKpp4mPHDP5wr5NEtPpTniAtjjfZq/z/5ICOAqVN/PYOCPggCVxepZnOjfKlPbehEX9oRmpN 1dm6oVMqyMMbCt5/yKnDVRELwbsaa6GLjDv5a785/0JzsaE52J6W1Ce2GmO3wzfiZqL7wjGq GR48JWzgDQAkj+PqyAdx84t/GonayzqK7b

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, May 10, 2023 at 03:30:21PM +0200, Jan Beulich wrote: > On 10.05.2023 12:22, Roger Pau Monné wrote: > > On Wed, May 10, 2023 at 12:00:51PM +0200, Jan Beulich wrote: > >> On 10.05.2023 10:27, Roger Pau Monné wrote: > >>> On Tue, May 09, 2023 at 06:06:45PM +0200, Jan Beulich wrote: > >>>> On 09.05.2023 12:41, Roger Pau Monne wrote: > >>>>> When translating an address that falls inside of a superpage in the > >>>>> IOMMU page tables the fetching of the PTE physical address field > >>>>> wasn't using dma_pte_addr(), which caused the returned data to be > >>>>> corrupt as it would contain bits not related to the address field. > >>>> > >>>> I'm afraid I don't understand: > >>>> > >>>>> --- a/xen/drivers/passthrough/vtd/iommu.c > >>>>> +++ b/xen/drivers/passthrough/vtd/iommu.c > >>>>> @@ -359,16 +359,18 @@ static uint64_t addr_to_dma_page_maddr(struct > >>>>> domain *domain, daddr_t addr, > >>>>> > >>>>> if ( !alloc ) > >>>>> { > >>>>> - pte_maddr = 0; > >>>>> if ( !dma_pte_present(*pte) ) > >>>>> + { > >>>>> + pte_maddr = 0; > >>>>> break; > >>>>> + } > >>>>> > >>>>> /* > >>>>> * When the leaf entry was requested, pass back the > >>>>> full PTE, > >>>>> * with the address adjusted to account for the > >>>>> residual of > >>>>> * the walk. > >>>>> */ > >>>>> - pte_maddr = pte->val + > >>>>> + pte_maddr += > >>>>> (addr & ((1UL << level_to_offset_bits(level)) - 1) > >>>>> & > >>>>> PAGE_MASK); > >>>> > >>>> With this change you're now violating what the comment says (plus what > >>>> the comment ahead of the function says). And it says what it says for > >>>> a reason - see intel_iommu_lookup_page(), which I think your change is > >>>> breaking. > >>> > >>> Hm, but the code in intel_iommu_lookup_page() is now wrong as it takes > >>> the bits in DMA_PTE_CONTIG_MASK as part of the physical address when > >>> doing the conversion to mfn? maddr_to_mfn() doesn't perform a any > >>> masking to remove the bits above PADDR_BITS. > >> > >> Oh, right. But that's a missing dma_pte_addr() in intel_iommu_lookup_page() > >> then. (It would likely be better anyway to switch "uint64_t val" to > >> "struct dma_pte pte" there, to make more visible that it's a PTE we're > >> dealing with.) I indeed overlooked this aspect when doing the earlier > >> change. > > > > I guess I'm still confused, as the other return value for target == 0 > > (when the address is not part of a superpage) does return > > dma_pte_addr(pte). I think that needs further fixing then. > > Hmm, indeed. But I think it's worse than this: addr_to_dma_page_maddr() > also does one too many iterations in that case. All "normal" callers > supply a positive "target". We need to terminate the walk at level 1 > also when target == 0. Don't we do that already due to the following check: if ( --level == target ) break; Which prevents mapping the PTE address as a page table directory? Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.