Re: [PATCH v5 04/10] hw/intc: GICv3 ITS Command processing

[shashi . mallela]

On Tue, 2021-07-06 at 10:19 +0100, Peter Maydell wrote:
> On Tue, 6 Jul 2021 at 04:25, <shashi.mallela@linaro.org> wrote:
> > On Mon, 2021-07-05 at 20:47 -0400, shashi.mallela@linaro.org wrote:
> > > On Mon, 2021-07-05 at 15:54 +0100, Peter Maydell wrote:
> > > > I missed this the first time around, but I don't think this is
> > > > right.
> > > > Different CPUs could have different GICR_PROPBASER values, so
> > > > checking
> > > > against just one of them is wrong. The pseudocode only tests
> > > > LPIOutOfRange()
> > > > which is documented as testing "larger than GICD_TYPER.IDbits
> > > > or
> > > > not
> > > > in
> > > > the LPI range and not 1023". So I don't think we should be
> > > > looking
> > > > at the GICR_PROPBASER field here.
> > > > 
> > > > More generally, "s->gicv3->cpu->something" is usually going to
> > > > be
> > > > wrong, because it is implicitly looking at CPU 0; often either
> > > > there
> > > > should be something else telling is which CPU to use (as in
> > > > &s->gicv3->cpu[rdbase] where the CTE told us which
> > > > redistributor),
> > > > or we might need to operate on all CPUs/redistributors. The
> > > > only
> > > > exception is where we can guarantee that all the CPUs are the
> > > > same
> > > > (eg when looking at GICR_TYPER.PLPIS.)
> > Please ignore my last comment.
> > 
> > To address this scenario,i think the feasible option would be to
> > call
> > get_cte() to get the rdbase corresponding to icid value passed to
> > mapti
> > command.Since each icid is mapped to a rdbase(by virtue of calling
> > MAPC
> > command),if the collection table has a valid mapping for this icid
> > we
> > continue processing this MAPTI command using &s->gicv3->cpu[rdbase]
> > applicable propbaser value to validate idbits, else return without
> > further processing.
> 
> But the pseudocode for MAPTI does not say anywhere that we should
> be checking the pIntID against any CPU's GICR_PROPBASER field.
> It is checked only by the checks in LPIOutOfRange(), which tests:
>  * is it larger than permitted by GICD_TYPER.IDbits
>  * is it not in the LPI range and not 1023
> 
> Checking whether the intID is too big and would cause us to index
> off the end of the redistributor's configuration table should be done
> later, only when the ITS actually sends the interrupt to a particular
> redistributor, I think.
> 
> (You can't rely on the guest having done the MAPC before the MAPTI;
> and in any case the guest could choose to do a MAPC to a different
> redistributor after it's done the MAPTI.)
> 
> thanks
> -- PMM
We already have the "intID too big check" in place within the
redistributor processing when ITS sends the interrupt trigger.
"the LPI range and not 1023" is also handled in this function,but for
validating "is it larger than permitted by GICD_TYPER.IDbits",the
source of GICD_TYPER.IDbits is GICR_PROPBASER because we pick up min of
GICR_PROPBASER.IDbits and GICD_TYPER.IDBits.

If we are to not use gicr_propbaser,then are we good to just accept the
intID value here since we are validating the same during interrupt
processing?