[Qemu-devel] [PULL 15/44] spapr/xive: fix EQ page addresses above 64GB

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PULL 15/44] spapr/xive: fix EQ page addresses above 64GB

From:	David Gibson
Subject:	[Qemu-devel] [PULL 15/44] spapr/xive: fix EQ page addresses above 64GB
Date:	Wed, 29 May 2019 16:49:48 +1000

From: Cédric Le Goater <address@hidden>

The high order bits of the address of the OS event queue is stored in
bits [4-31] of word2 of the XIVE END internal structures and the low
order bits in word3. This structure is using Big Endian ordering and
computing the value requires some simple arithmetic which happens to
be wrong. The mask removing bits [0-3] of word2 is applied to the
wrong value and the resulting address is bogus when above 64GB.

Guests with more than 64GB of RAM will allocate pages for the OS event
queues which will reside above the 64GB limit. In this case, the XIVE
device model will wake up the CPUs in case of a notification, such as
IPIs, but the update of the event queue will be written at the wrong
place in memory. The result is uncertain as the guest memory is
trashed and IPI are not delivered.

Introduce a helper xive_end_qaddr() to compute this value correctly in
all places where it is used.

Signed-off-by: Cédric Le Goater <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Greg Kurz <address@hidden>
Signed-off-by: David Gibson <address@hidden>
---
 hw/intc/spapr_xive.c       | 3 +--
 hw/intc/xive.c             | 9 +++------
 include/hw/ppc/xive_regs.h | 6 ++++++
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/hw/intc/spapr_xive.c b/hw/intc/spapr_xive.c
index 33da1a52c6..a19e998093 100644
--- a/hw/intc/spapr_xive.c
+++ b/hw/intc/spapr_xive.c
@@ -1150,8 +1150,7 @@ static target_ulong h_int_get_queue_config(PowerPCCPU 
*cpu,
     }
 
     if (xive_end_is_enqueue(end)) {
-        args[1] = (uint64_t) be32_to_cpu(end->w2 & 0x0fffffff) << 32
-            | be32_to_cpu(end->w3);
+        args[1] = xive_end_qaddr(end);
         args[2] = xive_get_field32(END_W0_QSIZE, end->w0) + 12;
     } else {
         args[1] = 0;
diff --git a/hw/intc/xive.c b/hw/intc/xive.c
index a0b87001da..dcf2fcd108 100644
--- a/hw/intc/xive.c
+++ b/hw/intc/xive.c
@@ -1042,8 +1042,7 @@ static const TypeInfo xive_source_info = {
 
 void xive_end_queue_pic_print_info(XiveEND *end, uint32_t width, Monitor *mon)
 {
-    uint64_t qaddr_base = (uint64_t) be32_to_cpu(end->w2 & 0x0fffffff) << 32
-        | be32_to_cpu(end->w3);
+    uint64_t qaddr_base = xive_end_qaddr(end);
     uint32_t qsize = xive_get_field32(END_W0_QSIZE, end->w0);
     uint32_t qindex = xive_get_field32(END_W1_PAGE_OFF, end->w1);
     uint32_t qentries = 1 << (qsize + 10);
@@ -1072,8 +1071,7 @@ void xive_end_queue_pic_print_info(XiveEND *end, uint32_t 
width, Monitor *mon)
 
 void xive_end_pic_print_info(XiveEND *end, uint32_t end_idx, Monitor *mon)
 {
-    uint64_t qaddr_base = (uint64_t) be32_to_cpu(end->w2 & 0x0fffffff) << 32
-        | be32_to_cpu(end->w3);
+    uint64_t qaddr_base = xive_end_qaddr(end);
     uint32_t qindex = xive_get_field32(END_W1_PAGE_OFF, end->w1);
     uint32_t qgen = xive_get_field32(END_W1_GENERATION, end->w1);
     uint32_t qsize = xive_get_field32(END_W0_QSIZE, end->w0);
@@ -1101,8 +1099,7 @@ void xive_end_pic_print_info(XiveEND *end, uint32_t 
end_idx, Monitor *mon)
 
 static void xive_end_enqueue(XiveEND *end, uint32_t data)
 {
-    uint64_t qaddr_base = (uint64_t) be32_to_cpu(end->w2 & 0x0fffffff) << 32
-        | be32_to_cpu(end->w3);
+    uint64_t qaddr_base = xive_end_qaddr(end);
     uint32_t qsize = xive_get_field32(END_W0_QSIZE, end->w0);
     uint32_t qindex = xive_get_field32(END_W1_PAGE_OFF, end->w1);
     uint32_t qgen = xive_get_field32(END_W1_GENERATION, end->w1);
diff --git a/include/hw/ppc/xive_regs.h b/include/hw/ppc/xive_regs.h
index bf36678a24..1a8c5b5e64 100644
--- a/include/hw/ppc/xive_regs.h
+++ b/include/hw/ppc/xive_regs.h
@@ -208,6 +208,12 @@ typedef struct XiveEND {
 #define xive_end_is_backlog(end)  (be32_to_cpu((end)->w0) & END_W0_BACKLOG)
 #define xive_end_is_escalate(end) (be32_to_cpu((end)->w0) & 
END_W0_ESCALATE_CTL)
 
+static inline uint64_t xive_end_qaddr(XiveEND *end)
+{
+    return ((uint64_t) be32_to_cpu(end->w2) & 0x0fffffff) << 32 |
+        be32_to_cpu(end->w3);
+}
+
 /* Notification Virtual Target (NVT) */
 typedef struct XiveNVT {
         uint32_t        w0;
-- 
2.21.0

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PULL 01/44] tests: Fix up docker cross builds for ppc64 (BE) targets, (continued)
- [Qemu-devel] [PULL 01/44] tests: Fix up docker cross builds for ppc64 (BE) targets, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 12/44] target/ppc: Fix vsum2sws, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 16/44] spapr/xive: print out the EQ page address in the monitor, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 11/44] target/ppc: Fix vslv and vsrv, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 24/44] spapr: Fix phb_placement backwards compatibility, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 07/44] hw/ppc/40p: use 1900 as a base year, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 09/44] target/ppc: Fix xvxsigdp, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 17/44] Fix typo on "info pic" monitor cmd output for xive, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 06/44] hw/ppc/40p: Move the MC146818 RTC to the board where it belongs, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 05/44] hw/ppc/prep: use TYPE_MC146818_RTC instead of a hardcoded string, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 15/44] spapr/xive: fix EQ page addresses above 64GB, David Gibson <=
- [Qemu-devel] [PULL 20/44] spapr/xive: Sanity checks of OV5 during CAS, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 26/44] spapr/xive: add KVM support, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 28/44] spapr/xive: add state synchronization with KVM, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 25/44] spapr: Print out extra hints when CAS negotiation of interrupt mode fails, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 19/44] target/ppc: Fix xvabs[sd]p, xvnabs[sd]p, xvneg[sd]p, xvcpsgn[sd]p, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 21/44] target/ppc: Set PSSCR_EC on cpu halt to prevent spurious wakeup, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 23/44] target/ppc: Use vector variable shifts for VSL, VSR, VSRA, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 18/44] target/ppc: Optimise VSX_LOAD_SCALAR_DS and VSX_VECTOR_LOAD_STORE, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 34/44] spapr: check for the activation of the KVM IRQ device, David Gibson, 2019/05/29
- [Qemu-devel] [PULL 29/44] spapr/xive: introduce a VM state change handler, David Gibson, 2019/05/29

Prev by Date: [Qemu-devel] [PULL 05/44] hw/ppc/prep: use TYPE_MC146818_RTC instead of a hardcoded string
Next by Date: [Qemu-devel] [PULL 20/44] spapr/xive: Sanity checks of OV5 during CAS
Previous by thread: [Qemu-devel] [PULL 05/44] hw/ppc/prep: use TYPE_MC146818_RTC instead of a hardcoded string
Next by thread: [Qemu-devel] [PULL 20/44] spapr/xive: Sanity checks of OV5 during CAS
Index(es):
- Date
- Thread