[PATCH v2 0/8] target/riscv: Fix PMP related problem
From: Weiwei Li
Subject: [PATCH v2 0/8] target/riscv: Fix PMP related problem
Date: Tue, 18 Apr 2023 22:06:24 +0800
This patchset tries to fix the PMP bypass problem, issue
https://gitlab.com/qemu-project/qemu/-/issues/1542:
- TLB will be cached if the matched PMP entry covers the whole page. However,
PMP entries with higher priority may cover part of the page (but not match the
access address), which means different regions in this page may have different
permission rights. So the TLB also cannot be cached in this case (patch 1).
- Writing to pmpaddr didn't trigger tlb flush (patch 3).
- The tb isn't flushed when PMP permission changes, so it also may hit the tb
and bypass the changed PMP check for instruction fetch (patch 5).
- We set the tlb_size to 1 to make the TLB_INVALID_MASK set, and the next
access will again go through tlb_fill. However, this way will not work in
tb_gen_code() => get_page_addr_code_hostp(): the TLB host address will be
cached, and the following instructions can use this host address directly which
may lead to the bypass of PMP related check (patch 6).
The port is available here:
https://github.com/plctlab/plct-qemu/tree/plct-pmp-fix-v2
v2:
- Update commit message for patch 1
- Add default tlb_size when pmp is disabled or there are no rules and only get
the tlb size when translation succeeds in patch 2
- Update get_page_addr_code_hostp instead of probe_access_internal to fix the
cached host address for instruction fetch in patch 6
- Add patch 7 to make the short cut really work in pmp_hart_has_privs
- Add patch 8 to use pmp_update_rule_addr() and pmp_update_rule_nums()
separately
Weiwei Li (8):
  target/riscv: Update pmp_get_tlb_size()
  target/riscv: Move pmp_get_tlb_size apart from
    get_physical_address_pmp
  target/riscv: flush tlb when pmpaddr is updated
  target/riscv: Flush TLB only when pmpcfg/pmpaddr really changes
  target/riscv: flush tb when PMP entry changes
  accel/tcg: Uncache the host address for instruction fetch when tlb
    size < 1
  target/riscv: Make the short cut really work in pmp_hart_has_privs
  target/riscv: Separate pmp_update_rule() in pmpcfg_csr_write Use
    pmp_update_rule_addr() and pmp_update_rule_nums() separately to
    update rule nums only once for each pmpcfg_csr_write. Then we can
    also move tlb_flush and tb_flush into pmp_update_rule_nums().
accel/tcg/cputlb.c | 5 +
target/riscv/cpu_helper.c | 24 +--
target/riscv/pmp.c | 316 ++++++++++++++++++++------------------
target/riscv/pmp.h | 3 +-
4 files changed, 181 insertions(+), 167 deletions(-)
--
2.25.1
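
The first point of the cover letter (a higher-priority PMP entry that covers only part of a page), as an added sketch that is not code from this series or from QEMU. `struct pmp_rule`, `pmp_tlb_size`, the sample rules and the 4 KiB page size are assumptions of this simplified model, which returns 1 where the page must not be cached as a whole.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096u /* assumed 4 KiB target page */

/* Hypothetical simplified PMP rule: inclusive physical range.
 * Array index is the priority (0 = highest). */
struct pmp_rule { uint64_t start, end; };

/* Constructed sample: rule 0 covers only the upper half of the first
 * page; lower-priority rule 1 covers the whole region. */
static const struct pmp_rule sample[] = {
    { 0x80000800u, 0x80000fffu },
    { 0x80000000u, 0x80ffffffu },
};

/* Return PAGE_SIZE if one PMP decision holds for every byte of the page
 * containing addr (page-wide TLB entry is safe), else 1 (re-check). */
static unsigned pmp_tlb_size(const struct pmp_rule *rules, size_t n,
                             uint64_t addr)
{
    uint64_t page_start = addr & ~(uint64_t)(PAGE_SIZE - 1);
    uint64_t page_end = page_start + PAGE_SIZE - 1;

    for (size_t i = 0; i < n; i++) {
        if (rules[i].end < page_start || rules[i].start > page_end) {
            continue; /* rule does not touch this page */
        }
        if (rules[i].start <= page_start && rules[i].end >= page_end) {
            return PAGE_SIZE; /* first overlapping rule covers it all */
        }
        return 1; /* partial overlap first: mixed permissions in page */
    }
    return PAGE_SIZE; /* no rule overlaps: default decision is uniform */
}

int main(void)
{
    /* 0x80000010 matches rule 1, yet rule 0 splits its page. */
    printf("%u\n", pmp_tlb_size(sample, 2, 0x80000010u));
    printf("%u\n", pmp_tlb_size(sample, 2, 0x80001010u));
    return 0;
}
```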