[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v5 00/13] target/riscv: Fix PMP related problem
From: |
Weiwei Li |
Subject: |
[PATCH v5 00/13] target/riscv: Fix PMP related problem |
Date: |
Fri, 28 Apr 2023 22:36:08 +0800 |
This patchset tries to fix the PMP bypass problem issue
https://gitlab.com/qemu-project/qemu/-/issues/1542:
TLB will be cached if the matched PMP entry cover the whole page. However PMP
entries with higher priority may cover part of the page (but not match the
access address), which means different regions in this page may have different
permission rights. So it also cannot be cached (patch 1).
Writing to pmpaddr didn't trigger tlb flush (patch 3).
We set the tlb_size to 1 to make the TLB_INVALID_MASK set, and and the next
access will again go through tlb_fill. However, this way will not work in
tb_gen_code() => get_page_addr_code_hostp(): the TLB host address will be
cached, and the following instructions can use this host address directly which
may lead to the bypass of PMP related check (patch 5).
The port is available here:
https://github.com/plctlab/plct-qemu/tree/plct-pmp-fix-v5
v5:
Mov the original Patch 6 to Patch 3
add Patch 4 to change the return type of pmp_hart_has_privs() to bool
add Patch 5 to make RLB/MML/MMWP bits writable only when Smepmp is enabled
add Patch 6 to remove unused paramters in pmp_hart_has_privs_default()
add Patch 7 to flush tlb when MMWP or MML bits are changed
add Patch 8 to update the next rule addr in pmpaddr_csr_write()
add Patch 13 to deny access if access is partially inside the PMP entry
v4:
Update comments for Patch 1, and move partial check code from Patch 2 to Patch 1
Restore log message change in Patch 2
Update commit message and the way to improve the problem in Patch 6
v3:
Ignore disabled PMP entry in pmp_get_tlb_size() in Patch 1
Drop Patch 5, since tb jmp cache have been flushed in tlb_flush, so flush tb
seems unnecessary.
Fix commit message problems in Patch 8 (Patch 7 in new patchset)
v2:
Update commit message for patch 1
Add default tlb_size when pmp is diabled or there is no rules and only get the
tlb size when translation success in patch 2
Update get_page_addr_code_hostp instead of probe_access_internal to fix the
cached host address for instruction fetch in patch 6
Add patch 7 to make the short up really work in pmp_hart_has_privs
Add patch 8 to use pmp_update_rule_addr() and pmp_update_rule_nums() separately
Weiwei Li (13):
target/riscv: Update pmp_get_tlb_size()
target/riscv: Move pmp_get_tlb_size apart from
get_physical_address_pmp
target/riscv: Make the short cut really work in pmp_hart_has_privs
target/riscv: Change the return type of pmp_hart_has_privs() to bool
target/riscv: Make RLB/MML/MMWP bits writable only when Smepmp is
enabled
target/riscv: Remove unused paramters in pmp_hart_has_privs_default()
target/riscv: Flush TLB when MMWP or MML bits are changed
target/riscv: Update the next rule addr in pmpaddr_csr_write()
target/riscv: Flush TLB when pmpaddr is updated
target/riscv: Flush TLB only when pmpcfg/pmpaddr really changes
accel/tcg: Uncache the host address for instruction fetch when tlb
size < 1
target/riscv: Separate pmp_update_rule() in pmpcfg_csr_write
target/riscv: Deny access if access is partially inside the PMP entry
accel/tcg/cputlb.c | 5 +
target/riscv/cpu_helper.c | 27 ++----
target/riscv/pmp.c | 198 ++++++++++++++++++++++----------------
target/riscv/pmp.h | 11 +--
4 files changed, 135 insertions(+), 106 deletions(-)
--
2.25.1
- [PATCH v5 00/13] target/riscv: Fix PMP related problem,
Weiwei Li <=
- [PATCH v5 02/13] target/riscv: Move pmp_get_tlb_size apart from get_physical_address_pmp, Weiwei Li, 2023/04/28
- [PATCH v5 07/13] target/riscv: Flush TLB when MMWP or MML bits are changed, Weiwei Li, 2023/04/28
- [PATCH v5 04/13] target/riscv: Change the return type of pmp_hart_has_privs() to bool, Weiwei Li, 2023/04/28
- [PATCH v5 03/13] target/riscv: Make the short cut really work in pmp_hart_has_privs, Weiwei Li, 2023/04/28
- [PATCH v5 06/13] target/riscv: Remove unused paramters in pmp_hart_has_privs_default(), Weiwei Li, 2023/04/28
- [PATCH v5 05/13] target/riscv: Make RLB/MML/MMWP bits writable only when Smepmp is enabled, Weiwei Li, 2023/04/28
- [PATCH v5 01/13] target/riscv: Update pmp_get_tlb_size(), Weiwei Li, 2023/04/28
- [PATCH v5 10/13] target/riscv: Flush TLB only when pmpcfg/pmpaddr really changes, Weiwei Li, 2023/04/28
- [PATCH v5 08/13] target/riscv: Update the next rule addr in pmpaddr_csr_write(), Weiwei Li, 2023/04/28
- [PATCH v5 13/13] target/riscv: Deny access if access is partially inside the PMP entry, Weiwei Li, 2023/04/28