From patchwork Tue Dec  4 20:26:39 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Julien Grall <julien.grall@arm.com>
X-Patchwork-Id: 152854
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp8503423ljp;
 Tue, 4 Dec 2018 12:29:28 -0800 (PST)
X-Google-Smtp-Source: AFSGD/Vcs5QXDTPvUFpTOTNF/Y2/r4MvSv5EofnBX7XFmE9FgmnrgJtj0EgoHMAdSJvxUSEgPXAh
X-Received: by 2002:a25:1486:: with SMTP id
 128-v6mr20368321ybu.97.1543955368211; 
 Tue, 04 Dec 2018 12:29:28 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543955368; cv=none;
 d=google.com; s=arc-20160816;
 b=PBmOiugQWybrwHPy5/R3hpAtX0ZTu02+kT+i/u3cMfXeltRzflzCGX386O5jvBzhsF
 lfYV0Ni9a6p7Xe15EH5iZUJjo0BonJVBPBuDW+1shu8Pq4MznAtMkk7LbcJuJXt78ctI
 XgQ4sP+YbR0gkUTVW/klyMADpF5NdVEpV+TkfE2ei/R4vajU8OvOXiHD8bgxEazDmotx
 Pc86VCZVRdB8JqWZXio8GYSCSPYBOG8oFWHWfattF7B9AOBzD+05avKCI7uXwlc0J9B1
 DTI/nSoajbOL0DiOHNExT1RDEXwud3tV2D6IlpKho2D4zoRgOuFS8y6aUNUHc2FKP2ub
 vTwQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:content-transfer-encoding:mime-version:cc
 :list-subscribe:list-help:list-post:list-unsubscribe:list-id
 :precedence:subject:references:in-reply-to:message-id:date:to:from;
 bh=hJ2CwD6aSnXOGXB3l6ZnqWs1MVMsUD8BH8r1cEoQaI4=;
 b=kYq45syBAxDwPIxWGwmU+L6jI+2GWHuqALKlo0W6fIcoiKZ7SBJdoyY1Qi8RPMhPyA
 7co+KuhvSq8V9ShgsmU/iPglUaeRqyONy33pMICgy7fVgSc1iCsyxzk0sY3k8ZOt+U3H
 SdFlTtlOrMHYwiUvxNMOTLaRydQC3CSPPs3YnQclnmZyntvTNwhuO8fokBy8Z5JIrKhD
 f2m3MASu16aB59t5enf9ndUdNdM5LqPMxeL/owjj1e2Ru+VzgK0dmIDxqr7DMzxVDTXx
 NVU4G56wKaHsNyfb5gZWxHPx4W03vnprIYxYoAY2IbAYlrIigd8lt7e8YmSaX1AUl2oR
 nJHA==
ARC-Authentication-Results: i=1; mx.google.com;
 spf=pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender)
 smtp.mailfrom=xen-devel-bounces@lists.xenproject.org
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org. [192.237.175.120])
 by mx.google.com with ESMTPS id
 t8-v6si10114781ybb.191.2018.12.04.12.29.28
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Tue, 04 Dec 2018 12:29:28 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender) client-ip=192.237.175.120; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender)
 smtp.mailfrom=xen-devel-bounces@lists.xenproject.org
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
 by lists.xenproject.org with esmtp (Exim 4.89)
 (envelope-from <xen-devel-bounces@lists.xenproject.org>)
 id 1gUHHx-00086i-D2; Tue, 04 Dec 2018 20:27:25 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57]
 helo=us1-amaz-eas2.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from
 <SRS0=aD1Q=ON=arm.com=julien.grall@srs-us1.protection.inumbo.net>)
 id 1gUHHv-00086J-Vy
 for xen-devel@lists.xenproject.org; Tue, 04 Dec 2018 20:27:24 +0000
X-Inumbo-ID: 017e2a48-f803-11e8-9b20-5fe4980ec26a
Received: from foss.arm.com (unknown [217.140.101.70])
 by us1-amaz-eas2.inumbo.com (Halon) with ESMTP
 id 017e2a48-f803-11e8-9b20-5fe4980ec26a;
 Tue, 04 Dec 2018 20:27:22 +0000 (UTC)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
 by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id BE82915BE;
 Tue,  4 Dec 2018 12:27:22 -0800 (PST)
Received: from e108454-lin.cambridge.arm.com (e108454-lin.cambridge.arm.com
 [10.1.196.50])
 by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id
 0205F3F614; Tue,  4 Dec 2018 12:27:21 -0800 (PST)
From: Julien Grall <julien.grall@arm.com>
To: xen-devel@lists.xenproject.org
Date: Tue,  4 Dec 2018 20:26:39 +0000
Message-Id: <20181204202651.8836-6-julien.grall@arm.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20181204202651.8836-1-julien.grall@arm.com>
References: <20181204202651.8836-1-julien.grall@arm.com>
Subject: [Xen-devel] [PATCH for-4.12 v2 05/17] xen/arm: p2m: Handle
 translation fault in get_page_from_gva
X-BeenThere: xen-devel@lists.xenproject.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>, 
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Cc: Julien Grall <julien.grall@arm.com>, sstabellini@kernel.org
MIME-Version: 1.0
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>

A follow-up patch will re-purpose the valid bit of LPAE entries to
generate fault even on entry containing valid information.

This means that when translating a guest VA to guest PA (e.g IPA) will
fail if the Stage-2 entries used have the valid bit unset. Because of
that, we need to fallback to walk the page-table in software to check
whether the fault was expected.

This patch adds the software page-table walk on all the translation
fault. It would be possible in the future to avoid pointless walk when
the fault in PAR_EL1 is not a translation fault.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---

There are a couple of TODO in the code. They are clean-up and performance
improvement (e.g when the fault cannot be handled) that could be delayed after
the series has been merged.

    Changes in v2:
        - Check stage-2 permission during software lookup
        - Fix typoes
---
 xen/arch/arm/p2m.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 59 insertions(+), 7 deletions(-)

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index 47b54c792e..39680eeb6e 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -6,6 +6,7 @@
 
 #include <asm/event.h>
 #include <asm/flushtlb.h>
+#include <asm/guest_walk.h>
 #include <asm/page.h>
 
 #define MAX_VMID_8_BIT  (1UL << 8)
@@ -1430,6 +1431,8 @@ struct page_info *get_page_from_gva(struct vcpu *v, vaddr_t va,
     struct page_info *page = NULL;
     paddr_t maddr = 0;
     uint64_t par;
+    mfn_t mfn;
+    p2m_type_t t;
 
     /*
      * XXX: To support a different vCPU, we would need to load the
@@ -1446,8 +1449,29 @@ struct page_info *get_page_from_gva(struct vcpu *v, vaddr_t va,
     par = gvirt_to_maddr(va, &maddr, flags);
     p2m_read_unlock(p2m);
 
+    /*
+     * gvirt_to_maddr may fail if the entry does not have the valid bit
+     * set. Fallback to the second method:
+     *  1) Translate the VA to IPA using software lookup -> Stage-1 page-table
+     *  may not be accessible because the stage-2 entries may have valid
+     *  bit unset.
+     *  2) Software lookup of the MFN
+     *
+     * Note that when memaccess is enabled, we instead call directly
+     * p2m_mem_access_check_and_get_page(...). Because the function is a
+     * a variant of the methods described above, it will be able to
+     * handle entries with valid bit unset.
+     *
+     * TODO: Integrate more nicely memaccess with the rest of the
+     * function.
+     * TODO: Use the fault error in PAR_EL1 to avoid pointless
+     *  translation.
+     */
     if ( par )
     {
+        paddr_t ipa;
+        unsigned int s1_perms;
+
         /*
          * When memaccess is enabled, the translation GVA to MADDR may
          * have failed because of a permission fault.
@@ -1455,20 +1479,48 @@ struct page_info *get_page_from_gva(struct vcpu *v, vaddr_t va,
         if ( p2m->mem_access_enabled )
             return p2m_mem_access_check_and_get_page(va, flags, v);
 
-        dprintk(XENLOG_G_DEBUG,
-                "%pv: gvirt_to_maddr failed va=%#"PRIvaddr" flags=0x%lx par=%#"PRIx64"\n",
-                v, va, flags, par);
-        return NULL;
+        /*
+         * The software stage-1 table walk can still fail, e.g, if the
+         * GVA is not mapped.
+         */
+        if ( !guest_walk_tables(v, va, &ipa, &s1_perms) )
+        {
+            dprintk(XENLOG_G_DEBUG,
+                    "%pv: Failed to walk page-table va %#"PRIvaddr"\n", v, va);
+            return NULL;
+        }
+
+        mfn = p2m_lookup(d, gaddr_to_gfn(ipa), &t);
+        if ( mfn_eq(INVALID_MFN, mfn) || !p2m_is_ram(t) )
+            return NULL;
+
+        /*
+         * Check permission that are assumed by the caller. For instance
+         * in case of guestcopy, the caller assumes that the translated
+         * page can be accessed with the requested permissions. If this
+         * is not the case, we should fail.
+         *
+         * Please note that we do not check for the GV2M_EXEC
+         * permission. This is fine because the hardware-based translation
+         * instruction does not test for execute permissions.
+         */
+        if ( (flags & GV2M_WRITE) && !(s1_perms & GV2M_WRITE) )
+            return NULL;
+
+        if ( (flags & GV2M_WRITE) && t != p2m_ram_rw )
+            return NULL;
     }
+    else
+        mfn = maddr_to_mfn(maddr);
 
-    if ( !mfn_valid(maddr_to_mfn(maddr)) )
+    if ( !mfn_valid(mfn) )
     {
         dprintk(XENLOG_G_DEBUG, "%pv: Invalid MFN %#"PRI_mfn"\n",
-                v, mfn_x(maddr_to_mfn(maddr)));
+                v, mfn_x(mfn));
         return NULL;
     }
 
-    page = mfn_to_page(maddr_to_mfn(maddr));
+    page = mfn_to_page(mfn);
     ASSERT(page);
 
     if ( unlikely(!get_page(page, d)) )