From patchwork Wed Apr 12 00:44:14 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andre Przywara X-Patchwork-Id: 9676285 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 52D9E60383 for ; Wed, 12 Apr 2017 00:49:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 398EB2857B for ; Wed, 12 Apr 2017 00:49:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2E35C2858A; Wed, 12 Apr 2017 00:49:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 9639F2857B for ; Wed, 12 Apr 2017 00:49:01 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cy6QM-0000Rg-8E; Wed, 12 Apr 2017 00:46:18 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cy6QL-0000PP-1k for xen-devel@lists.xenproject.org; Wed, 12 Apr 2017 00:46:17 +0000 Received: from [85.158.143.35] by server-9.bemta-6.messagelabs.com id 91/A0-03420-8D87DE85; Wed, 12 Apr 2017 00:46:16 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrOLMWRWlGSWpSXmKPExsVysyfVTfd6xds Ig2lfZCy+b5nM5MDocfjDFZYAxijWzLyk/IoE1owXC36zFKxwqZg5YQtzA+MNgy5GLg4hgU2M ErcO/GGHcPYyShzcN4+xi5GTg01AV2LHzdfMILaIQKjEnJ+PmEGKmAXWMEq0f3rKCpIQBkocm rkTrIFFQFWi4+1MNhCbV8BNYuGxBUBTOTgkBOQkrvxLAAlzCrhLbN89EaxVCKhk67TFzBMYuR cwMqxi1ChOLSpLLdI1NNRLKspMzyjJTczM0TU0MNPLTS0uTkxPzUlMKtZLzs/dxAj0MAMQ7GD 8tCzgEKMkB5OSKO9lhbcRQnxJ+SmVGYnFGfFFpTmpxYcYZTg4lCR4r5UD5QSLUtNTK9Iyc4Ch BpOW4OBREuFVBEnzFhck5hZnpkOkTjEqSonz3i0DSgiAJDJK8+DaYOF9iVFWSpiXEegQIZ6C1 KLczBJU+VeM4hyMSsK8M0HG82TmlcBNfwW0mAlo8ZldL0EWlyQipKQaGPlVFVLidy3b2MlzXN 2/pez6/TtnlASENL32fHQtP/Py6MtmzpLpVbIP+nhOqntMOvzm1lGDmyWTPxz4W+pzZ/dmkZp 4nad5HouWMbXriDYnxZ/fVL/Yqyf5VfxD9RPz55bxcrjK+E3/PeuBzMVel/AZJ52VOnynLiif EN06f/EkLrNVYqlMxUosxRmJhlrMRcWJAOwaJNJqAgAA X-Env-Sender: andre.przywara@arm.com X-Msg-Ref: server-4.tower-21.messagelabs.com!1491957974!57153179!1 X-Originating-IP: [217.140.101.70] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.4.12; banners=-,-,- X-VirusChecked: Checked Received: (qmail 57982 invoked from network); 12 Apr 2017 00:46:15 -0000 Received: from foss.arm.com (HELO foss.arm.com) (217.140.101.70) by server-4.tower-21.messagelabs.com with SMTP; 12 Apr 2017 00:46:15 -0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 9B95CB16; Tue, 11 Apr 2017 17:46:14 -0700 (PDT) Received: from slackpad.lan (usa-sjc-mx-foss1.foss.arm.com [217.140.101.70]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 036053F575; Tue, 11 Apr 2017 17:46:12 -0700 (PDT) From: Andre Przywara To: Stefano Stabellini , Julien Grall Date: Wed, 12 Apr 2017 01:44:14 +0100 Message-Id: <1491957874-31600-8-git-send-email-andre.przywara@arm.com> X-Mailer: git-send-email 2.8.2 In-Reply-To: <1491957874-31600-1-git-send-email-andre.przywara@arm.com> References: <1491957874-31600-1-git-send-email-andre.przywara@arm.com> Cc: xen-devel@lists.xenproject.org, Vijaya Kumar K , Vijay Kilari , Shanker Donthineni Subject: [Xen-devel] [PATCH v8 07/27] ARM: vGICv3: handle virtual LPI pending and property tables X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: xen-devel-bounces@lists.xen.org Sender: "Xen-devel" X-Virus-Scanned: ClamAV using ClamSMTP Allow a guest to provide the address and size for the memory regions it has reserved for the GICv3 pending and property tables. We sanitise the various fields of the respective redistributor registers. The MMIO read and write accesses are protected by locks, to avoid any changing of the property or pending table address while a redistributor is live and also to protect the non-atomic vgic_reg64_extract() function on the MMIO read side. Signed-off-by: Andre Przywara Reviewed-by: Julien Grall --- xen/arch/arm/vgic-v3.c | 164 +++++++++++++++++++++++++++++++++++++++---- xen/include/asm-arm/domain.h | 5 ++ 2 files changed, 157 insertions(+), 12 deletions(-) diff --git a/xen/arch/arm/vgic-v3.c b/xen/arch/arm/vgic-v3.c index c059dbd..e15c875 100644 --- a/xen/arch/arm/vgic-v3.c +++ b/xen/arch/arm/vgic-v3.c @@ -233,12 +233,29 @@ static int __vgic_v3_rdistr_rd_mmio_read(struct vcpu *v, mmio_info_t *info, goto read_reserved; case VREG64(GICR_PROPBASER): - /* LPI's not implemented */ - goto read_as_zero_64; + if ( !v->domain->arch.vgic.has_its ) + goto read_as_zero_64; + if ( !vgic_reg64_check_access(dabt) ) goto bad_width; + + vgic_lock(v); + *r = vgic_reg64_extract(v->domain->arch.vgic.rdist_propbase, info); + vgic_unlock(v); + return 1; case VREG64(GICR_PENDBASER): - /* LPI's not implemented */ - goto read_as_zero_64; + { + unsigned long flags; + + if ( !v->domain->arch.vgic.has_its ) + goto read_as_zero_64; + if ( !vgic_reg64_check_access(dabt) ) goto bad_width; + + spin_lock_irqsave(&v->arch.vgic.lock, flags); + *r = vgic_reg64_extract(v->arch.vgic.rdist_pendbase, info); + *r &= ~GICR_PENDBASER_PTZ; /* WO, reads as 0 */ + spin_unlock_irqrestore(&v->arch.vgic.lock, flags); + return 1; + } case 0x0080: goto read_reserved; @@ -335,11 +352,95 @@ read_unknown: return 1; } +static uint64_t vgic_sanitise_field(uint64_t reg, uint64_t field_mask, + int field_shift, + uint64_t (*sanitise_fn)(uint64_t)) +{ + uint64_t field = (reg & field_mask) >> field_shift; + + field = sanitise_fn(field) << field_shift; + + return (reg & ~field_mask) | field; +} + +/* We want to avoid outer shareable. */ +static uint64_t vgic_sanitise_shareability(uint64_t field) +{ + switch ( field ) + { + case GIC_BASER_OuterShareable: + return GIC_BASER_InnerShareable; + default: + return field; + } +} + +/* Avoid any inner non-cacheable mapping. */ +static uint64_t vgic_sanitise_inner_cacheability(uint64_t field) +{ + switch ( field ) + { + case GIC_BASER_CACHE_nCnB: + case GIC_BASER_CACHE_nC: + return GIC_BASER_CACHE_RaWb; + default: + return field; + } +} + +/* Non-cacheable or same-as-inner are OK. */ +static uint64_t vgic_sanitise_outer_cacheability(uint64_t field) +{ + switch ( field ) + { + case GIC_BASER_CACHE_SameAsInner: + case GIC_BASER_CACHE_nC: + return field; + default: + return GIC_BASER_CACHE_nC; + } +} + +static uint64_t sanitize_propbaser(uint64_t reg) +{ + reg = vgic_sanitise_field(reg, GICR_PROPBASER_SHAREABILITY_MASK, + GICR_PROPBASER_SHAREABILITY_SHIFT, + vgic_sanitise_shareability); + reg = vgic_sanitise_field(reg, GICR_PROPBASER_INNER_CACHEABILITY_MASK, + GICR_PROPBASER_INNER_CACHEABILITY_SHIFT, + vgic_sanitise_inner_cacheability); + reg = vgic_sanitise_field(reg, GICR_PROPBASER_OUTER_CACHEABILITY_MASK, + GICR_PROPBASER_OUTER_CACHEABILITY_SHIFT, + vgic_sanitise_outer_cacheability); + + reg &= ~GICR_PROPBASER_RES0_MASK; + + return reg; +} + +static uint64_t sanitize_pendbaser(uint64_t reg) +{ + reg = vgic_sanitise_field(reg, GICR_PENDBASER_SHAREABILITY_MASK, + GICR_PENDBASER_SHAREABILITY_SHIFT, + vgic_sanitise_shareability); + reg = vgic_sanitise_field(reg, GICR_PENDBASER_INNER_CACHEABILITY_MASK, + GICR_PENDBASER_INNER_CACHEABILITY_SHIFT, + vgic_sanitise_inner_cacheability); + reg = vgic_sanitise_field(reg, GICR_PENDBASER_OUTER_CACHEABILITY_MASK, + GICR_PENDBASER_OUTER_CACHEABILITY_SHIFT, + vgic_sanitise_outer_cacheability); + + reg &= ~GICR_PENDBASER_RES0_MASK; + + return reg; +} + static int __vgic_v3_rdistr_rd_mmio_write(struct vcpu *v, mmio_info_t *info, uint32_t gicr_reg, register_t r) { struct hsr_dabt dabt = info->dabt; + uint64_t reg; switch ( gicr_reg ) { @@ -370,36 +471,75 @@ static int __vgic_v3_rdistr_rd_mmio_write(struct vcpu *v, mmio_info_t *info, goto write_impl_defined; case VREG64(GICR_SETLPIR): - /* LPI is not implemented */ + /* LPIs without an ITS are not implemented */ goto write_ignore_64; case VREG64(GICR_CLRLPIR): - /* LPI is not implemented */ + /* LPIs without an ITS are not implemented */ goto write_ignore_64; case 0x0050: goto write_reserved; case VREG64(GICR_PROPBASER): - /* LPI is not implemented */ - goto write_ignore_64; + if ( !v->domain->arch.vgic.has_its ) + goto write_ignore_64; + if ( !vgic_reg64_check_access(dabt) ) goto bad_width; + + vgic_lock(v); + + /* + * Writing PROPBASER with any redistributor having LPIs enabled + * is UNPREDICTABLE. + */ + if ( !(v->domain->arch.vgic.rdists_enabled) ) + { + reg = v->domain->arch.vgic.rdist_propbase; + vgic_reg64_update(®, r, info); + reg = sanitize_propbaser(reg); + v->domain->arch.vgic.rdist_propbase = reg; + } + + vgic_unlock(v); + + return 1; case VREG64(GICR_PENDBASER): - /* LPI is not implemented */ - goto write_ignore_64; + { + unsigned long flags; + + if ( !v->domain->arch.vgic.has_its ) + goto write_ignore_64; + if ( !vgic_reg64_check_access(dabt) ) goto bad_width; + + spin_lock_irqsave(&v->arch.vgic.lock, flags); + + /* Writing PENDBASER with LPIs enabled is UNPREDICTABLE. */ + if ( !(v->arch.vgic.flags & VGIC_V3_LPIS_ENABLED) ) + { + reg = v->arch.vgic.rdist_pendbase; + vgic_reg64_update(®, r, info); + reg = sanitize_pendbaser(reg); + v->arch.vgic.rdist_pendbase = reg; + } + + spin_unlock_irqrestore(&v->arch.vgic.lock, false); + + return 1; + } case 0x0080: goto write_reserved; case VREG64(GICR_INVLPIR): - /* LPI is not implemented */ + /* LPIs without an ITS are not implemented */ goto write_ignore_64; case 0x00A8: goto write_reserved; case VREG64(GICR_INVALLR): - /* LPI is not implemented */ + /* LPIs without an ITS are not implemented */ goto write_ignore_64; case 0x00B8: diff --git a/xen/include/asm-arm/domain.h b/xen/include/asm-arm/domain.h index ebaea35..b2d98bb 100644 --- a/xen/include/asm-arm/domain.h +++ b/xen/include/asm-arm/domain.h @@ -109,11 +109,15 @@ struct arch_domain } *rdist_regions; int nr_regions; /* Number of rdist regions */ uint32_t rdist_stride; /* Re-Distributor stride */ + unsigned long int nr_lpis; + uint64_t rdist_propbase; struct rb_root its_devices; /* Devices mapped to an ITS */ spinlock_t its_devices_lock; /* Protects the its_devices tree */ struct radix_tree_root pend_lpi_tree; /* Stores struct pending_irq's */ rwlock_t pend_lpi_tree_lock; /* Protects the pend_lpi_tree */ unsigned int intid_bits; + bool rdists_enabled; /* Is any redistributor enabled? */ + bool has_its; #endif } vgic; @@ -260,6 +264,7 @@ struct arch_vcpu /* GICv3: redistributor base and flags for this vCPU */ paddr_t rdist_base; + uint64_t rdist_pendbase; #define VGIC_V3_RDIST_LAST (1 << 0) /* last vCPU of the rdist */ #define VGIC_V3_LPIS_ENABLED (1 << 1) uint8_t flags;