
accel/tcg: Relax va restrictions on 64-bit guests

We cannot at present limit a 64-bit guest to a virtual address
space smaller than the host. It will mostly work to ignore this
limitation, except if the guest uses high bits of the address
space for tags. But it will certainly work better, as presently
we can wind up failing to allocate the guest stack.

Widen our user-only page tree to the host or abi pointer width.
Remove the workaround for this problem from target/alpha.
Always validate guest addresses vs reserved_va, as there we
control allocation ourselves.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>

Message-Id: <20200513175134.19619-7-alex.bennee@linaro.org>

authored by

Richard Henderson and committed by
Alex Bennée
7d8cbbab e307c192

+30 -23
+9 -6
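--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -173,8 +173,13 @@
 #define TB_FOR_EACH_JMP(head_tb, tb, n) \
 TB_FOR_EACH_TAGGED((head_tb)->jmp_list_head, tb, n, jmp_list_next)
 
-/* In system mode we want L1_MAP to be based on ram offsets,
-while in user mode we want it to be based on virtual addresses. */
+/*
+* In system mode we want L1_MAP to be based on ram offsets,
+* while in user mode we want it to be based on virtual addresses.
+*
+* TODO: For user mode, see the caveat re host vs guest virtual
+* address spaces near GUEST_ADDR_MAX.
+*/
 #if !defined(CONFIG_USER_ONLY)
 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS
 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS
@@ -182,7 +187,7 @@
 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS
 #endif
 #else
-# define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS
+# define L1_MAP_ADDR_SPACE_BITS MIN(HOST_LONG_BITS, TARGET_ABI_BITS)
 #endif
 
 /* Size of the L2 (and L3, etc) page tables. */
@@ -2497,9 +2502,7 @@
 /* This function should never be called with addresses outside the
 guest address space. If this assert fires, it probably indicates
 a missing call to h2g_valid. */
-#if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
-assert(end <= ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
-#endif
+assert(end - 1 <= GUEST_ADDR_MAX);
 assert(start < end);
 assert_memory_lock();
 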
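Review bot: The new `assert(end - 1 <= GUEST_ADDR_MAX);` evaluates `end - 1` before `assert(start < end)` has established that `end` is non-zero, so for `end == 0` the first check depends on the wrapped value being rejected, which it is not when GUEST_ADDR_MAX is `~0ul` (64-bit guest, no reserved_va); the second assert still catches that case, but the intent is clearer and the subtraction provably non-wrapping if the two lines are swapped: `assert(start < end);` followed by `assert(end - 1 <= GUEST_ADDR_MAX);`. The TODO added to the L1_MAP comment sends the reader to "near GUEST_ADDR_MAX" without naming where that is; since the definition lives in `include/exec/cpu-all.h` in this same commit, the comment would be more useful as `* TODO: For user mode, see the caveat re host vs guest virtual address spaces at GUEST_ADDR_MAX in include/exec/cpu-all.h.`. The function containing the asserts starts and ends outside this hunk.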
+19 -4
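--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -162,12 +162,27 @@
 extern bool have_guest_base;
 extern unsigned long reserved_va;
 
-#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
-#define GUEST_ADDR_MAX (~0ul)
+/*
+* Limit the guest addresses as best we can.
+*
+* When not using -R reserved_va, we cannot really limit the guest
+* to less address space than the host. For 32-bit guests, this
+* acts as a sanity check that we're not giving the guest an address
+* that it cannot even represent. For 64-bit guests... the address
+* might not be what the real kernel would give, but it is at least
+* representable in the guest.
+*
+* TODO: Improve address allocation to avoid this problem, and to
+* avoid setting bits at the top of guest addresses that might need
+* to be used for tags.
+*/
+#if MIN(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32
+# define GUEST_ADDR_MAX_ UINT32_MAX
 #else
-#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : \
-(1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
+# define GUEST_ADDR_MAX_ (~0ul)
 #endif
+#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : GUEST_ADDR_MAX_)
+
 #else
 
 #include "exec/hwaddr.h"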
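Review bot: `#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : GUEST_ADDR_MAX_)` takes `reserved_va - 1` unconditionally, so the 32-bit cap that `GUEST_ADDR_MAX_` provides for narrow guests is bypassed whenever `-R` is given; that is only sound if the code that parses `-R` already rejects a reserved_va larger than the guest can address, which is not visible in this hunk. Since every `h2g_valid`-style bound now flows through this macro, that assumption belongs next to the definition, e.g. `/* reserved_va is trusted here: -R parsing must have clamped it to the guest address width. */`. If that clamp does not exist, a too-large reserved_va would let the page-tree checks accept addresses the guest cannot represent, so it is worth confirming rather than assuming. The `GUEST_ADDR_MAX_` helper could also carry a one-line comment saying it is the no-reserved_va fallback only and is not meant to be used directly.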
+2 -13
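--- a/target/alpha/cpu-param.h
+++ b/target/alpha/cpu-param.h
@@ -10,22 +10,11 @@
 
 #define TARGET_LONG_BITS 64
 #define TARGET_PAGE_BITS 13
-#ifdef CONFIG_USER_ONLY
-/*
-* ??? The kernel likes to give addresses in high memory. If the host has
-* more virtual address space than the guest, this can lead to impossible
-* allocations. Honor the long-standing assumption that only kernel addrs
-* are negative, but otherwise allow allocations anywhere. This could lead
-* to tricky emulation problems for programs doing tagged addressing, but
-* that's far fewer than encounter the impossible allocation problem.
-*/
-#define TARGET_PHYS_ADDR_SPACE_BITS 63
-#define TARGET_VIRT_ADDR_SPACE_BITS 63
-#else
+
 /* ??? EV4 has 34 phys addr bits, EV5 has 40, EV6 has 44. */
 #define TARGET_PHYS_ADDR_SPACE_BITS 44
 #define TARGET_VIRT_ADDR_SPACE_BITS (30 + TARGET_PAGE_BITS)
-#endif
+
 #define NB_MMU_MODES 3
 
 #endif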