Message ID | 1369133851-1894-16-git-send-email-pbonzini@redhat.com |
---|---|
State | New |
Headers | show |
On Tue, May 21, 2013 at 12:57:16PM +0200, Paolo Bonzini wrote: > The old-style IOMMU lets you check whether an access is valid in a > given DMAContext. There is no equivalent for AddressSpace in the > memory API, implement it with a lookup of the dispatch tree. I don't love the name - "address_space_valid" suggests to me it tests the validity of the whole address space, not a specific range. But an obviously better name doesn't quickly occur to me. Obviously I like the functionality, since I wrote that into the DMAContext stuff specifically to support the spapr_llan driver :). > > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > --- > dma-helpers.c | 5 +++++ > exec.c | 25 +++++++++++++++++++++++++ > include/exec/memory.h | 14 ++++++++++++++ > include/sysemu/dma.h | 3 ++- > 4 files changed, 46 insertions(+), 1 deletion(-) > > diff --git a/dma-helpers.c b/dma-helpers.c > index 272632f..2962b69 100644 > --- a/dma-helpers.c > +++ b/dma-helpers.c > @@ -298,6 +298,11 @@ bool iommu_dma_memory_valid(DMAContext *dma, dma_addr_t addr, dma_addr_t len, > plen = len; > } > > + if (!address_space_valid(dma->as, paddr, len, > + dir == DMA_DIRECTION_FROM_DEVICE)) { > + return false; > + } > + > len -= plen; > addr += plen; > } > diff --git a/exec.c b/exec.c > index 8d91221..8f1b507 100644 > --- a/exec.c > +++ b/exec.c > @@ -2079,6 +2079,31 @@ static void cpu_notify_map_clients(void) > } > } > > +bool address_space_valid(AddressSpace *as, hwaddr addr, int len, bool is_write) > +{ > + AddressSpaceDispatch *d = as->dispatch; > + MemoryRegionSection *section; > + int l; > + hwaddr page; > + > + while (len > 0) { > + page = addr & TARGET_PAGE_MASK; > + l = (page + TARGET_PAGE_SIZE) - addr; > + if (l > len) { > + l = len; > + } > + section = phys_page_find(d, addr >> TARGET_PAGE_BITS); > + if (section->mr == &io_mem_unassigned || > + (is_write && section->mr->readonly)) { > + return false; > + } > + > + len -= l; > + addr += l; > + } > + return true; > +} > + > /* Map a physical memory region into a host virtual address. > * May map a subset of the requested range, given by and returned in *plen. > * May return NULL if resources needed to perform the mapping are exhausted. > diff --git a/include/exec/memory.h b/include/exec/memory.h > index 6ed593c..2e5fd11 100644 > --- a/include/exec/memory.h > +++ b/include/exec/memory.h > @@ -860,6 +860,20 @@ void address_space_write(AddressSpace *as, hwaddr addr, > */ > void address_space_read(AddressSpace *as, hwaddr addr, uint8_t *buf, int len); > > +/* address_space_valid: check for validity of an address space range > + * > + * Check whether memory is assigned to the given address space range. > + * > + * For now, addr and len should be aligned to a page size. This limitation > + * will be lifted in the future. > + * > + * @as: #AddressSpace to be accessed > + * @addr: address within that address space > + * @len: length of the area to be checked > + * @is_write: indicates the transfer direction > + */ > +bool address_space_valid(AddressSpace *as, hwaddr addr, int len, bool is_write); > + > /* address_space_map: map a physical memory region into a host virtual address > * > * May map a subset of the requested range, given by and returned in @plen. > diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h > index a52c93a..2e239dc 100644 > --- a/include/sysemu/dma.h > +++ b/include/sysemu/dma.h > @@ -113,7 +113,8 @@ static inline bool dma_memory_valid(DMAContext *dma, > DMADirection dir) > { > if (!dma_has_iommu(dma)) { > - return true; > + return address_space_valid(dma->as, addr, len, > + dir == DMA_DIRECTION_FROM_DEVICE); > } else { > return iommu_dma_memory_valid(dma, addr, len, dir); > }
On 2013-05-23 14:05, David Gibson wrote: > On Tue, May 21, 2013 at 12:57:16PM +0200, Paolo Bonzini wrote: >> The old-style IOMMU lets you check whether an access is valid in a >> given DMAContext. There is no equivalent for AddressSpace in the >> memory API, implement it with a lookup of the dispatch tree. > > I don't love the name - "address_space_valid" suggests to me it tests > the validity of the whole address space, not a specific range. But > an obviously better name doesn't quickly occur to me. Not sure ATM if someone else suggested this earlier already, but what about something like address_space_access_valid? Jan
Il 23/05/2013 16:22, Jan Kiszka ha scritto: >>> >> The old-style IOMMU lets you check whether an access is valid in a >>> >> given DMAContext. There is no equivalent for AddressSpace in the >>> >> memory API, implement it with a lookup of the dispatch tree. >> > >> > I don't love the name - "address_space_valid" suggests to me it tests >> > the validity of the whole address space, not a specific range. But >> > an obviously better name doesn't quickly occur to me. > Not sure ATM if someone else suggested this earlier already, but what > about something like address_space_access_valid? Sure. Paolo
On 21 May 2013 11:57, Paolo Bonzini <pbonzini@redhat.com> wrote: > +bool address_space_valid(AddressSpace *as, hwaddr addr, int len, bool is_write) > +{ > + AddressSpaceDispatch *d = as->dispatch; > + MemoryRegionSection *section; > + int l; > + hwaddr page; > + > + while (len > 0) { > + page = addr & TARGET_PAGE_MASK; > + l = (page + TARGET_PAGE_SIZE) - addr; > + if (l > len) { > + l = len; > + } > + section = phys_page_find(d, addr >> TARGET_PAGE_BITS); > + if (section->mr == &io_mem_unassigned || > + (is_write && section->mr->readonly)) { It's kind of bogus that io_mem_unassigned is the only MemoryRegion that can be unreadable. Why is 'readonly' a MemoryRegion attribute and 'writeonly' not? Shouldn't we be calling the MemoryRegionOps accepts() callback here? What about access alignment constraints and access size restrictions? What if the validity of the range changes between the time you asked and when you actually do the access? The whole API is kind of unconvincing really, especially since the only thing we seem to use it for is some parameter checking in spapr_llan.c (via a huge pile of intermediate wrappers). thanks -- PMM
On 2013-05-23 20:04, Peter Maydell wrote: > On 21 May 2013 11:57, Paolo Bonzini <pbonzini@redhat.com> wrote: >> +bool address_space_valid(AddressSpace *as, hwaddr addr, int len, bool is_write) >> +{ >> + AddressSpaceDispatch *d = as->dispatch; >> + MemoryRegionSection *section; >> + int l; >> + hwaddr page; >> + >> + while (len > 0) { >> + page = addr & TARGET_PAGE_MASK; >> + l = (page + TARGET_PAGE_SIZE) - addr; >> + if (l > len) { >> + l = len; >> + } >> + section = phys_page_find(d, addr >> TARGET_PAGE_BITS); >> + if (section->mr == &io_mem_unassigned || >> + (is_write && section->mr->readonly)) { > > It's kind of bogus that io_mem_unassigned is the only MemoryRegion > that can be unreadable. Why is 'readonly' a MemoryRegion attribute > and 'writeonly' not? Shouldn't we be calling the MemoryRegionOps > accepts() callback here? What about access alignment constraints > and access size restrictions? What if the validity of the range > changes between the time you asked and when you actually do the > access? > > The whole API is kind of unconvincing really, especially since > the only thing we seem to use it for is some parameter checking > in spapr_llan.c (via a huge pile of intermediate wrappers). I'll also have a use for it: replace isa_is_ioport_assigned. Jan
Il 23/05/2013 20:04, Peter Maydell ha scritto: > Shouldn't we be calling the MemoryRegionOps > accepts() callback here? What about access alignment constraints > and access size restrictions? Yes, we should. > What if the validity of the range > changes between the time you asked and when you actually do the > access? If that's a concern, you shouldn't use this API, you should just do the access and rely on the return value of address_space_rw & friends. (Or, at least for the foreseeable future, do the checks under the BQL). Paolo
On 2013-05-24 08:13, Jan Kiszka wrote: > On 2013-05-23 20:04, Peter Maydell wrote: >> On 21 May 2013 11:57, Paolo Bonzini <pbonzini@redhat.com> wrote: >>> +bool address_space_valid(AddressSpace *as, hwaddr addr, int len, bool is_write) >>> +{ >>> + AddressSpaceDispatch *d = as->dispatch; >>> + MemoryRegionSection *section; >>> + int l; >>> + hwaddr page; >>> + >>> + while (len > 0) { >>> + page = addr & TARGET_PAGE_MASK; >>> + l = (page + TARGET_PAGE_SIZE) - addr; >>> + if (l > len) { >>> + l = len; >>> + } >>> + section = phys_page_find(d, addr >> TARGET_PAGE_BITS); >>> + if (section->mr == &io_mem_unassigned || >>> + (is_write && section->mr->readonly)) { >> >> It's kind of bogus that io_mem_unassigned is the only MemoryRegion >> that can be unreadable. Why is 'readonly' a MemoryRegion attribute >> and 'writeonly' not? Shouldn't we be calling the MemoryRegionOps >> accepts() callback here? What about access alignment constraints >> and access size restrictions? What if the validity of the range >> changes between the time you asked and when you actually do the >> access? >> >> The whole API is kind of unconvincing really, especially since >> the only thing we seem to use it for is some parameter checking >> in spapr_llan.c (via a huge pile of intermediate wrappers). > > I'll also have a use for it: replace isa_is_ioport_assigned. But for this use case, something like memory_region_access_valid(MemoryRegion *, ...) would be more helpful because pci_address_space_io returns a memory region, not an address space. Can we change it? dma_memory_valid could simply pass the address space's root region. Jan
On 24 May 2013 07:13, Jan Kiszka <jan.kiszka@web.de> wrote:
> I'll also have a use for it: replace isa_is_ioport_assigned.
That seems like it's something different: it's asking
"has some other bit of QEMU registered a handler for
this ioport?", not "at this moment in time if I make
an I/O access will it succeed?" (which in principle
should actually go all the way through and call a
registered ioport handler which might then say "no,
for this specific access we will fail").
thanks
-- PMM
On 24 May 2013 09:02, Paolo Bonzini <pbonzini@redhat.com> wrote: > Il 23/05/2013 20:04, Peter Maydell ha scritto: >> Shouldn't we be calling the MemoryRegionOps >> accepts() callback here? What about access alignment constraints >> and access size restrictions? > > Yes, we should. > >> What if the validity of the range >> changes between the time you asked and when you actually do the >> access? > > If that's a concern, you shouldn't use this API, you should just do the > access and rely on the return value of address_space_rw & friends. So when *is* it a good idea to use this API? In real hardware you don't usually get a "tell me whether this access would succeed if I did it" bus operation -- you just do the operation and the memory transaction either succeeds or it doesn't. Are we modelling something that really exists in hardware on spapr here? thanks -- PMM
On 2013-05-24 12:50, Peter Maydell wrote: > On 24 May 2013 07:13, Jan Kiszka <jan.kiszka@web.de> wrote: >> I'll also have a use for it: replace isa_is_ioport_assigned. > > That seems like it's something different: it's asking > "has some other bit of QEMU registered a handler for > this ioport?", not "at this moment in time if I make > an I/O access will it succeed?" (which in principle > should actually go all the way through and call a > registered ioport handler which might then say "no, > for this specific access we will fail"). Hmm... Paolo suggested to use it. But given the current arguments I guess it's better to stick with memory_region_find for that purpose. Jan
Il 24/05/2013 12:52, Peter Maydell ha scritto: > On 24 May 2013 09:02, Paolo Bonzini <pbonzini@redhat.com> wrote: >> Il 23/05/2013 20:04, Peter Maydell ha scritto: >>> Shouldn't we be calling the MemoryRegionOps >>> accepts() callback here? What about access alignment constraints >>> and access size restrictions? >> >> Yes, we should. >> >>> What if the validity of the range >>> changes between the time you asked and when you actually do the >>> access? >> >> If that's a concern, you shouldn't use this API, you should just do the >> access and rely on the return value of address_space_rw & friends. > > So when *is* it a good idea to use this API? In real > hardware you don't usually get a "tell me whether this > access would succeed if I did it" bus operation -- you > just do the operation and the memory transaction either > succeeds or it doesn't. Are we modelling something that > really exists in hardware on spapr here? Well, sPAPR is not hardware. :) It is a paravirtualized interface. Anyhow, I can eliminate all the references to unassigned and basically do this: bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool is_write) { MemoryRegionSection *section; hwaddr l, xlat; while (len > 0) { l = len; section = address_space_translate(as, addr, &xlat, &l, is_write); if (!memory_access_is_direct(section->mr, is_write)) { l = memory_access_size(l, addr); if (!memory_region_access_valid(section->mr, addr1, l) { return false; } } len -= l; addr += l; } return true; } It requires some more changes however. I'll drop this patch. If it's okay for you, I'll send a pull request up to "memory: clean up phys_page_find" and go on with the next series. Paolo
On 24 May 2013 13:58, Paolo Bonzini <pbonzini@redhat.com> wrote: > If it's okay > for you, I'll send a pull request up to "memory: clean up phys_page_find" > and go on with the next series. That's fine with me, but please don't forget to fix up the doc comment for memory_region_find() (see comments on patch 6/30). You can do that in a patch in the next series, though, I guess. thanks -- PMM
Il 24/05/2013 15:27, Peter Maydell ha scritto: > On 24 May 2013 13:58, Paolo Bonzini <pbonzini@redhat.com> wrote: >> If it's okay >> for you, I'll send a pull request up to "memory: clean up phys_page_find" >> and go on with the next series. > > That's fine with me, but please don't forget to fix up > the doc comment for memory_region_find() (see comments on > patch 6/30). You can do that in a patch in the next series, > though, I guess. What about this: /** * memory_region_find: translate an address/size relative to a * MemoryRegion into a #MemoryRegionSection. * * Locates the first #MemoryRegion within @mr that overlaps the range * given by @addr and @size. * * Returns a #MemoryRegionSection that describes a contiguous overlap. * It will have the following characteristics: * .@size = 0 iff no overlap was found * .@mr is non-%NULL iff an overlap was found * * Remember that in the return value the @offset_within_region is * relative to the returned region (in the .@mr field), not to the * @mr argument. * * Similarly, the .@offset_within_address_space is relative to the * address space that contains both regions, the passed and the * returned one. However, in the special case where the @mr argument * has no parent (and thus is the root of the address space), the * following will hold: * .@offset_within_address_space >= @addr * .@offset_within_address_space + .@size <= @addr + @size * * @mr: a MemoryRegion within which @addr is a relative address * @addr: start of the area within @as to be searched * @size: size of the area to be searched */ ? Paolo
On 24 May 2013 14:33, Paolo Bonzini <pbonzini@redhat.com> wrote: > Il 24/05/2013 15:27, Peter Maydell ha scritto: >> On 24 May 2013 13:58, Paolo Bonzini <pbonzini@redhat.com> wrote: >>> If it's okay >>> for you, I'll send a pull request up to "memory: clean up phys_page_find" >>> and go on with the next series. >> >> That's fine with me, but please don't forget to fix up >> the doc comment for memory_region_find() (see comments on >> patch 6/30). You can do that in a patch in the next series, >> though, I guess. > > What about this: > > /** > * memory_region_find: translate an address/size relative to a > * MemoryRegion into a #MemoryRegionSection. > * > * Locates the first #MemoryRegion within @mr that overlaps the range > * given by @addr and @size. > * > * Returns a #MemoryRegionSection that describes a contiguous overlap. > * It will have the following characteristics: > * .@size = 0 iff no overlap was found > * .@mr is non-%NULL iff an overlap was found > * > * Remember that in the return value the @offset_within_region is > * relative to the returned region (in the .@mr field), not to the > * @mr argument. > * > * Similarly, the .@offset_within_address_space is relative to the > * address space that contains both regions, the passed and the > * returned one. However, in the special case where the @mr argument > * has no parent (and thus is the root of the address space), the > * following will hold: > * .@offset_within_address_space >= @addr > * .@offset_within_address_space + .@size <= @addr + @size > * > * @mr: a MemoryRegion within which @addr is a relative address > * @addr: start of the area within @as to be searched > * @size: size of the area to be searched > */ Yes, that looks OK to me. thanks -- PMM
On Fri, May 24, 2013 at 11:52:17AM +0100, Peter Maydell wrote: > On 24 May 2013 09:02, Paolo Bonzini <pbonzini@redhat.com> wrote: > > Il 23/05/2013 20:04, Peter Maydell ha scritto: > >> Shouldn't we be calling the MemoryRegionOps > >> accepts() callback here? What about access alignment constraints > >> and access size restrictions? > > > > Yes, we should. > > > >> What if the validity of the range > >> changes between the time you asked and when you actually do the > >> access? > > > > If that's a concern, you shouldn't use this API, you should just do the > > access and rely on the return value of address_space_rw & friends. > > So when *is* it a good idea to use this API? In real > hardware you don't usually get a "tell me whether this > access would succeed if I did it" bus operation -- you > just do the operation and the memory transaction either > succeeds or it doesn't. Are we modelling something that > really exists in hardware on spapr here? So, as a general rule, you should just attempt the access and handle failures - this is a bad interface. The reason I added it, however, is that the PAPR specification mandates that the virtual LAN pre-check various buffers when they're registered, and return specific errors if they're not mapped to valid memory. Since we have nothing to read or write at that point, adding this interface was the only way I could see to implement that requirement. Or... a bit more charitably: You should always handle failures at the point of read or write, but using this interface can give you an earlier, and therefore potentially easier to analyze, error in the more common failure cases, even if there are more complex cases where the pre-check succeeds but the read/write still fails later.
On 25 May 2013 04:44, David Gibson <david@gibson.dropbear.id.au> wrote: > On Fri, May 24, 2013 at 11:52:17AM +0100, Peter Maydell wrote: >> So when *is* it a good idea to use this API? In real >> hardware you don't usually get a "tell me whether this >> access would succeed if I did it" bus operation -- you >> just do the operation and the memory transaction either >> succeeds or it doesn't. Are we modelling something that >> really exists in hardware on spapr here? > > So, as a general rule, you should just attempt the access and handle > failures - this is a bad interface. The reason I added it, however, > is that the PAPR specification mandates that the virtual LAN pre-check > various buffers when they're registered, and return specific errors if > they're not mapped to valid memory. Since we have nothing to read or > write at that point, adding this interface was the only way I could > see to implement that requirement. Would it work to just read and throw away the result of the read? > Or... a bit more charitably: You should always handle failures at the > point of read or write, but using this interface can give you an > earlier, and therefore potentially easier to analyze, error in the > more common failure cases, even if there are more complex cases where > the pre-check succeeds but the read/write still fails later. There's also the converse case where the pre-check fails but doing the operation at the proper time would succeed, in which case where we're modelling real hardware we would be doing it wrong. So the set of cases where it's OK to pre-check seems a bit limited. thanks -- PMM
On Sat, May 25, 2013 at 10:23:32AM +0100, Peter Maydell wrote: > On 25 May 2013 04:44, David Gibson <david@gibson.dropbear.id.au> wrote: > > On Fri, May 24, 2013 at 11:52:17AM +0100, Peter Maydell wrote: > >> So when *is* it a good idea to use this API? In real > >> hardware you don't usually get a "tell me whether this > >> access would succeed if I did it" bus operation -- you > >> just do the operation and the memory transaction either > >> succeeds or it doesn't. Are we modelling something that > >> really exists in hardware on spapr here? > > > > So, as a general rule, you should just attempt the access and handle > > failures - this is a bad interface. The reason I added it, however, > > is that the PAPR specification mandates that the virtual LAN pre-check > > various buffers when they're registered, and return specific errors if > > they're not mapped to valid memory. Since we have nothing to read or > > write at that point, adding this interface was the only way I could > > see to implement that requirement. > > Would it work to just read and throw away the result of the read? Not when checking for writability. > > Or... a bit more charitably: You should always handle failures at the > > point of read or write, but using this interface can give you an > > earlier, and therefore potentially easier to analyze, error in the > > more common failure cases, even if there are more complex cases where > > the pre-check succeeds but the read/write still fails later. > > There's also the converse case where the pre-check fails but > doing the operation at the proper time would succeed, in > which case where we're modelling real hardware we would > be doing it wrong. So the set of cases where it's OK to > pre-check seems a bit limited. Whether originally real or otherwise, this is a question of faithfully implementing what the hardware is supposed to do. In the case of the PAPR llan, the (virtual) hardware specification says that the buffer accessibility is checked at buffer add time, and the driver won't work if it only makes the buffers accessible between that point and the actual buffer access. It would be entirely possible to design real hardware with similar behaviour (probe buffer accessibility when a descriptor is added to a pool, say), although it's not the sort of thing hardware people generally do. So, certainly qemu should not go using this pre-check when the hardware it's emulating does not do such a check. Designing hardware that does do a pre-check is not, IMO, a good idea on balance, but the point is that there is a reason (albeit, not a great one) you might want to design the (possibly virtual) hardware that way. As an aside, when you consider devices with embedded firmware - which is practically everything these days - the distinction between "real" hardware and virtual hardware can get kind of blurry.
diff --git a/dma-helpers.c b/dma-helpers.c index 272632f..2962b69 100644 --- a/dma-helpers.c +++ b/dma-helpers.c @@ -298,6 +298,11 @@ bool iommu_dma_memory_valid(DMAContext *dma, dma_addr_t addr, dma_addr_t len, plen = len; } + if (!address_space_valid(dma->as, paddr, len, + dir == DMA_DIRECTION_FROM_DEVICE)) { + return false; + } + len -= plen; addr += plen; } diff --git a/exec.c b/exec.c index 8d91221..8f1b507 100644 --- a/exec.c +++ b/exec.c @@ -2079,6 +2079,31 @@ static void cpu_notify_map_clients(void) } } +bool address_space_valid(AddressSpace *as, hwaddr addr, int len, bool is_write) +{ + AddressSpaceDispatch *d = as->dispatch; + MemoryRegionSection *section; + int l; + hwaddr page; + + while (len > 0) { + page = addr & TARGET_PAGE_MASK; + l = (page + TARGET_PAGE_SIZE) - addr; + if (l > len) { + l = len; + } + section = phys_page_find(d, addr >> TARGET_PAGE_BITS); + if (section->mr == &io_mem_unassigned || + (is_write && section->mr->readonly)) { + return false; + } + + len -= l; + addr += l; + } + return true; +} + /* Map a physical memory region into a host virtual address. * May map a subset of the requested range, given by and returned in *plen. * May return NULL if resources needed to perform the mapping are exhausted. diff --git a/include/exec/memory.h b/include/exec/memory.h index 6ed593c..2e5fd11 100644 --- a/include/exec/memory.h +++ b/include/exec/memory.h @@ -860,6 +860,20 @@ void address_space_write(AddressSpace *as, hwaddr addr, */ void address_space_read(AddressSpace *as, hwaddr addr, uint8_t *buf, int len); +/* address_space_valid: check for validity of an address space range + * + * Check whether memory is assigned to the given address space range. + * + * For now, addr and len should be aligned to a page size. This limitation + * will be lifted in the future. + * + * @as: #AddressSpace to be accessed + * @addr: address within that address space + * @len: length of the area to be checked + * @is_write: indicates the transfer direction + */ +bool address_space_valid(AddressSpace *as, hwaddr addr, int len, bool is_write); + /* address_space_map: map a physical memory region into a host virtual address * * May map a subset of the requested range, given by and returned in @plen. diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h index a52c93a..2e239dc 100644 --- a/include/sysemu/dma.h +++ b/include/sysemu/dma.h @@ -113,7 +113,8 @@ static inline bool dma_memory_valid(DMAContext *dma, DMADirection dir) { if (!dma_has_iommu(dma)) { - return true; + return address_space_valid(dma->as, addr, len, + dir == DMA_DIRECTION_FROM_DEVICE); } else { return iommu_dma_memory_valid(dma, addr, len, dir); }
The old-style IOMMU lets you check whether an access is valid in a given DMAContext. There is no equivalent for AddressSpace in the memory API, implement it with a lookup of the dispatch tree. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> --- dma-helpers.c | 5 +++++ exec.c | 25 +++++++++++++++++++++++++ include/exec/memory.h | 14 ++++++++++++++ include/sysemu/dma.h | 3 ++- 4 files changed, 46 insertions(+), 1 deletion(-)