From 25bcb45d1b81d22634daa2b1a2d8bee746ac129b Mon Sep 17 00:00:00 2001
From: David Hildenbrand
Date: Wed, 14 Aug 2019 17:12:42 +0200
Subject: [PATCH 1/7] s390x/tcg: Fix VERIM with 32/64 bit elements

Wrong order of operands: the constant always comes last. Makes QEMU
crash reliably on specific git fetch invocations.

Reported-by: Stefano Brivio
Signed-off-by: David Hildenbrand
Message-Id: <20190814151242.27199-1-david@redhat.com>
Reviewed-by: Cornelia Huck
Fixes: 5c4b0ab460ef ("s390x/tcg: Implement VECTOR ELEMENT ROTATE AND INSERT UNDER MASK")
Cc: qemu-stable@nongnu.org
Signed-off-by: Cornelia Huck
---
 target/s390x/translate_vx.inc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/s390x/translate_vx.inc.c b/target/s390x/translate_vx.inc.c
index 41d5cf869f..0caddb3958 100644
--- a/target/s390x/translate_vx.inc.c
+++ b/target/s390x/translate_vx.inc.c
@@ -213,7 +213,7 @@ static void get_vec_element_ptr_i64(TCGv_ptr ptr, uint8_t reg, TCGv_i64 enr,
                        vec_full_reg_offset(v3), ptr, 16, 16, data, fn)
 #define gen_gvec_3i(v1, v2, v3, c, gen) \
     tcg_gen_gvec_3i(vec_full_reg_offset(v1), vec_full_reg_offset(v2), \
-                    vec_full_reg_offset(v3), c, 16, 16, gen)
+                    vec_full_reg_offset(v3), 16, 16, c, gen)
 #define gen_gvec_4(v1, v2, v3, v4, gen) \
     tcg_gen_gvec_4(vec_full_reg_offset(v1), vec_full_reg_offset(v2), \
                    vec_full_reg_offset(v3), vec_full_reg_offset(v4), \

From 24332523f15aca16d974a9e4a353a6e09043815d Mon Sep 17 00:00:00 2001
From: David Hildenbrand
Date: Fri, 16 Aug 2019 10:47:03 +0200
Subject: [PATCH 2/7] s390x/mmu: Trace the right value if setting/getting the
 storage key fails

We want to trace the actual return value, not "0".

Fixes: 0f5f669147b5 ("s390x: Enable new s390-storage-keys device")
Reviewed-by: Cornelia Huck
Reviewed-by: Thomas Huth
Signed-off-by: David Hildenbrand
Message-Id: <20190816084708.602-2-david@redhat.com>
Signed-off-by: Cornelia Huck
---
 target/s390x/mmu_helper.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
index 7a563110f0..6cf74502ef 100644
--- a/target/s390x/mmu_helper.c
+++ b/target/s390x/mmu_helper.c
@@ -423,7 +423,8 @@ int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc,
     *raddr = mmu_real2abs(env, *raddr);
 
     if (r == 0 && *raddr < ram_size) {
-        if (skeyclass->get_skeys(ss, *raddr / TARGET_PAGE_SIZE, 1, &key)) {
+        r = skeyclass->get_skeys(ss, *raddr / TARGET_PAGE_SIZE, 1, &key);
+        if (r) {
             trace_get_skeys_nonzero(r);
             return 0;
         }
@@ -436,7 +437,8 @@ int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc,
             key |= SK_C;
         }
 
-        if (skeyclass->set_skeys(ss, *raddr / TARGET_PAGE_SIZE, 1, &key)) {
+        r = skeyclass->set_skeys(ss, *raddr / TARGET_PAGE_SIZE, 1, &key);
+        if (r) {
             trace_set_skeys_nonzero(r);
             return 0;
         }

From c36709e45d5f636bcdf6bfb78f95e27260018ef5 Mon Sep 17 00:00:00 2001
From: David Hildenbrand
Date: Fri, 16 Aug 2019 10:47:04 +0200
Subject: [PATCH 3/7] s390x/mmu: ASC selection in s390_cpu_get_phys_page_debug()

Let's select the ASC before calling the function. This is a preparation
for removing the ASC magic that depends on the access mode from
mmu_translate().

There is currently no way to distinguish whether we have a code or a
data access. For now, we use code access, because especially when
debugging with the gdbstub, we want to read and disassemble what we
single-step.

Note: KVM guests can now no longer be crashed using qmp/hmp/gdbstub if
they happen to be in AR mode.
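For illustration only, the selected behavior boils down to the sketch
below (the PSW_ASC_* values mirror those defined in target/s390x/cpu.h,
PSW bits 16-17; select_debug_asc is a made-up name, not something this
patch introduces):

    #include <stdint.h>

    /* PSW bits 16-17 select the address space (values as in cpu.h). */
    #define PSW_ASC_PRIMARY   0x0000000000000000ULL
    #define PSW_ASC_ACCREG    0x0000400000000000ULL
    #define PSW_ASC_SECONDARY 0x0000800000000000ULL
    #define PSW_ASC_HOME      0x0000C00000000000ULL

    /*
     * Debug accesses fetch code, and code lives in the primary space
     * unless the CPU runs in home-space mode; secondary and AR mode
     * therefore fall back to primary instead of failing.
     */
    static uint64_t select_debug_asc(uint64_t asc)
    {
        return (asc == PSW_ASC_HOME) ? PSW_ASC_HOME : PSW_ASC_PRIMARY;
    }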
Reviewed-by: Thomas Huth
Reviewed-by: Cornelia Huck
Signed-off-by: David Hildenbrand
Message-Id: <20190816084708.602-3-david@redhat.com>
Signed-off-by: Cornelia Huck
---
 target/s390x/helper.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/target/s390x/helper.c b/target/s390x/helper.c
index 1350ad319a..948c0398d4 100644
--- a/target/s390x/helper.c
+++ b/target/s390x/helper.c
@@ -58,6 +58,11 @@ hwaddr s390_cpu_get_phys_page_debug(CPUState *cs, vaddr vaddr)
         vaddr &= 0x7fffffff;
     }
 
+    /* We want to read the code (e.g., see what we are single-stepping).*/
+    if (asc != PSW_ASC_HOME) {
+        asc = PSW_ASC_PRIMARY;
+    }
+
     if (mmu_translate(env, vaddr, MMU_INST_FETCH, asc, &raddr, &prot, false)) {
         return -1;
     }

From 3096ffd3684684a91a9190d3f93c0fc45dd2b856 Mon Sep 17 00:00:00 2001
From: David Hildenbrand
Date: Fri, 16 Aug 2019 10:47:05 +0200
Subject: [PATCH 4/7] s390x/tcg: Rework MMU selection for instruction fetches

Instructions are always fetched from the primary address space, except
when the CPU is in home address mode. Perform the selection directly in
cpu_mmu_index().

get_mem_index() is only used for data accesses; instructions are fetched
via cpu_lduw_code(), which translates to cpu_mmu_index(env, true).

We don't care about restricting the access permissions of the TLB
entries anymore, as we no longer enter PRIMARY entries into the
SECONDARY MMU. Clean up related code a bit.

Reviewed-by: Thomas Huth
Signed-off-by: David Hildenbrand
Reviewed-by: Cornelia Huck
Message-Id: <20190816084708.602-4-david@redhat.com>
Signed-off-by: Cornelia Huck
---
 target/s390x/cpu.h        |  7 +++++++
 target/s390x/mmu_helper.c | 38 +++++++++++++++-----------------------
 2 files changed, 22 insertions(+), 23 deletions(-)

diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
index 3d9de25f7c..79202c0980 100644
--- a/target/s390x/cpu.h
+++ b/target/s390x/cpu.h
@@ -332,6 +332,13 @@ static inline int cpu_mmu_index(CPUS390XState *env, bool ifetch)
         return MMU_REAL_IDX;
     }
 
+    if (ifetch) {
+        if ((env->psw.mask & PSW_MASK_ASC) == PSW_ASC_HOME) {
+            return MMU_HOME_IDX;
+        }
+        return MMU_PRIMARY_IDX;
+    }
+
     switch (env->psw.mask & PSW_MASK_ASC) {
     case PSW_ASC_PRIMARY:
         return MMU_PRIMARY_IDX;
diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
index 6cf74502ef..40b6c1fc36 100644
--- a/target/s390x/mmu_helper.c
+++ b/target/s390x/mmu_helper.c
@@ -350,8 +350,9 @@ int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc,
 {
     static S390SKeysState *ss;
     static S390SKeysClass *skeyclass;
-    int r = -1;
+    uint64_t asce;
     uint8_t key;
+    int r;
 
     if (unlikely(!ss)) {
         ss = s390_get_skeys_device();
@@ -381,36 +382,21 @@ int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc,
 
     if (!(env->psw.mask & PSW_MASK_DAT)) {
         *raddr = vaddr;
-        r = 0;
-        goto out;
+        goto nodat;
     }
 
     switch (asc) {
     case PSW_ASC_PRIMARY:
         PTE_DPRINTF("%s: asc=primary\n", __func__);
-        r = mmu_translate_asce(env, vaddr, asc, env->cregs[1], raddr, flags,
-                               rw, exc);
+        asce = env->cregs[1];
         break;
     case PSW_ASC_HOME:
         PTE_DPRINTF("%s: asc=home\n", __func__);
-        r = mmu_translate_asce(env, vaddr, asc, env->cregs[13], raddr, flags,
-                               rw, exc);
+        asce = env->cregs[13];
         break;
     case PSW_ASC_SECONDARY:
         PTE_DPRINTF("%s: asc=secondary\n", __func__);
-        /*
-         * Instruction: Primary
-         * Data:        Secondary
-         */
-        if (rw == MMU_INST_FETCH) {
-            r = mmu_translate_asce(env, vaddr, PSW_ASC_PRIMARY, env->cregs[1],
-                                   raddr, flags, rw, exc);
-            *flags &= ~(PAGE_READ | PAGE_WRITE);
-        } else {
-            r = mmu_translate_asce(env, vaddr, PSW_ASC_SECONDARY, env->cregs[7],
-                                   raddr, flags, rw, exc);
-            *flags &= ~(PAGE_EXEC);
-        }
+        asce = env->cregs[7];
         break;
     case PSW_ASC_ACCREG:
     default:
@@ -418,11 +404,17 @@
         break;
     }
 
- out:
+    /* perform the DAT translation */
+    r = mmu_translate_asce(env, vaddr, asc, asce, raddr, flags, rw, exc);
+    if (r) {
+        return r;
+    }
+
+nodat:
     /* Convert real address -> absolute address */
     *raddr = mmu_real2abs(env, *raddr);
 
-    if (r == 0 && *raddr < ram_size) {
+    if (*raddr < ram_size) {
         r = skeyclass->get_skeys(ss, *raddr / TARGET_PAGE_SIZE, 1, &key);
         if (r) {
             trace_get_skeys_nonzero(r);
@@ -444,7 +436,7 @@ int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc,
         }
     }
 
-    return r;
+    return 0;
 }
 
 /**

From 5b773a1107e7ca6f51e3447cc066f255a7fd8cca Mon Sep 17 00:00:00 2001
From: David Hildenbrand
Date: Fri, 16 Aug 2019 10:47:06 +0200
Subject: [PATCH 5/7] s390x/tcg: Flush the TLB of all CPUs on SSKE and RRBE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Whenever we modify a storage key, we should flush the TLBs of all CPUs,
so the MMU fault handling code can properly consider the changed storage
key (e.g., to properly set the reference and change bits on the next
accesses).

These functions are barely used in modern Linux guests, so the
performance implications are negligible for now.

This is a preparation for better reference and change bit handling for
TCG, which will require more MMU changes.

Reviewed-by: Cornelia Huck
Signed-off-by: David Hildenbrand
Message-Id: <20190816084708.602-5-david@redhat.com>
Acked-by: Alex Bennée
Signed-off-by: Cornelia Huck
---
 target/s390x/mem_helper.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/target/s390x/mem_helper.c b/target/s390x/mem_helper.c
index 29d9eaa5b7..91ba2e03d9 100644
--- a/target/s390x/mem_helper.c
+++ b/target/s390x/mem_helper.c
@@ -1815,6 +1815,11 @@ void HELPER(sske)(CPUS390XState *env, uint64_t r1, uint64_t r2)
 
     key = (uint8_t) r1;
     skeyclass->set_skeys(ss, addr / TARGET_PAGE_SIZE, 1, &key);
+    /*
+     * As we can only flush by virtual address and not all the entries
+     * that point to a physical address we have to flush the whole TLB.
+     */
+    tlb_flush_all_cpus_synced(env_cpu(env));
 }
 
 /* reset reference bit extended */
@@ -1843,6 +1848,11 @@ uint32_t HELPER(rrbe)(CPUS390XState *env, uint64_t r2)
     if (skeyclass->set_skeys(ss, r2 / TARGET_PAGE_SIZE, 1, &key)) {
         return 0;
     }
+    /*
+     * As we can only flush by virtual address and not all the entries
+     * that point to a physical address we have to flush the whole TLB.
+     */
+    tlb_flush_all_cpus_synced(env_cpu(env));
 
     /*
      * cc

From 2d3bb388ad93dce9a9454af67f43d3aaaa5b9b1a Mon Sep 17 00:00:00 2001
From: David Hildenbrand
Date: Fri, 16 Aug 2019 10:47:07 +0200
Subject: [PATCH 6/7] s390x/mmu: Better storage key reference and change bit
 handling

Any access sets the reference bit. In case we have a read-fault, we
should not allow writes to the TLB entry if the change bit was not
already set.

This is a preparation for proper storage-key reference/change bit
handling in TCG and a fix for KVM, whereby read accesses would set the
change bit (on old KVM versions without the ioctl to carry out the
translation).
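Condensed, the rule being implemented looks like the sketch below (for
illustration only; the bit values mirror QEMU's storage-key and TLB flag
definitions, and update_skey_on_fault is a made-up helper, not part of
this patch):

    #include <stdbool.h>
    #include <stdint.h>

    #define SK_R       0x04    /* storage key reference bit */
    #define SK_C       0x02    /* storage key change bit */
    #define PAGE_WRITE 0x0002  /* TLB entry write permission */

    /*
     * A read fault may only install a writable TLB entry if the change
     * bit is already set; otherwise a later store through that entry
     * would not update the change bit.
     */
    static uint8_t update_skey_on_fault(uint8_t key, bool is_store,
                                        int *flags)
    {
        if (is_store) {
            key |= SK_C;           /* the store changes the page */
        } else if (!(key & SK_C)) {
            *flags &= ~PAGE_WRITE; /* force a fault on the first store */
        }
        return key | SK_R;         /* any access sets the reference bit */
    }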
Reviewed-by: Cornelia Huck
Signed-off-by: David Hildenbrand
Message-Id: <20190816084708.602-6-david@redhat.com>
Signed-off-by: Cornelia Huck
---
 target/s390x/mmu_helper.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
index 40b6c1fc36..61654e07de 100644
--- a/target/s390x/mmu_helper.c
+++ b/target/s390x/mmu_helper.c
@@ -421,13 +421,27 @@ nodat:
             return 0;
         }
 
-        if (*flags & PAGE_READ) {
-            key |= SK_R;
+        switch (rw) {
+        case MMU_DATA_LOAD:
+        case MMU_INST_FETCH:
+            /*
+             * The TLB entry has to remain write-protected on read-faults if
+             * the storage key does not indicate a change already. Otherwise
+             * we might miss setting the change bit on write accesses.
+             */
+            if (!(key & SK_C)) {
+                *flags &= ~PAGE_WRITE;
+            }
+            break;
+        case MMU_DATA_STORE:
+            key |= SK_C;
+            break;
+        default:
+            g_assert_not_reached();
         }
 
-        if (*flags & PAGE_WRITE) {
-            key |= SK_C;
-        }
+        /* Any store/fetch sets the reference bit */
+        key |= SK_R;
 
         r = skeyclass->set_skeys(ss, *raddr / TARGET_PAGE_SIZE, 1, &key);
         if (r) {

From 065fe80fe03ff0f36a0cbebbd2d4b3c05110d96d Mon Sep 17 00:00:00 2001
From: David Hildenbrand
Date: Fri, 16 Aug 2019 10:47:08 +0200
Subject: [PATCH 7/7] s390x/mmu: Factor out storage key handling

Factor it out, add a comment describing how it all works, and also use
it in the REAL MMU.

Reviewed-by: Cornelia Huck
Reviewed-by: Thomas Huth
Signed-off-by: David Hildenbrand
Message-Id: <20190816084708.602-7-david@redhat.com>
Signed-off-by: Cornelia Huck
---
 target/s390x/mmu_helper.c | 115 +++++++++++++++++++++++---------------
 1 file changed, 71 insertions(+), 44 deletions(-)

diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
index 61654e07de..7e6b0d0508 100644
--- a/target/s390x/mmu_helper.c
+++ b/target/s390x/mmu_helper.c
@@ -335,6 +335,75 @@ static int mmu_translate_asce(CPUS390XState *env, target_ulong vaddr,
     return r;
 }
 
+static void mmu_handle_skey(target_ulong addr, int rw, int *flags)
+{
+    static S390SKeysClass *skeyclass;
+    static S390SKeysState *ss;
+    uint8_t key;
+    int rc;
+
+    if (unlikely(addr >= ram_size)) {
+        return;
+    }
+
+    if (unlikely(!ss)) {
+        ss = s390_get_skeys_device();
+        skeyclass = S390_SKEYS_GET_CLASS(ss);
+    }
+
+    /*
+     * Whenever we create a new TLB entry, we set the storage key reference
+     * bit. In case we allow write accesses, we set the storage key change
+     * bit. Whenever the guest changes the storage key, we have to flush the
+     * TLBs of all CPUs (the whole TLB or all affected entries), so that the
+     * next reference/change will result in an MMU fault and make us properly
+     * update the storage key here.
+     *
+     * Note 1: "record of references ... is not necessarily accurate",
+     *         "change bit may be set in case no storing has occurred".
+     *         -> We can set reference/change bits even on exceptions.
+     * Note 2: certain accesses seem to ignore storage keys. For example,
+     *         DAT translation does not set reference bits for table accesses.
+     *
+     * TODO: key-controlled protection. Only CPU accesses make use of the
+     *       PSW key. CSS accesses are different - we have to pass in the key.
+     *
+     * TODO: we have races between getting and setting the key.
+     */
+    rc = skeyclass->get_skeys(ss, addr / TARGET_PAGE_SIZE, 1, &key);
+    if (rc) {
+        trace_get_skeys_nonzero(rc);
+        return;
+    }
+
+    switch (rw) {
+    case MMU_DATA_LOAD:
+    case MMU_INST_FETCH:
+        /*
+         * The TLB entry has to remain write-protected on read-faults if
+         * the storage key does not indicate a change already. Otherwise
+         * we might miss setting the change bit on write accesses.
+         */
+        if (!(key & SK_C)) {
+            *flags &= ~PAGE_WRITE;
+        }
+        break;
+    case MMU_DATA_STORE:
+        key |= SK_C;
+        break;
+    default:
+        g_assert_not_reached();
+    }
+
+    /* Any store/fetch sets the reference bit */
+    key |= SK_R;
+
+    rc = skeyclass->set_skeys(ss, addr / TARGET_PAGE_SIZE, 1, &key);
+    if (rc) {
+        trace_set_skeys_nonzero(rc);
+    }
+}
+
 /**
  * Translate a virtual (logical) address into a physical (absolute) address.
  * @param vaddr the virtual address
@@ -348,16 +417,9 @@ static int mmu_translate_asce(CPUS390XState *env, target_ulong vaddr,
 int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc,
                   target_ulong *raddr, int *flags, bool exc)
 {
-    static S390SKeysState *ss;
-    static S390SKeysClass *skeyclass;
     uint64_t asce;
-    uint8_t key;
     int r;
 
-    if (unlikely(!ss)) {
-        ss = s390_get_skeys_device();
-        skeyclass = S390_SKEYS_GET_CLASS(ss);
-    }
-
     *flags = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
     if (is_low_address(vaddr & TARGET_PAGE_MASK) && lowprot_enabled(env, asc)) {
@@ -414,42 +476,7 @@ nodat:
     /* Convert real address -> absolute address */
     *raddr = mmu_real2abs(env, *raddr);
 
-    if (*raddr < ram_size) {
-        r = skeyclass->get_skeys(ss, *raddr / TARGET_PAGE_SIZE, 1, &key);
-        if (r) {
-            trace_get_skeys_nonzero(r);
-            return 0;
-        }
-
-        switch (rw) {
-        case MMU_DATA_LOAD:
-        case MMU_INST_FETCH:
-            /*
-             * The TLB entry has to remain write-protected on read-faults if
-             * the storage key does not indicate a change already. Otherwise
-             * we might miss setting the change bit on write accesses.
-             */
-            if (!(key & SK_C)) {
-                *flags &= ~PAGE_WRITE;
-            }
-            break;
-        case MMU_DATA_STORE:
-            key |= SK_C;
-            break;
-        default:
-            g_assert_not_reached();
-        }
-
-        /* Any store/fetch sets the reference bit */
-        key |= SK_R;
-
-        r = skeyclass->set_skeys(ss, *raddr / TARGET_PAGE_SIZE, 1, &key);
-        if (r) {
-            trace_set_skeys_nonzero(r);
-            return 0;
-        }
-    }
-
+    mmu_handle_skey(*raddr, rw, flags);
     return 0;
 }
@@ -567,6 +594,6 @@ int mmu_translate_real(CPUS390XState *env, target_ulong raddr, int rw,
 
     *addr = mmu_real2abs(env, raddr & TARGET_PAGE_MASK);
 
-    /* TODO: storage key handling */
+    mmu_handle_skey(*addr, rw, flags);
     return 0;
 }
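As a closing illustration, the behavior of the factored-out handling
across a load-then-store sequence can be played through standalone (a
sketch with a stubbed key store, not the QEMU code itself; all *_demo
names are made up, and the constants mirror the QEMU definitions):

    #include <stdint.h>
    #include <stdio.h>

    #define SK_R       0x04    /* reference bit */
    #define SK_C       0x02    /* change bit */
    #define PAGE_READ  0x0001
    #define PAGE_WRITE 0x0002

    enum { DEMO_LOAD, DEMO_STORE };

    static uint8_t key_demo; /* stand-in for the skeys device backing store */

    /* Mirrors the flow of mmu_handle_skey() for a single page. */
    static void handle_skey_demo(int rw, int *flags)
    {
        uint8_t key = key_demo;

        if (rw == DEMO_STORE) {
            key |= SK_C;           /* the store sets the change bit */
        } else if (!(key & SK_C)) {
            *flags &= ~PAGE_WRITE; /* keep the TLB entry write-protected */
        }
        key_demo = key | SK_R;     /* any access sets the reference bit */
    }

    int main(void)
    {
        int flags = PAGE_READ | PAGE_WRITE;

        handle_skey_demo(DEMO_LOAD, &flags);  /* the read fault comes first */
        printf("after load:  key=%#x flags=%#x\n", key_demo, flags);

        flags = PAGE_READ | PAGE_WRITE;
        handle_skey_demo(DEMO_STORE, &flags); /* the first store faults again */
        printf("after store: key=%#x flags=%#x\n", key_demo, flags);
        return 0;
    }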