qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug 1880355] [NEW] Length restrictions for fw_cfg_dma_transfer?

From: Philippe Mathieu-Daudé
Subject: Re: [Bug 1880355] [NEW] Length restrictions for fw_cfg_dma_transfer?
Date: Sun, 24 May 2020 12:30:07 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 
On 5/24/20 6:12 AM, Alexander Bulekov wrote:
> Public bug reported:
> 
> For me, this takes close to 3 minutes at 100% CPU:
> echo "outl 0x518 0x9596ffff" | ./i386-softmmu/qemu-system-i386 -M q35 -m 32 
> -nographic -accel qtest -monitor none -serial none -qtest stdio
> 
> #0  phys_page_find (d=0x606000035d80, addr=136728041144404) at /exec.c:338
> #1  address_space_lookup_region (d=0x606000035d80, addr=136728041144404, 
> resolve_subpage=true) at /exec.c:363
> #2  address_space_translate_internal (d=0x606000035d80, addr=136728041144404, 
> xlat=0x7fff1fc0d070, plen=0x7fff1fc0d090, resolve_subpage=true) at /exec.c:382
> #3  flatview_do_translate (fv=0x606000035d20, addr=136728041144404, 
> xlat=0x7fff1fc0d070, plen_out=0x7fff1fc0d090, page_mask_out=0x0, 
> is_write=true, is_mmio=true, target_as=0x7fff1fc0ce10, attrs=...)
>     pment/qemu/exec.c:520
> #4  flatview_translate (fv=0x606000035d20, addr=136728041144404, 
> xlat=0x7fff1fc0d070, plen=0x7fff1fc0d090, is_write=true, attrs=...) at 
> /exec.c:586
> #5  flatview_write_continue (fv=0x606000035d20, addr=136728041144404, 
> attrs=..., ptr=0x7fff1fc0d660, len=172, addr1=136728041144400, l=172, 
> mr=0x557fd54e77e0 <io_mem_unassigned>)
>     pment/qemu/exec.c:3160
> #6  flatview_write (fv=0x606000035d20, addr=136728041144064, attrs=..., 
> buf=0x7fff1fc0d660, len=512) at /exec.c:3177
> #7  address_space_write (as=0x557fd54e7a00 <address_space_memory>, 
> addr=136728041144064, attrs=..., buf=0x7fff1fc0d660, len=512) at /exec.c:3271
> #8  dma_memory_set (as=0x557fd54e7a00 <address_space_memory>, 
> addr=136728041144064, c=0 '\000', len=1378422272) at /dma-helpers.c:31
> #9  fw_cfg_dma_transfer (s=0x61a000001e80) at /hw/nvram/fw_cfg.c:400
> #10 fw_cfg_dma_mem_write (opaque=0x61a000001e80, addr=4, value=4294940309, 
> size=4) at /hw/nvram/fw_cfg.c:467
> #11 memory_region_write_accessor (mr=0x61a000002200, addr=4, 
> value=0x7fff1fc0e3d0, size=4, shift=0, mask=4294967295, attrs=...) at 
> /memory.c:483
> #12 access_with_adjusted_size (addr=4, value=0x7fff1fc0e3d0, size=4, 
> access_size_min=1, access_size_max=8, access_fn=0x557fd2288c80 
> <memory_region_write_accessor>, mr=0x61a000002200, attrs=...)
>     pment/qemu/memory.c:539
> #13 memory_region_dispatch_write (mr=0x61a000002200, addr=4, data=4294940309, 
> op=MO_32, attrs=...) at /memory.c:1476
> #14 flatview_write_continue (fv=0x606000035f00, addr=1304, attrs=..., 
> ptr=0x7fff1fc0ec40, len=4, addr1=4, l=4, mr=0x61a000002200) at /exec.c:3137
> #15 flatview_write (fv=0x606000035f00, addr=1304, attrs=..., 
> buf=0x7fff1fc0ec40, len=4) at /exec.c:3177
> #16 address_space_write (as=0x557fd54e7bc0 <address_space_io>, addr=1304, 
> attrs=..., buf=0x7fff1fc0ec40, len=4) at /exec.c:3271
> 
> 
> It looks like fw_cfg_dma_transfer gets the address(136728041144064) and 
> length(1378422272) for the read from the value provided as input 4294940309 
> (0xFFFF9695) which lands in pcbios. Should there be any limits on the length 
> of guest-memory that fw_cfg should populate?

It looks to me a normal behavior for a DMA device. DMA devices have a
different address space view than the CPUs.
Also note the fw_cfg is a generic device, not restricted to the x86 arch.

Maybe this function could use dma_memory_valid() to skip unassigned regions?
reply via email to
[Prev in Thread] Current Thread [Next in Thread]