| Message ID | 1564577101-29020-1-git-send-email-bmeng.cn@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | riscv: rv32: Root page table address can be larger than 32-bit | expand |
On 7/31/19 5:45 AM, Bin Meng wrote: > - target_ulong base; > + hwaddr base; ... > - target_ulong pte_addr = base + idx * ptesize; > + hwaddr pte_addr = base + idx * ptesize; I believe that you either need base + (hwaddr)idx * ptesize or change the type of idx to hwaddr above. Otherwise the multiply overflows before it gets promoted with the add. r~
Hi Richard, On Thu, Aug 1, 2019 at 1:35 AM Richard Henderson <richard.henderson@linaro.org> wrote: > > On 7/31/19 5:45 AM, Bin Meng wrote: > > - target_ulong base; > > + hwaddr base; > ... > > - target_ulong pte_addr = base + idx * ptesize; > > + hwaddr pte_addr = base + idx * ptesize; > > I believe that you either need > > base + (hwaddr)idx * ptesize > > or change the type of idx to hwaddr above. > > Otherwise the multiply overflows before it gets promoted with the add. > I am not sure how (idx * ptesize) could overflow. It represents the offset by a page table which is [0, 4096). Regards, Bin
On 7/31/19 6:53 PM, Bin Meng wrote: > I am not sure how (idx * ptesize) could overflow. It represents the > offset by a page table which is [0, 4096). You're right, I mis-read what was going on there. However, lower down, "target_ulong ppn" needs to be promoted to hwaddr, so that ppn = pte >> PTE_PPN_SHIFT; ... base = ppn << PGSHIFT; does not overflow. (Which is the part of the page table walk that I thought I had gleaned from the patch without actually reading the entire function.) r~
On Thu, Aug 1, 2019 at 10:16 PM Richard Henderson <richard.henderson@linaro.org> wrote: > > On 7/31/19 6:53 PM, Bin Meng wrote: > > I am not sure how (idx * ptesize) could overflow. It represents the > > offset by a page table which is [0, 4096). > > You're right, I mis-read what was going on there. > > However, lower down, "target_ulong ppn" needs to be promoted to hwaddr, so that > > ppn = pte >> PTE_PPN_SHIFT; > ... > base = ppn << PGSHIFT; > > does not overflow. (Which is the part of the page table walk that I thought I > had gleaned from the patch without actually reading the entire function.) Ah, yes. ppn should be promoted. Thanks for the review! Regards, Bin
On Thu, Aug 1, 2019 at 7:58 AM Bin Meng <bmeng.cn@gmail.com> wrote: > On Thu, Aug 1, 2019 at 10:16 PM Richard Henderson > <richard.henderson@linaro.org> wrote: > > > > On 7/31/19 6:53 PM, Bin Meng wrote: > > > I am not sure how (idx * ptesize) could overflow. It represents the > > > offset by a page table which is [0, 4096). > > > > You're right, I mis-read what was going on there. > > > > However, lower down, "target_ulong ppn" needs to be promoted to hwaddr, > so that > > > > ppn = pte >> PTE_PPN_SHIFT; > > ... > > base = ppn << PGSHIFT; > > > > does not overflow. (Which is the part of the page table walk that I > thought I > > had gleaned from the patch without actually reading the entire function.) > > Ah, yes. ppn should be promoted. Thanks for the review! > Did I miss a v2?
Hi Palmer, On Thu, Aug 8, 2019 at 4:55 AM Palmer Dabbelt <palmer@sifive.com> wrote: > > On Thu, Aug 1, 2019 at 7:58 AM Bin Meng <bmeng.cn@gmail.com> wrote: >> >> On Thu, Aug 1, 2019 at 10:16 PM Richard Henderson >> <richard.henderson@linaro.org> wrote: >> > >> > On 7/31/19 6:53 PM, Bin Meng wrote: >> > > I am not sure how (idx * ptesize) could overflow. It represents the >> > > offset by a page table which is [0, 4096). >> > >> > You're right, I mis-read what was going on there. >> > >> > However, lower down, "target_ulong ppn" needs to be promoted to hwaddr, so that >> > >> > ppn = pte >> PTE_PPN_SHIFT; >> > ... >> > base = ppn << PGSHIFT; >> > >> > does not overflow. (Which is the part of the page table walk that I thought I >> > had gleaned from the patch without actually reading the entire function.) >> >> Ah, yes. ppn should be promoted. Thanks for the review! > > > Did I miss a v2? No, I will send a v2 soon. Regards, Bin
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c index e32b612..3150a6a 100644 --- a/target/riscv/cpu_helper.c +++ b/target/riscv/cpu_helper.c @@ -176,7 +176,7 @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical, *prot = 0; - target_ulong base; + hwaddr base; int levels, ptidxbits, ptesize, vm, sum; int mxr = get_field(env->mstatus, MSTATUS_MXR); @@ -239,7 +239,7 @@ restart: ((1 << ptidxbits) - 1); /* check that physical address of PTE is legal */ - target_ulong pte_addr = base + idx * ptesize; + hwaddr pte_addr = base + idx * ptesize; if (riscv_feature(env, RISCV_FEATURE_PMP) && !pmp_hart_has_privs(env, pte_addr, sizeof(target_ulong),
For RV32, the root page table's PPN has 22 bits hence its address bits could be larger than the maximum bits that target_ulong is able to represent. Use hwaddr instead. Signed-off-by: Bin Meng <bmeng.cn@gmail.com> --- target/riscv/cpu_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)