Since we don't need to encode all of the PTE flags, we have enough bits in the shadow entry to store the full GFN. Don't use literal numbers - instead derive the involved values. Or, where derivation would become too ugly, sanity-check the result (invoking #error to identify failure).
This then allows dropping from sh_l1e_mmio() again the guarding against too large GFNs. Signed-off-by: Jan Beulich <[email protected]> --- I wonder if the respective check in sh_audit_l1_table() is actually useful to retain with these changes. --- a/xen/arch/x86/mm/shadow/types.h +++ b/xen/arch/x86/mm/shadow/types.h @@ -283,9 +283,17 @@ shadow_put_page_from_l1e(shadow_l1e_t sl * This is only feasible for PAE and 64bit Xen: 32-bit non-PAE PTEs don't * have reserved bits that we can use for this. And even there it can only * be used if we can be certain the processor doesn't use all 52 address bits. + * + * For the MMIO encoding (see below) we need the bottom 4 bits for + * identifying the kind of entry and a full GFN's worth of bits to encode + * the originating frame number. Set all remaining bits to trigger + * reserved bit faults, if (see above) the hardware permits triggering such. */ -#define SH_L1E_MAGIC 0xffffffff00000001ULL +#define SH_L1E_MAGIC_NR_META_BITS 4 +#define SH_L1E_MAGIC_MASK ((~0ULL << (PADDR_BITS - PAGE_SHIFT + \ + SH_L1E_MAGIC_NR_META_BITS)) | \ + _PAGE_PRESENT) static inline bool sh_have_pte_rsvd_bits(void) { @@ -294,7 +302,8 @@ static inline bool sh_have_pte_rsvd_bits static inline bool sh_l1e_is_magic(shadow_l1e_t sl1e) { - return (sl1e.l1 & SH_L1E_MAGIC) == SH_L1E_MAGIC; + BUILD_BUG_ON(!(PADDR_MASK & SH_L1E_MAGIC_MASK)); + return (sl1e.l1 & SH_L1E_MAGIC_MASK) == SH_L1E_MAGIC_MASK; } /* Guest not present: a single magic value */ @@ -320,20 +329,26 @@ static inline bool sh_l1e_is_gnp(shadow_ /* * MMIO: an invalid PTE that contains the GFN of the equivalent guest l1e. - * We store 28 bits of GFN in bits 4:32 of the entry. + * We store the GFN in bits 4:43 of the entry. * The present bit is set, and the U/S and R/W bits are taken from the guest. * Bit 3 is always 0, to differentiate from gnp above. */ -#define SH_L1E_MMIO_MAGIC 0xffffffff00000001ULL -#define SH_L1E_MMIO_MAGIC_MASK 0xffffffff00000009ULL -#define SH_L1E_MMIO_GFN_MASK 0x00000000fffffff0ULL +#define SH_L1E_MMIO_MAGIC SH_L1E_MAGIC_MASK +#define SH_L1E_MMIO_MAGIC_BIT ((_PAGE_PRESENT | _PAGE_RW | _PAGE_USER) + 1) +#if SH_L1E_MMIO_MAGIC_BIT & (SH_L1E_MMIO_MAGIC_BIT - 1) +# error SH_L1E_MMIO_MAGIC_BIT needs to be a power of 2 +#endif +#if SH_L1E_MMIO_MAGIC_BIT >> SH_L1E_MAGIC_NR_META_BITS +# error SH_L1E_MMIO_MAGIC_BIT and SH_L1E_MAGIC_NR_META_BITS are out of sync +#endif +#define SH_L1E_MMIO_MAGIC_MASK (SH_L1E_MAGIC_MASK | SH_L1E_MMIO_MAGIC_BIT) +#define SH_L1E_MMIO_GFN_MASK ~(SH_L1E_MMIO_MAGIC_MASK | _PAGE_RW | _PAGE_USER) static inline shadow_l1e_t sh_l1e_mmio(gfn_t gfn, u32 gflags) { unsigned long gfn_val = MASK_INSR(gfn_x(gfn), SH_L1E_MMIO_GFN_MASK); - if ( !sh_have_pte_rsvd_bits() || - gfn_x(gfn) != MASK_EXTR(gfn_val, SH_L1E_MMIO_GFN_MASK) ) + if ( !sh_have_pte_rsvd_bits() ) return shadow_l1e_empty(); return (shadow_l1e_t) { (SH_L1E_MMIO_MAGIC | gfn_val |
