Date: Tue, 28 Oct 2025 20:24:41 GMT
Message-Id: <202510282024.59SKOffx063686@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 20a38e847251 - main - vmm: Fix routines which create maps of the guest physical address space
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=20a38e847251076b12c173d7aa0b37eef261fd32

commit 20a38e847251076b12c173d7aa0b37eef261fd32
Author: Mark Johnston
AuthorDate: 2025-10-28 20:15:13 +0000
Commit: Mark Johnston
CommitDate: 2025-10-28 20:15:13 +0000

vmm: Fix routines which create maps of the guest physical address space

In vm_mmap_memseg(), use vm_map_insert() instead of vm_map_find().
Existing callers expect to map the GPA that they passed, whereas
vm_map_find() merely treats the GPA as a hint. Also check for overflow
and remove a test for first < 0 since "first" is unsigned.

In vmm_mmio_alloc(), return an error number instead of an object
pointer, since the sole caller doesn't need the pointer. As in
vm_mmap_memseg(), use vm_map_insert() instead of vm_map_find() and
validate parameters. This function is not directly reachable via
ioctl(), but we ought to be careful anyway.

Reviewed by: corvink, kib
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53246 --- sys/amd64/vmm/vmm.c | 7 +---- sys/amd64/vmm/vmm_mem.h | 5 ++-- sys/amd64/vmm/vmm_mem_machdep.c | 61 +++++++++++++++++++++++------------------ sys/dev/vmm/vmm_mem.c | 13 +++++---- 4 files changed, 46 insertions(+), 40 deletions(-) diff --git a/sys/amd64/vmm/vmm.c b/sys/amd64/vmm/vmm.c index 473887240b9b..f2bea0d82b5c 100644 --- a/sys/amd64/vmm/vmm.c +++ b/sys/amd64/vmm/vmm.c @@ -724,12 +724,7 @@ vm_name(struct vm *vm) int vm_map_mmio(struct vm *vm, vm_paddr_t gpa, size_t len, vm_paddr_t hpa) { - vm_object_t obj; - - if ((obj = vmm_mmio_alloc(vm_vmspace(vm), gpa, len, hpa)) == NULL) - return (ENOMEM); - else - return (0); + return (vmm_mmio_alloc(vm_vmspace(vm), gpa, len, hpa)); } int diff --git a/sys/amd64/vmm/vmm_mem.h b/sys/amd64/vmm/vmm_mem.h index 41b9bf07c4fc..d905fd37001d 100644 --- a/sys/amd64/vmm/vmm_mem.h +++ b/sys/amd64/vmm/vmm_mem.h @@ -30,10 +30,9 @@ #define _VMM_MEM_H_ struct vmspace; -struct vm_object; -struct vm_object *vmm_mmio_alloc(struct vmspace *, vm_paddr_t gpa, size_t len, - vm_paddr_t hpa); +int vmm_mmio_alloc(struct vmspace *, vm_paddr_t gpa, size_t len, + vm_paddr_t hpa); void vmm_mmio_free(struct vmspace *, vm_paddr_t gpa, size_t size); vm_paddr_t vmm_mem_maxaddr(void); diff --git a/sys/amd64/vmm/vmm_mem_machdep.c b/sys/amd64/vmm/vmm_mem_machdep.c index e96c9e4bdc66..afb3a0274e2a 100644 --- a/sys/amd64/vmm/vmm_mem_machdep.c +++ b/sys/amd64/vmm/vmm_mem_machdep.c @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include 
@@ -45,40 +46,48 @@ #include "vmm_mem.h" -vm_object_t +int vmm_mmio_alloc(struct vmspace *vmspace, vm_paddr_t gpa, size_t len, - vm_paddr_t hpa) + vm_paddr_t hpa) { - int error; - vm_object_t obj; struct sglist *sg; + vm_object_t obj; + int error; + + if (gpa + len < gpa || hpa + len < hpa || (gpa & PAGE_MASK) != 0 || + (hpa & PAGE_MASK) != 0 || (len & PAGE_MASK) != 0) + return (EINVAL); sg = sglist_alloc(1, M_WAITOK); error = sglist_append_phys(sg, hpa, len); KASSERT(error == 0, ("error %d appending physaddr to sglist", error)); obj = vm_pager_allocate(OBJT_SG, sg, len, VM_PROT_RW, 0, NULL); - if (obj != NULL) { - /* - * VT-x ignores the MTRR settings when figuring out the - * memory type for translations obtained through EPT. - * - * Therefore we explicitly force the pages provided by - * this object to be mapped as uncacheable. - */ - VM_OBJECT_WLOCK(obj); - error = vm_object_set_memattr(obj, VM_MEMATTR_UNCACHEABLE); - VM_OBJECT_WUNLOCK(obj); - if (error != KERN_SUCCESS) { - panic("vmm_mmio_alloc: vm_object_set_memattr error %d", - error); - } - error = vm_map_find(&vmspace->vm_map, obj, 0, &gpa, len, 0, - VMFS_NO_SPACE, VM_PROT_RW, VM_PROT_RW, 0); - if (error != KERN_SUCCESS) { - vm_object_deallocate(obj); - obj = NULL; - } + if (obj == NULL) + return (ENOMEM); + + /* + * VT-x ignores the MTRR settings when figuring out the memory type for + * translations obtained through EPT. + * + * Therefore we explicitly force the pages provided by this object to be + * mapped as uncacheable. 
+ */ + VM_OBJECT_WLOCK(obj); + error = vm_object_set_memattr(obj, VM_MEMATTR_UNCACHEABLE); + VM_OBJECT_WUNLOCK(obj); + if (error != KERN_SUCCESS) + panic("vmm_mmio_alloc: vm_object_set_memattr error %d", error); + + vm_map_lock(&vmspace->vm_map); + error = vm_map_insert(&vmspace->vm_map, obj, 0, gpa, gpa + len, + VM_PROT_RW, VM_PROT_RW, 0); + vm_map_unlock(&vmspace->vm_map); + if (error != KERN_SUCCESS) { + error = vm_mmap_to_errno(error); + vm_object_deallocate(obj); + } else { + error = 0; } /* @@ -94,7 +103,7 @@ vmm_mmio_alloc(struct vmspace *vmspace, vm_paddr_t gpa, size_t len, */ sglist_free(sg); - return (obj); + return (error); } void diff --git a/sys/dev/vmm/vmm_mem.c b/sys/dev/vmm/vmm_mem.c index 9df31c9ba133..5ae944713c81 100644 --- a/sys/dev/vmm/vmm_mem.c +++ b/sys/dev/vmm/vmm_mem.c @@ -279,8 +279,10 @@ vm_mmap_memseg(struct vm *vm, vm_paddr_t gpa, int segid, vm_ooffset_t first, if (seg->object == NULL) return (EINVAL); + if (first + len < first || gpa + len < gpa) + return (EINVAL); last = first + len; - if (first < 0 || first >= last || last > seg->len) + if (first >= last || last > seg->len) return (EINVAL); if ((gpa | first | last) & PAGE_MASK) @@ -298,11 +300,12 @@ vm_mmap_memseg(struct vm *vm, vm_paddr_t gpa, int segid, vm_ooffset_t first, return (ENOSPC); vmmap = &mem->mem_vmspace->vm_map; - error = vm_map_find(vmmap, seg->object, first, &gpa, len, 0, - VMFS_NO_SPACE, prot, prot, 0); + vm_map_lock(vmmap); + error = vm_map_insert(vmmap, seg->object, first, gpa, gpa + len, + prot, prot, 0); + vm_map_unlock(vmmap); if (error != KERN_SUCCESS) - return (EFAULT); - + return (vm_mmap_to_errno(error)); vm_object_reference(seg->object); if (flags & VM_MEMMAP_F_WIRED) {
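
Review bot: in the sys/amd64/vmm/vmm.c hunk, vm_map_mmio() now passes through every value vmm_mmio_alloc() can return, where it used to return only 0 or ENOMEM. With this patch that set includes EINVAL from the new parameter check and the result of vm_mmap_to_errno(). A one-line comment above vm_map_mmio() listing the possible errors would help, and any caller that compares the result against ENOMEM specifically should be checked.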
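
Review bot: in the vmm_mmio_alloc() hunk of sys/amd64/vmm/vmm_mem_machdep.c, the new EINVAL check does not reject len == 0. A zero length passes both overflow tests and all three PAGE_MASK tests, so it still reaches sglist_alloc(), sglist_append_phys() and vm_pager_allocate() before vm_map_insert() is called with gpa == gpa + len. vm_mmap_memseg() rejects the same case through "first >= last", so adding "len == 0 ||" to the condition would keep the two routines consistent and fail before anything is allocated.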
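
Review bot: in the first sys/dev/vmm/vmm_mem.c hunk, the retained test "first >= last" can now only be true when len == 0, because "first + len < first" has already returned EINVAL for the wrapping case. Writing it as "len == 0 || last > seg->len" would state the intent directly. Alternatively, a short comment could note that the comparison is the zero-length check.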
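
Review bot: in the second sys/dev/vmm/vmm_mem.c hunk, callers of vm_mmap_memseg() that test for EFAULT on a failed mapping will now see whatever vm_mmap_to_errno(error) yields. The commit message describes the switch to vm_map_insert() but not this change in the returned errno. Since the message implies this path is reachable via ioctl(), the new error values are worth a sentence there or in the relevant documentation. The hunk also drops the blank line between the error return and vm_object_reference(seg->object); keeping it would separate the failure path from the success path as before.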