1 /*
2  *  mmap support for qemu
3  *
4  *  Copyright (c) 2003 Fabrice Bellard
5  *
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 2 of the License, or
9  *  (at your option) any later version.
10  *
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19 #include "qemu/osdep.h"
20 #include "trace.h"
21 #include "exec/log.h"
22 #include "qemu.h"
23 #include "user-internals.h"
24 #include "user-mmap.h"
25 
26 static pthread_mutex_t mmap_mutex = PTHREAD_MUTEX_INITIALIZER;
27 static __thread int mmap_lock_count;
28 
mmap_lock(void)29 void mmap_lock(void)
30 {
31     if (mmap_lock_count++ == 0) {
32         pthread_mutex_lock(&mmap_mutex);
33     }
34 }
35 
mmap_unlock(void)36 void mmap_unlock(void)
37 {
38     if (--mmap_lock_count == 0) {
39         pthread_mutex_unlock(&mmap_mutex);
40     }
41 }
42 
have_mmap_lock(void)43 bool have_mmap_lock(void)
44 {
45     return mmap_lock_count > 0 ? true : false;
46 }
47 
48 /* Grab lock to make sure things are in a consistent state after fork().  */
mmap_fork_start(void)49 void mmap_fork_start(void)
50 {
51     if (mmap_lock_count)
52         abort();
53     pthread_mutex_lock(&mmap_mutex);
54 }
55 
mmap_fork_end(int child)56 void mmap_fork_end(int child)
57 {
58     if (child)
59         pthread_mutex_init(&mmap_mutex, NULL);
60     else
61         pthread_mutex_unlock(&mmap_mutex);
62 }
63 
64 /*
65  * Validate target prot bitmask.
66  * Return the prot bitmask for the host in *HOST_PROT.
67  * Return 0 if the target prot bitmask is invalid, otherwise
68  * the internal qemu page_flags (which will include PAGE_VALID).
69  */
validate_prot_to_pageflags(int * host_prot,int prot)70 static int validate_prot_to_pageflags(int *host_prot, int prot)
71 {
72     int valid = PROT_READ | PROT_WRITE | PROT_EXEC | TARGET_PROT_SEM;
73     int page_flags = (prot & PAGE_BITS) | PAGE_VALID;
74 
75     /*
76      * For the host, we need not pass anything except read/write/exec.
77      * While PROT_SEM is allowed by all hosts, it is also ignored, so
78      * don't bother transforming guest bit to host bit.  Any other
79      * target-specific prot bits will not be understood by the host
80      * and will need to be encoded into page_flags for qemu emulation.
81      *
82      * Pages that are executable by the guest will never be executed
83      * by the host, but the host will need to be able to read them.
84      */
85     *host_prot = (prot & (PROT_READ | PROT_WRITE))
86                | (prot & PROT_EXEC ? PROT_READ : 0);
87 
88 #ifdef TARGET_AARCH64
89     {
90         ARMCPU *cpu = ARM_CPU(thread_cpu);
91 
92         /*
93          * The PROT_BTI bit is only accepted if the cpu supports the feature.
94          * Since this is the unusual case, don't bother checking unless
95          * the bit has been requested.  If set and valid, record the bit
96          * within QEMU's page_flags.
97          */
98         if ((prot & TARGET_PROT_BTI) && cpu_isar_feature(aa64_bti, cpu)) {
99             valid |= TARGET_PROT_BTI;
100             page_flags |= PAGE_BTI;
101         }
102         /* Similarly for the PROT_MTE bit. */
103         if ((prot & TARGET_PROT_MTE) && cpu_isar_feature(aa64_mte, cpu)) {
104             valid |= TARGET_PROT_MTE;
105             page_flags |= PAGE_MTE;
106         }
107     }
108 #endif
109 
110     return prot & ~valid ? 0 : page_flags;
111 }
112 
113 /* NOTE: all the constants are the HOST ones, but addresses are target. */
target_mprotect(abi_ulong start,abi_ulong len,int target_prot)114 int target_mprotect(abi_ulong start, abi_ulong len, int target_prot)
115 {
116     abi_ulong end, host_start, host_end, addr;
117     int prot1, ret, page_flags, host_prot;
118 
119     trace_target_mprotect(start, len, target_prot);
120 
121     if ((start & ~TARGET_PAGE_MASK) != 0) {
122         return -TARGET_EINVAL;
123     }
124     page_flags = validate_prot_to_pageflags(&host_prot, target_prot);
125     if (!page_flags) {
126         return -TARGET_EINVAL;
127     }
128     len = TARGET_PAGE_ALIGN(len);
129     end = start + len;
130     if (!guest_range_valid_untagged(start, len)) {
131         return -TARGET_ENOMEM;
132     }
133     if (len == 0) {
134         return 0;
135     }
136 
137     mmap_lock();
138     host_start = start & qemu_host_page_mask;
139     host_end = HOST_PAGE_ALIGN(end);
140     if (start > host_start) {
141         /* handle host page containing start */
142         prot1 = host_prot;
143         for (addr = host_start; addr < start; addr += TARGET_PAGE_SIZE) {
144             prot1 |= page_get_flags(addr);
145         }
146         if (host_end == host_start + qemu_host_page_size) {
147             for (addr = end; addr < host_end; addr += TARGET_PAGE_SIZE) {
148                 prot1 |= page_get_flags(addr);
149             }
150             end = host_end;
151         }
152         ret = mprotect(g2h_untagged(host_start), qemu_host_page_size,
153                        prot1 & PAGE_BITS);
154         if (ret != 0) {
155             goto error;
156         }
157         host_start += qemu_host_page_size;
158     }
159     if (end < host_end) {
160         prot1 = host_prot;
161         for (addr = end; addr < host_end; addr += TARGET_PAGE_SIZE) {
162             prot1 |= page_get_flags(addr);
163         }
164         ret = mprotect(g2h_untagged(host_end - qemu_host_page_size),
165                        qemu_host_page_size, prot1 & PAGE_BITS);
166         if (ret != 0) {
167             goto error;
168         }
169         host_end -= qemu_host_page_size;
170     }
171 
172     /* handle the pages in the middle */
173     if (host_start < host_end) {
174         ret = mprotect(g2h_untagged(host_start),
175                        host_end - host_start, host_prot);
176         if (ret != 0) {
177             goto error;
178         }
179     }
180     page_set_flags(start, start + len, page_flags);
181     mmap_unlock();
182     return 0;
183 error:
184     mmap_unlock();
185     return ret;
186 }
187 
188 /* map an incomplete host page */
mmap_frag(abi_ulong real_start,abi_ulong start,abi_ulong end,int prot,int flags,int fd,abi_ulong offset)189 static int mmap_frag(abi_ulong real_start,
190                      abi_ulong start, abi_ulong end,
191                      int prot, int flags, int fd, abi_ulong offset)
192 {
193     abi_ulong real_end, addr;
194     void *host_start;
195     int prot1, prot_new;
196 
197     real_end = real_start + qemu_host_page_size;
198     host_start = g2h_untagged(real_start);
199 
200     /* get the protection of the target pages outside the mapping */
201     prot1 = 0;
202     for(addr = real_start; addr < real_end; addr++) {
203         if (addr < start || addr >= end)
204             prot1 |= page_get_flags(addr);
205     }
206 
207     if (prot1 == 0) {
208         /* no page was there, so we allocate one */
209         void *p = mmap(host_start, qemu_host_page_size, prot,
210                        flags | MAP_ANONYMOUS, -1, 0);
211         if (p == MAP_FAILED)
212             return -1;
213         prot1 = prot;
214     }
215     prot1 &= PAGE_BITS;
216 
217     prot_new = prot | prot1;
218     if (!(flags & MAP_ANONYMOUS)) {
219         /* msync() won't work here, so we return an error if write is
220            possible while it is a shared mapping */
221         if ((flags & MAP_TYPE) == MAP_SHARED &&
222             (prot & PROT_WRITE))
223             return -1;
224 
225         /* adjust protection to be able to read */
226         if (!(prot1 & PROT_WRITE))
227             mprotect(host_start, qemu_host_page_size, prot1 | PROT_WRITE);
228 
229         /* read the corresponding file data */
230         if (pread(fd, g2h_untagged(start), end - start, offset) == -1)
231             return -1;
232 
233         /* put final protection */
234         if (prot_new != (prot1 | PROT_WRITE))
235             mprotect(host_start, qemu_host_page_size, prot_new);
236     } else {
237         if (prot_new != prot1) {
238             mprotect(host_start, qemu_host_page_size, prot_new);
239         }
240         if (prot_new & PROT_WRITE) {
241             memset(g2h_untagged(start), 0, end - start);
242         }
243     }
244     return 0;
245 }
246 
247 #if HOST_LONG_BITS == 64 && TARGET_ABI_BITS == 64
248 #ifdef TARGET_AARCH64
249 # define TASK_UNMAPPED_BASE  0x5500000000
250 #else
251 # define TASK_UNMAPPED_BASE  (1ul << 38)
252 #endif
253 #else
254 # define TASK_UNMAPPED_BASE  0x40000000
255 #endif
256 abi_ulong mmap_next_start = TASK_UNMAPPED_BASE;
257 
258 unsigned long last_brk;
259 
260 /* Subroutine of mmap_find_vma, used when we have pre-allocated a chunk
261    of guest address space.  */
mmap_find_vma_reserved(abi_ulong start,abi_ulong size,abi_ulong align)262 static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size,
263                                         abi_ulong align)
264 {
265     abi_ulong addr, end_addr, incr = qemu_host_page_size;
266     int prot;
267     bool looped = false;
268 
269     if (size > reserved_va) {
270         return (abi_ulong)-1;
271     }
272 
273     /* Note that start and size have already been aligned by mmap_find_vma. */
274 
275     end_addr = start + size;
276     if (start > reserved_va - size) {
277         /* Start at the top of the address space.  */
278         end_addr = ((reserved_va - size) & -align) + size;
279         looped = true;
280     }
281 
282     /* Search downward from END_ADDR, checking to see if a page is in use.  */
283     addr = end_addr;
284     while (1) {
285         addr -= incr;
286         if (addr > end_addr) {
287             if (looped) {
288                 /* Failure.  The entire address space has been searched.  */
289                 return (abi_ulong)-1;
290             }
291             /* Re-start at the top of the address space.  */
292             addr = end_addr = ((reserved_va - size) & -align) + size;
293             looped = true;
294         } else {
295             prot = page_get_flags(addr);
296             if (prot) {
297                 /* Page in use.  Restart below this page.  */
298                 addr = end_addr = ((addr - size) & -align) + size;
299             } else if (addr && addr + size == end_addr) {
300                 /* Success!  All pages between ADDR and END_ADDR are free.  */
301                 if (start == mmap_next_start) {
302                     mmap_next_start = addr;
303                 }
304                 return addr;
305             }
306         }
307     }
308 }
309 
310 /*
311  * Find and reserve a free memory area of size 'size'. The search
312  * starts at 'start'.
313  * It must be called with mmap_lock() held.
314  * Return -1 if error.
315  */
mmap_find_vma(abi_ulong start,abi_ulong size,abi_ulong align)316 abi_ulong mmap_find_vma(abi_ulong start, abi_ulong size, abi_ulong align)
317 {
318     void *ptr, *prev;
319     abi_ulong addr;
320     int wrapped, repeat;
321 
322     align = MAX(align, qemu_host_page_size);
323 
324     /* If 'start' == 0, then a default start address is used. */
325     if (start == 0) {
326         start = mmap_next_start;
327     } else {
328         start &= qemu_host_page_mask;
329     }
330     start = ROUND_UP(start, align);
331 
332     size = HOST_PAGE_ALIGN(size);
333 
334     if (reserved_va) {
335         return mmap_find_vma_reserved(start, size, align);
336     }
337 
338     addr = start;
339     wrapped = repeat = 0;
340     prev = 0;
341 
342     for (;; prev = ptr) {
343         /*
344          * Reserve needed memory area to avoid a race.
345          * It should be discarded using:
346          *  - mmap() with MAP_FIXED flag
347          *  - mremap() with MREMAP_FIXED flag
348          *  - shmat() with SHM_REMAP flag
349          */
350         ptr = mmap(g2h_untagged(addr), size, PROT_NONE,
351                    MAP_ANONYMOUS|MAP_PRIVATE|MAP_NORESERVE, -1, 0);
352 
353         /* ENOMEM, if host address space has no memory */
354         if (ptr == MAP_FAILED) {
355             return (abi_ulong)-1;
356         }
357 
358         /* Count the number of sequential returns of the same address.
359            This is used to modify the search algorithm below.  */
360         repeat = (ptr == prev ? repeat + 1 : 0);
361 
362         if (h2g_valid(ptr + size - 1)) {
363             addr = h2g(ptr);
364 
365             if ((addr & (align - 1)) == 0) {
366                 /* Success.  */
367                 if (start == mmap_next_start && addr >= TASK_UNMAPPED_BASE) {
368                     mmap_next_start = addr + size;
369                 }
370                 return addr;
371             }
372 
373             /* The address is not properly aligned for the target.  */
374             switch (repeat) {
375             case 0:
376                 /* Assume the result that the kernel gave us is the
377                    first with enough free space, so start again at the
378                    next higher target page.  */
379                 addr = ROUND_UP(addr, align);
380                 break;
381             case 1:
382                 /* Sometimes the kernel decides to perform the allocation
383                    at the top end of memory instead.  */
384                 addr &= -align;
385                 break;
386             case 2:
387                 /* Start over at low memory.  */
388                 addr = 0;
389                 break;
390             default:
391                 /* Fail.  This unaligned block must the last.  */
392                 addr = -1;
393                 break;
394             }
395         } else {
396             /* Since the result the kernel gave didn't fit, start
397                again at low memory.  If any repetition, fail.  */
398             addr = (repeat ? -1 : 0);
399         }
400 
401         /* Unmap and try again.  */
402         munmap(ptr, size);
403 
404         /* ENOMEM if we checked the whole of the target address space.  */
405         if (addr == (abi_ulong)-1) {
406             return (abi_ulong)-1;
407         } else if (addr == 0) {
408             if (wrapped) {
409                 return (abi_ulong)-1;
410             }
411             wrapped = 1;
412             /* Don't actually use 0 when wrapping, instead indicate
413                that we'd truly like an allocation in low memory.  */
414             addr = (mmap_min_addr > TARGET_PAGE_SIZE
415                      ? TARGET_PAGE_ALIGN(mmap_min_addr)
416                      : TARGET_PAGE_SIZE);
417         } else if (wrapped && addr >= start) {
418             return (abi_ulong)-1;
419         }
420     }
421 }
422 
423 /* NOTE: all the constants are the HOST ones */
target_mmap(abi_ulong start,abi_ulong len,int target_prot,int flags,int fd,abi_ulong offset)424 abi_long target_mmap(abi_ulong start, abi_ulong len, int target_prot,
425                      int flags, int fd, abi_ulong offset)
426 {
427     abi_ulong ret, end, real_start, real_end, retaddr, host_offset, host_len;
428     int page_flags, host_prot;
429 
430     mmap_lock();
431     trace_target_mmap(start, len, target_prot, flags, fd, offset);
432 
433     if (!len) {
434         errno = EINVAL;
435         goto fail;
436     }
437 
438     page_flags = validate_prot_to_pageflags(&host_prot, target_prot);
439     if (!page_flags) {
440         errno = EINVAL;
441         goto fail;
442     }
443 
444     /* Also check for overflows... */
445     len = TARGET_PAGE_ALIGN(len);
446     if (!len) {
447         errno = ENOMEM;
448         goto fail;
449     }
450 
451     if (offset & ~TARGET_PAGE_MASK) {
452         errno = EINVAL;
453         goto fail;
454     }
455 
456     /*
457      * If we're mapping shared memory, ensure we generate code for parallel
458      * execution and flush old translations.  This will work up to the level
459      * supported by the host -- anything that requires EXCP_ATOMIC will not
460      * be atomic with respect to an external process.
461      */
462     if (flags & MAP_SHARED) {
463         CPUState *cpu = thread_cpu;
464         if (!(cpu->tcg_cflags & CF_PARALLEL)) {
465             cpu->tcg_cflags |= CF_PARALLEL;
466             tb_flush(cpu);
467         }
468     }
469 
470     real_start = start & qemu_host_page_mask;
471     host_offset = offset & qemu_host_page_mask;
472 
473     /* If the user is asking for the kernel to find a location, do that
474        before we truncate the length for mapping files below.  */
475     if (!(flags & MAP_FIXED)) {
476         host_len = len + offset - host_offset;
477         host_len = HOST_PAGE_ALIGN(host_len);
478         start = mmap_find_vma(real_start, host_len, TARGET_PAGE_SIZE);
479         if (start == (abi_ulong)-1) {
480             errno = ENOMEM;
481             goto fail;
482         }
483     }
484 
485     /* When mapping files into a memory area larger than the file, accesses
486        to pages beyond the file size will cause a SIGBUS.
487 
488        For example, if mmaping a file of 100 bytes on a host with 4K pages
489        emulating a target with 8K pages, the target expects to be able to
490        access the first 8K. But the host will trap us on any access beyond
491        4K.
492 
493        When emulating a target with a larger page-size than the hosts, we
494        may need to truncate file maps at EOF and add extra anonymous pages
495        up to the targets page boundary.  */
496 
497     if ((qemu_real_host_page_size < qemu_host_page_size) &&
498         !(flags & MAP_ANONYMOUS)) {
499         struct stat sb;
500 
501        if (fstat (fd, &sb) == -1)
502            goto fail;
503 
504        /* Are we trying to create a map beyond EOF?.  */
505        if (offset + len > sb.st_size) {
506            /* If so, truncate the file map at eof aligned with
507               the hosts real pagesize. Additional anonymous maps
508               will be created beyond EOF.  */
509            len = REAL_HOST_PAGE_ALIGN(sb.st_size - offset);
510        }
511     }
512 
513     if (!(flags & MAP_FIXED)) {
514         unsigned long host_start;
515         void *p;
516 
517         host_len = len + offset - host_offset;
518         host_len = HOST_PAGE_ALIGN(host_len);
519 
520         /* Note: we prefer to control the mapping address. It is
521            especially important if qemu_host_page_size >
522            qemu_real_host_page_size */
523         p = mmap(g2h_untagged(start), host_len, host_prot,
524                  flags | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
525         if (p == MAP_FAILED) {
526             goto fail;
527         }
528         /* update start so that it points to the file position at 'offset' */
529         host_start = (unsigned long)p;
530         if (!(flags & MAP_ANONYMOUS)) {
531             p = mmap(g2h_untagged(start), len, host_prot,
532                      flags | MAP_FIXED, fd, host_offset);
533             if (p == MAP_FAILED) {
534                 munmap(g2h_untagged(start), host_len);
535                 goto fail;
536             }
537             host_start += offset - host_offset;
538         }
539         start = h2g(host_start);
540     } else {
541         if (start & ~TARGET_PAGE_MASK) {
542             errno = EINVAL;
543             goto fail;
544         }
545         end = start + len;
546         real_end = HOST_PAGE_ALIGN(end);
547 
548         /*
549          * Test if requested memory area fits target address space
550          * It can fail only on 64-bit host with 32-bit target.
551          * On any other target/host host mmap() handles this error correctly.
552          */
553         if (end < start || !guest_range_valid_untagged(start, len)) {
554             errno = ENOMEM;
555             goto fail;
556         }
557 
558         /* worst case: we cannot map the file because the offset is not
559            aligned, so we read it */
560         if (!(flags & MAP_ANONYMOUS) &&
561             (offset & ~qemu_host_page_mask) != (start & ~qemu_host_page_mask)) {
562             /* msync() won't work here, so we return an error if write is
563                possible while it is a shared mapping */
564             if ((flags & MAP_TYPE) == MAP_SHARED &&
565                 (host_prot & PROT_WRITE)) {
566                 errno = EINVAL;
567                 goto fail;
568             }
569             retaddr = target_mmap(start, len, target_prot | PROT_WRITE,
570                                   MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS,
571                                   -1, 0);
572             if (retaddr == -1)
573                 goto fail;
574             if (pread(fd, g2h_untagged(start), len, offset) == -1)
575                 goto fail;
576             if (!(host_prot & PROT_WRITE)) {
577                 ret = target_mprotect(start, len, target_prot);
578                 assert(ret == 0);
579             }
580             goto the_end;
581         }
582 
583         /* handle the start of the mapping */
584         if (start > real_start) {
585             if (real_end == real_start + qemu_host_page_size) {
586                 /* one single host page */
587                 ret = mmap_frag(real_start, start, end,
588                                 host_prot, flags, fd, offset);
589                 if (ret == -1)
590                     goto fail;
591                 goto the_end1;
592             }
593             ret = mmap_frag(real_start, start, real_start + qemu_host_page_size,
594                             host_prot, flags, fd, offset);
595             if (ret == -1)
596                 goto fail;
597             real_start += qemu_host_page_size;
598         }
599         /* handle the end of the mapping */
600         if (end < real_end) {
601             ret = mmap_frag(real_end - qemu_host_page_size,
602                             real_end - qemu_host_page_size, end,
603                             host_prot, flags, fd,
604                             offset + real_end - qemu_host_page_size - start);
605             if (ret == -1)
606                 goto fail;
607             real_end -= qemu_host_page_size;
608         }
609 
610         /* map the middle (easier) */
611         if (real_start < real_end) {
612             void *p;
613             unsigned long offset1;
614             if (flags & MAP_ANONYMOUS)
615                 offset1 = 0;
616             else
617                 offset1 = offset + real_start - start;
618             p = mmap(g2h_untagged(real_start), real_end - real_start,
619                      host_prot, flags, fd, offset1);
620             if (p == MAP_FAILED)
621                 goto fail;
622         }
623     }
624  the_end1:
625     if (flags & MAP_ANONYMOUS) {
626         page_flags |= PAGE_ANON;
627     }
628     page_flags |= PAGE_RESET;
629     page_set_flags(start, start + len, page_flags);
630  the_end:
631     trace_target_mmap_complete(start);
632     if (qemu_loglevel_mask(CPU_LOG_PAGE)) {
633         log_page_dump(__func__);
634     }
635     tb_invalidate_phys_range(start, start + len);
636     mmap_unlock();
637     return start;
638 fail:
639     mmap_unlock();
640     return -1;
641 }
642 
mmap_reserve(abi_ulong start,abi_ulong size)643 static void mmap_reserve(abi_ulong start, abi_ulong size)
644 {
645     abi_ulong real_start;
646     abi_ulong real_end;
647     abi_ulong addr;
648     abi_ulong end;
649     int prot;
650 
651     real_start = start & qemu_host_page_mask;
652     real_end = HOST_PAGE_ALIGN(start + size);
653     end = start + size;
654     if (start > real_start) {
655         /* handle host page containing start */
656         prot = 0;
657         for (addr = real_start; addr < start; addr += TARGET_PAGE_SIZE) {
658             prot |= page_get_flags(addr);
659         }
660         if (real_end == real_start + qemu_host_page_size) {
661             for (addr = end; addr < real_end; addr += TARGET_PAGE_SIZE) {
662                 prot |= page_get_flags(addr);
663             }
664             end = real_end;
665         }
666         if (prot != 0)
667             real_start += qemu_host_page_size;
668     }
669     if (end < real_end) {
670         prot = 0;
671         for (addr = end; addr < real_end; addr += TARGET_PAGE_SIZE) {
672             prot |= page_get_flags(addr);
673         }
674         if (prot != 0)
675             real_end -= qemu_host_page_size;
676     }
677     if (real_start != real_end) {
678         mmap(g2h_untagged(real_start), real_end - real_start, PROT_NONE,
679                  MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE,
680                  -1, 0);
681     }
682 }
683 
target_munmap(abi_ulong start,abi_ulong len)684 int target_munmap(abi_ulong start, abi_ulong len)
685 {
686     abi_ulong end, real_start, real_end, addr;
687     int prot, ret;
688 
689     trace_target_munmap(start, len);
690 
691     if (start & ~TARGET_PAGE_MASK)
692         return -TARGET_EINVAL;
693     len = TARGET_PAGE_ALIGN(len);
694     if (len == 0 || !guest_range_valid_untagged(start, len)) {
695         return -TARGET_EINVAL;
696     }
697 
698     mmap_lock();
699     end = start + len;
700     real_start = start & qemu_host_page_mask;
701     real_end = HOST_PAGE_ALIGN(end);
702 
703     if (start > real_start) {
704         /* handle host page containing start */
705         prot = 0;
706         for(addr = real_start; addr < start; addr += TARGET_PAGE_SIZE) {
707             prot |= page_get_flags(addr);
708         }
709         if (real_end == real_start + qemu_host_page_size) {
710             for(addr = end; addr < real_end; addr += TARGET_PAGE_SIZE) {
711                 prot |= page_get_flags(addr);
712             }
713             end = real_end;
714         }
715         if (prot != 0)
716             real_start += qemu_host_page_size;
717     }
718     if (end < real_end) {
719         prot = 0;
720         for(addr = end; addr < real_end; addr += TARGET_PAGE_SIZE) {
721             prot |= page_get_flags(addr);
722         }
723         if (prot != 0)
724             real_end -= qemu_host_page_size;
725     }
726 
727     ret = 0;
728     /* unmap what we can */
729     if (real_start < real_end) {
730         if (reserved_va) {
731             mmap_reserve(real_start, real_end - real_start);
732         } else {
733             ret = munmap(g2h_untagged(real_start), real_end - real_start);
734         }
735     }
736 
737     if (ret == 0) {
738         page_set_flags(start, start + len, 0);
739         tb_invalidate_phys_range(start, start + len);
740     }
741     mmap_unlock();
742     return ret;
743 }
744 
target_mremap(abi_ulong old_addr,abi_ulong old_size,abi_ulong new_size,unsigned long flags,abi_ulong new_addr)745 abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
746                        abi_ulong new_size, unsigned long flags,
747                        abi_ulong new_addr)
748 {
749     int prot;
750     void *host_addr;
751 
752     if (!guest_range_valid_untagged(old_addr, old_size) ||
753         ((flags & MREMAP_FIXED) &&
754          !guest_range_valid_untagged(new_addr, new_size)) ||
755         ((flags & MREMAP_MAYMOVE) == 0 &&
756          !guest_range_valid_untagged(old_addr, new_size))) {
757         errno = ENOMEM;
758         return -1;
759     }
760 
761     mmap_lock();
762 
763     if (flags & MREMAP_FIXED) {
764         host_addr = mremap(g2h_untagged(old_addr), old_size, new_size,
765                            flags, g2h_untagged(new_addr));
766 
767         if (reserved_va && host_addr != MAP_FAILED) {
768             /* If new and old addresses overlap then the above mremap will
769                already have failed with EINVAL.  */
770             mmap_reserve(old_addr, old_size);
771         }
772     } else if (flags & MREMAP_MAYMOVE) {
773         abi_ulong mmap_start;
774 
775         mmap_start = mmap_find_vma(0, new_size, TARGET_PAGE_SIZE);
776 
777         if (mmap_start == -1) {
778             errno = ENOMEM;
779             host_addr = MAP_FAILED;
780         } else {
781             host_addr = mremap(g2h_untagged(old_addr), old_size, new_size,
782                                flags | MREMAP_FIXED,
783                                g2h_untagged(mmap_start));
784             if (reserved_va) {
785                 mmap_reserve(old_addr, old_size);
786             }
787         }
788     } else {
789         int prot = 0;
790         if (reserved_va && old_size < new_size) {
791             abi_ulong addr;
792             for (addr = old_addr + old_size;
793                  addr < old_addr + new_size;
794                  addr++) {
795                 prot |= page_get_flags(addr);
796             }
797         }
798         if (prot == 0) {
799             host_addr = mremap(g2h_untagged(old_addr),
800                                old_size, new_size, flags);
801 
802             if (host_addr != MAP_FAILED) {
803                 /* Check if address fits target address space */
804                 if (!guest_range_valid_untagged(h2g(host_addr), new_size)) {
805                     /* Revert mremap() changes */
806                     host_addr = mremap(g2h_untagged(old_addr),
807                                        new_size, old_size, flags);
808                     errno = ENOMEM;
809                     host_addr = MAP_FAILED;
810                 } else if (reserved_va && old_size > new_size) {
811                     mmap_reserve(old_addr + old_size, old_size - new_size);
812                 }
813             }
814         } else {
815             errno = ENOMEM;
816             host_addr = MAP_FAILED;
817         }
818     }
819 
820     if (host_addr == MAP_FAILED) {
821         new_addr = -1;
822     } else {
823         new_addr = h2g(host_addr);
824         prot = page_get_flags(old_addr);
825         page_set_flags(old_addr, old_addr + old_size, 0);
826         page_set_flags(new_addr, new_addr + new_size,
827                        prot | PAGE_VALID | PAGE_RESET);
828     }
829     tb_invalidate_phys_range(new_addr, new_addr + new_size);
830     mmap_unlock();
831     return new_addr;
832 }
833