From patchwork Thu Feb 4 01:43:40 2021
X-Patchwork-Submitter: Richard Henderson
X-Patchwork-Id: 376142
From: Richard Henderson
To: qemu-devel@nongnu.org
Cc: sw@weilnetz.de
Subject: [PATCH v2 04/93] tcg: Manage splitwx in tc_ptr_to_region_tree by hand
Date: Wed, 3 Feb 2021 15:43:40 -1000
Message-Id: <20210204014509.882821-5-richard.henderson@linaro.org>
In-Reply-To: <20210204014509.882821-1-richard.henderson@linaro.org>
References: <20210204014509.882821-1-richard.henderson@linaro.org>

The use in tcg_tb_lookup is given a random pc that comes from
the pc of a signal handler. Do not assert that the pointer is
already within the code gen buffer at all, much less the writable
mirror of it.

Fixes: db0c51a3803
Signed-off-by: Richard Henderson
---

For TCI, this indicates a bug in handle_cpu_signal, in that we are
taking PC from the host signal frame. Which is, nearly, unrelated
to TCI at all.

The TCI "pc" is tci_tb_ptr (fixed in the next patch to at least be
thread-local). We update this only on calls, since we don't expect
SEGV during the interpretation loop. Which works ok for softmmu, in
which we pass down pc by hand to the helpers, but is not ok for
user-only, where we simply perform the raw memory operation.

I don't know how to fix this, exactly. Probably by storing to
tci_tb_ptr before each qemu_ld/qemu_st operation, with barriers.
Then Doing the Right Thing in handle_cpu_signal. And perhaps by
clearing tci_tb_ptr whenever we're not expecting a SEGV on behalf
of the guest (and thus anything left is a qemu host bug).

---
v2: Retain full struct initialization
---
 tcg/tcg.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

-- 
2.25.1

diff --git a/tcg/tcg.c b/tcg/tcg.c index bbe3dcee03..2991112829 100644 --- a/tcg/tcg.c +++ b/tcg/tcg.c @@ -513,11 +513,21 @@ static void tcg_region_trees_init(void) } } -static struct tcg_region_tree *tc_ptr_to_region_tree(const void *cp) +static struct tcg_region_tree *tc_ptr_to_region_tree(const void *p) { - void *p = tcg_splitwx_to_rw(cp); size_t region_idx; + /* + * Like tcg_splitwx_to_rw, with no assert. The pc may come from + * a signal handler over which the caller has no control. + */ + if (!in_code_gen_buffer(p)) { + p -= tcg_splitwx_diff; + if (!in_code_gen_buffer(p)) { + return NULL; + } + } + if (p < region.start_aligned) { region_idx = 0; } else { @@ -536,6 +546,7 @@ void tcg_tb_insert(TranslationBlock *tb) { struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr); + g_assert(rt != NULL); qemu_mutex_lock(&rt->lock); g_tree_insert(rt->tree, &tb->tc, tb); qemu_mutex_unlock(&rt->lock); 
@@ -545,6 +556,7 @@ void tcg_tb_remove(TranslationBlock *tb) { struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr); + g_assert(rt != NULL); qemu_mutex_lock(&rt->lock); g_tree_remove(rt->tree, &tb->tc); qemu_mutex_unlock(&rt->lock); @@ -561,6 +573,10 @@ TranslationBlock *tcg_tb_lookup(uintptr_t tc_ptr) TranslationBlock *tb; struct tb_tc s = { .ptr = (void *)tc_ptr }; + if (rt == NULL) { + return NULL; + } + qemu_mutex_lock(&rt->lock); tb = g_tree_lookup(rt->tree, &s); qemu_mutex_unlock(&rt->lock);
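Review bot: in the tc_ptr_to_region_tree hunk, `p -= tcg_splitwx_diff;` is applied to a pointer that the preceding `in_code_gen_buffer(p)` check has just shown to lie outside the code gen buffer, and `p` is `const void *`, so this is void-pointer arithmetic (a GCC extension) on a value that may not address any QEMU object at all when it comes from a signal frame. Consider performing the adjustment in `uintptr_t` and converting back to a pointer only after the second `in_code_gen_buffer` check succeeds, which keeps the arithmetic well defined for an arbitrary pc. Also, when splitwx is disabled and `tcg_splitwx_diff` is 0, the second `in_code_gen_buffer(p)` merely repeats the first; harmless, but an early `return NULL` when the diff is zero would make the intent explicit.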
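Review bot: in the tcg_tb_insert and tcg_tb_remove hunks, `g_assert(rt != NULL);` records the invariant that `tb->tc.ptr` always resolves to a region tree now that `tc_ptr_to_region_tree` can return NULL; since the very next line dereferences `&rt->lock`, the assert turns a silent NULL dereference into a diagnosable abort rather than adding a new failure path. A one-line note in the commit message that only the lookup path is expected to see NULL, and that insert/remove treat it as a bug, would make that split of responsibilities clear to later readers.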
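Review bot: in the tcg_tb_lookup hunk, the new `if (rt == NULL) { return NULL; }` makes a pc outside both the code gen buffer and its mirror indistinguishable from an in-buffer pc with no TB, which is the same NULL that `g_tree_lookup` already returns, so existing callers need no change; the commit message should state this unchanged NULL contract explicitly since it is the whole reason the signal-handler case is safe. The hunk context does not show the `rt` declaration, so please confirm the check sits after `struct tcg_region_tree *rt = tc_ptr_to_region_tree(...)` and before any use of `rt`, as its placement after `struct tb_tc s = { .ptr = (void *)tc_ptr };` implies.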