From patchwork Wed Feb 17 20:19:28 2021
X-Patchwork-Submitter: Richard Henderson
X-Patchwork-Id: 383854
From: Richard Henderson
To: qemu-devel@nongnu.org
Cc: sw@weilnetz.de, alex.bennee@linaro.org, f4bug@amsat.org
Subject: [PATCH v4 03/71] tcg: Manage splitwx in tc_ptr_to_region_tree by hand
Date: Wed, 17 Feb 2021 12:19:28 -0800
Message-Id: <20210217202036.1724901-4-richard.henderson@linaro.org>
In-Reply-To: <20210217202036.1724901-1-richard.henderson@linaro.org>
References: <20210217202036.1724901-1-richard.henderson@linaro.org>

The use in tcg_tb_lookup is given a random pc that comes from the pc
of a signal handler.  Do not assert that the pointer is already within
the code gen buffer at all, much less the writable mirror of it.

Fixes: db0c51a3803
Signed-off-by: Richard Henderson
---
For TCI, this indicates a bug in handle_cpu_signal, in that we are
taking PC from the host signal frame.  Which is, nearly, unrelated to
TCI at all.  The TCI "pc" is tci_tb_ptr (fixed in the next patch to at
least be thread-local).  We update this only on calls, since we don't
expect SEGV during the interpretation loop.  Which works ok for
softmmu, in which we pass down pc by hand to the helpers, but is not
ok for user-only, where we simply perform the raw memory operation.

I don't know how to fix this, exactly.  Probably by storing to
tci_tb_ptr before each qemu_ld/qemu_st operation, with barriers.  Then
Doing the Right Thing in handle_cpu_signal.  And perhaps by clearing
tci_tb_ptr whenever we're not expecting a SEGV on behalf of the guest
(and thus anything left is a qemu host bug).
---
v2: Retain full struct initialization
---
 tcg/tcg.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

-- 
2.25.1

diff --git a/tcg/tcg.c b/tcg/tcg.c
index bbe3dcee03..2991112829 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -513,11 +513,21 @@ static void tcg_region_trees_init(void) } } -static struct tcg_region_tree *tc_ptr_to_region_tree(const void *cp) +static struct tcg_region_tree *tc_ptr_to_region_tree(const void *p) { - void *p = tcg_splitwx_to_rw(cp); size_t region_idx; + /* + * Like tcg_splitwx_to_rw, with no assert. The pc may come from + * a signal handler over which the caller has no control. + */ + if (!in_code_gen_buffer(p)) { + p -= tcg_splitwx_diff; + if (!in_code_gen_buffer(p)) { + return NULL; + } + } + if (p < region.start_aligned) { region_idx = 0; } else { @@ -536,6 +546,7 @@ void tcg_tb_insert(TranslationBlock *tb) { struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr); + g_assert(rt != NULL); qemu_mutex_lock(&rt->lock); g_tree_insert(rt->tree, &tb->tc, tb); qemu_mutex_unlock(&rt->lock);
@@ -545,6 +556,7 @@ void tcg_tb_remove(TranslationBlock *tb) { struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr); + g_assert(rt != NULL); qemu_mutex_lock(&rt->lock); g_tree_remove(rt->tree, &tb->tc); qemu_mutex_unlock(&rt->lock); @@ -561,6 +573,10 @@ TranslationBlock *tcg_tb_lookup(uintptr_t tc_ptr) TranslationBlock *tb; struct tb_tc s = { .ptr = (void *)tc_ptr }; + if (rt == NULL) { + return NULL; + } + qemu_mutex_lock(&rt->lock); tb = g_tree_lookup(rt->tree, &s); qemu_mutex_unlock(&rt->lock);
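Review bot: in the tc_ptr_to_region_tree hunk (@@ -513,11 +513,21 @@), the function's new contract of returning NULL is not documented at the function itself; the inline comment explains the splitwx translation but not that a pointer lying in neither the code gen buffer nor its mirror now yields NULL. Suggest a short comment above the signature stating that, so the g_assert in the insert/remove callers and the NULL check in the lookup caller read as deliberate. A second, minor point: `p -= tcg_splitwx_diff;` runs before the second range check, so for a foreign pc the subtraction forms an address that may point outside any mapping. It is only compared by in_code_gen_buffer and never dereferenced, so it is harmless in practice, but carrying the value as a uintptr_t until the check passes would avoid both out-of-object pointer arithmetic and arithmetic on `const void *`.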
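Review bot: the `+    g_assert(rt != NULL);` added in tcg_tb_insert (@@ -536,6 +546,7 @@), and the identical line in tcg_tb_remove (@@ -545,6 +556,7 @@), restore for those two callers the assertion that the removed tcg_splitwx_to_rw call used to provide, so only the lookup path becomes tolerant. A one-line comment saying why asserting is right here (tb->tc.ptr is produced by TCG itself, so a foreign value is a bug rather than a hostile input) would stop a later reader from "fixing" these into NULL returns as well.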
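Review bot: in the tcg_tb_lookup hunk (@@ -561,6 +573,10 @@), the `if (rt == NULL) return NULL;` is placed after the declarations and before qemu_mutex_lock, which is the right spot, but it changes the function's contract: every caller must now tolerate NULL for a pc that lies outside the code gen buffer. The commit message says this pc comes from a signal handler, so the fault-handling caller should be checked to confirm it tests the result before dereferencing it. Note that g_tree_lookup already returns NULL when no TB matches, so callers should have had a NULL path before this change; this hunk only adds a second way to reach it.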
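To make the by-hand translation in the first hunk concrete, here is an added stand-alone model of the assert-free lookup. This is example code written for this page, not code from the patch or from QEMU: `code_gen_buffer`, `SPLITWX_DIFF`, `REGION_SIZE`, `in_code_gen_buffer`, `splitwx_to_rw_checked`, `tc_ptr_to_region_idx` and the helper names are assumptions chosen for the demo, and the region arithmetic is simplified to fixed-size regions. It also swaps in one technique the patch does not use: the arithmetic is done on `uintptr_t` rather than on `const void *`, so a foreign pc never becomes an out-of-object pointer before it is rejected.

```c
/*
 * Added example, not QEMU code: a stand-alone model of the assert-free
 * split-W^X lookup in the patch above.  code_gen_buffer, SPLITWX_DIFF,
 * REGION_SIZE and the function names are assumptions for this demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE    4096u  /* constructed size of the RW code buffer */
#define REGION_SIZE 1024u  /* constructed per-region size: 4 regions */

/* RW view of the code buffer.  In a real split-WX setup this is one of
 * two mappings of the same pages; here a plain array stands in. */
static unsigned char code_gen_buffer[BUF_SIZE];

/* Distance from the RX mirror to the RW view.  The demo pretends the
 * mirror sits 1 MiB above the buffer; with split-WX disabled this is
 * 0 and the second range check below becomes a no-op. */
#define SPLITWX_DIFF ((uintptr_t)1 << 20)

/* Half-open range check: is p inside the RW buffer? */
int in_code_gen_buffer(uintptr_t p)
{
    uintptr_t start = (uintptr_t)code_gen_buffer;
    return p >= start && p - start < BUF_SIZE;
}

/*
 * Same shape as the patch's translation, but on uintptr_t so a foreign
 * input is only ever compared, never formed into a pointer.  Returns 0
 * and stores the RW address on success, -1 if p is in neither view.
 */
int splitwx_to_rw_checked(uintptr_t p, uintptr_t *rw)
{
    if (!in_code_gen_buffer(p)) {
        p -= SPLITWX_DIFF;          /* unsigned wrap is well defined */
        if (!in_code_gen_buffer(p)) {
            return -1;              /* e.g. a pc in an unrelated library */
        }
    }
    *rw = p;
    return 0;
}

/* Region index for a code pointer in either view, or -1 if foreign. */
int tc_ptr_to_region_idx(uintptr_t p)
{
    uintptr_t rw;
    if (splitwx_to_rw_checked(p, &rw) < 0) {
        return -1;
    }
    return (int)((rw - (uintptr_t)code_gen_buffer) / REGION_SIZE);
}

/* Helpers to build an address in each view from a buffer offset. */
uintptr_t rw_addr(size_t off) { return (uintptr_t)code_gen_buffer + off; }
uintptr_t rx_addr(size_t off) { return rw_addr(off) + SPLITWX_DIFF; }

int main(void)
{
    /* Constructed probes: one pointer from each view and two foreign ones. */
    struct { const char *what; uintptr_t p; } probes[] = {
        { "RW view, region 0",   rw_addr(REGION_SIZE - 1) },
        { "RX mirror, region 2", rx_addr(2 * REGION_SIZE) },
        { "one past the RW end", rw_addr(BUF_SIZE) },
        { "one past the RX end", rx_addr(BUF_SIZE) },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("%-20s -> region %d\n", probes[i].what,
               tc_ptr_to_region_idx(probes[i].p));
    }
    return 0;
}
```

The two "one past the end" probes are the cases the old asserting path would have aborted on; here they come back as -1 and the caller decides, which is the behaviour the patch gives tcg_tb_lookup while tcg_tb_insert and tcg_tb_remove keep asserting.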