From: Thomas Huth <thuth@redhat.com>
To: qemu-devel@nongnu.org
Cc: Stefan Hajnoczi <stefanha@redhat.com>,
Ilya Leoshkevich <iii@linux.ibm.com>,
Berthold Gunreben <azouhr@opensuse.org>,
Sarah Kriesch <ada.lovelace@gmx.de>,
qemu-stable@nongnu.org,
Richard Henderson <richard.henderson@linaro.org>,
David Hildenbrand <david@redhat.com>
Subject: [PULL 08/20] target/s390x: Fix MVC not always invalidating translation blocks
Date: Thu, 30 Jan 2025 14:15:22 +0100
Message-ID: <20250130131535.91297-9-thuth@redhat.com>
In-Reply-To: <20250130131535.91297-1-thuth@redhat.com>
From: Ilya Leoshkevich <iii@linux.ibm.com>

Node.js crashes in qemu-system-s390x with random SIGSEGVs / SIGILLs.
The v8 JIT used by Node.js can garbage collect and overwrite unused
code. Overwriting is performed by WritableJitAllocation::CopyCode(),
which ultimately calls memcpy(). For certain sizes, memcpy() uses the
MVC instruction.

QEMU implements MVC and other similar instructions using helpers. While
TCG store ops invalidate affected translation blocks automatically,
helpers must do this manually by calling probe_access_flags(). The MVC
helper does this using the access_prepare() -> access_prepare_nf() ->
s390_probe_access() -> probe_access_flags() call chain.

At the last step of this chain, the store size is replaced with 0. This
causes the probe_access_flags() -> notdirty_write() ->
tb_invalidate_phys_range_fast() chain to miss some translation blocks.

When this happens, QEMU executes a mix of old and new code. This
quickly leads to either a SIGSEGV or a SIGILL in case the old code
ends in the middle of a new instruction.

Fix by passing the true size.
Reported-by: Berthold Gunreben <azouhr@opensuse.org>
Cc: Sarah Kriesch <ada.lovelace@gmx.de>
Cc: qemu-stable@nongnu.org
Closes: https://bugzilla.opensuse.org/show_bug.cgi?id=1235709
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Fixes: e2faabee78ff ("accel/tcg: Forward probe size on to notdirty_write")
Message-ID: <20250128001338.11474-1-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
target/s390x/tcg/mem_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/s390x/tcg/mem_helper.c b/target/s390x/tcg/mem_helper.c
index 32717acb7d..c6ab2901e5 100644
--- a/target/s390x/tcg/mem_helper.c
+++ b/target/s390x/tcg/mem_helper.c
@@ -149,7 +149,7 @@ static inline int s390_probe_access(CPUArchState *env, target_ulong addr,
int mmu_idx, bool nonfault,
void **phost, uintptr_t ra)
{
- int flags = probe_access_flags(env, addr, 0, access_type, mmu_idx,
+ int flags = probe_access_flags(env, addr, size, access_type, mmu_idx,
nonfault, phost, ra);
if (unlikely(flags & TLB_INVALID_MASK)) {
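Review bot: the replacement relies on a `size` parameter of s390_probe_access() that the visible context does not show (the truncated `@@` line ends at `target_ulong addr,` and the next context line is `int mmu_idx, bool nonfault,`), so please confirm `size` is in scope at this call, and add a one-line comment above it, e.g. `/* Forward the real size so notdirty_write() invalidates every TB the store touches. */`, because the old literal `0` read as deliberate and only became wrong once e2faabee78ff started forwarding the probe size to notdirty_write(), as the Fixes: tag records; without a comment the next reader may again take a zero-size probe for a harmless optimisation.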
--
2.48.1
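The commit message explains the failure as a range problem: a zero-length probe makes the invalidation pass see a store that covers no bytes, so translation blocks that lie inside the bytes MVC actually rewrote survive and stale code runs next to the new bytes. The following is an added example, not code from QEMU or from this patch: a constructed model of a half-open interval invalidation over a hand-made set of translation blocks (the addresses, the 64-byte copy, the `tb_t` type and the `simulate_copy()`, `invalidate_range()` and `stale_tbs()` helpers are all assumptions of this example, and the interval test is a simplification of what tb_invalidate_phys_range_fast() does). It runs the same copy once with a probe size of 0, as the buggy chain did, and once with the true size, and counts how many blocks each pass invalidates and how many stale blocks remain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model (not QEMU's tb-maint code): each translation block
 * covers the guest code bytes [start, end).
 */
typedef struct {
    uint64_t start;
    uint64_t end;
    bool valid;   /* false once invalidated */
} tb_t;

/* Number of TBs in the constructed scenario below. */
#define NUM_TBS 4

/* Constructed scenario: a 64-byte code copy lands at 0x1000..0x1040. */
#define WRITE_ADDR 0x1000ULL
#define WRITE_SIZE 64ULL

/*
 * Invalidate every valid TB whose byte range intersects the store
 * [addr, addr + size). This is the half-open interval test a range
 * invalidation performs. Returns how many TBs were invalidated.
 * With size == 0 the store range is empty, so only a TB that strictly
 * contains addr in its interior matches; TBs that start at or after
 * addr but inside the bytes actually written are never seen.
 */
static int invalidate_range(tb_t *tbs, size_t n, uint64_t addr, uint64_t size)
{
    uint64_t end = addr + size;
    int count = 0;

    for (size_t i = 0; i < n; i++) {
        if (tbs[i].valid && tbs[i].start < end && tbs[i].end > addr) {
            tbs[i].valid = false;
            count++;
        }
    }
    return count;
}

/*
 * Count TBs that still claim to be valid although they overlap the bytes
 * the store actually rewrote: these hold old code that would execute
 * next to the new bytes, the "mix of old and new code" from the report.
 */
static int stale_tbs(const tb_t *tbs, size_t n, uint64_t addr, uint64_t size)
{
    uint64_t end = addr + size;
    int count = 0;

    for (size_t i = 0; i < n; i++) {
        if (tbs[i].valid && tbs[i].start < end && tbs[i].end > addr) {
            count++;
        }
    }
    return count;
}

/*
 * Run one copy: the helper probes the destination with probe_size
 * (0 for the buggy chain, WRITE_SIZE after the fix) while the store
 * itself still rewrites WRITE_SIZE bytes. Returns the number of TBs
 * invalidated; *stale receives how many overlapping TBs survived.
 */
static int simulate_copy(uint64_t probe_size, int *stale)
{
    tb_t tbs[NUM_TBS] = {
        { 0x0ff0, 0x1010, true },   /* straddles the start of the write */
        { 0x1010, 0x1030, true },   /* entirely inside the written bytes */
        { 0x1030, 0x1050, true },   /* straddles the end of the write */
        { 0x2000, 0x2020, true },   /* unrelated code, must stay valid */
    };
    int invalidated = invalidate_range(tbs, NUM_TBS, WRITE_ADDR, probe_size);

    *stale = stale_tbs(tbs, NUM_TBS, WRITE_ADDR, WRITE_SIZE);
    return invalidated;
}

int main(void)
{
    int stale;
    int n = simulate_copy(0, &stale);

    printf("probe size 0:  invalidated %d TB(s), %d stale\n", n, stale);
    n = simulate_copy(WRITE_SIZE, &stale);
    printf("probe size %llu: invalidated %d TB(s), %d stale\n",
           (unsigned long long)WRITE_SIZE, n, stale);
    return 0;
}
```

With the zero-size probe only the block that straddles the first written byte is invalidated and two blocks inside the copy keep their old translation; with the true size all three overlapping blocks are dropped and the unrelated block is left alone, which is the behaviour the one-line change restores.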