From: timothee.cocault@gmail.com
To: richard.henderson@linaro.org, anjo@rev.ng
Cc: qemu-devel@nongnu.org
Subject: Re: [PATCH 0/9] Replace remaining target_ulong in system-mode accel
Date: Tue, 22 Aug 2023 21:02:24 +0200
Message-ID: <00e9e08eae1004ef67fe8dca3aaf5043e6863faa.camel@gmail.com>
In-Reply-To: e871da82-dcaf-b7da-d299-99e8911d1e9b@linaro.org

Hi,

Maybe it's too late for the 8.1 window, but I noticed that this patchset
fixes a segfault in qemu-system-ppc (and other 32-bit archs?) introduced by
commit fb2c53c.
Therefore maybe it would be relevant to get it merged before 8.2.

I put the details below, please tell me if you prefer I file a bug.


If the guest accesses memory across the 32-bit boundary (e.g. fetching a dword
at 0xffffffff), do_ld4_mmu will make two calls to do_ld_beN (one for
0xffffffff, the other for 0x100000000).

In the second call, mmu_lookup1 will call tlb_hit(tlb_addr, addr) to check
if the address is already in the TLB. If the first page is loaded, this
will result in a call to tlb_hit(0, 0x100000000) which returns 0,
telling it wrongly that the address belongs in page 0.
data->haddr will then be set to an out-of-bounds address.

Patch 7/9 "include/exec: Widen tlb_hit/tlb_hit_page()" fixes that.


Example crash:

# asm dump
# 0x04: 3820ffff   li r1, -1
# 0x08: 81210000   lwz r9, 0(r1)
$ ./build/qemu-system-ppc -device loader,addr=4,data=0x3820ffff81210000,data-len=8,data-be=true -device loader,addr=0x4,cpu-num=0

Thread 3 "qemu-system-ppc" received signal SIGSEGV, Segmentation fault.
#0  0x0000555555cbf8c7 in do_ld_bytes_beN (p=0x7ffff6c4a2a0, ret_be=0x25) at ../accel/tcg/cputlb.c:2141
#1  0x0000555555cbfe41 in do_ld_beN (env=0x55555684faa0, p=0x7ffff6c4a2a0, ret_be=0x25, mmu_idx=0x3, type=MMU_DATA_LOAD, mop=MO_BEUL, ra=0x7fff7000014d) at ../accel/tcg/cputlb.c:2302
#2  0x0000555555cc088b in do_ld4_mmu (env=0x55555684faa0, addr=0xffffffff, oi=0x123, ra=0x7fff7000014d, access_type=MMU_DATA_LOAD) at ../accel/tcg/cputlb.c:2505
#3  0x0000555555cc092b in helper_ldul_mmu (env=0x55555684faa0, addr=0xffffffff, oi=0x123, retaddr=0x7fff7000014d) at ../accel/tcg/cputlb.c:2516
#4  0x00007fff70000190 in code_gen_buffer ()
#5  0x0000555555cab186 in cpu_tb_exec (cpu=0x55555684d2d0, itb=0x7fffb0000040, tb_exit=0x7ffff6c4a8b0) at ../accel/tcg/cpu-exec.c:457
#6  0x0000555555cabeaf in cpu_loop_exec_tb (cpu=0x55555684d2d0, tb=0x7fffb0000040, pc=0x4, last_tb=0x7ffff6c4a8c0, tb_exit=0x7ffff6c4a8b0) at ../accel/tcg/cpu-exec.c:919
#7  0x0000555555cac219 in cpu_exec_loop (cpu=0x55555684d2d0, sc=0x7ffff6c4a940) at ../accel/tcg/cpu-exec.c:1040
#8  0x0000555555cac2d7 in cpu_exec_setjmp (cpu=0x55555684d2d0, sc=0x7ffff6c4a940) at ../accel/tcg/cpu-exec.c:1057
#9  0x0000555555cac35e in cpu_exec (cpu=0x55555684d2d0) at ../accel/tcg/cpu-exec.c:1083
#10 0x0000555555ccb9a0 in tcg_cpus_exec (cpu=0x55555684d2d0) at ../accel/tcg/tcg-accel-ops.c:75
#11 0x0000555555cccef5 in rr_cpu_thread_fn (arg=0x55555684d2d0) at ../accel/tcg/tcg-accel-ops-rr.c:261
#12 0x0000555555e8d661 in qemu_thread_start (args=0x5555568b6310) at ../util/qemu-thread-posix.c:541
#13 0x00007ffff7a8c9eb in start_thread (arg=<optimized out>) at pthread_create.c:444
#14 0x00007ffff7b10dfc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Regards,
Timothée.
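The truncation the message describes can be reproduced in isolation. The following is an added example, not QEMU's code and not part of the original mail: it places a 32-bit `tlb_hit` (argument type modelled on a 32-bit `target_ulong`) beside a widened 64-bit one and feeds both the second-half address of a 4-byte load at 0xffffffff. The page size, `PAGE_MASK_64` and `TLB_INVALID_BIT` are constructed stand-ins for QEMU's `TARGET_PAGE_MASK` and `TLB_INVALID_MASK`, and `crossing_second_page` is a hypothetical helper that computes the page of the second part of a straddling access.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constants for a 4 KiB page; not QEMU's real definitions. */
#define PAGE_BITS 12
#define PAGE_MASK_64 (~((uint64_t)(1u << PAGE_BITS) - 1))   /* 0xffff...f000 */
#define TLB_INVALID_BIT ((uint64_t)1 << 0)                   /* low bit marks an invalid entry */

typedef uint32_t narrow_addr;   /* stand-in for a 32-bit target_ulong */

/* Narrow variant: both arguments are silently truncated to 32 bits on entry,
 * so 0x100000000 arrives as 0 and compares equal to the entry for page 0. */
static bool tlb_hit_narrow(narrow_addr tlb_addr, narrow_addr addr)
{
    narrow_addr page_mask = (narrow_addr)PAGE_MASK_64;       /* 0xfffff000 */
    return (addr & page_mask) ==
           (tlb_addr & (page_mask | (narrow_addr)TLB_INVALID_BIT));
}

/* Widened variant: the full 64-bit virtual address takes part in the compare,
 * so an address past the 32-bit boundary can no longer alias page 0. */
static bool tlb_hit_wide(uint64_t tlb_addr, uint64_t addr)
{
    return (addr & PAGE_MASK_64) ==
           (tlb_addr & (PAGE_MASK_64 | TLB_INVALID_BIT));
}

/* Hypothetical helper: page address of the second part of an access of
 * `size` bytes at `addr`; equals the first page when nothing straddles. */
static uint64_t crossing_second_page(uint64_t addr, unsigned size)
{
    uint64_t first_page = addr & PAGE_MASK_64;
    uint64_t last_page = (addr + size - 1) & PAGE_MASK_64;
    return last_page;  /* == first_page when the access does not cross */
}

int main(void)
{
    /* Constructed scenario from the report: a 4-byte load at 0xffffffff. */
    uint64_t tlb_entry_for_page0 = 0;
    uint64_t second = crossing_second_page(0xffffffffULL, 4);

    printf("second part of the load lands at 0x%llx\n", (unsigned long long)second);
    printf("narrow tlb_hit(0, second): %d (false hit)\n",
           tlb_hit_narrow((narrow_addr)tlb_entry_for_page0, (narrow_addr)second));
    printf("wide   tlb_hit(0, second): %d (correct miss)\n",
           tlb_hit_wide(tlb_entry_for_page0, second));
    return 0;
}
```

With the narrow comparison the lookup reports a hit in page 0 and the caller proceeds to compute a host address from an entry that was never filled for 0x100000000; the widened comparison misses, so the slow path faults or fills the TLB properly instead of dereferencing out of bounds.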