* [Qemu-devel] [PATCH 0/2]
@ 2019-02-09 16:27 Emilio G. Cota
2019-02-09 16:27 ` [Qemu-devel] [PATCH 1/2] exec-all: document that tlb_fill can trigger a TLB resize Emilio G. Cota
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Emilio G. Cota @ 2019-02-09 16:27 UTC (permalink / raw)
To: qemu-devel; +Cc: Max Filippov, Alex Bennée, Richard Henderson
Fix a bug introduced with dynamic TLB sizing -- we forgot to account
for possible TLB resizes during tlb_fill().
Max reported the bug and provided a reproducer here:
https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg02283.html
Thanks,
Emilio
^ permalink raw reply [flat|nested] 5+ messages in thread* [Qemu-devel] [PATCH 1/2] exec-all: document that tlb_fill can trigger a TLB resize 2019-02-09 16:27 [Qemu-devel] [PATCH 0/2] Emilio G. Cota @ 2019-02-09 16:27 ` Emilio G. Cota 2019-02-09 20:48 ` Alex Bennée 2019-02-09 16:27 ` [Qemu-devel] [PATCH 2/2] cputlb: update TLB entry/index after tlb_fill Emilio G. Cota 2019-02-09 17:09 ` [Qemu-devel] [PATCH 0/2] Richard Henderson 2 siblings, 1 reply; 5+ messages in thread From: Emilio G. Cota @ 2019-02-09 16:27 UTC (permalink / raw) To: qemu-devel; +Cc: Max Filippov, Alex Bennée, Richard Henderson Signed-off-by: Emilio G. Cota <cota@braap.org> --- include/exec/exec-all.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h index aa7b81aaf0..97b90cb0db 100644 --- a/include/exec/exec-all.h +++ b/include/exec/exec-all.h @@ -475,6 +475,11 @@ static inline void assert_no_pages_locked(void) struct MemoryRegionSection *iotlb_to_section(CPUState *cpu, hwaddr index, MemTxAttrs attrs); +/* + * Note: tlb_fill() can trigger a resize of the TLB. This means that all of the + * caller's prior references to the TLB table (e.g. CPUTLBEntry pointers) must + * be discarded and looked up again (e.g. via tlb_entry()). + */ void tlb_fill(CPUState *cpu, target_ulong addr, int size, MMUAccessType access_type, int mmu_idx, uintptr_t retaddr); -- 2.17.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] exec-all: document that tlb_fill can trigger a TLB resize 2019-02-09 16:27 ` [Qemu-devel] [PATCH 1/2] exec-all: document that tlb_fill can trigger a TLB resize Emilio G. Cota @ 2019-02-09 20:48 ` Alex Bennée 0 siblings, 0 replies; 5+ messages in thread From: Alex Bennée @ 2019-02-09 20:48 UTC (permalink / raw) To: Emilio G. Cota; +Cc: qemu-devel, Max Filippov, Richard Henderson Emilio G. Cota <cota@braap.org> writes: > Signed-off-by: Emilio G. Cota <cota@braap.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> > --- > include/exec/exec-all.h | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h > index aa7b81aaf0..97b90cb0db 100644 > --- a/include/exec/exec-all.h > +++ b/include/exec/exec-all.h > @@ -475,6 +475,11 @@ static inline void assert_no_pages_locked(void) > struct MemoryRegionSection *iotlb_to_section(CPUState *cpu, > hwaddr index, MemTxAttrs attrs); > > +/* > + * Note: tlb_fill() can trigger a resize of the TLB. This means that all of the > + * caller's prior references to the TLB table (e.g. CPUTLBEntry pointers) must > + * be discarded and looked up again (e.g. via tlb_entry()). > + */ > void tlb_fill(CPUState *cpu, target_ulong addr, int size, > MMUAccessType access_type, int mmu_idx, uintptr_t retaddr); -- Alex Bennée ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 2/2] cputlb: update TLB entry/index after tlb_fill 2019-02-09 16:27 [Qemu-devel] [PATCH 0/2] Emilio G. Cota 2019-02-09 16:27 ` [Qemu-devel] [PATCH 1/2] exec-all: document that tlb_fill can trigger a TLB resize Emilio G. Cota @ 2019-02-09 16:27 ` Emilio G. Cota 2019-02-09 17:09 ` [Qemu-devel] [PATCH 0/2] Richard Henderson 2 siblings, 0 replies; 5+ messages in thread From: Emilio G. Cota @ 2019-02-09 16:27 UTC (permalink / raw) To: qemu-devel; +Cc: Max Filippov, Alex Bennée, Richard Henderson We are failing to take into account that tlb_fill() can cause a TLB resize, which renders prior TLB entry pointers/indices stale. Fix it by re-doing the TLB entry lookups immediately after tlb_fill. Fixes: 86e1eff8bc ("tcg: introduce dynamic TLB sizing", 2019-01-28) Reported-by: Max Filippov <jcmvbkbc@gmail.com> Tested-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Emilio G. Cota <cota@braap.org> --- accel/tcg/softmmu_template.h | 8 ++++++++ accel/tcg/cputlb.c | 4 ++++ 2 files changed, 12 insertions(+) diff --git a/accel/tcg/softmmu_template.h b/accel/tcg/softmmu_template.h index 1fdd262ea4..e970a8b378 100644 --- a/accel/tcg/softmmu_template.h +++ b/accel/tcg/softmmu_template.h @@ -129,6 +129,8 @@ WORD_TYPE helper_le_ld_name(CPUArchState *env, target_ulong addr, if (!VICTIM_TLB_HIT(ADDR_READ, addr)) { tlb_fill(ENV_GET_CPU(env), addr, DATA_SIZE, READ_ACCESS_TYPE, mmu_idx, retaddr); + index = tlb_index(env, mmu_idx, addr); + entry = tlb_entry(env, mmu_idx, addr); } tlb_addr = entry->ADDR_READ; } @@ -198,6 +200,8 @@ WORD_TYPE helper_be_ld_name(CPUArchState *env, target_ulong addr, if (!VICTIM_TLB_HIT(ADDR_READ, addr)) { tlb_fill(ENV_GET_CPU(env), addr, DATA_SIZE, READ_ACCESS_TYPE, mmu_idx, retaddr); + index = tlb_index(env, mmu_idx, addr); + entry = tlb_entry(env, mmu_idx, addr); } tlb_addr = entry->ADDR_READ; } @@ -294,6 +298,8 @@ void helper_le_st_name(CPUArchState *env, target_ulong addr, DATA_TYPE val, if (!VICTIM_TLB_HIT(addr_write, addr)) { tlb_fill(ENV_GET_CPU(env), addr, DATA_SIZE, MMU_DATA_STORE, mmu_idx, retaddr); + index = tlb_index(env, mmu_idx, addr); + entry = tlb_entry(env, mmu_idx, addr); } tlb_addr = tlb_addr_write(entry) & ~TLB_INVALID_MASK; } @@ -372,6 +378,8 @@ void helper_be_st_name(CPUArchState *env, target_ulong addr, DATA_TYPE val, if (!VICTIM_TLB_HIT(addr_write, addr)) { tlb_fill(ENV_GET_CPU(env), addr, DATA_SIZE, MMU_DATA_STORE, mmu_idx, retaddr); + index = tlb_index(env, mmu_idx, addr); + entry = tlb_entry(env, mmu_idx, addr); } tlb_addr = tlb_addr_write(entry) & ~TLB_INVALID_MASK; } diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index f580e4dd7e..88cc8389e9 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -1045,6 +1045,8 @@ tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr) if (unlikely(!tlb_hit(entry->addr_code, addr))) { if (!VICTIM_TLB_HIT(addr_code, addr)) { tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0); + index = tlb_index(env, mmu_idx, addr); + entry = tlb_entry(env, mmu_idx, addr); } assert(tlb_hit(entry->addr_code, addr)); } @@ -1125,6 +1127,8 @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr, if (!VICTIM_TLB_HIT(addr_write, addr)) { tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_STORE, mmu_idx, retaddr); + index = tlb_index(env, mmu_idx, addr); + tlbe = tlb_entry(env, mmu_idx, addr); } tlb_addr = tlb_addr_write(tlbe) & ~TLB_INVALID_MASK; } -- 2.17.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH 0/2] 2019-02-09 16:27 [Qemu-devel] [PATCH 0/2] Emilio G. Cota 2019-02-09 16:27 ` [Qemu-devel] [PATCH 1/2] exec-all: document that tlb_fill can trigger a TLB resize Emilio G. Cota 2019-02-09 16:27 ` [Qemu-devel] [PATCH 2/2] cputlb: update TLB entry/index after tlb_fill Emilio G. Cota @ 2019-02-09 17:09 ` Richard Henderson 2 siblings, 0 replies; 5+ messages in thread From: Richard Henderson @ 2019-02-09 17:09 UTC (permalink / raw) To: Emilio G. Cota, qemu-devel; +Cc: Max Filippov, Alex Bennée On 2/9/19 8:27 AM, Emilio G. Cota wrote: > Fix a bug introduced with dynamic TLB sizing -- we forgot to account > for possible TLB resizes during tlb_fill(). > > Max reported the bug and provided a reproducer here: > https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg02283.html Thanks, queued. r~ ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-02-09 20:48 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2019-02-09 16:27 [Qemu-devel] [PATCH 0/2] Emilio G. Cota 2019-02-09 16:27 ` [Qemu-devel] [PATCH 1/2] exec-all: document that tlb_fill can trigger a TLB resize Emilio G. Cota 2019-02-09 20:48 ` Alex Bennée 2019-02-09 16:27 ` [Qemu-devel] [PATCH 2/2] cputlb: update TLB entry/index after tlb_fill Emilio G. Cota 2019-02-09 17:09 ` [Qemu-devel] [PATCH 0/2] Richard Henderson
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).