From: Sergey Fedorov
Date: Mon, 16 May 2016 16:13:00 +0300
Message-Id: <1463404380-29302-1-git-send-email-sergey.fedorov@linaro.org>
Subject: [Qemu-devel] [PATCH] cpu-exec: Fix direct jump to TB spanning page
To: qemu-devel@nongnu.org
Cc: Alex Bennée, Sergey Fedorov, Sergey Fedorov, Paolo Bonzini, Peter Crosthwaite, Richard Henderson

It is not safe to make a direct jump to a TB spanning two pages in system emulation because the mapping for the second page can get changed but we don't take care of direct jumps in this case. However, in user mode emulation, this is not the case because there's only static address translation and TBs are always invalidated properly.

Fixes: 5b053a4a2827 ("tcg: Clean up direct block chaining safety checks")
Reported-by: Max Filippov
Signed-off-by: Sergey Fedorov
Signed-off-by: Sergey Fedorov
---
 cpu-exec.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/cpu-exec.c b/cpu-exec.c
index 14df1aacf42a..ec2364df624d 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -344,6 +344,15 @@ static inline TranslationBlock *tb_find_fast(CPUState *cpu, *last_tb = NULL; cpu->tb_flushed = false; } +#ifndef CONFIG_USER_ONLY + /* We don't take care of direct jumps when address mapping changes in + * system emulation. So it's not safe to make a direct jump to a TB + * spanning two pages because the mapping for the second page can change. + */ + if (tb->page_addr[1] != -1) { + *last_tb = NULL; + } +#endif /* See if we can patch the calling TB. */ if (*last_tb && !qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) { tb_add_jump(*last_tb, tb_exit, tb); -- 1.9.1
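Review bot: The new guard `if (tb->page_addr[1] != -1) { *last_tb = NULL; }` reuses clearing `*last_tb` as the "do not chain" signal, the same convention the preceding `cpu->tb_flushed` block relies on, so the only thing the later `if (*last_tb && !qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN))` test sees is an absent caller; that is correct, but the in-code comment should state that the check is about the jump target's second page (the `tb` being jumped into, not the jumping `*last_tb`), since a reader of this hunk alone cannot tell which side of the chain is being protected. The comment should also record why the `#ifndef CONFIG_USER_ONLY` exemption is safe (static address translation and proper TB invalidation in user mode, as the commit message says), because the ifdef by itself reads as an optimisation rather than a correctness boundary, and a future refactor that moves this block above the `cpu->tb_flushed` handling would silently lose the flush-path clearing order that both checks depend on.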