[Qemu-devel] [PULL 4/4] translate-all: Fix user-mode self-modifying code in 2 page long TB

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Richard Henderson <rth@twiddle.net>
To: qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, Stanislav Shmarov <snarpix@gmail.com>
Subject: [Qemu-devel] [PULL 4/4] translate-all: Fix user-mode self-modifying code in 2 page long TB
Date: Fri,  8 Jul 2016 13:38:39 -0700	[thread overview]
Message-ID: <1468010319-16494-5-git-send-email-rth@twiddle.net> (raw)
In-Reply-To: <1468010319-16494-1-git-send-email-rth@twiddle.net>

From: Stanislav Shmarov <snarpix@gmail.com>

In user-mode emulation Translation Block can consist of 2 guest pages.
In that case QEMU also mprotects 2 host pages that are dedicated for
guest memory, containing instructions. QEMU detects self-modifying code
with SEGFAULT signal processing.

In case if instruction in 1st page is modifying memory of 2nd
page (or vice versa) QEMU will mark 2nd page with PAGE_WRITE,
invalidate TB, generate new TB contatining 1 guest instruction and
exit to CPU loop. QEMU won't call mprotect, and new TB will cause
same SEGFAULT. Page will have both PAGE_WRITE_ORG and PAGE_WRITE
flags, so QEMU will handle the signal as guest binary problem,
and exit with guest SEGFAULT.

Solution is to do following: In case if current TB was invalidated
continue to invalidate TBs from remaining guest pages and mark pages
as PAGE_WRITE. After that disable host page protection with mprotect.
If current tb was invalidated longjmp to main loop. That is more
efficient, since we won't get SEGFAULT when executing new TB.

Reviewed-by: Sergey Fedorov <sergey.fedorov@linaro.org>
Signed-off-by: Stanislav Shmarov <snarpix@gmail.com>
Message-Id: <1467880392-1043630-1-git-send-email-snarpix@gmail.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
---
 translate-all.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/translate-all.c b/translate-all.c
index eaa95e4..0d47c1c 100644
--- a/translate-all.c
+++ b/translate-all.c
@@ -2000,6 +2000,7 @@ int page_check_range(target_ulong start, target_ulong len, int flags)
 int page_unprotect(target_ulong address, uintptr_t pc)
 {
     unsigned int prot;
+    bool current_tb_invalidated;
     PageDesc *p;
     target_ulong host_start, host_end, addr;
 
@@ -2021,6 +2022,7 @@ int page_unprotect(target_ulong address, uintptr_t pc)
         host_end = host_start + qemu_host_page_size;
 
         prot = 0;
+        current_tb_invalidated = false;
         for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
             p = page_find(addr >> TARGET_PAGE_BITS);
             p->flags |= PAGE_WRITE;
@@ -2028,10 +2030,7 @@ int page_unprotect(target_ulong address, uintptr_t pc)
 
             /* and since the content will be modified, we must invalidate
                the corresponding translated code. */
-            if (tb_invalidate_phys_page(addr, pc)) {
-                mmap_unlock();
-                return 2;
-            }
+            current_tb_invalidated |= tb_invalidate_phys_page(addr, pc);
 #ifdef DEBUG_TB_CHECK
             tb_invalidate_check(addr);
 #endif
@@ -2040,7 +2039,8 @@ int page_unprotect(target_ulong address, uintptr_t pc)
                  prot & PAGE_BITS);
 
         mmap_unlock();
-        return 1;
+        /* If current TB was invalidated return to main loop */
+        return current_tb_invalidated ? 2 : 1;
     }
     mmap_unlock();
     return 0;
-- 
2.7.4

next prev parent reply	other threads:[~2016-07-08 20:39 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-07-08 20:38 [Qemu-devel] [PULL 0/4] tlb fixes for self-modifying code Richard Henderson
2016-07-08 20:38 ` [Qemu-devel] [PULL 1/4] cputlb: Move VICTIM_TLB_HIT out of line Richard Henderson
2016-07-08 20:38 ` [Qemu-devel] [PULL 2/4] cputlb: Add address parameter to VICTIM_TLB_HIT Richard Henderson
2016-07-08 20:38 ` [Qemu-devel] [PULL 3/4] cputlb: Fix for self-modifying writes across page boundaries Richard Henderson
2016-07-29  2:50   ` TeLeMan
2016-07-08 20:38 ` Richard Henderson [this message]
2016-07-11 17:46 ` [Qemu-devel] [PULL 0/4] tlb fixes for self-modifying code Peter Maydell

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:eaa95e4 dfblob:0d47c1c )
 OR (
bs:"[Qemu-devel] [PULL 4/4] translate-all: Fix user-mode self-modifying code in 2 page long TB" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1468010319-16494-5-git-send-email-rth@twiddle.net \
    --to=rth@twiddle.net \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=snarpix@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).