[Qemu-devel] another 64/32 mmap() bug

[Qemu-devel] another 64/32 mmap() bug

[Vince Weaver]

In trying to get the remaining spec2k/spec2k6 benchmarks to run, I've 
found another 64-bit/32-bit mmap() linux-user problem.

This could be a kernel problem.

The mmap() call in conjunction with MAP_32BIT will make sure the address 
of an allocation is < 32-bit.  The problem is it doesn't check that the
_entire address range_ is < 32-bit.

So it will return an address of say 0xffff0000 for an allocation of
128kB, and the end of that allocation will not be addressable, causing 
a segfault.

Vince

Re: [Qemu-devel] another 64/32 mmap() bug

[Vince Weaver]

Hello

So I've tracked down this problem.  The linux-user mmap() code does not 
check to see if an allocation crosses the 2^32 barrier, which is a problem 
for emulating 32-bit code on a 64-bit machine.

The attached patch is a hack that fixes this problem, and also the related 
mremap() problem.  These definitely aren't meant to be committed. 
Hoepfully someone who understands the linux-user mmap() code better than I 
do can take a look at things.

With the patch though, I can finally run correctly all 48 of Spec2k on 
sparc32-linux-user on x86_64, and I can run all but 5 of Spec2k6.

Patch below, hoepfully pine doesn't mess it up this time.

Vince

Index: linux-user/mmap.c
===================================================================
--- linux-user/mmap.c	(revision 5321)
+++ linux-user/mmap.c	(working copy)
@@ -353,16 +353,27 @@
          host_offset = offset & qemu_host_page_mask;
          host_len = len + offset - host_offset;
          host_len = HOST_PAGE_ALIGN(host_len);
+try_again:
          mmap_start = mmap_find_vma(real_start, host_len);
          if (mmap_start == (abi_ulong)-1) {
              errno = ENOMEM;
              goto fail;
          }
+
+#if TARGET_ABI_BITS == 32 
+               /* vmw */
+        if ( (long)g2h(mmap_start)+host_len > 0xffff0000) {
+	   printf("WARNING! Host len too high: 0x%x + 0x%x\n",mmap_start,host_len);
+	   goto try_again;
+        }
+#endif 
+
          /* Note: we prefer to control the mapping address. It is
             especially important if qemu_host_page_size >
-           qemu_real_host_page_size */
+           qemu_real_host_page_size */
          p = mmap(g2h(mmap_start),
                   host_len, prot, flags | MAP_FIXED, fd, host_offset);
+
          if (p == MAP_FAILED)
              goto fail;
          /* update start so that it points to the file position at 'offset' */
@@ -538,6 +549,25 @@
      mmap_lock();
      /* XXX: use 5 args syscall */
      host_addr = (long)mremap(g2h(old_addr), old_size, new_size, flags);
+#if TARGET_ABI_BITS == 32
+    if (host_addr > 0xffffffff) {
+       void *temp_addr;
+ 
+       temp_addr = mmap(NULL,new_size,
+			PROT_READ|PROT_WRITE,MAP_ANONYMOUS|MAP_PRIVATE|MAP_32BIT, 0, 0);
+       memcpy(temp_addr,(void *)host_addr,old_size);
+       munmap((void *)host_addr,new_size); 
+       host_addr=(long)temp_addr;
+
+ 
+       if (host_addr > 0xffffffff) {
+ 
+          printf("ERROR!  mremap() returned 64-bit value on 32-bit target!\n\n");
+          exit(-1); 
+       }
+    }
+#endif 
+
      if (host_addr == -1) {
          new_addr = -1;
      } else {