From: Nicholas Piggin <npiggin@gmail.com>
To: qemu-ppc@nongnu.org
Cc: Nicholas Piggin <npiggin@gmail.com>,
qemu-devel@nongnu.org,
Daniel Henrique Barboza <dbarboza@ventanamicro.com>,
sdicaro@DDCI.com
Subject: [PATCH v1 1/2] target/ppc: Fix decrementer time underflow and infinite timer loop
Date: Tue, 30 May 2023 23:12:12 +1000
Message-ID: <20230530131214.373524-1-npiggin@gmail.com>
It is possible to store a very large value to the decrementer such that it
does not raise the decrementer exception, so the timer is scheduled, but
the next time value wraps and is treated as in the past.

This can occur if (u64)-1 is stored on a zero-triggered exception, or
(u64)-1 is stored twice on an underflow-triggered exception, for
example.

If such a value is set in DECAR, it gets stored to the decrementer by
the timer function, which then immediately causes another timer, which
hangs QEMU.

Clamp the decrementer to the implemented width, and use that as the
value for the timer calculation, effectively preventing this overflow.
Reported-by: sdicaro@DDCI.com
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
sdicaro@DDCI.com debugged and reported this, I just changed their fix
to extract variable bits so it works with large decrementer. So most
of the credit goes to them.
Thanks,
Nick
hw/ppc/ppc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/ppc/ppc.c b/hw/ppc/ppc.c
index 4e816c68c7..d80b0adc6c 100644
--- a/hw/ppc/ppc.c
+++ b/hw/ppc/ppc.c
@@ -798,6 +798,8 @@ static void __cpu_ppc_store_decr(PowerPCCPU *cpu, uint64_t *nextp,
int64_t signed_decr;
/* Truncate value to decr_width and sign extend for simplicity */
+ value = extract64(value, 0, nr_bits);
+ decr = extract64(decr, 0, nr_bits);
signed_value = sextract64(value, 0, nr_bits);
signed_decr = sextract64(decr, 0, nr_bits);
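Review bot: the context comment at the top of the hunk, "Truncate value to decr_width and sign extend for simplicity", no longer describes what the code does: the two added `extract64()` lines now clamp both `value` and `decr` to `nr_bits` as unsigned quantities before the `sextract64()` calls, and per the commit message the clamped `value` is what the timer calculation later consumes, so the truncation is load-bearing for timer scheduling rather than a convenience for the sign extension. Suggest updating the comment to something like `/* Clamp value and decr to decr_width (used for the timer), then sign extend */` so a later reader does not "simplify" the unsigned clamp away and reintroduce the wrap.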
--
2.40.1
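Added example, not QEMU code and not the patch author's: a stand-alone C model of the wrap the commit message describes and of the clamp the patch adds. `extract64()`/`sextract64()` below re-implement the semantics of QEMU's bitops helpers of the same name so the file compiles on its own; the timer model assumes a 1 GHz timebase (one decrementer tick equals one nanosecond) and a constructed "now", so the deadline arithmetic stays readable. `plan_decr_timer()`, `decr_timer_plan` and `clamp_preserves_signed()` are names invented for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Re-implementations of the semantics of QEMU's extract64()/sextract64()
 * (include/qemu/bitops.h), written here so this example is self-contained.
 */
static uint64_t extract64(uint64_t value, int start, int length)
{
    /* Bits [start, start+length) as an unsigned value; length may be 64. */
    return (value >> start) & (~0ULL >> (64 - length));
}

static int64_t sextract64(uint64_t value, int start, int length)
{
    /* Same field, sign-extended from its top bit (arithmetic right shift). */
    return ((int64_t)(value << (64 - length - start))) >> (64 - length);
}

/* Model assumption: 1 GHz timebase, so one decrementer tick == 1 ns. */
typedef struct {
    uint64_t decr_value;  /* value actually stored in the decrementer */
    int64_t deadline_ns;  /* when the timer would fire (may have wrapped) */
    bool in_past;         /* a wrapped deadline fires immediately: the loop */
} decr_timer_plan;

/* Hypothetical helper: schedule a timer for 'value' ticks from now_ns,
 * with or without the width clamp the patch adds. */
static decr_timer_plan plan_decr_timer(uint64_t value, int nr_bits,
                                       int64_t now_ns, bool clamp)
{
    decr_timer_plan p;
    if (clamp) {
        value = extract64(value, 0, nr_bits);  /* the patch's added clamp */
    }
    p.decr_value = value;
    /* Unsigned add so a 64-bit wrap is defined behaviour rather than UB;
     * the wrapped result is exactly the "treated as in the past" case. */
    p.deadline_ns = (int64_t)((uint64_t)now_ns + value);
    p.in_past = p.deadline_ns <= now_ns;
    return p;
}

/* The clamp leaves the signed interpretation the code already used intact,
 * because sextract64() only ever looked at the low nr_bits anyway. */
static bool clamp_preserves_signed(uint64_t value, int nr_bits)
{
    return sextract64(extract64(value, 0, nr_bits), 0, nr_bits)
        == sextract64(value, 0, nr_bits);
}

int main(void)
{
    const uint64_t all_ones = ~0ULL;  /* the (u64)-1 from the commit message */
    const int64_t now = 1000;         /* constructed "current time" in ns */
    /* 56 bits: a large-decrementer width narrower than the 64-bit register */
    decr_timer_plan before = plan_decr_timer(all_ones, 56, now, false);
    decr_timer_plan after = plan_decr_timer(all_ones, 56, now, true);

    printf("store 0x%016llx to a 56-bit decrementer at now=%lld ns\n",
           (unsigned long long)all_ones, (long long)now);
    printf("  unclamped: deadline %lld ns, in past: %d\n",
           (long long)before.deadline_ns, before.in_past);
    printf("  clamped:   decr 0x%016llx, deadline %lld ns, in past: %d\n",
           (unsigned long long)after.decr_value,
           (long long)after.deadline_ns, after.in_past);
    printf("  signed view unchanged by clamp: %d\n",
           clamp_preserves_signed(all_ones, 56));
    return 0;
}
```

Without the clamp, adding an all-ones tick count to the current time wraps to one nanosecond before "now", so the timer fires at once and, if the same value is reloaded from DECAR by the timer callback, fires again forever; with the clamp the stored value is bounded by the implemented width and the deadline lands in the future.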
Thread overview: 6+ messages
2023-05-30 13:12 Nicholas Piggin [this message]
2023-05-30 13:12 ` [PATCH v1 2/2] target/ppc: Decrementer fix BookE semantics Nicholas Piggin
2023-06-05 13:38 ` Daniel Henrique Barboza
2023-06-05 13:38 ` [PATCH v1 1/2] target/ppc: Fix decrementer time underflow and infinite timer loop Daniel Henrique Barboza
2023-06-07 9:26 ` Michael Tokarev
2023-06-07 9:43 ` Daniel Henrique Barboza