From: Daniel Henrique Barboza <danielhb413@gmail.com>
To: qemu-devel@nongnu.org
Cc: qemu-ppc@nongnu.org, danielhb413@gmail.com,
peter.maydell@linaro.org, richard.henderson@linaro.org,
Nicholas Piggin <npiggin@gmail.com>,
sdicaro@DDCI.com
Subject: [PULL 24/29] target/ppc: Fix decrementer time underflow and infinite timer loop
Date: Sat, 10 Jun 2023 10:31:27 -0300 [thread overview]
Message-ID: <20230610133132.290703-25-danielhb413@gmail.com> (raw)
In-Reply-To: <20230610133132.290703-1-danielhb413@gmail.com>
From: Nicholas Piggin <npiggin@gmail.com>
It is possible to store a very large value to the decrementer such that it
does not raise the decrementer exception, so the timer is scheduled, but
the next time value wraps and is treated as in the past.
This can occur if (u64)-1 is stored on a zero-triggered exception, or
(u64)-1 is stored twice on an underflow-triggered exception, for
example.
If such a value is set in DECAR, it gets stored to the decrementer by
the timer function, which then immediately causes another timer, which
hangs QEMU.
Clamp the decrementer to the implemented width, and use that as the
value for the timer calculation, effectively preventing this overflow.
Reported-by: sdicaro@DDCI.com
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20230530131214.373524-1-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
---
hw/ppc/ppc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/ppc/ppc.c b/hw/ppc/ppc.c
index 4e816c68c7..d80b0adc6c 100644
--- a/hw/ppc/ppc.c
+++ b/hw/ppc/ppc.c
@@ -798,6 +798,8 @@ static void __cpu_ppc_store_decr(PowerPCCPU *cpu, uint64_t *nextp,
int64_t signed_decr;
/* Truncate value to decr_width and sign extend for simplicity */
+ value = extract64(value, 0, nr_bits);
+ decr = extract64(decr, 0, nr_bits);
signed_value = sextract64(value, 0, nr_bits);
signed_decr = sextract64(decr, 0, nr_bits);
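Review bot: the two `sextract64()` calls directly below already mask to `nr_bits`, so the new `value = extract64(value, 0, nr_bits);` only changes later uses of the full-width `value` (per the commit message, the timer deadline calculation, which is outside this hunk); the comment "Truncate value to decr_width and sign extend for simplicity" now understates why the truncation matters, so consider extending it to say the clamped `value` is also what feeds the timer calculation, preventing the wrap. The `decr = extract64(decr, 0, nr_bits);` line is harmless but, as far as these lines show, only affects consumers of the raw `decr`; if there are none besides the trace, a short note in the commit message would make that intent clear.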
--
2.40.1
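To make the wrap described in the commit message concrete, here is an added C model (not QEMU's own code) of the deadline arithmetic in __cpu_ppc_store_decr(): extract64_lo, sextract64_lo and muldiv64_model are local stand-ins for QEMU's helpers, and the 32-bit decrementer width, 512 MHz decrementer frequency and the sample "now" timestamp are assumed inputs chosen for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NANOSECONDS_PER_SECOND 1000000000ULL

/* Low nr_bits of value, zero-extended (stand-in for extract64(value, 0, nr_bits)). */
static uint64_t extract64_lo(uint64_t value, int nr_bits)
{
    return nr_bits >= 64 ? value : (value & ((1ULL << nr_bits) - 1));
}

/* Low nr_bits of value, sign-extended (stand-in for sextract64(value, 0, nr_bits)).
 * Relies on arithmetic right shift of signed values, as QEMU's helper does. */
static int64_t sextract64_lo(uint64_t value, int nr_bits)
{
    uint64_t lo = extract64_lo(value, nr_bits);
    return nr_bits >= 64 ? (int64_t)lo
                         : ((int64_t)(lo << (64 - nr_bits))) >> (64 - nr_bits);
}

/* a * b / c with a 128-bit intermediate, result truncated to 64 bits. */
static uint64_t muldiv64_model(uint64_t a, uint32_t b, uint32_t c)
{
    return (uint64_t)(((unsigned __int128)a * b) / c);
}

/* Deadline (ns) the timer would be armed with after a DECR store of `value`.
 * With clamp == true the stored value is first truncated to nr_bits, which is
 * what the patch adds; without it a (u64)-1 store feeds muldiv64 the full
 * 64-bit value and the sum wraps into the past. */
static int64_t decr_deadline(int64_t now, uint64_t value, int nr_bits,
                             uint32_t decr_freq, bool clamp)
{
    if (clamp) {
        value = extract64_lo(value, nr_bits);
    }
    uint64_t ns = muldiv64_model(value, NANOSECONDS_PER_SECOND, decr_freq);
    return (int64_t)((uint64_t)now + ns);   /* unsigned add: wraps instead of UB */
}

/* QEMU's timer list fires an entry as soon as current_time >= expire_time,
 * so a deadline at or before "now" means an immediate (re)trigger. */
static bool deadline_in_past(int64_t now, int64_t next)
{
    return next <= now;
}

int main(void)
{
    const int64_t now = 1000000000;          /* constructed: 1 s of virtual time */
    const uint32_t freq = 512000000;         /* assumed decrementer frequency */
    printf("signed view of (u64)-1 in 32 bits: %lld\n", (long long)sextract64_lo(UINT64_MAX, 32));
    printf("unclamped store: in past = %d\n", deadline_in_past(now, decr_deadline(now, UINT64_MAX, 32, freq, false)));
    printf("clamped store:   in past = %d\n", deadline_in_past(now, decr_deadline(now, UINT64_MAX, 32, freq, true)));
    return 0;
}
```

The unclamped case yields a deadline below `now`, the condition under which the timer callback re-stores DECAR and re-arms immediately; the clamped case lands about 8.4 s out.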