From: Nicholas Piggin <npiggin@gmail.com>
To: qemu-ppc@nongnu.org
Cc: "Nicholas Piggin" <npiggin@gmail.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Daniel Henrique Barboza" <danielhb413@gmail.com>,
qemu-devel@nongnu.org, "Peter Maydell" <peter.maydell@linaro.org>,
qemu-arm@nongnu.org, qemu-riscv@nongnu.org,
qemu-s390x@nongnu.org
Subject: [PATCH-for-9.1 v2 0/3] target/ppc: fix tlb flushing race (plus
Date: Fri, 5 Apr 2024 22:53:35 +1000 [thread overview]
Message-ID: <20240405125340.380828-1-npiggin@gmail.com> (raw)
ppc's broadcast tlb flush must ensure all vCPUs have invalidated
their TLBs when the tlbie sequence completes. This is not true in
the current TCG implementation, due to async_run_on_cpu() returning
before the remote CPU runs the job.

Fixing ppc requires moving to async_safe_run_on_cpu(); however, this
API does not guarantee that either, and actually changing to the
tlb_flush_*_all_cpus_synced() variants introduces another race,
which is that the flush is not even guaranteed to complete on the
local CPU. To ensure that it is, the tlbie has to be made the last
instruction in the TB.

Fixing ppc removes the last caller of the non-synced TLB flush
variants, so we can remove some dead code too.

For others - at least arm, riscv, and s390x all use the
tlb_flush_*_all_cpus_synced() calls AFAIKS without ending the TB. But
it's possible I've missed where they do, or they have other issues that
mean it's not required for the flush to take effect until some later
operation which does end the TB. Maybe there is no problem, but it might
be worth looking at.

To reproduce, I have a kvm-unit-tests case for ppc but it should be quite
easy to port to other archs. You just need to be careful for the local
CPU test case that your tlbi instruction is in the same TB as the
subsequent load/store that is to incorrectly use a stale translation.

https://gitlab.com/npiggin/kvm-unit-tests/-/tree/powerpc

The test 'powerpc/mmu.elf tlbie:tlbi-other-cpu' breaks with upstream
QEMU. If we use tlb_flush_*_all_cpus_synced() like other archs, then
'powerpc/mmu.elf tlbie:tlbi-this-cpu' also breaks.

Since v1 I understood the full problem and fix, and fixed the fix.

Thanks,
Nick
Nicholas Piggin (3):
target/ppc: Fix broadcast tlbie synchronisation
tcg/cputlb: Remove non-synced variants of global TLB flushes
tcg/cputlb: remove other-cpu capability from TLB flushing
docs/devel/multi-thread-tcg.rst | 13 +-
include/exec/exec-all.h | 97 ++-----------
accel/tcg/cputlb.c | 145 ++-----------------
target/ppc/helper_regs.c | 2 +-
target/ppc/mmu_helper.c | 2 +-
target/ppc/translate.c | 7 +
target/ppc/translate/storage-ctrl-impl.c.inc | 7 +
7 files changed, 44 insertions(+), 229 deletions(-)
--
2.43.0
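The local-CPU half of the race described in the cover letter (the 'tlbi-this-cpu' case), as an added toy model in C that is not QEMU code: the TLB flush is queued as deferred work that only runs when the translation block ends, so a load in the same TB after the tlbie still uses the stale translation unless the tlbie itself ends the TB. Every type, function and address here is constructed for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: a vCPU with a single-entry TLB and a counter of
 * flushes that have been requested but not yet applied. */
typedef struct { int vaddr; int paddr; bool valid; } TlbEntry;
typedef struct { TlbEntry tlb; int pending_flush; } VCpu;

static int page_table_paddr = 0x1000; /* constructed mapping for vaddr 0 */

static void tlb_flush_now(VCpu *c) { c->tlb.valid = false; }

/* Deferred flush: queued, and only applied when the vCPU leaves the
 * current TB (models async work that is not run inside the TB). */
static void tlb_flush_deferred(VCpu *c) { c->pending_flush++; }

static void end_of_tb(VCpu *c) {
    if (c->pending_flush) { tlb_flush_now(c); c->pending_flush = 0; }
}

/* A load translates through the TLB, refilling from the page table on a miss. */
static int load_paddr(VCpu *c, int vaddr) {
    if (!c->tlb.valid || c->tlb.vaddr != vaddr)
        c->tlb = (TlbEntry){ vaddr, page_table_paddr, true };
    return c->tlb.paddr;
}

/* Guest sequence: load (fills TLB with the old mapping), remap the page,
 * tlbie, then another load in the SAME TB. Returns the paddr that the
 * second load actually used; 0x2000 is correct, 0x1000 is stale. */
static int run_sequence(bool end_tb_after_tlbie) {
    VCpu c = { { 0, 0, false }, 0 };
    page_table_paddr = 0x1000;
    load_paddr(&c, 0);                       /* TLB caches vaddr 0 -> 0x1000 */
    page_table_paddr = 0x2000;               /* guest updates the page table */
    tlb_flush_deferred(&c);                  /* tlbie: flush queued, not applied */
    if (end_tb_after_tlbie) end_of_tb(&c);   /* the fix: tlbie ends the TB */
    int p = load_paddr(&c, 0);               /* load that follows the tlbie */
    end_of_tb(&c);
    return p;
}

int main(void) {
    printf("tlbie mid-TB:   load used 0x%x\n", run_sequence(false)); /* 0x1000, stale */
    printf("tlbie ends TB:  load used 0x%x\n", run_sequence(true));  /* 0x2000 */
    return 0;
}
```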
Thread overview:
2024-04-05 12:53 Nicholas Piggin [this message]
2024-04-05 12:53 ` [PATCH v2 1/3] target/ppc: Fix broadcast tlbie synchronisation Nicholas Piggin
2024-04-05 12:53 ` [PATCH v2 2/3] tcg/cputlb: Remove non-synced variants of global TLB flushes Nicholas Piggin
2024-04-05 17:08 ` Richard Henderson
2024-04-05 12:53 ` [PATCH v2 3/3] tcg/cputlb: remove other-cpu capability from TLB flushing Nicholas Piggin
2024-04-05 17:09 ` Richard Henderson