Date: Sat, 30 Sep 2023 22:33:18 +0900
Message-ID: <87jzs7u6ox.wl-ysato@users.sourceforge.jp>
From: Yoshinori Sato
To: Mikulas Patocka
Cc: Richard Henderson, Magnus Damm, qemu-devel@nongnu.org
Subject: Re: [PATCH] target/sh4: fix crashes on signal delivery

On Fri, 29 Sep 2023 01:42:08 +0900, Mikulas Patocka wrote:
> 
> sh4 uses gUSA (general UserSpace Atomicity) to provide atomicity on CPUs
> that don't have atomic instructions. A gUSA region that adds 1 to an
> atomic variable stored in @R2 looks like this:
> 
>   4004b6:       03 c7           mova    4004c4 ,r0
>   4004b8:       f3 61           mov     r15,r1
>   4004ba:       09 00           nop
>   4004bc:       fa ef           mov     #-6,r15
>   4004be:       22 63           mov.l   @r2,r3
>   4004c0:       01 73           add     #1,r3
>   4004c2:       32 22           mov.l   r3,@r2
>   4004c4:       13 6f           mov     r1,r15
> 
> R0 contains a pointer to the end of the gUSA region
> R1 contains the saved stack pointer
> R15 contains negative length of the gUSA region
> 
> When this region is interrupted by a signal, the kernel detects if
> R15 >= -128U. If yes, the kernel rolls back PC to the beginning of the
> region and restores SP by copying R1 to R15.
> 
> The problem happens if we are interrupted by a signal at address 4004c4.
> R15 still holds the value -6, but the atomic value was already written by
> an instruction at address 4004c2. In this situation we can't undo the
> gUSA. The function unwind_gusa does nothing; the signal handler attempts
> to push a signal frame to the address -6 and crashes.
> 
> This patch fixes it, so that if we are interrupted at the last instruction
> in a gUSA region, we copy R1 to R15 to restore the correct stack pointer
> and avoid crashing.
> 
> There's another bug: if we are interrupted in a delay slot, we save the
> address of the instruction in the delay slot. We must save the address of
> the previous instruction.
> 
> Signed-off-by: Mikulas Patocka
> Cc: qemu-stable@nongnu.org

Reviewed-by: Yoshinori Sato

> ---
>  linux-user/sh4/signal.c |    8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> Index: qemu/linux-user/sh4/signal.c
> ===================================================================
> --- qemu.orig/linux-user/sh4/signal.c	2023-09-27 19:02:41.000000000 +0200
> +++ qemu/linux-user/sh4/signal.c	2023-09-27 19:55:13.000000000 +0200
> @@ -104,6 +104,14 @@ static void unwind_gusa(CPUSH4State *reg
>  
>          /* Reset the SP to the saved version in R1. */
>          regs->gregs[15] = regs->gregs[1];
> +    } else if (regs->gregs[15] >= -128u && regs->pc == regs->gregs[0]) {
> +        /* If we are on the last instruction of a gUSA region, we must reset
> +           the SP, otherwise we would be pushing the signal context to
> +           invalid memory. */
> +        regs->gregs[15] = regs->gregs[1];
> +    } else if (regs->flags & TB_FLAG_DELAY_SLOT) {
> +        /* If we are in a delay slot, push the previous instruction. */
> +        regs->pc -= 2;
>      }
>  }
> 

-- 
Yosinori Sato
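Review bot: in the new delay-slot clause ("} else if (regs->flags & TB_FLAG_DELAY_SLOT) {" ... "regs->pc -= 2;") the comment "push the previous instruction" does not describe what the line does; it backs PC up by one instruction so that the branch owning the slot, not the slot, is the saved address. Suggest rewording to match the commit message, e.g. "If we are in a delay slot, back PC up to the branch so its address, not the slot's, is saved." The clause also rewrites pc while leaving regs->flags untouched: please confirm that whatever later resumes from this pc (signal delivery or sigreturn) clears the delay-slot flag, otherwise the re-executed branch would still be treated as sitting in a delay slot. Finally, because this clause comes after the two gUSA tests, an interrupt in a delay slot inside a gUSA region takes the rewind branch and never reaches it; a short remark that this ordering is intentional would save the next reader from re-deriving it.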
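To make the three cases concrete, here is an added stand-alone C model of unwind_gusa() before and after the patch, written for this page; it is not QEMU's code and not part of the patch. It is driven by the register values from the listing in the commit message (R0 = region end, R1 = saved SP, R15 = -6 while the region runs) and shows where the signal frame would be pushed in each case. Assumptions the message does not state: the mid-region rewind target is taken as R0 + R15 - 2, i.e. the "mov #-6,r15" that installs the temporary SP, so that a retry re-arms the region; the user stack pointer, the stack mapping range and the signal-frame size are constructed values; the in_delay_slot field stands in for the TB_FLAG_DELAY_SLOT bit.

```c
/* Added example, not QEMU's code: model of unwind_gusa() old vs. patched. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modelled subset of CPUSH4State. */
struct sh4_regs {
    uint32_t pc;
    uint32_t gregs[16];
    bool in_delay_slot;              /* stands in for TB_FLAG_DELAY_SLOT */
};

#define GUSA_REGION_END  0x4004c4u   /* mova target, held in R0 (from listing) */
#define GUSA_REGION_LEN  6u          /* from "mov #-6,r15" (from listing) */
#define REAL_SP          0x7ffff000u /* constructed user stack pointer */
#define STACK_LO         0x7fff0000u /* constructed stack mapping */
#define STACK_HI         0x80000000u
#define SIGFRAME_SIZE    0x180u      /* constructed; any size shows the point */

/* R15 in [-128, -1] under an unsigned compare marks an active gUSA region. */
static bool in_gusa(const struct sh4_regs *r)
{
    return r->gregs[15] >= -128u;
}

/* Unwinder as it stood before the patch: only the mid-region case. */
static void unwind_gusa_old(struct sh4_regs *r)
{
    if (in_gusa(r) && r->pc < r->gregs[0]) {
        r->pc = r->gregs[0] + r->gregs[15] - 2;   /* assumed rewind target */
        r->gregs[15] = r->gregs[1];
    }
}

/* Unwinder with the two cases the patch adds. */
static void unwind_gusa_new(struct sh4_regs *r)
{
    if (in_gusa(r) && r->pc < r->gregs[0]) {
        r->pc = r->gregs[0] + r->gregs[15] - 2;   /* assumed rewind target */
        r->gregs[15] = r->gregs[1];
    } else if (in_gusa(r) && r->pc == r->gregs[0]) {
        /* Last instruction: the store is already done, only SP is bogus. */
        r->gregs[15] = r->gregs[1];
    } else if (r->in_delay_slot) {
        /* Resume at the branch that owns the delay slot, not the slot. */
        r->pc -= 2;
    }
}

/* Register state of a task interrupted at 'pc' inside the listed region. */
static struct sh4_regs interrupted_at(uint32_t pc, bool delay_slot)
{
    struct sh4_regs r = {0};
    r.pc = pc;
    r.gregs[0] = GUSA_REGION_END;
    r.gregs[1] = REAL_SP;
    r.gregs[15] = -GUSA_REGION_LEN;   /* 0xfffffffa, i.e. -6 */
    r.in_delay_slot = delay_slot;
    return r;
}

/* Same, but interrupted in ordinary code with the real SP in R15. */
static struct sh4_regs interrupted_outside(uint32_t pc, bool delay_slot)
{
    struct sh4_regs r = interrupted_at(pc, delay_slot);
    r.gregs[15] = REAL_SP;
    return r;
}

static struct sh4_regs unwound(struct sh4_regs r, bool patched)
{
    if (patched) { unwind_gusa_new(&r); } else { unwind_gusa_old(&r); }
    return r;
}

static uint32_t pc_after(struct sh4_regs r, bool patched) { return unwound(r, patched).pc; }
static uint32_t sp_after(struct sh4_regs r, bool patched) { return unwound(r, patched).gregs[15]; }

/* Would the signal frame pushed after unwinding land inside the stack? */
static bool sigframe_ok(struct sh4_regs r, bool patched)
{
    uint32_t frame = (sp_after(r, patched) - SIGFRAME_SIZE) & ~7u;  /* 8-byte aligned */
    return frame >= STACK_LO && frame < STACK_HI;
}

int main(void)
{
    struct { const char *what; struct sh4_regs r; } cases[] = {
        { "mid-region (add #1,r3)",   interrupted_at(0x4004c0u, false) },
        { "last insn (mov r1,r15)",   interrupted_at(0x4004c4u, false) },
        { "delay slot, outside gUSA", interrupted_outside(0x400500u, true) },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        for (int p = 0; p < 2; p++) {
            printf("%-26s %s: pc=%08" PRIx32 " sp=%08" PRIx32 " frame %s\n",
                   cases[i].what, p ? "new" : "old", pc_after(cases[i].r, p),
                   sp_after(cases[i].r, p), sigframe_ok(cases[i].r, p) ? "ok" : "INVALID");
        }
    }
    return 0;
}
```

Build with "cc -std=c99 -Wall gusa_model.c" (file name is arbitrary) and run it. The "last insn / old" row is the crash from the commit message: SP is still 0xfffffffa, so the frame address wraps to 0xfffffe78, well outside the stack, while the patched row keeps PC at 4004c4 (the store has already happened, so nothing is re-executed) and restores SP from R1. The delay-slot rows show the second fix: only the patched unwinder moves PC back from 400500 to 4004fe.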