From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:45302)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <alex.bennee@linaro.org>) id 1bJF3V-00073S-Hg
	for qemu-devel@nongnu.org; Sat, 02 Jul 2016 03:09:34 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <alex.bennee@linaro.org>) id 1bJF3T-0006mh-C4
	for qemu-devel@nongnu.org; Sat, 02 Jul 2016 03:09:32 -0400
Received: from mail-wm0-x22f.google.com ([2a00:1450:400c:c09::22f]:38043)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <alex.bennee@linaro.org>) id 1bJF3T-0006mb-5a
	for qemu-devel@nongnu.org; Sat, 02 Jul 2016 03:09:31 -0400
Received: by mail-wm0-x22f.google.com with SMTP id r201so53749194wme.1
	for <qemu-devel@nongnu.org>; Sat, 02 Jul 2016 00:09:31 -0700 (PDT)
References: <1467389770-9738-1-git-send-email-alex.bennee@linaro.org>
	<1467389770-9738-2-git-send-email-alex.bennee@linaro.org>
	<20160702001736.GA2295@flamenco>
From: Alex =?utf-8?Q?Benn=C3=A9e?= <alex.bennee@linaro.org>
In-reply-to: <20160702001736.GA2295@flamenco>
Date: Sat, 02 Jul 2016 08:09:35 +0100
Message-ID: <87y45kiki8.fsf@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Subject: Re: [Qemu-devel] [PATCH 1/2] tcg: Ensure safe tb_jmp_cache lookup
 out of 'tb_lock'
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Emilio G. Cota" <cota@braap.org>
Cc: mttcg@listserver.greensocs.com, qemu-devel@nongnu.org, fred.konrad@greensocs.com, a.rigo@virtualopensystems.com, serge.fdrv@gmail.com, bobby.prani@gmail.com, rth@twiddle.net, mark.burton@greensocs.com, pbonzini@redhat.com, jan.kiszka@siemens.com, peter.maydell@linaro.org, claudio.fontana@huawei.com, Sergey Fedorov <sergey.fedorov@linaro.org>, Peter Crosthwaite <crosthwaite.peter@gmail.com>


Emilio G. Cota <cota@braap.org> writes:

> On Fri, Jul 01, 2016 at 17:16:09 +0100, Alex Bennée wrote:
>> From: Sergey Fedorov <serge.fdrv@gmail.com>
> (snip)
>> @@ -333,7 +338,7 @@ static inline TranslationBlock *tb_find_fast(CPUState *cpu,
>>         is executed. */
>>      cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
>>      tb_lock();
>> -    tb = cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)];
>> +    tb = atomic_read(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)]);
>>      if (unlikely(!tb || tb->pc != pc || tb->cs_base != cs_base ||
>>                   tb->flags != flags)) {
>>          tb = tb_find_slow(cpu, pc, cs_base, flags);
>> diff --git a/translate-all.c b/translate-all.c
>> index eaa95e4..1fcfe79 100644
>> --- a/translate-all.c
>> +++ b/translate-all.c
>> @@ -1004,11 +1004,16 @@ void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr)
>>          invalidate_page_bitmap(p);
>>      }
>>
>> +    /* Ensure that we won't find the TB in the shared hash table
>> +     * if we con't see it in CPU's local cache.
>
> s/con't/can't/
>
>> +     * Pairs with smp_rmb() in tb_find_slow(). */
>> +    smp_wmb();
>
> This fence is already embedded in qht_remove, since it internally
> calls seqlock_write_end() on a successful removal, so we could get
> away with a comment instead of emitting a redundant fence.
> However, if qht ever changed its implementation this would have
> to be taken into account. So I'd be OK with emitting the
> fence here too.
>
>> +
>>      /* remove the TB from the hash list */
>>      h = tb_jmp_cache_hash_func(tb->pc);
>>      CPU_FOREACH(cpu) {
>>          if (cpu->tb_jmp_cache[h] == tb) {
>
> Missing atomic_read here: if (atomic_read(cpu->tb_jmp_cache[...])) {

Oops, good catch.

>
>> -            cpu->tb_jmp_cache[h] = NULL;
>> +            atomic_set(&cpu->tb_jmp_cache[h], NULL);
>
> Other than that,
>
>   Reviewed-by: Emilio G. Cota <cota@braap.org>


--
Alex Bennée