From: Michael Tokarev <mjt@tls.msk.ru>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, "Nicholas Piggin" <npiggin@gmail.com>,
	"Cédric Le Goater" <clg@kaod.org>,
	"Michael Tokarev" <mjt@tls.msk.ru>
Subject: [Stable-8.2.2 66/78] target/ppc: Fix crash on machine check caused by ifetch
Date: Thu, 29 Feb 2024 01:54:42 +0300
Message-ID: <20240228225455.274062-6-mjt@tls.msk.ru>
In-Reply-To: <qemu-stable-8.2.2-20240229000326@cover.tls.msk.ru>

From: Nicholas Piggin <npiggin@gmail.com>

is_prefix_insn_excp() loads the first word of the instruction address
which caused an exception, to determine whether or not it was prefixed
so the prefix bit can be set in [H]SRR1.

This works if the instruction image can be loaded, but if the exception
was caused by an ifetch, this load could fail and cause a recursive
exception and crash. Machine checks caused by ifetch are not excluded
from the prefix check and can crash (see issue 2108 for an example).

Fix this by excluding machine checks caused by ifetch from the prefix
check.

Cc: qemu-stable@nongnu.org
Acked-by: Cédric Le Goater <clg@kaod.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2108
Fixes: 55a7fa34f89 ("target/ppc: Machine check on invalid real address access on POWER9/10")
Fixes: 5a5d3b23cb2 ("target/ppc: Add SRR1 prefix indication to interrupt handlers")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
(cherry picked from commit c8fd9667e5975fe2e70a906e125a758737eab707)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
index a42743a3e0..9b8fd69b85 100644
--- a/target/ppc/excp_helper.c
+++ b/target/ppc/excp_helper.c
@@ -1312,6 +1312,10 @@ static bool is_prefix_insn_excp(PowerPCCPU *cpu, int excp)
 {
     CPUPPCState *env = &cpu->env;
 
+    if (!(env->insns_flags2 & PPC2_ISA310)) {
+        return false;
+    }
+
     if (!tcg_enabled()) {
         /*
          * This does not load instructions and set the prefix bit correctly
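Review bot: the new `if (!(env->insns_flags2 & PPC2_ISA310)) return false;` guard at the top of is_prefix_insn_excp() is not mentioned in the commit message, which only discusses machine checks caused by ifetch; please add a sentence for it, because it changes behaviour for every pre-ISA-3.1 CPU model by skipping the `ppc_ldl_code()` load entirely. The guard itself is correct (prefixed instructions exist only from ISA 3.1, so those models can never have the prefix bit set) and it has the useful side effect of removing a guest memory access from the exception path on those models. Placing it ahead of the `tcg_enabled()` check is fine, since neither branch below it needs the instruction image.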
@@ -1322,6 +1326,15 @@ static bool is_prefix_insn_excp(PowerPCCPU *cpu, int excp)
     }
 
     switch (excp) {
+    case POWERPC_EXCP_MCHECK:
+        if (!(env->error_code & PPC_BIT(42))) {
+            /*
+             * Fetch attempt caused a machine check, so attempting to fetch
+             * again would cause a recursive machine check.
+             */
+            return false;
+        }
+        break;
     case POWERPC_EXCP_HDSI:
         /* HDSI PRTABLE_FAULT has the originating access type in error_code */
         if ((env->spr[SPR_HDSISR] & DSISR_PRTABLE_FAULT) &&
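Review bot: the new `POWERPC_EXCP_MCHECK` case infers "this machine check was caused by a fetch" from `PPC_BIT(42)` being clear in `env->error_code`, so the fix is only as strong as the convention that every producer of a machine check sets bit 42 for data accesses and leaves it clear for fetches. The comment says what the branch avoids but not the invariant it depends on; suggest stating it at the test site, e.g. `/* PPC_BIT(42) set in error_code means a data access; clear means ifetch */`, or, better, keying the decision on an explicit fetch indication rather than on the absence of a bit that some other machine-check path could leave clear for an unrelated reason and thereby re-enter the load.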
@@ -1332,10 +1345,10 @@ static bool is_prefix_insn_excp(PowerPCCPU *cpu, int excp)
              * instruction at NIP would cause recursive faults with the same
              * translation).
              */
-            break;
+            return false;
         }
-        /* fall through */
-    case POWERPC_EXCP_MCHECK:
+        break;
+
     case POWERPC_EXCP_DSI:
     case POWERPC_EXCP_DSEG:
     case POWERPC_EXCP_ALIGN:
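Review bot: behaviour for `POWERPC_EXCP_HDSI` is unchanged by this hunk (the fetch-caused PRTABLE_FAULT path previously hit `break` and then the trailing `return false`; it now returns false directly, and the non-fetch path reaches the common load via `break` instead of falling through), so the real effect is only that `POWERPC_EXCP_MCHECK` no longer shares this fall-through. Two small points: the added blank line after `break;` before `case POWERPC_EXCP_DSI:` is inconsistent with the rest of this switch, where cases are not blank-separated; and the comment just above (`instruction at NIP would cause recursive faults with the same translation`) describes exactly the hazard the new MCHECK case handles, so a one-line cross-reference between the two would help the next reader see they are the same rule.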
@@ -1346,17 +1359,13 @@ static bool is_prefix_insn_excp(PowerPCCPU *cpu, int excp)
     case POWERPC_EXCP_VPU:
     case POWERPC_EXCP_VSXU:
     case POWERPC_EXCP_FU:
-    case POWERPC_EXCP_HV_FU: {
-        uint32_t insn = ppc_ldl_code(env, env->nip);
-        if (is_prefix_insn(env, insn)) {
-            return true;
-        }
+    case POWERPC_EXCP_HV_FU:
         break;
-    }
     default:
-        break;
+        return false;
     }
-    return false;
+
+    return is_prefix_insn(env, ppc_ldl_code(env, env->nip));
 }
 #else
 static bool is_prefix_insn_excp(PowerPCCPU *cpu, int excp)
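Review bot: the inverted switch, where `break` now means "safe to load the instruction" and `default:` returns false, is a better failure mode than the old structure, but the final `return is_prefix_insn(env, ppc_ldl_code(env, env->nip));` still performs a guest memory access for every exception type listed above it, so any exception added to that list later that can itself be raised by an ifetch will regress exactly like issue 2108. Suggest a comment immediately above the final return stating the precondition (every case that reaches it has already excluded fetch-caused instances), so the invariant is visible at the point where the load happens and not only inside the MCHECK and HDSI cases. Dropping the `uint32_t insn` temporary and the extra brace block is a welcome simplification.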
@@ -3224,6 +3233,7 @@ void ppc_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
 
     switch (env->excp_model) {
 #if defined(TARGET_PPC64)
+    case POWERPC_EXCP_POWER8:
     case POWERPC_EXCP_POWER9:
     case POWERPC_EXCP_POWER10:
         /*
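Review bot: adding `case POWERPC_EXCP_POWER8:` to `ppc_cpu_do_transaction_failed()` is a behaviour change for POWER8 models that the commit message does not mention, and the `Fixes:` tag cites the POWER9/10 machine-check commit only; please say in the log why POWER8 should now take the same machine-check path and what it did before (the previous handling is outside this hunk), so that stable reviewers can judge this part of the backport on its own rather than as an incidental part of the ifetch fix.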
@@ -3245,6 +3255,10 @@ void ppc_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
             env->error_code |= PPC_BIT(42);
 
         } else { /* Fetch */
+            /*
+             * is_prefix_insn_excp() tests !PPC_BIT(42) to avoid fetching
+             * the instruction, so that must always be clear for fetches.
+             */
             env->error_code = PPC_BIT(36) | PPC_BIT(44) | PPC_BIT(45);
         }
         break;
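Review bot: the new comment documents the contract between this function and `is_prefix_insn_excp()` in the only place it is enforced, which is by convention. Both sides use the raw `PPC_BIT(42)` literal (`env->error_code |= PPC_BIT(42)` in the data branch above, `!(env->error_code & PPC_BIT(42))` in the consumer), so consider a named macro for that bit to make the dependency greppable; and since it is the fetch branch's use of `=` rather than `|=` that actually guarantees bit 42 is clear, the comment would be stronger if it said so explicitly instead of only stating that the bit "must always be clear for fetches".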
-- 
2.39.2