* [PATCH v2 for-8.0] target/s390x/tcg: Fix and improve the SACF instruction
@ 2022-12-01 18:44 Thomas Huth
2022-12-01 20:51 ` Richard Henderson
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Thomas Huth @ 2022-12-01 18:44 UTC (permalink / raw)
To: qemu-devel, Richard Henderson, David Hildenbrand, Ilya Leoshkevich
Cc: qemu-s390x
The SET ADDRESS SPACE CONTROL FAST instruction is not privileged, it can be
used from problem space, too. Just the switching to the home address space
is privileged and should still generate a privilege exception. This bug is
e.g. causing programs like Java that use the "getcpu" vdso kernel function
to crash (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990417#26 ).
While we're at it, also check if DAT is not enabled. In that case the
instruction is supposed to generate a special operation exception.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/655
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
target/s390x/tcg/insn-data.h.inc | 2 +-
target/s390x/tcg/cc_helper.c | 7 +++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/target/s390x/tcg/insn-data.h.inc b/target/s390x/tcg/insn-data.h.inc
index 7e952bdfc8..54d4250c9f 100644
--- a/target/s390x/tcg/insn-data.h.inc
+++ b/target/s390x/tcg/insn-data.h.inc
@@ -1365,7 +1365,7 @@
/* SERVICE CALL LOGICAL PROCESSOR (PV hypercall) */
F(0xb220, SERVC, RRE, Z, r1_o, r2_o, 0, 0, servc, 0, IF_PRIV | IF_IO)
/* SET ADDRESS SPACE CONTROL FAST */
- F(0xb279, SACF, S, Z, 0, a2, 0, 0, sacf, 0, IF_PRIV)
+ C(0xb279, SACF, S, Z, 0, a2, 0, 0, sacf, 0)
/* SET CLOCK */
F(0xb204, SCK, S, Z, 0, m2_64a, 0, 0, sck, 0, IF_PRIV | IF_IO)
/* SET CLOCK COMPARATOR */
diff --git a/target/s390x/tcg/cc_helper.c b/target/s390x/tcg/cc_helper.c
index b2e8d3d9f5..b36f8cdc8b 100644
--- a/target/s390x/tcg/cc_helper.c
+++ b/target/s390x/tcg/cc_helper.c
@@ -487,6 +487,10 @@ void HELPER(sacf)(CPUS390XState *env, uint64_t a1)
{
HELPER_LOG("%s: %16" PRIx64 "\n", __func__, a1);
+ if (!(env->psw.mask & PSW_MASK_DAT)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIAL_OP, GETPC());
+ }
+
switch (a1 & 0xf00) {
case 0x000:
env->psw.mask &= ~PSW_MASK_ASC;
@@ -497,6 +501,9 @@ void HELPER(sacf)(CPUS390XState *env, uint64_t a1)
env->psw.mask |= PSW_ASC_SECONDARY;
break;
case 0x300:
+ if ((env->psw.mask & PSW_MASK_PSTATE) != 0) {
+ tcg_s390_program_interrupt(env, PGM_PRIVILEGED, GETPC());
+ }
env->psw.mask &= ~PSW_MASK_ASC;
env->psw.mask |= PSW_ASC_HOME;
break;
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH v2 for-8.0] target/s390x/tcg: Fix and improve the SACF instruction
2022-12-01 18:44 [PATCH v2 for-8.0] target/s390x/tcg: Fix and improve the SACF instruction Thomas Huth
@ 2022-12-01 20:51 ` Richard Henderson
2022-12-02 7:41 ` Thomas Huth
2022-12-02 12:31 ` David Hildenbrand
2022-12-02 23:39 ` Ilya Leoshkevich
2 siblings, 1 reply; 5+ messages in thread
From: Richard Henderson @ 2022-12-01 20:51 UTC (permalink / raw)
To: Thomas Huth, qemu-devel, David Hildenbrand, Ilya Leoshkevich; +Cc: qemu-s390x
On 12/1/22 10:44, Thomas Huth wrote:
> The SET ADDRESS SPACE CONTROL FAST instruction is not privileged, it can be
> used from problem space, too. Just the switching to the home address space
> is privileged and should still generate a privilege exception. This bug is
> e.g. causing programs like Java that use the "getcpu" vdso kernel function
> to crash (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990417#26 ).
>
> While we're at it, also check if DAT is not enabled. In that case the
> instruction is supposed to generate a special operation exception.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/655
> Signed-off-by: Thomas Huth <thuth@redhat.com>
> ---
Looks ok, as far as it goes. We appear to be missing the check for CR0_SECONDARY, which
is unpredictable for SACF but mandatory for SAC.
I'll give you
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
for fixing the incorrect IF_PRIV check, which by itself should be enough to fix the Java
issue.
r~
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2 for-8.0] target/s390x/tcg: Fix and improve the SACF instruction
2022-12-01 20:51 ` Richard Henderson
@ 2022-12-02 7:41 ` Thomas Huth
0 siblings, 0 replies; 5+ messages in thread
From: Thomas Huth @ 2022-12-02 7:41 UTC (permalink / raw)
To: Richard Henderson, qemu-devel, David Hildenbrand, Ilya Leoshkevich
Cc: qemu-s390x
On 01/12/2022 21.51, Richard Henderson wrote:
> On 12/1/22 10:44, Thomas Huth wrote:
>> The SET ADDRESS SPACE CONTROL FAST instruction is not privileged, it can be
>> used from problem space, too. Just the switching to the home address space
>> is privileged and should still generate a privilege exception. This bug is
>> e.g. causing programs like Java that use the "getcpu" vdso kernel function
>> to crash (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990417#26 ).
>>
>> While we're at it, also check if DAT is not enabled. In that case the
>> instruction is supposed to generate a special operation exception.
>>
>> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/655
>> Signed-off-by: Thomas Huth <thuth@redhat.com>
>> ---
>
> Looks ok, as far as it goes. We appear to be missing the check for
> CR0_SECONDARY, which is unpredictable for SACF but mandatory for SAC.
Yes, but if I got our sources right, we do not implement SAC yet. Looks like
Linux does not use it, so nobody bothered to implement it yet. Since it
should be very similar to SACF, it should be easy to add - I can try to come
up with an additional patch for it later.
> I'll give you
>
> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
>
> for fixing the incorrect IF_PRIV check, which by itself should be enough to
> fix the Java issue.
Thanks!
Thomas
PS: We might have a similar bug with the MVCP and MVCS instructions ...
seems like they could be called from userspace in certain situations, too.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2 for-8.0] target/s390x/tcg: Fix and improve the SACF instruction
2022-12-01 18:44 [PATCH v2 for-8.0] target/s390x/tcg: Fix and improve the SACF instruction Thomas Huth
2022-12-01 20:51 ` Richard Henderson
@ 2022-12-02 12:31 ` David Hildenbrand
2022-12-02 23:39 ` Ilya Leoshkevich
2 siblings, 0 replies; 5+ messages in thread
From: David Hildenbrand @ 2022-12-02 12:31 UTC (permalink / raw)
To: Thomas Huth, qemu-devel, Richard Henderson, Ilya Leoshkevich; +Cc: qemu-s390x
On 01.12.22 19:44, Thomas Huth wrote:
> The SET ADDRESS SPACE CONTROL FAST instruction is not privileged, it can be
> used from problem space, too. Just the switching to the home address space
> is privileged and should still generate a privilege exception. This bug is
> e.g. causing programs like Java that use the "getcpu" vdso kernel function
> to crash (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990417#26 ).
>
> While we're at it, also check if DAT is not enabled. In that case the
> instruction is supposed to generate a special operation exception.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/655
> Signed-off-by: Thomas Huth <thuth@redhat.com>
> ---
> target/s390x/tcg/insn-data.h.inc | 2 +-
> target/s390x/tcg/cc_helper.c | 7 +++++++
> 2 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/target/s390x/tcg/insn-data.h.inc b/target/s390x/tcg/insn-data.h.inc
> index 7e952bdfc8..54d4250c9f 100644
> --- a/target/s390x/tcg/insn-data.h.inc
> +++ b/target/s390x/tcg/insn-data.h.inc
> @@ -1365,7 +1365,7 @@
> /* SERVICE CALL LOGICAL PROCESSOR (PV hypercall) */
> F(0xb220, SERVC, RRE, Z, r1_o, r2_o, 0, 0, servc, 0, IF_PRIV | IF_IO)
> /* SET ADDRESS SPACE CONTROL FAST */
> - F(0xb279, SACF, S, Z, 0, a2, 0, 0, sacf, 0, IF_PRIV)
> + C(0xb279, SACF, S, Z, 0, a2, 0, 0, sacf, 0)
> /* SET CLOCK */
> F(0xb204, SCK, S, Z, 0, m2_64a, 0, 0, sck, 0, IF_PRIV | IF_IO)
> /* SET CLOCK COMPARATOR */
> diff --git a/target/s390x/tcg/cc_helper.c b/target/s390x/tcg/cc_helper.c
> index b2e8d3d9f5..b36f8cdc8b 100644
> --- a/target/s390x/tcg/cc_helper.c
> +++ b/target/s390x/tcg/cc_helper.c
> @@ -487,6 +487,10 @@ void HELPER(sacf)(CPUS390XState *env, uint64_t a1)
> {
> HELPER_LOG("%s: %16" PRIx64 "\n", __func__, a1);
>
> + if (!(env->psw.mask & PSW_MASK_DAT)) {
> + tcg_s390_program_interrupt(env, PGM_SPECIAL_OP, GETPC());
> + }
> +
> switch (a1 & 0xf00) {
> case 0x000:
> env->psw.mask &= ~PSW_MASK_ASC;
> @@ -497,6 +501,9 @@ void HELPER(sacf)(CPUS390XState *env, uint64_t a1)
> env->psw.mask |= PSW_ASC_SECONDARY;
> break;
> case 0x300:
> + if ((env->psw.mask & PSW_MASK_PSTATE) != 0) {
> + tcg_s390_program_interrupt(env, PGM_PRIVILEGED, GETPC());
> + }
> env->psw.mask &= ~PSW_MASK_ASC;
> env->psw.mask |= PSW_ASC_HOME;
> break;
Reviewed-by: David Hildenbrand <david@redhat.com>
--
Thanks,
David / dhildenb
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH v2 for-8.0] target/s390x/tcg: Fix and improve the SACF instruction
2022-12-01 18:44 [PATCH v2 for-8.0] target/s390x/tcg: Fix and improve the SACF instruction Thomas Huth
2022-12-01 20:51 ` Richard Henderson
2022-12-02 12:31 ` David Hildenbrand
@ 2022-12-02 23:39 ` Ilya Leoshkevich
2 siblings, 0 replies; 5+ messages in thread
From: Ilya Leoshkevich @ 2022-12-02 23:39 UTC (permalink / raw)
To: Thomas Huth, qemu-devel, Richard Henderson, David Hildenbrand; +Cc: qemu-s390x
On Thu, 2022-12-01 at 19:44 +0100, Thomas Huth wrote:
> The SET ADDRESS SPACE CONTROL FAST instruction is not privileged, it
> can be
> used from problem space, too. Just the switching to the home address
> space
> is privileged and should still generate a privilege exception. This
> bug is
> e.g. causing programs like Java that use the "getcpu" vdso kernel
> function
> to crash (see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990417#26 ).
>
> While we're at it, also check if DAT is not enabled. In that case the
> instruction is supposed to generate a special operation exception.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/655
> Signed-off-by: Thomas Huth <thuth@redhat.com>
> ---
> target/s390x/tcg/insn-data.h.inc | 2 +-
> target/s390x/tcg/cc_helper.c | 7 +++++++
> 2 files changed, 8 insertions(+), 1 deletion(-)
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-12-02 23:41 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-01 18:44 [PATCH v2 for-8.0] target/s390x/tcg: Fix and improve the SACF instruction Thomas Huth
2022-12-01 20:51 ` Richard Henderson
2022-12-02 7:41 ` Thomas Huth
2022-12-02 12:31 ` David Hildenbrand
2022-12-02 23:39 ` Ilya Leoshkevich
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.