* [PATCH v2 0/9] accel/tcg: Fix page_set_flags and related [#1528]
@ 2023-03-17 15:54 Richard Henderson
2023-03-17 15:54 ` [PATCH v2 1/9] linux-user: Diagnose misaligned -R size Richard Henderson
` (8 more replies)
0 siblings, 9 replies; 13+ messages in thread
From: Richard Henderson @ 2023-03-17 15:54 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell
The primary issue is that of overflow, where "end" for the last
page of the 32-bit address space overflows to 0. The fix is to
use "last" instead, which can always be represented.
Changes for v2:
* Leave -R 0 unchanged; whether it's currently broken,
or unusable by design is unchanged by this patch set.
* Drop reserved_va -> max_reserved_va name change;
it doesn't really make sense.
Require review:
01-linux-user-Diagnose-misaligned-R-size.patch
03-include-exec-Replace-reserved_va-with-max_reserve.patch
08-accel-tcg-Pass-last-not-end-to-tb_invalidate_phys.patch
r~
Richard Henderson (9):
linux-user: Diagnose misaligned -R size
linux-user: Rename max_reserved_va in main
include/exec: Replace reserved_va with max_reserved_va
accel/tcg: Pass last not end to page_set_flags
accel/tcg: Pass last not end to page_reset_target_data
accel/tcg: Pass last not end to PAGE_FOR_EACH_TB
accel/tcg: Pass last not end to page_collection_lock
accel/tcg: Pass last not end to tb_invalidate_phys_page_range__locked
accel/tcg: Pass last not end to tb_invalidate_phys_range
include/exec/cpu-all.h | 15 ++++--
include/exec/exec-all.h | 2 +-
linux-user/arm/target_cpu.h | 2 +-
accel/tcg/tb-maint.c | 95 +++++++++++++++++++------------------
accel/tcg/translate-all.c | 2 +-
accel/tcg/user-exec.c | 25 +++++-----
bsd-user/main.c | 10 ++--
bsd-user/mmap.c | 10 ++--
linux-user/elfload.c | 32 +++++++------
linux-user/main.c | 37 ++++++++-------
linux-user/mmap.c | 22 ++++-----
linux-user/syscall.c | 4 +-
softmmu/physmem.c | 2 +-
13 files changed, 135 insertions(+), 123 deletions(-)
--
2.34.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH v2 1/9] linux-user: Diagnose misaligned -R size
2023-03-17 15:54 [PATCH v2 0/9] accel/tcg: Fix page_set_flags and related [#1528] Richard Henderson
@ 2023-03-17 15:54 ` Richard Henderson
2023-03-20 21:24 ` Philippe Mathieu-Daudé
2023-03-17 15:54 ` [PATCH v2 2/9] linux-user: Rename max_reserved_va in main Richard Henderson
` (7 subsequent siblings)
8 siblings, 1 reply; 13+ messages in thread
From: Richard Henderson @ 2023-03-17 15:54 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell
We have been enforcing host page alignment for the non-R
fallback of MAX_RESERVED_VA, but failing to enforce for -R.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
linux-user/main.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/linux-user/main.c b/linux-user/main.c
index 4b18461969..39d9bd4d7a 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -793,6 +793,12 @@ int main(int argc, char **argv, char **envp)
*/
max_reserved_va = MAX_RESERVED_VA(cpu);
if (reserved_va != 0) {
+ if (reserved_va % qemu_host_page_size) {
+ char *s = size_to_str(qemu_host_page_size);
+ fprintf(stderr, "Reserved virtual address not aligned mod %s\n", s);
+ g_free(s);
+ exit(EXIT_FAILURE);
+ }
if (max_reserved_va && reserved_va > max_reserved_va) {
fprintf(stderr, "Reserved virtual address too big\n");
exit(EXIT_FAILURE);
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v2 2/9] linux-user: Rename max_reserved_va in main
2023-03-17 15:54 [PATCH v2 0/9] accel/tcg: Fix page_set_flags and related [#1528] Richard Henderson
2023-03-17 15:54 ` [PATCH v2 1/9] linux-user: Diagnose misaligned -R size Richard Henderson
@ 2023-03-17 15:54 ` Richard Henderson
2023-03-17 15:54 ` [PATCH v2 3/9] include/exec: Replace reserved_va with max_reserved_va Richard Henderson
` (6 subsequent siblings)
8 siblings, 0 replies; 13+ messages in thread
From: Richard Henderson @ 2023-03-17 15:54 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, Philippe Mathieu-Daudé
Rename to local_max_rva, to avoid a conflict with the next patch.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
linux-user/main.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux-user/main.c b/linux-user/main.c
index 39d9bd4d7a..165fcb653e 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -680,7 +680,7 @@ int main(int argc, char **argv, char **envp)
int i;
int ret;
int execfd;
- unsigned long max_reserved_va;
+ unsigned long local_max_rva;
bool preserve_argv0;
error_init(argv[0]);
@@ -791,7 +791,7 @@ int main(int argc, char **argv, char **envp)
* still try it, if directed by the command-line option, but
* not by default.
*/
- max_reserved_va = MAX_RESERVED_VA(cpu);
+ local_max_rva = MAX_RESERVED_VA(cpu);
if (reserved_va != 0) {
if (reserved_va % qemu_host_page_size) {
char *s = size_to_str(qemu_host_page_size);
@@ -799,7 +799,7 @@ int main(int argc, char **argv, char **envp)
g_free(s);
exit(EXIT_FAILURE);
}
- if (max_reserved_va && reserved_va > max_reserved_va) {
+ if (local_max_rva && reserved_va > local_max_rva) {
fprintf(stderr, "Reserved virtual address too big\n");
exit(EXIT_FAILURE);
}
@@ -808,7 +808,7 @@ int main(int argc, char **argv, char **envp)
* reserved_va must be aligned with the host page size
* as it is used with mmap()
*/
- reserved_va = max_reserved_va & qemu_host_page_mask;
+ reserved_va = local_max_rva & qemu_host_page_mask;
}
{
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v2 3/9] include/exec: Replace reserved_va with max_reserved_va
2023-03-17 15:54 [PATCH v2 0/9] accel/tcg: Fix page_set_flags and related [#1528] Richard Henderson
2023-03-17 15:54 ` [PATCH v2 1/9] linux-user: Diagnose misaligned -R size Richard Henderson
2023-03-17 15:54 ` [PATCH v2 2/9] linux-user: Rename max_reserved_va in main Richard Henderson
@ 2023-03-17 15:54 ` Richard Henderson
2023-03-20 21:32 ` Philippe Mathieu-Daudé
2023-03-17 15:54 ` [PATCH v2 4/9] accel/tcg: Pass last not end to page_set_flags Richard Henderson
` (5 subsequent siblings)
8 siblings, 1 reply; 13+ messages in thread
From: Richard Henderson @ 2023-03-17 15:54 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell
In addition to the rename, change the semantics to be the
last byte of the guest va, rather than the following byte.
This avoids some overflow conditions.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
include/exec/cpu-all.h | 11 ++++++++++-
linux-user/arm/target_cpu.h | 2 +-
bsd-user/main.c | 10 +++-------
bsd-user/mmap.c | 4 ++--
linux-user/elfload.c | 21 +++++++++++----------
linux-user/main.c | 27 +++++++++++++--------------
linux-user/mmap.c | 4 ++--
7 files changed, 42 insertions(+), 37 deletions(-)
diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index 2eb1176538..51b6e8594e 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -152,6 +152,15 @@ static inline void tswap64s(uint64_t *s)
*/
extern uintptr_t guest_base;
extern bool have_guest_base;
+
+/*
+ * If non-zero, the guest virtual address space is a contiguous subset
+ * of the host virtual address space, i.e. '-R reserved_va' is in effect
+ * either from the command-line or by default. The value is the last
+ * byte of the guest address space e.g. UINT32_MAX.
+ *
+ * If zero, the host and guest virtual address spaces are intermingled.
+ */
extern unsigned long reserved_va;
/*
@@ -171,7 +180,7 @@ extern unsigned long reserved_va;
#define GUEST_ADDR_MAX_ \
((MIN_CONST(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32) ? \
UINT32_MAX : ~0ul)
-#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : GUEST_ADDR_MAX_)
+#define GUEST_ADDR_MAX (reserved_va ? : GUEST_ADDR_MAX_)
#else
diff --git a/linux-user/arm/target_cpu.h b/linux-user/arm/target_cpu.h
index 89ba274cfc..f6383a7cd1 100644
--- a/linux-user/arm/target_cpu.h
+++ b/linux-user/arm/target_cpu.h
@@ -30,7 +30,7 @@ static inline unsigned long arm_max_reserved_va(CPUState *cs)
* the high addresses. Restrict linux-user to the
* cached write-back RAM in the system map.
*/
- return 0x80000000ul;
+ return 0x7ffffffful;
} else {
/*
* We need to be able to map the commpage.
diff --git a/bsd-user/main.c b/bsd-user/main.c
index 89f225dead..babc3b009b 100644
--- a/bsd-user/main.c
+++ b/bsd-user/main.c
@@ -68,13 +68,9 @@ bool have_guest_base;
# if HOST_LONG_BITS > TARGET_VIRT_ADDR_SPACE_BITS
# if TARGET_VIRT_ADDR_SPACE_BITS == 32 && \
(TARGET_LONG_BITS == 32 || defined(TARGET_ABI32))
-/*
- * There are a number of places where we assign reserved_va to a variable
- * of type abi_ulong and expect it to fit. Avoid the last page.
- */
-# define MAX_RESERVED_VA (0xfffffffful & TARGET_PAGE_MASK)
+# define MAX_RESERVED_VA 0xfffffffful
# else
-# define MAX_RESERVED_VA (1ul << TARGET_VIRT_ADDR_SPACE_BITS)
+# define MAX_RESERVED_VA ((1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
# endif
# else
# define MAX_RESERVED_VA 0
@@ -466,7 +462,7 @@ int main(int argc, char **argv)
envlist_free(envlist);
if (reserved_va) {
- mmap_next_start = reserved_va;
+ mmap_next_start = reserved_va + 1;
}
{
diff --git a/bsd-user/mmap.c b/bsd-user/mmap.c
index d6c5a344c9..d35650e562 100644
--- a/bsd-user/mmap.c
+++ b/bsd-user/mmap.c
@@ -234,7 +234,7 @@ static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size,
size = HOST_PAGE_ALIGN(size) + alignment;
end_addr = start + size;
if (end_addr > reserved_va) {
- end_addr = reserved_va;
+ end_addr = reserved_va + 1;
}
addr = end_addr - qemu_host_page_size;
@@ -243,7 +243,7 @@ static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size,
if (looped) {
return (abi_ulong)-1;
}
- end_addr = reserved_va;
+ end_addr = reserved_va + 1;
addr = end_addr - qemu_host_page_size;
looped = 1;
continue;
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 150d1d4503..bb2001bf30 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -207,7 +207,7 @@ static bool init_guest_commpage(void)
* has specified -R reserved_va, which would trigger an assert().
*/
if (reserved_va != 0 &&
- TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE >= reserved_va) {
+ TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE - 1 > reserved_va) {
error_report("Cannot allocate vsyscall page");
exit(EXIT_FAILURE);
}
@@ -2499,10 +2499,11 @@ static void pgb_have_guest_base(const char *image_name, abi_ulong guest_loaddr,
/* Sanity check the guest binary. */
if (reserved_va) {
- if (guest_hiaddr > reserved_va) {
+ if (guest_hiaddr - 1 > reserved_va) {
error_report("%s: requires more than reserved virtual "
"address space (0x%" PRIx64 " > 0x%lx)",
- image_name, (uint64_t)guest_hiaddr, reserved_va);
+ image_name, (uint64_t)guest_hiaddr - 1,
+ reserved_va);
exit(EXIT_FAILURE);
}
} else {
@@ -2523,7 +2524,7 @@ static void pgb_have_guest_base(const char *image_name, abi_ulong guest_loaddr,
if (reserved_va) {
guest_loaddr = (guest_base >= mmap_min_addr ? 0
: mmap_min_addr - guest_base);
- guest_hiaddr = reserved_va;
+ guest_hiaddr = reserved_va + 1;
}
/* Reserve the address space for the binary, or reserved_va. */
@@ -2750,15 +2751,15 @@ static void pgb_reserved_va(const char *image_name, abi_ulong guest_loaddr,
int flags = MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE;
void *addr, *test;
- if (guest_hiaddr > reserved_va) {
+ if (guest_hiaddr - 1 > reserved_va) {
error_report("%s: requires more than reserved virtual "
"address space (0x%" PRIx64 " > 0x%lx)",
- image_name, (uint64_t)guest_hiaddr, reserved_va);
+ image_name, (uint64_t)guest_hiaddr - 1, reserved_va);
exit(EXIT_FAILURE);
}
/* Widen the "image" to the entire reserved address space. */
- pgb_static(image_name, 0, reserved_va, align);
+ pgb_static(image_name, 0, reserved_va + 1, align);
/* osdep.h defines this as 0 if it's missing */
flags |= MAP_FIXED_NOREPLACE;
@@ -2766,17 +2767,17 @@ static void pgb_reserved_va(const char *image_name, abi_ulong guest_loaddr,
/* Reserve the memory on the host. */
assert(guest_base != 0);
test = g2h_untagged(0);
- addr = mmap(test, reserved_va, PROT_NONE, flags, -1, 0);
+ addr = mmap(test, reserved_va + 1, PROT_NONE, flags, -1, 0);
if (addr == MAP_FAILED || addr != test) {
error_report("Unable to reserve 0x%lx bytes of virtual address "
"space at %p (%s) for use as guest address space (check your "
"virtual memory ulimit setting, min_mmap_addr or reserve less "
- "using -R option)", reserved_va, test, strerror(errno));
+ "using -R option)", reserved_va + 1, test, strerror(errno));
exit(EXIT_FAILURE);
}
qemu_log_mask(CPU_LOG_PAGE, "%s: base @ %p for %lu bytes\n",
- __func__, addr, reserved_va);
+ __func__, addr, reserved_va + 1);
}
void probe_guest_base(const char *image_name, abi_ulong guest_loaddr,
diff --git a/linux-user/main.c b/linux-user/main.c
index 165fcb653e..c1d17a1900 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -109,11 +109,9 @@ static const char *last_log_filename;
# if HOST_LONG_BITS > TARGET_VIRT_ADDR_SPACE_BITS
# if TARGET_VIRT_ADDR_SPACE_BITS == 32 && \
(TARGET_LONG_BITS == 32 || defined(TARGET_ABI32))
-/* There are a number of places where we assign reserved_va to a variable
- of type abi_ulong and expect it to fit. Avoid the last page. */
-# define MAX_RESERVED_VA(CPU) (0xfffffffful & TARGET_PAGE_MASK)
+# define MAX_RESERVED_VA(CPU) 0xfffffffful
# else
-# define MAX_RESERVED_VA(CPU) (1ul << TARGET_VIRT_ADDR_SPACE_BITS)
+# define MAX_RESERVED_VA(CPU) ((1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
# endif
# else
# define MAX_RESERVED_VA(CPU) 0
@@ -379,7 +377,9 @@ static void handle_arg_reserved_va(const char *arg)
{
char *p;
int shift = 0;
- reserved_va = strtoul(arg, &p, 0);
+ unsigned long val;
+
+ val = strtoul(arg, &p, 0);
switch (*p) {
case 'k':
case 'K':
@@ -393,10 +393,10 @@ static void handle_arg_reserved_va(const char *arg)
break;
}
if (shift) {
- unsigned long unshifted = reserved_va;
+ unsigned long unshifted = val;
p++;
- reserved_va <<= shift;
- if (reserved_va >> shift != unshifted) {
+ val <<= shift;
+ if (val >> shift != unshifted) {
fprintf(stderr, "Reserved virtual address too big\n");
exit(EXIT_FAILURE);
}
@@ -405,6 +405,8 @@ static void handle_arg_reserved_va(const char *arg)
fprintf(stderr, "Unrecognised -R size suffix '%s'\n", p);
exit(EXIT_FAILURE);
}
+ /* The representation is size - 1, with 0 remaining "default". */
+ reserved_va = val ? val - 1 : 0;
}
static void handle_arg_singlestep(const char *arg)
@@ -793,7 +795,7 @@ int main(int argc, char **argv, char **envp)
*/
local_max_rva = MAX_RESERVED_VA(cpu);
if (reserved_va != 0) {
- if (reserved_va % qemu_host_page_size) {
+ if ((reserved_va + 1) % qemu_host_page_size) {
char *s = size_to_str(qemu_host_page_size);
fprintf(stderr, "Reserved virtual address not aligned mod %s\n", s);
g_free(s);
@@ -804,11 +806,8 @@ int main(int argc, char **argv, char **envp)
exit(EXIT_FAILURE);
}
} else if (HOST_LONG_BITS == 64 && TARGET_VIRT_ADDR_SPACE_BITS <= 32) {
- /*
- * reserved_va must be aligned with the host page size
- * as it is used with mmap()
- */
- reserved_va = local_max_rva & qemu_host_page_mask;
+ /* MAX_RESERVED_VA + 1 is a large power of 2, so is aligned. */
+ reserved_va = local_max_rva;
}
{
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 28135c9e6a..cf14930c30 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -283,7 +283,7 @@ static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size,
end_addr = start + size;
if (start > reserved_va - size) {
/* Start at the top of the address space. */
- end_addr = ((reserved_va - size) & -align) + size;
+ end_addr = ((reserved_va + 1 - size) & -align) + size;
looped = true;
}
@@ -297,7 +297,7 @@ static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size,
return (abi_ulong)-1;
}
/* Re-start at the top of the address space. */
- addr = end_addr = ((reserved_va - size) & -align) + size;
+ addr = end_addr = ((reserved_va + 1 - size) & -align) + size;
looped = true;
} else {
prot = page_get_flags(addr);
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v2 4/9] accel/tcg: Pass last not end to page_set_flags
2023-03-17 15:54 [PATCH v2 0/9] accel/tcg: Fix page_set_flags and related [#1528] Richard Henderson
` (2 preceding siblings ...)
2023-03-17 15:54 ` [PATCH v2 3/9] include/exec: Replace reserved_va with max_reserved_va Richard Henderson
@ 2023-03-17 15:54 ` Richard Henderson
2023-03-17 15:54 ` [PATCH v2 5/9] accel/tcg: Pass last not end to page_reset_target_data Richard Henderson
` (4 subsequent siblings)
8 siblings, 0 replies; 13+ messages in thread
From: Richard Henderson @ 2023-03-17 15:54 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, Philippe Mathieu-Daudé
Pass the address of the last byte to be changed, rather than
the first address past the last byte. This avoids overflow
when the last page of the address space is involved.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1528
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
include/exec/cpu-all.h | 2 +-
accel/tcg/user-exec.c | 16 +++++++---------
bsd-user/mmap.c | 6 +++---
linux-user/elfload.c | 11 ++++++-----
linux-user/mmap.c | 16 ++++++++--------
linux-user/syscall.c | 4 ++--
6 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index 51b6e8594e..db38418d93 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -285,7 +285,7 @@ typedef int (*walk_memory_regions_fn)(void *, target_ulong,
int walk_memory_regions(void *, walk_memory_regions_fn);
int page_get_flags(target_ulong address);
-void page_set_flags(target_ulong start, target_ulong end, int flags);
+void page_set_flags(target_ulong start, target_ulong last, int flags);
void page_reset_target_data(target_ulong start, target_ulong end);
int page_check_range(target_ulong start, target_ulong len, int flags);
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index 7b37fd229e..035f8096b2 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -480,24 +480,22 @@ static bool pageflags_set_clear(target_ulong start, target_ulong last,
* The flag PAGE_WRITE_ORG is positioned automatically depending
* on PAGE_WRITE. The mmap_lock should already be held.
*/
-void page_set_flags(target_ulong start, target_ulong end, int flags)
+void page_set_flags(target_ulong start, target_ulong last, int flags)
{
- target_ulong last;
bool reset = false;
bool inval_tb = false;
/* This function should never be called with addresses outside the
guest address space. If this assert fires, it probably indicates
a missing call to h2g_valid. */
- assert(start < end);
- assert(end - 1 <= GUEST_ADDR_MAX);
+ assert(start <= last);
+ assert(last <= GUEST_ADDR_MAX);
/* Only set PAGE_ANON with new mappings. */
assert(!(flags & PAGE_ANON) || (flags & PAGE_RESET));
assert_memory_lock();
- start = start & TARGET_PAGE_MASK;
- end = TARGET_PAGE_ALIGN(end);
- last = end - 1;
+ start &= TARGET_PAGE_MASK;
+ last |= ~TARGET_PAGE_MASK;
if (!(flags & PAGE_VALID)) {
flags = 0;
@@ -510,7 +508,7 @@ void page_set_flags(target_ulong start, target_ulong end, int flags)
}
if (!flags || reset) {
- page_reset_target_data(start, end);
+ page_reset_target_data(start, last + 1);
inval_tb |= pageflags_unset(start, last);
}
if (flags) {
@@ -518,7 +516,7 @@ void page_set_flags(target_ulong start, target_ulong end, int flags)
~(reset ? 0 : PAGE_STICKY));
}
if (inval_tb) {
- tb_invalidate_phys_range(start, end);
+ tb_invalidate_phys_range(start, last + 1);
}
}
diff --git a/bsd-user/mmap.c b/bsd-user/mmap.c
index d35650e562..565b9f97ed 100644
--- a/bsd-user/mmap.c
+++ b/bsd-user/mmap.c
@@ -118,7 +118,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot)
if (ret != 0)
goto error;
}
- page_set_flags(start, start + len, prot | PAGE_VALID);
+ page_set_flags(start, start + len - 1, prot | PAGE_VALID);
mmap_unlock();
return 0;
error:
@@ -656,7 +656,7 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
}
}
the_end1:
- page_set_flags(start, start + len, prot | PAGE_VALID);
+ page_set_flags(start, start + len - 1, prot | PAGE_VALID);
the_end:
#ifdef DEBUG_MMAP
printf("ret=0x" TARGET_ABI_FMT_lx "\n", start);
@@ -767,7 +767,7 @@ int target_munmap(abi_ulong start, abi_ulong len)
}
if (ret == 0) {
- page_set_flags(start, start + len, 0);
+ page_set_flags(start, start + len - 1, 0);
}
mmap_unlock();
return ret;
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index bb2001bf30..b068676340 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -212,7 +212,7 @@ static bool init_guest_commpage(void)
exit(EXIT_FAILURE);
}
page_set_flags(TARGET_VSYSCALL_PAGE,
- TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE,
+ TARGET_VSYSCALL_PAGE | ~TARGET_PAGE_MASK,
PAGE_EXEC | PAGE_VALID);
return true;
}
@@ -443,7 +443,7 @@ static bool init_guest_commpage(void)
exit(EXIT_FAILURE);
}
- page_set_flags(commpage, commpage + qemu_host_page_size,
+ page_set_flags(commpage, commpage | ~qemu_host_page_mask,
PAGE_READ | PAGE_EXEC | PAGE_VALID);
return true;
}
@@ -1315,7 +1315,7 @@ static bool init_guest_commpage(void)
exit(EXIT_FAILURE);
}
- page_set_flags(LO_COMMPAGE, LO_COMMPAGE + TARGET_PAGE_SIZE,
+ page_set_flags(LO_COMMPAGE, LO_COMMPAGE | ~TARGET_PAGE_MASK,
PAGE_READ | PAGE_EXEC | PAGE_VALID);
return true;
}
@@ -1727,7 +1727,7 @@ static bool init_guest_commpage(void)
* and implement syscalls. Here, simply mark the page executable.
* Special case the entry points during translation (see do_page_zero).
*/
- page_set_flags(LO_COMMPAGE, LO_COMMPAGE + TARGET_PAGE_SIZE,
+ page_set_flags(LO_COMMPAGE, LO_COMMPAGE | ~TARGET_PAGE_MASK,
PAGE_EXEC | PAGE_VALID);
return true;
}
@@ -2208,7 +2208,8 @@ static void zero_bss(abi_ulong elf_bss, abi_ulong last_bss, int prot)
/* Ensure that the bss page(s) are valid */
if ((page_get_flags(last_bss-1) & prot) != prot) {
- page_set_flags(elf_bss & TARGET_PAGE_MASK, last_bss, prot | PAGE_VALID);
+ page_set_flags(elf_bss & TARGET_PAGE_MASK, last_bss - 1,
+ prot | PAGE_VALID);
}
if (host_start < host_map_start) {
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index cf14930c30..9c70f51d97 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -181,7 +181,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int target_prot)
}
}
- page_set_flags(start, start + len, page_flags);
+ page_set_flags(start, start + len - 1, page_flags);
ret = 0;
error:
@@ -640,15 +640,15 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int target_prot,
}
page_flags |= PAGE_RESET;
if (passthrough_start == passthrough_end) {
- page_set_flags(start, start + len, page_flags);
+ page_set_flags(start, start + len - 1, page_flags);
} else {
if (start < passthrough_start) {
- page_set_flags(start, passthrough_start, page_flags);
+ page_set_flags(start, passthrough_start - 1, page_flags);
}
- page_set_flags(passthrough_start, passthrough_end,
+ page_set_flags(passthrough_start, passthrough_end - 1,
page_flags | PAGE_PASSTHROUGH);
if (passthrough_end < start + len) {
- page_set_flags(passthrough_end, start + len, page_flags);
+ page_set_flags(passthrough_end, start + len - 1, page_flags);
}
}
the_end:
@@ -763,7 +763,7 @@ int target_munmap(abi_ulong start, abi_ulong len)
}
if (ret == 0) {
- page_set_flags(start, start + len, 0);
+ page_set_flags(start, start + len - 1, 0);
}
mmap_unlock();
return ret;
@@ -849,8 +849,8 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
} else {
new_addr = h2g(host_addr);
prot = page_get_flags(old_addr);
- page_set_flags(old_addr, old_addr + old_size, 0);
- page_set_flags(new_addr, new_addr + new_size,
+ page_set_flags(old_addr, old_addr + old_size - 1, 0);
+ page_set_flags(new_addr, new_addr + new_size - 1,
prot | PAGE_VALID | PAGE_RESET);
}
mmap_unlock();
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 24cea6fb6a..7fbc664e83 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -4594,7 +4594,7 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env,
}
raddr=h2g((unsigned long)host_raddr);
- page_set_flags(raddr, raddr + shm_info.shm_segsz,
+ page_set_flags(raddr, raddr + shm_info.shm_segsz - 1,
PAGE_VALID | PAGE_RESET | PAGE_READ |
(shmflg & SHM_RDONLY ? 0 : PAGE_WRITE));
@@ -4624,7 +4624,7 @@ static inline abi_long do_shmdt(abi_ulong shmaddr)
for (i = 0; i < N_SHM_REGIONS; ++i) {
if (shm_regions[i].in_use && shm_regions[i].start == shmaddr) {
shm_regions[i].in_use = false;
- page_set_flags(shmaddr, shmaddr + shm_regions[i].size, 0);
+ page_set_flags(shmaddr, shmaddr + shm_regions[i].size - 1, 0);
break;
}
}
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v2 5/9] accel/tcg: Pass last not end to page_reset_target_data
2023-03-17 15:54 [PATCH v2 0/9] accel/tcg: Fix page_set_flags and related [#1528] Richard Henderson
` (3 preceding siblings ...)
2023-03-17 15:54 ` [PATCH v2 4/9] accel/tcg: Pass last not end to page_set_flags Richard Henderson
@ 2023-03-17 15:54 ` Richard Henderson
2023-03-17 15:54 ` [PATCH v2 6/9] accel/tcg: Pass last not end to PAGE_FOR_EACH_TB Richard Henderson
` (3 subsequent siblings)
8 siblings, 0 replies; 13+ messages in thread
From: Richard Henderson @ 2023-03-17 15:54 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, Philippe Mathieu-Daudé
Pass the address of the last byte to be changed, rather than
the first address past the last byte. This avoids overflow
when the last page of the address space is involved.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
include/exec/cpu-all.h | 2 +-
accel/tcg/user-exec.c | 11 +++++------
linux-user/mmap.c | 2 +-
3 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index db38418d93..981c295de9 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -286,7 +286,7 @@ int walk_memory_regions(void *, walk_memory_regions_fn);
int page_get_flags(target_ulong address);
void page_set_flags(target_ulong start, target_ulong last, int flags);
-void page_reset_target_data(target_ulong start, target_ulong end);
+void page_reset_target_data(target_ulong start, target_ulong last);
int page_check_range(target_ulong start, target_ulong len, int flags);
/**
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index 035f8096b2..20b6fc2f6e 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -508,7 +508,7 @@ void page_set_flags(target_ulong start, target_ulong last, int flags)
}
if (!flags || reset) {
- page_reset_target_data(start, last + 1);
+ page_reset_target_data(start, last);
inval_tb |= pageflags_unset(start, last);
}
if (flags) {
@@ -814,15 +814,14 @@ typedef struct TargetPageDataNode {
static IntervalTreeRoot targetdata_root;
-void page_reset_target_data(target_ulong start, target_ulong end)
+void page_reset_target_data(target_ulong start, target_ulong last)
{
IntervalTreeNode *n, *next;
- target_ulong last;
assert_memory_lock();
- start = start & TARGET_PAGE_MASK;
- last = TARGET_PAGE_ALIGN(end) - 1;
+ start &= TARGET_PAGE_MASK;
+ last |= ~TARGET_PAGE_MASK;
for (n = interval_tree_iter_first(&targetdata_root, start, last),
next = n ? interval_tree_iter_next(n, start, last) : NULL;
@@ -885,7 +884,7 @@ void *page_get_target_data(target_ulong address)
return t->data[(page - region) >> TARGET_PAGE_BITS];
}
#else
-void page_reset_target_data(target_ulong start, target_ulong end) { }
+void page_reset_target_data(target_ulong start, target_ulong last) { }
#endif /* TARGET_PAGE_DATA_SIZE */
/* The softmmu versions of these helpers are in cputlb.c. */
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 9c70f51d97..0aa8ae7356 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -946,7 +946,7 @@ abi_long target_madvise(abi_ulong start, abi_ulong len_in, int advice)
if (can_passthrough_madvise(start, end)) {
ret = get_errno(madvise(g2h_untagged(start), len, advice));
if ((advice == MADV_DONTNEED) && (ret == 0)) {
- page_reset_target_data(start, start + len);
+ page_reset_target_data(start, start + len - 1);
}
}
}
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v2 6/9] accel/tcg: Pass last not end to PAGE_FOR_EACH_TB
2023-03-17 15:54 [PATCH v2 0/9] accel/tcg: Fix page_set_flags and related [#1528] Richard Henderson
` (4 preceding siblings ...)
2023-03-17 15:54 ` [PATCH v2 5/9] accel/tcg: Pass last not end to page_reset_target_data Richard Henderson
@ 2023-03-17 15:54 ` Richard Henderson
2023-03-17 15:54 ` [PATCH v2 7/9] accel/tcg: Pass last not end to page_collection_lock Richard Henderson
` (2 subsequent siblings)
8 siblings, 0 replies; 13+ messages in thread
From: Richard Henderson @ 2023-03-17 15:54 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, Philippe Mathieu-Daudé
Pass the address of the last byte to be changed, rather than
the first address past the last byte. This avoids overflow
when the last page of the address space is involved.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
accel/tcg/tb-maint.c | 28 ++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
index 7246c1c46b..2c2e887196 100644
--- a/accel/tcg/tb-maint.c
+++ b/accel/tcg/tb-maint.c
@@ -126,29 +126,29 @@ static void tb_remove(TranslationBlock *tb)
}
/* TODO: For now, still shared with translate-all.c for system mode. */
-#define PAGE_FOR_EACH_TB(start, end, pagedesc, T, N) \
- for (T = foreach_tb_first(start, end), \
- N = foreach_tb_next(T, start, end); \
+#define PAGE_FOR_EACH_TB(start, last, pagedesc, T, N) \
+ for (T = foreach_tb_first(start, last), \
+ N = foreach_tb_next(T, start, last); \
T != NULL; \
- T = N, N = foreach_tb_next(N, start, end))
+ T = N, N = foreach_tb_next(N, start, last))
typedef TranslationBlock *PageForEachNext;
static PageForEachNext foreach_tb_first(tb_page_addr_t start,
- tb_page_addr_t end)
+ tb_page_addr_t last)
{
- IntervalTreeNode *n = interval_tree_iter_first(&tb_root, start, end - 1);
+ IntervalTreeNode *n = interval_tree_iter_first(&tb_root, start, last);
return n ? container_of(n, TranslationBlock, itree) : NULL;
}
static PageForEachNext foreach_tb_next(PageForEachNext tb,
tb_page_addr_t start,
- tb_page_addr_t end)
+ tb_page_addr_t last)
{
IntervalTreeNode *n;
if (tb) {
- n = interval_tree_iter_next(&tb->itree, start, end - 1);
+ n = interval_tree_iter_next(&tb->itree, start, last);
if (n) {
return container_of(n, TranslationBlock, itree);
}
@@ -319,7 +319,7 @@ struct page_collection {
};
typedef int PageForEachNext;
-#define PAGE_FOR_EACH_TB(start, end, pagedesc, tb, n) \
+#define PAGE_FOR_EACH_TB(start, last, pagedesc, tb, n) \
TB_FOR_EACH_TAGGED((pagedesc)->first_tb, tb, n, page_next)
#ifdef CONFIG_DEBUG_TCG
@@ -994,10 +994,11 @@ void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
{
TranslationBlock *tb;
PageForEachNext n;
+ tb_page_addr_t last = end - 1;
assert_memory_lock();
- PAGE_FOR_EACH_TB(start, end, unused, tb, n) {
+ PAGE_FOR_EACH_TB(start, last, unused, tb, n) {
tb_phys_invalidate__locked(tb);
}
}
@@ -1029,6 +1030,7 @@ bool tb_invalidate_phys_page_unwind(tb_page_addr_t addr, uintptr_t pc)
bool current_tb_modified;
TranslationBlock *tb;
PageForEachNext n;
+ tb_page_addr_t last;
/*
* Without precise smc semantics, or when outside of a TB,
@@ -1045,10 +1047,11 @@ bool tb_invalidate_phys_page_unwind(tb_page_addr_t addr, uintptr_t pc)
assert_memory_lock();
current_tb = tcg_tb_lookup(pc);
+ last = addr | ~TARGET_PAGE_MASK;
addr &= TARGET_PAGE_MASK;
current_tb_modified = false;
- PAGE_FOR_EACH_TB(addr, addr + TARGET_PAGE_SIZE, unused, tb, n) {
+ PAGE_FOR_EACH_TB(addr, last, unused, tb, n) {
if (current_tb == tb &&
(tb_cflags(current_tb) & CF_COUNT_MASK) != 1) {
/*
@@ -1090,12 +1093,13 @@ tb_invalidate_phys_page_range__locked(struct page_collection *pages,
bool current_tb_modified = false;
TranslationBlock *current_tb = retaddr ? tcg_tb_lookup(retaddr) : NULL;
#endif /* TARGET_HAS_PRECISE_SMC */
+ tb_page_addr_t last G_GNUC_UNUSED = end - 1;
/*
* We remove all the TBs in the range [start, end[.
* XXX: see if in some cases it could be faster to invalidate all the code
*/
- PAGE_FOR_EACH_TB(start, end, p, tb, n) {
+ PAGE_FOR_EACH_TB(start, last, p, tb, n) {
/* NOTE: this is subtle as a TB may span two physical pages */
if (n == 0) {
/* NOTE: tb_end may be after the end of the page, but
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v2 7/9] accel/tcg: Pass last not end to page_collection_lock
2023-03-17 15:54 [PATCH v2 0/9] accel/tcg: Fix page_set_flags and related [#1528] Richard Henderson
` (5 preceding siblings ...)
2023-03-17 15:54 ` [PATCH v2 6/9] accel/tcg: Pass last not end to PAGE_FOR_EACH_TB Richard Henderson
@ 2023-03-17 15:54 ` Richard Henderson
2023-03-17 15:54 ` [PATCH v2 8/9] accel/tcg: Pass last not end to tb_invalidate_phys_page_range__locked Richard Henderson
2023-03-17 15:54 ` [PATCH v2 9/9] accel/tcg: Pass last not end to tb_invalidate_phys_range Richard Henderson
8 siblings, 0 replies; 13+ messages in thread
From: Richard Henderson @ 2023-03-17 15:54 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, Philippe Mathieu-Daudé
Pass the address of the last byte to be changed, rather than
the first address past the last byte. This avoids overflow
when the last page of the address space is involved.
Fixes a bug in the loop comparision where "<= end" would lock
one more page than required.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
accel/tcg/tb-maint.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
index 2c2e887196..cc23f7fa45 100644
--- a/accel/tcg/tb-maint.c
+++ b/accel/tcg/tb-maint.c
@@ -510,20 +510,20 @@ static gint tb_page_addr_cmp(gconstpointer ap, gconstpointer bp, gpointer udata)
}
/*
- * Lock a range of pages ([@start,@end[) as well as the pages of all
+ * Lock a range of pages ([@start,@last]) as well as the pages of all
* intersecting TBs.
* Locking order: acquire locks in ascending order of page index.
*/
static struct page_collection *page_collection_lock(tb_page_addr_t start,
- tb_page_addr_t end)
+ tb_page_addr_t last)
{
struct page_collection *set = g_malloc(sizeof(*set));
tb_page_addr_t index;
PageDesc *pd;
start >>= TARGET_PAGE_BITS;
- end >>= TARGET_PAGE_BITS;
- g_assert(start <= end);
+ last >>= TARGET_PAGE_BITS;
+ g_assert(start <= last);
set->tree = g_tree_new_full(tb_page_addr_cmp, NULL, NULL,
page_entry_destroy);
@@ -533,7 +533,7 @@ static struct page_collection *page_collection_lock(tb_page_addr_t start,
retry:
g_tree_foreach(set->tree, page_entry_lock, NULL);
- for (index = start; index <= end; index++) {
+ for (index = start; index <= last; index++) {
TranslationBlock *tb;
PageForEachNext n;
@@ -1153,7 +1153,7 @@ tb_invalidate_phys_page_range__locked(struct page_collection *pages,
void tb_invalidate_phys_page(tb_page_addr_t addr)
{
struct page_collection *pages;
- tb_page_addr_t start, end;
+ tb_page_addr_t start, last;
PageDesc *p;
p = page_find(addr >> TARGET_PAGE_BITS);
@@ -1162,9 +1162,9 @@ void tb_invalidate_phys_page(tb_page_addr_t addr)
}
start = addr & TARGET_PAGE_MASK;
- end = start + TARGET_PAGE_SIZE;
- pages = page_collection_lock(start, end);
- tb_invalidate_phys_page_range__locked(pages, p, start, end, 0);
+ last = addr | ~TARGET_PAGE_MASK;
+ pages = page_collection_lock(start, last);
+ tb_invalidate_phys_page_range__locked(pages, p, start, last + 1, 0);
page_collection_unlock(pages);
}
@@ -1180,7 +1180,7 @@ void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
struct page_collection *pages;
tb_page_addr_t next;
- pages = page_collection_lock(start, end);
+ pages = page_collection_lock(start, end - 1);
for (next = (start & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
start < end;
start = next, next += TARGET_PAGE_SIZE) {
@@ -1225,7 +1225,7 @@ void tb_invalidate_phys_range_fast(ram_addr_t ram_addr,
{
struct page_collection *pages;
- pages = page_collection_lock(ram_addr, ram_addr + size);
+ pages = page_collection_lock(ram_addr, ram_addr + size - 1);
tb_invalidate_phys_page_fast__locked(pages, ram_addr, size, retaddr);
page_collection_unlock(pages);
}
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v2 8/9] accel/tcg: Pass last not end to tb_invalidate_phys_page_range__locked
2023-03-17 15:54 [PATCH v2 0/9] accel/tcg: Fix page_set_flags and related [#1528] Richard Henderson
` (6 preceding siblings ...)
2023-03-17 15:54 ` [PATCH v2 7/9] accel/tcg: Pass last not end to page_collection_lock Richard Henderson
@ 2023-03-17 15:54 ` Richard Henderson
2023-03-20 21:35 ` Philippe Mathieu-Daudé
2023-03-17 15:54 ` [PATCH v2 9/9] accel/tcg: Pass last not end to tb_invalidate_phys_range Richard Henderson
8 siblings, 1 reply; 13+ messages in thread
From: Richard Henderson @ 2023-03-17 15:54 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell
Pass the address of the last byte to be changed, rather than
the first address past the last byte. This avoids overflow
when the last page of the address space is involved.
Properly truncate tb_last to the end of the page; the comment about
tb_end being past the end of the page being ok is not correct,
considering overflow.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
accel/tcg/tb-maint.c | 26 ++++++++++++--------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
index cc23f7fa45..99c0e708ba 100644
--- a/accel/tcg/tb-maint.c
+++ b/accel/tcg/tb-maint.c
@@ -1083,35 +1083,33 @@ bool tb_invalidate_phys_page_unwind(tb_page_addr_t addr, uintptr_t pc)
static void
tb_invalidate_phys_page_range__locked(struct page_collection *pages,
PageDesc *p, tb_page_addr_t start,
- tb_page_addr_t end,
+ tb_page_addr_t last,
uintptr_t retaddr)
{
TranslationBlock *tb;
- tb_page_addr_t tb_start, tb_end;
PageForEachNext n;
#ifdef TARGET_HAS_PRECISE_SMC
bool current_tb_modified = false;
TranslationBlock *current_tb = retaddr ? tcg_tb_lookup(retaddr) : NULL;
#endif /* TARGET_HAS_PRECISE_SMC */
- tb_page_addr_t last G_GNUC_UNUSED = end - 1;
/*
- * We remove all the TBs in the range [start, end[.
+ * We remove all the TBs in the range [start, last].
* XXX: see if in some cases it could be faster to invalidate all the code
*/
PAGE_FOR_EACH_TB(start, last, p, tb, n) {
+ tb_page_addr_t tb_start, tb_last;
+
/* NOTE: this is subtle as a TB may span two physical pages */
+ tb_start = tb_page_addr0(tb);
+ tb_last = tb_start + tb->size - 1;
if (n == 0) {
- /* NOTE: tb_end may be after the end of the page, but
- it is not a problem */
- tb_start = tb_page_addr0(tb);
- tb_end = tb_start + tb->size;
+ tb_last = MIN(tb_last, tb_start | ~TARGET_PAGE_MASK);
} else {
tb_start = tb_page_addr1(tb);
- tb_end = tb_start + ((tb_page_addr0(tb) + tb->size)
- & ~TARGET_PAGE_MASK);
+ tb_last = tb_start + (tb_last & ~TARGET_PAGE_MASK);
}
- if (!(tb_end <= start || tb_start >= end)) {
+ if (!(tb_last < start || tb_start > last)) {
#ifdef TARGET_HAS_PRECISE_SMC
if (current_tb == tb &&
(tb_cflags(current_tb) & CF_COUNT_MASK) != 1) {
@@ -1164,7 +1162,7 @@ void tb_invalidate_phys_page(tb_page_addr_t addr)
start = addr & TARGET_PAGE_MASK;
last = addr | ~TARGET_PAGE_MASK;
pages = page_collection_lock(start, last);
- tb_invalidate_phys_page_range__locked(pages, p, start, last + 1, 0);
+ tb_invalidate_phys_page_range__locked(pages, p, start, last, 0);
page_collection_unlock(pages);
}
@@ -1191,7 +1189,7 @@ void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
continue;
}
assert_page_locked(pd);
- tb_invalidate_phys_page_range__locked(pages, pd, start, bound, 0);
+ tb_invalidate_phys_page_range__locked(pages, pd, start, bound - 1, 0);
}
page_collection_unlock(pages);
}
@@ -1211,7 +1209,7 @@ static void tb_invalidate_phys_page_fast__locked(struct page_collection *pages,
}
assert_page_locked(p);
- tb_invalidate_phys_page_range__locked(pages, p, start, start + len, ra);
+ tb_invalidate_phys_page_range__locked(pages, p, start, start + len - 1, ra);
}
/*
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v2 9/9] accel/tcg: Pass last not end to tb_invalidate_phys_range
2023-03-17 15:54 [PATCH v2 0/9] accel/tcg: Fix page_set_flags and related [#1528] Richard Henderson
` (7 preceding siblings ...)
2023-03-17 15:54 ` [PATCH v2 8/9] accel/tcg: Pass last not end to tb_invalidate_phys_page_range__locked Richard Henderson
@ 2023-03-17 15:54 ` Richard Henderson
8 siblings, 0 replies; 13+ messages in thread
From: Richard Henderson @ 2023-03-17 15:54 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, Philippe Mathieu-Daudé
Pass the address of the last byte to be changed, rather than
the first address past the last byte. This avoids overflow
when the last page of the address space is involved.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
include/exec/exec-all.h | 2 +-
accel/tcg/tb-maint.c | 31 ++++++++++++++++---------------
accel/tcg/translate-all.c | 2 +-
accel/tcg/user-exec.c | 2 +-
softmmu/physmem.c | 2 +-
5 files changed, 20 insertions(+), 19 deletions(-)
diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index ad9eb6067b..ecded1f112 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -678,7 +678,7 @@ void tb_invalidate_phys_addr(target_ulong addr);
void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs);
#endif
void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr);
-void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end);
+void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t last);
void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr);
/* GETPC is the true target of the return instruction that we'll execute. */
diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
index 99c0e708ba..3192346b03 100644
--- a/accel/tcg/tb-maint.c
+++ b/accel/tcg/tb-maint.c
@@ -990,11 +990,10 @@ TranslationBlock *tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
* Called with mmap_lock held for user-mode emulation.
* NOTE: this function must not be called while a TB is running.
*/
-void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
+void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t last)
{
TranslationBlock *tb;
PageForEachNext n;
- tb_page_addr_t last = end - 1;
assert_memory_lock();
@@ -1010,11 +1009,11 @@ void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
*/
void tb_invalidate_phys_page(tb_page_addr_t addr)
{
- tb_page_addr_t start, end;
+ tb_page_addr_t start, last;
start = addr & TARGET_PAGE_MASK;
- end = start + TARGET_PAGE_SIZE;
- tb_invalidate_phys_range(start, end);
+ last = addr | ~TARGET_PAGE_MASK;
+ tb_invalidate_phys_range(start, last);
}
/*
@@ -1168,28 +1167,30 @@ void tb_invalidate_phys_page(tb_page_addr_t addr)
/*
* Invalidate all TBs which intersect with the target physical address range
- * [start;end[. NOTE: start and end may refer to *different* physical pages.
+ * [start;last]. NOTE: start and end may refer to *different* physical pages.
* 'is_cpu_write_access' should be true if called from a real cpu write
* access: the virtual CPU will exit the current TB if code is modified inside
* this TB.
*/
-void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
+void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t last)
{
struct page_collection *pages;
- tb_page_addr_t next;
+ tb_page_addr_t index, index_last;
- pages = page_collection_lock(start, end - 1);
- for (next = (start & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
- start < end;
- start = next, next += TARGET_PAGE_SIZE) {
- PageDesc *pd = page_find(start >> TARGET_PAGE_BITS);
- tb_page_addr_t bound = MIN(next, end);
+ pages = page_collection_lock(start, last);
+
+ index_last = last >> TARGET_PAGE_BITS;
+ for (index = start >> TARGET_PAGE_BITS; index <= index_last; index++) {
+ PageDesc *pd = page_find(index);
+ tb_page_addr_t bound;
if (pd == NULL) {
continue;
}
assert_page_locked(pd);
- tb_invalidate_phys_page_range__locked(pages, pd, start, bound - 1, 0);
+ bound = (index << TARGET_PAGE_BITS) | ~TARGET_PAGE_MASK;
+ bound = MIN(bound, last);
+ tb_invalidate_phys_page_range__locked(pages, pd, start, bound, 0);
}
page_collection_unlock(pages);
}
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index 74deb18bd0..5b13281119 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -572,7 +572,7 @@ void tb_check_watchpoint(CPUState *cpu, uintptr_t retaddr)
cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
addr = get_page_addr_code(env, pc);
if (addr != -1) {
- tb_invalidate_phys_range(addr, addr + 1);
+ tb_invalidate_phys_range(addr, addr);
}
}
}
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index 20b6fc2f6e..a7e0c3e2f4 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -516,7 +516,7 @@ void page_set_flags(target_ulong start, target_ulong last, int flags)
~(reset ? 0 : PAGE_STICKY));
}
if (inval_tb) {
- tb_invalidate_phys_range(start, last + 1);
+ tb_invalidate_phys_range(start, last);
}
}
diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index fb412a56e1..322e781676 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -2527,7 +2527,7 @@ static void invalidate_and_set_dirty(MemoryRegion *mr, hwaddr addr,
}
if (dirty_log_mask & (1 << DIRTY_MEMORY_CODE)) {
assert(tcg_enabled());
- tb_invalidate_phys_range(addr, addr + length);
+ tb_invalidate_phys_range(addr, addr + length - 1);
dirty_log_mask &= ~(1 << DIRTY_MEMORY_CODE);
}
cpu_physical_memory_set_dirty_range(addr, length, dirty_log_mask);
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH v2 1/9] linux-user: Diagnose misaligned -R size
2023-03-17 15:54 ` [PATCH v2 1/9] linux-user: Diagnose misaligned -R size Richard Henderson
@ 2023-03-20 21:24 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 13+ messages in thread
From: Philippe Mathieu-Daudé @ 2023-03-20 21:24 UTC (permalink / raw)
To: Richard Henderson, qemu-devel; +Cc: peter.maydell, Laurent Vivier
On 17/3/23 16:54, Richard Henderson wrote:
> We have been enforcing host page alignment for the non-R
> fallback of MAX_RESERVED_VA, but failing to enforce for -R.
>
> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
> ---
> linux-user/main.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/linux-user/main.c b/linux-user/main.c
> index 4b18461969..39d9bd4d7a 100644
> --- a/linux-user/main.c
> +++ b/linux-user/main.c
> @@ -793,6 +793,12 @@ int main(int argc, char **argv, char **envp)
> */
> max_reserved_va = MAX_RESERVED_VA(cpu);
> if (reserved_va != 0) {
> + if (reserved_va % qemu_host_page_size) {
> + char *s = size_to_str(qemu_host_page_size);
> + fprintf(stderr, "Reserved virtual address not aligned mod %s\n", s);
> + g_free(s);
> + exit(EXIT_FAILURE);
> + }
> if (max_reserved_va && reserved_va > max_reserved_va) {
> fprintf(stderr, "Reserved virtual address too big\n");
> exit(EXIT_FAILURE);
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH v2 3/9] include/exec: Replace reserved_va with max_reserved_va
2023-03-17 15:54 ` [PATCH v2 3/9] include/exec: Replace reserved_va with max_reserved_va Richard Henderson
@ 2023-03-20 21:32 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 13+ messages in thread
From: Philippe Mathieu-Daudé @ 2023-03-20 21:32 UTC (permalink / raw)
To: Richard Henderson, qemu-devel; +Cc: peter.maydell
On 17/3/23 16:54, Richard Henderson wrote:
> In addition to the rename, change the semantics to be the
> last byte of the guest va, rather than the following byte.
> This avoids some overflow conditions.
>
> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
> ---
> include/exec/cpu-all.h | 11 ++++++++++-
> linux-user/arm/target_cpu.h | 2 +-
> bsd-user/main.c | 10 +++-------
> bsd-user/mmap.c | 4 ++--
> linux-user/elfload.c | 21 +++++++++++----------
> linux-user/main.c | 27 +++++++++++++--------------
> linux-user/mmap.c | 4 ++--
> 7 files changed, 42 insertions(+), 37 deletions(-)
> diff --git a/linux-user/mmap.c b/linux-user/mmap.c
> index 28135c9e6a..cf14930c30 100644
> --- a/linux-user/mmap.c
> +++ b/linux-user/mmap.c
> @@ -283,7 +283,7 @@ static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size,
> end_addr = start + size;
> if (start > reserved_va - size) {
> /* Start at the top of the address space. */
> - end_addr = ((reserved_va - size) & -align) + size;
> + end_addr = ((reserved_va + 1 - size) & -align) + size;
> looped = true;
> }
>
> @@ -297,7 +297,7 @@ static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size,
> return (abi_ulong)-1;
> }
> /* Re-start at the top of the address space. */
> - addr = end_addr = ((reserved_va - size) & -align) + size;
> + addr = end_addr = ((reserved_va + 1 - size) & -align) + size;
Possible follow-up cleanup:
addr = end_addr = ROUND_DOWN(reserved_va + 1 - size, align) + size;
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Better with another R-b on top ;)
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH v2 8/9] accel/tcg: Pass last not end to tb_invalidate_phys_page_range__locked
2023-03-17 15:54 ` [PATCH v2 8/9] accel/tcg: Pass last not end to tb_invalidate_phys_page_range__locked Richard Henderson
@ 2023-03-20 21:35 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 13+ messages in thread
From: Philippe Mathieu-Daudé @ 2023-03-20 21:35 UTC (permalink / raw)
To: Richard Henderson, qemu-devel; +Cc: peter.maydell
On 17/3/23 16:54, Richard Henderson wrote:
> Pass the address of the last byte to be changed, rather than
> the first address past the last byte. This avoids overflow
> when the last page of the address space is involved.
>
> Properly truncate tb_last to the end of the page; the comment about
> tb_end being past the end of the page being ok is not correct,
> considering overflow.
>
> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
> ---
> accel/tcg/tb-maint.c | 26 ++++++++++++--------------
> 1 file changed, 12 insertions(+), 14 deletions(-)
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2023-03-20 21:35 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-17 15:54 [PATCH v2 0/9] accel/tcg: Fix page_set_flags and related [#1528] Richard Henderson
2023-03-17 15:54 ` [PATCH v2 1/9] linux-user: Diagnose misaligned -R size Richard Henderson
2023-03-20 21:24 ` Philippe Mathieu-Daudé
2023-03-17 15:54 ` [PATCH v2 2/9] linux-user: Rename max_reserved_va in main Richard Henderson
2023-03-17 15:54 ` [PATCH v2 3/9] include/exec: Replace reserved_va with max_reserved_va Richard Henderson
2023-03-20 21:32 ` Philippe Mathieu-Daudé
2023-03-17 15:54 ` [PATCH v2 4/9] accel/tcg: Pass last not end to page_set_flags Richard Henderson
2023-03-17 15:54 ` [PATCH v2 5/9] accel/tcg: Pass last not end to page_reset_target_data Richard Henderson
2023-03-17 15:54 ` [PATCH v2 6/9] accel/tcg: Pass last not end to PAGE_FOR_EACH_TB Richard Henderson
2023-03-17 15:54 ` [PATCH v2 7/9] accel/tcg: Pass last not end to page_collection_lock Richard Henderson
2023-03-17 15:54 ` [PATCH v2 8/9] accel/tcg: Pass last not end to tb_invalidate_phys_page_range__locked Richard Henderson
2023-03-20 21:35 ` Philippe Mathieu-Daudé
2023-03-17 15:54 ` [PATCH v2 9/9] accel/tcg: Pass last not end to tb_invalidate_phys_range Richard Henderson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.