From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: Nicholas Piggin <npiggin@gmail.com>, qemu-ppc@nongnu.org
Cc: Richard Henderson <richard.henderson@linaro.org>,
	Paolo Bonzini <pbonzini@redhat.com>,
	qemu-devel@nongnu.org
Subject: Re: [PATCH 1/3] target/ppc: Fix broadcast tlbie synchronisation
Date: Thu, 28 Mar 2024 14:18:42 +0100
Message-ID: <9ac30d29-6ad6-44fb-96ad-22ed16489c73@linaro.org>
In-Reply-To: <20240328053131.2604454-2-npiggin@gmail.com>

On 28/3/24 06:31, Nicholas Piggin wrote:
> With mttcg, broadcast tlbie instructions do not wait until other vCPUs
> have been kicked out of TCG execution before they complete (including
> necessary subsequent tlbsync, etc., instructions). This is contrary to
> the ISA, and it permits other vCPUs to use translations after the TLB
> flush. For example:
> 
>     CPU0
>     // *memP is initially 0, memV maps to memP with *pte
>     *pte = 0;
>     ptesync ; tlbie ; eieio ; tlbsync ; ptesync
>     *memP = 1;
> 
>     CPU1
>     assert(*memV == 0);
> 
> It is possible for the assertion to fail because CPU1 translates memV
> using the TLB after CPU0 has stored 1 to the underlying memory. This
> race was observed with a careful test case where CPU1 checks run in a
> very large expensive TB so it can run for the entire CPU0 period between
> clearing the pte and storing the memory. It's normally very difficult to
> hit, but preemption of host vCPU threads could trigger the race
> anywhere.
> 
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> ---
>   target/ppc/helper_regs.c | 2 +-
>   target/ppc/mmu_helper.c  | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)

To the best of my knowledge,
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
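A constructed model of the interleaving described in the commit message, added here and not part of the patch or of QEMU: the `tlb[]` array, `tb_boundary()` and `tlbie_broadcast()` are assumptions standing in for the softmmu TLB and the TCG flush path, and the model shows why the broadcast must not complete until the other vCPU has left its translation block.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not QEMU code) of the race in the commit message:
 * one guest physical word memP, one PTE mapping memV -> memP, and a
 * per-vCPU cached translation standing in for the softmmu TLB. */
static int memP;               /* guest physical memory */
static int pte;                /* page table entry: nonzero = memV valid */
static int tlb[2];             /* per-vCPU cached PTE (0 = no entry) */
static bool flush_pending[2];  /* broadcast tlbie queued for this vCPU */

/* A vCPU only notices a queued flush when its current TB ends and it
 * returns to the TCG main loop; a large TB keeps it away for a while. */
static void tb_boundary(int cpu) {
    if (flush_pending[cpu]) { tlb[cpu] = 0; flush_pending[cpu] = false; }
}

/* Load through memV: use the cached translation if present, otherwise
 * walk the page table; -1 means "no translation" (a fault). */
static int load_memV(int cpu) {
    if (!tlb[cpu]) tlb[cpu] = pte;
    return tlb[cpu] ? memP : -1;
}

/* Broadcast tlbie. The synced variant (the behaviour the fix restores)
 * does not return until every other vCPU has left TCG and dropped its
 * entry; the non-synced variant only queues the flush and carries on. */
static void tlbie_broadcast(int self, bool synced) {
    for (int c = 0; c < 2; c++) if (c != self) flush_pending[c] = true;
    tlb[self] = 0;
    if (synced)
        for (int c = 0; c < 2; c++) if (c != self) tb_boundary(c); /* wait for ack */
}

/* Replay the interleaving from the commit message and return what CPU1's
 * load through memV sees after CPU0 has stored 1 to memP. */
static int run_race(bool synced) {
    memP = 0; pte = 1; tlb[0] = tlb[1] = 1;      /* CPU1 holds a valid entry */
    flush_pending[0] = flush_pending[1] = false;
    pte = 0;                                      /* CPU0: *pte = 0 */
    tlbie_broadcast(0, synced);                   /* ptesync; tlbie; ...; tlbsync */
    memP = 1;                                     /* CPU0: *memP = 1 */
    return load_memV(1);                          /* CPU1, still in its large TB */
}

int main(void) {
    printf("non-synced tlbie: CPU1 sees %d (stale translation)\n", run_race(false));
    printf("synced tlbie:     CPU1 sees %d (-1 = no translation)\n", run_race(true));
    return 0;
}
```

With the non-synced flush CPU1 reads 1 through its stale entry, which is exactly the failing `assert(*memV == 0)`; with the synced flush its entry is gone before CPU0's store and the access faults instead.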
