From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:57128)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <agraf@suse.de>) id 1SRMBT-0003IN-0r
	for qemu-devel@nongnu.org; Mon, 07 May 2012 07:32:59 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <agraf@suse.de>) id 1SRMBR-0002BN-9I
	for qemu-devel@nongnu.org; Mon, 07 May 2012 07:32:54 -0400
Received: from cantor2.suse.de ([195.135.220.15]:42812 helo=mx2.suse.de)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <agraf@suse.de>) id 1SRMBR-0002BD-2f
	for qemu-devel@nongnu.org; Mon, 07 May 2012 07:32:53 -0400
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=us-ascii
From: Alexander Graf <agraf@suse.de>
In-Reply-To: <CAFEAcA-u2Ty0iXNQumn7HY4MH-uVkZ616BZJUAUoC-k02v+WEA@mail.gmail.com>
Date: Mon, 7 May 2012 13:32:50 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <F4C6F921-7E35-4246-BF5F-0652660AA0AB@suse.de>
References: <1336383010-28692-1-git-send-email-agraf@suse.de>
	<CAFEAcA-u2Ty0iXNQumn7HY4MH-uVkZ616BZJUAUoC-k02v+WEA@mail.gmail.com>
Subject: Re: [Qemu-devel] [PATCH] linux-user: Fix stale tbs after mmap
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Riku Voipio <riku.voipio@iki.fi>, qemu-devel Developers <qemu-devel@nongnu.org>


On 07.05.2012, at 12:37, Peter Maydell wrote:

> On 7 May 2012 10:30, Alexander Graf <agraf@suse.de> wrote:
>> @@ -587,6 +587,7 @@ abi_long target_mmap(abi_ulong start, abi_ulong =
len, int prot,
>>     page_dump(stdout);
>>     printf("\n");
>>  #endif
>> +    tb_invalidate_phys_page_range(start, start + len, 0);
>>     mmap_unlock();
>>     return start;
>=20
> The comment at the top of tb_invalidate_phys_page_range() says
> "start and end must refer to the same physical page" -- is it
> out of date or does that not apply to user-mode?
>=20
> Do you need to also invalidate the range on munmap() and
> mprotect-to-not-executable in order to correctly fault on
> the case of:
>  map something
>  execute it
>  unmap it
>  try to execute it again
>=20
> ? (haven't tested that case but it seems like it might be an issue)

Yeah, the issue does exist:

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

static int foo(void)
{
    return 5;
}

int main(int argc, char **argv)
{
    void *p;
    int x;
    int (*f)(void);

    p =3D =
mmap(NULL,0x1000,PROT_EXEC|PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,=
0,0);
    if (!p) {
        printf("Error: mmap returned failure\n");
        exit(1);
    }
    memcpy(p, (void*)foo, 0x10);
    f =3D p;
    x =3D f();
    printf("returned %d\n", x);
    munmap(p, 0x1000);
    x =3D f();
    printf("returned %d\n", x);
}

-----

baur:/> ./test
returned 5
returned 5