* [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode
From: Giovanni Mascellani @ 2019-02-07  9:46 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

qemu-s390x in user mode crashes with SIGILL (under host architecture
x86_64, running Debian unstable) when executing target instruction
"stck" ("STORE CLOCK", see
https://www-01.ibm.com/support/docview.wss?uid=isg26480faec85f44e2385256d5200627dee&aid=1),
which is basically a kind of equivalent of Intel "rdtsc". The same
instruction works fine under qemu-s390x in system mode. The bug is
reproducible with both the qemu version distributed in Debian unstable
and with the latest upstream master (commit
47994e16b1d66411953623e7c0bf0cdcd50bd507).

This bug manifested itself as a crash of ssh-keygen program, which uses
"stck" to obtain some bits of randomness during key creation. Bisection
of the code led to the attached minimal example. Compile with (inside an
s390x system):

 $ gcc -c -o test.o test.c
 $ gcc -c -o rdtsc.o rdtsc.S
 $ gcc -o test test.o rdtsc.o

Then run test. It will crash with SIGILL in user mode and run fine in
system mode. Also, compare with the original file at
https://github.com/openssl/openssl/blob/master/crypto/s390xcpuid.pl#L139
(there the instruction "stckf" is also used; it is probable that it has
the same problem if it is supported altogether, but I did not test for
this).

Running qemu-s390x with options -d
in_asm,out_asm,op,op_opt,exec,nochain,cpu gives the trace attached in
log.txt.

Thanks, Giovanni.

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "test.c"
   https://bugs.launchpad.net/bugs/1815024/+attachment/5236687/+files/test.c

-- 
You received this bug notification because you are a member of
qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1815024

Title:
  SIGILL on instruction "stck" under qemu-s390x in user mode

Status in QEMU:
  New

Bug description:
  qemu-s390x in user mode crashes with SIGILL (under host architecture
  x86_64, running Debian unstable) when executing target instruction
  "stck" ("STORE CLOCK", see
  https://www-01.ibm.com/support/docview.wss?uid=isg26480faec85f44e2385256d5200627dee&aid=1),
  which is basically a kind of equivalent of Intel "rdtsc". The same
  instruction works fine under qemu-s390x in system mode. The bug is
  reproducible with both the qemu version distributed in Debian unstable
  and with the latest upstream master (commit
  47994e16b1d66411953623e7c0bf0cdcd50bd507).

  This bug manifested itself as a crash of ssh-keygen program, which
  uses "stck" to obtain some bits of randomness during key creation.
  Bisection of the code led to the attached minimal example. Compile
  with (inside an s390x system):

   $ gcc -c -o test.o test.c
   $ gcc -c -o rdtsc.o rdtsc.S
   $ gcc -o test test.o rdtsc.o

  Then run test. It will crash with SIGILL in user mode and run fine in
  system mode. Also, compare with the original file at
  https://github.com/openssl/openssl/blob/master/crypto/s390xcpuid.pl#L139
  (there the instruction "stckf" is also used; it is probable that it
  has the same problem if it is supported altogether, but I did not
  test for this).

  Running qemu-s390x with options -d
  in_asm,out_asm,op,op_opt,exec,nochain,cpu gives the trace attached in
  log.txt.

  Thanks, Giovanni.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1815024/+subscriptions


* [Qemu-devel] [Bug 1815024] Re: SIGILL on instruction "stck" under qemu-s390x in user mode
From: Giovanni Mascellani @ 2019-02-07  9:46 UTC (permalink / raw)
  To: qemu-devel

** Attachment added: "rdtsc.S"
   https://bugs.launchpad.net/qemu/+bug/1815024/+attachment/5236688/+files/rdtsc.S



* [Qemu-devel] [Bug 1815024] Re: SIGILL on instruction "stck" under qemu-s390x in user mode
From: Giovanni Mascellani @ 2019-02-07  9:46 UTC (permalink / raw)
  To: qemu-devel

** Attachment added: "log.txt"
   https://bugs.launchpad.net/qemu/+bug/1815024/+attachment/5236689/+files/log.txt



* [Qemu-devel] [Bug 1815024] Re: SIGILL on instruction "stck" under qemu-s390x in user mode
From: Giovanni Mascellani @ 2019-02-07  9:48 UTC (permalink / raw)
  To: qemu-devel

I am also attaching the compiled program, in case it is helpful.

** Attachment added: "test"
   https://bugs.launchpad.net/qemu/+bug/1815024/+attachment/5236690/+files/test



* Re: [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode
From: Cornelia Huck @ 2019-02-07 10:49 UTC (permalink / raw)
  To: Giovanni Mascellani, David Hildenbrand; +Cc: Bug 1815024, qemu-devel

On Thu, 07 Feb 2019 09:46:07 -0000
Giovanni Mascellani <gio@debian.org> wrote:

> Public bug reported:
> 
> qemu-s390x in user mode crashes with SIGILL (under host architecture
> x86_64, running Debian unstable) when executing target instruction
> "stck" ("STORE CLOCK", see
> https://www-01.ibm.com/support/docview.wss?uid=isg26480faec85f44e2385256d5200627dee&aid=1),
> which is basically a kind of equivalent of Intel "rdtsc". The same
> instruction works fine under qemu-s390x in system mode. The bug is
> reproducible with both the qemu version distributed in Debian unstable
> and with the latest upstream master (commit
> 47994e16b1d66411953623e7c0bf0cdcd50bd507).

Did that work before commit 7de3b1cdc67 ("s390x/tcg: properly implement
the TOD")?

> 
> This bug manifested itself as a crash of ssh-keygen program, which uses
> "stck" to obtain some bits of randomness during key creation. Bisection
> of the code led to the attached minimal example. Compile with (inside an
> s390x system):
> 
>  $ gcc -c -o test.o test.c
>  $ gcc -c -o rdtsc.o rdtsc.S
>  $ gcc -o test test.o rdtsc.o
> 
> Then run test. It will crash with SIGILL in user mode and run fine in
> system mode. Also, compare with the original file at
> https://github.com/openssl/openssl/blob/master/crypto/s390xcpuid.pl#L139
> (there the instruction "stckf" is also used; it is probable that it has
> the same problem if it is supported altogether, but I did not test for
> this).

stckf will end up at the same helper, so it seems likely to hit the
same problem.

> 
> Running qemu-s390x with options -d
> in_asm,out_asm,op,op_opt,exec,nochain,cpu gives the trace attached in
> log.txt.

I think the problem is that the helper tries to access the todstate
object, which we won't have in user mode IIUC. David?


* Re: [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode
From: Giovanni Mascellani @ 2019-02-07 11:05 UTC (permalink / raw)
  To: Cornelia Huck, David Hildenbrand; +Cc: Bug 1815024, qemu-devel

Hi, thanks for answering!

On 07/02/19 11:49, Cornelia Huck wrote:
> Did that work before commit 7de3b1cdc67 ("s390x/tcg: properly implement
> the TOD")?

It does not seem so:

$ /qemu-s390x-new -version
qemu-s390x version 2.12.50 (v2.12.0-1983-g7de3b1cdc6-dirty)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers
$ /qemu-s390x-new ./a.out
Istruzione non consentita

(i.e., "illegal instruction")

But this might be expected. Now I go to the previous commit (f777b20544)
and recompile:

$ /qemu-s390x-new -version
qemu-s390x version 2.12.50 (v2.12.0-1982-gf777b20544-dirty)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers
$ /qemu-s390x-new ./a.out
Istruzione non consentita

So again. And even going back to 76ed4b18de (i.e., skipping a few
apparently related s390x commits):

$ /qemu-s390x-new -version
qemu-s390x version 2.12.50 (v2.12.0-1976-g76ed4b18de-dirty)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers
$ /qemu-s390x-new ./a.out
Istruzione non consentita

> stckf will end up at the same helper, so it seems likely to hit the
> same problem.

I guessed so.

Thanks again, Giovanni.
-- 
Giovanni Mascellani <g.mascellani@gmail.com>
Postdoc researcher - Université Libre de Bruxelles


* Re: [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode
From: Thomas Huth @ 2019-02-07 11:26 UTC (permalink / raw)
  To: Giovanni Mascellani, Cornelia Huck, David Hildenbrand
  Cc: Bug 1815024, qemu-devel

On 2019-02-07 12:05, Giovanni Mascellani wrote:
> Hi, thanks for answering!
> 
> On 07/02/19 11:49, Cornelia Huck wrote:
>> Did that work before commit 7de3b1cdc67 ("s390x/tcg: properly implement
>> the TOD")?
> 
> It does not seem so

The problem is rather that the STCK instruction is fenced with
"#ifndef CONFIG_USER_ONLY" ... quick-n-dirty hack to allow it:

diff --git a/target/s390x/helper.h b/target/s390x/helper.h
index 018e9dd..8baa784 100644
--- a/target/s390x/helper.h
+++ b/target/s390x/helper.h
@@ -122,12 +122,13 @@ DEF_HELPER_4(cu42, i32, env, i32, i32, i32)
 DEF_HELPER_5(msa, i32, env, i32, i32, i32, i32)
 DEF_HELPER_FLAGS_1(stpt, TCG_CALL_NO_RWG, i64, env)
 
+DEF_HELPER_FLAGS_1(stck, TCG_CALL_NO_RWG_SE, i64, env)
+
 #ifndef CONFIG_USER_ONLY
 DEF_HELPER_3(servc, i32, env, i64, i64)
 DEF_HELPER_4(diag, void, env, i32, i32, i32)
 DEF_HELPER_3(load_psw, noreturn, env, i64, i64)
 DEF_HELPER_FLAGS_2(spx, TCG_CALL_NO_RWG, void, env, i64)
-DEF_HELPER_FLAGS_1(stck, TCG_CALL_NO_RWG_SE, i64, env)
 DEF_HELPER_FLAGS_2(sck, TCG_CALL_NO_RWG, i32, env, i64)
 DEF_HELPER_FLAGS_2(sckc, TCG_CALL_NO_RWG, void, env, i64)
 DEF_HELPER_FLAGS_2(sckpf, TCG_CALL_NO_RWG, void, env, i64)
diff --git a/target/s390x/insn-data.def b/target/s390x/insn-data.def
index dab805f..41e2911 100644
--- a/target/s390x/insn-data.def
+++ b/target/s390x/insn-data.def
@@ -962,6 +962,10 @@
     D(0xb93e, KIMD,    RRE,   MSA,  0, 0, 0, 0, msa, 0, S390_FEAT_TYPE_KIMD)
     D(0xb93f, KLMD,    RRE,   MSA,  0, 0, 0, 0, msa, 0, S390_FEAT_TYPE_KLMD)
 
+/* STORE CLOCK */
+    C(0xb205, STCK,    S,     Z,   la2, 0, new, m1_64, stck, 0)
+    C(0xb27c, STCKF,   S,     SCF, la2, 0, new, m1_64, stck, 0)
+
 #ifndef CONFIG_USER_ONLY
 /* COMPARE AND SWAP AND PURGE */
     E(0xb250, CSP,     RRE,   Z,   r1_32u, ra2, r1_P, 0, csp, 0, MO_TEUL, IF_PRIV)
@@ -1020,9 +1024,6 @@
     F(0x8000, SSM,     S,     Z,   0, m2_8u, 0, 0, ssm, 0, IF_PRIV)
 /* SIGNAL PROCESSOR */
     F(0xae00, SIGP,    RS_a,  Z,   0, a2, 0, 0, sigp, 0, IF_PRIV)
-/* STORE CLOCK */
-    C(0xb205, STCK,    S,     Z,   la2, 0, new, m1_64, stck, 0)
-    C(0xb27c, STCKF,   S,     SCF, la2, 0, new, m1_64, stck, 0)
 /* STORE CLOCK EXTENDED */
     C(0xb278, STCKE,   S,     Z,   0, a2, 0, 0, stcke, 0)
 /* STORE CLOCK COMPARATOR */
diff --git a/target/s390x/misc_helper.c b/target/s390x/misc_helper.c
index 52262f6..b9eea7f 100644
--- a/target/s390x/misc_helper.c
+++ b/target/s390x/misc_helper.c
@@ -396,6 +396,16 @@ uint32_t HELPER(sigp)(CPUS390XState *env, uint64_t order_code, uint32_t r1,
 
     return cc;
 }
+
+#else
+
+uint64_t HELPER(stck)(CPUS390XState *env)
+{
+    uint64_t ns = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+
+    return (ns << 9) / 125 + (((ns & 0xff80000000000000ull) / 125) << 9);
+}
+
 #endif
 
 #ifndef CONFIG_USER_ONLY
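Review bot: the new user-mode HELPER(stck) in this hunk open-codes the ns-to-TOD scaling instead of reusing the time2tod() conversion named later in the thread, and it adds no TOD_UNIX_EPOCH offset, which Thomas himself identifies downthread as the missing piece; as a result the user-mode value has a different origin from the system-mode helper and explains the "around 6346926678828662276" reading reported later. Suggest expressing the helper through the shared conversion plus the epoch offset (roughly `return TOD_UNIX_EPOCH + time2tod(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL));`) so both modes agree. The qemu_clock_get_ns() call is also the new dependency this series introduces into the linux-user build, which is worth checking against the duplicate `use_icount` link error reported in the next message.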
diff --git a/target/s390x/translate.c b/target/s390x/translate.c
index 639084a..177e281 100644
--- a/target/s390x/translate.c
+++ b/target/s390x/translate.c
@@ -4034,6 +4034,14 @@ static DisasJumpType op_ectg(DisasContext *s, DisasOps *o)
     return DISAS_NEXT;
 }
 
+static DisasJumpType op_stck(DisasContext *s, DisasOps *o)
+{
+    gen_helper_stck(o->out, cpu_env);
+    /* ??? We don't implement clock states.  */
+    gen_op_movi_cc(s, 0);
+    return DISAS_NEXT;
+}
+
 #ifndef CONFIG_USER_ONLY
 static DisasJumpType op_spka(DisasContext *s, DisasOps *o)
 {
@@ -4061,14 +4069,6 @@ static DisasJumpType op_stap(DisasContext *s, DisasOps *o)
     return DISAS_NEXT;
 }
 
-static DisasJumpType op_stck(DisasContext *s, DisasOps *o)
-{
-    gen_helper_stck(o->out, cpu_env);
-    /* ??? We don't implement clock states.  */
-    gen_op_movi_cc(s, 0);
-    return DISAS_NEXT;
-}
-
 static DisasJumpType op_stcke(DisasContext *s, DisasOps *o)
 {
     TCGv_i64 c1 = tcg_temp_new_i64();


... then your test program works fine without crashing.

 Thomas


* Re: [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode
From: Giovanni Mascellani @ 2019-02-07 11:46 UTC (permalink / raw)
  To: Thomas Huth, Cornelia Huck, David Hildenbrand; +Cc: Bug 1815024, qemu-devel

Hi,

On 07/02/19 12:26, Thomas Huth wrote:
> The problem is rather that the STCK instruction is fenced with
> "#ifndef CONFIG_USER_ONLY" ... quick-n-dirty hack to allow it:

Thanks for the patch. Unfortunately on my system it fails with:

  LINK    s390x-linux-user/qemu-s390x
/usr/bin/ld: ../libqemuutil.a(cpu-get-icount.o):(.bss+0x0): multiple
definition of `use_icount'; exec.o:(.bss+0x58): first defined here
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:207: qemu-s390x] Error 1
make: *** [Makefile:432: subdir-s390x-linux-user] Error 2

The error does not appear when compiling from current master.

I am compiling with

 $ git clean -fdx
 $ ./configure --target-list=s390x-linux-user
 $ make -j16

Giovanni.
-- 
Giovanni Mascellani <g.mascellani@gmail.com>
Postdoc researcher - Université Libre de Bruxelles


* Re: [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode
From: Thomas Huth @ 2019-02-07 12:01 UTC (permalink / raw)
  To: Giovanni Mascellani, Cornelia Huck, David Hildenbrand
  Cc: Bug 1815024, qemu-devel

On 2019-02-07 12:46, Giovanni Mascellani wrote:
> Hi,
> 
> On 07/02/19 12:26, Thomas Huth wrote:
>> The problem is rather that the STCK instruction is fenced with
>> "#ifndef CONFIG_USER_ONLY" ... quick-n-dirty hack to allow it:
> 
> Thanks for the patch. Unfortunately on my system it fails with:
> 
>   LINK    s390x-linux-user/qemu-s390x
> /usr/bin/ld: ../libqemuutil.a(cpu-get-icount.o):(.bss+0x0): multiple
> definition of `use_icount'; exec.o:(.bss+0x58): first defined here
> collect2: error: ld returned 1 exit status
> make[1]: *** [Makefile:207: qemu-s390x] Error 1
> make: *** [Makefile:432: subdir-s390x-linux-user] Error 2
> 
> The error does not appear when compiling from current master.

I just saw it, too. Seems like the stubs/cpu-get-icount.c file now gets
pulled in for some reason. Try this on top:

diff --git a/stubs/cpu-get-icount.c b/stubs/cpu-get-icount.c
index 35f0c1e..8da6646 100644
--- a/stubs/cpu-get-icount.c
+++ b/stubs/cpu-get-icount.c
@@ -4,7 +4,7 @@
 #include "sysemu/cpus.h"
 #include "qemu/main-loop.h"

-int use_icount;
+int use_icount __attribute__((weak));

 int64_t cpu_get_icount(void)
 {
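Review bot: making the stub's definition weak (`int use_icount __attribute__((weak));`) silences the duplicate-definition link error but leaves the actual cause unexplained: the message above itself says stubs/cpu-get-icount.c is now pulled into the linux-user link "for some reason", and that reason is the new dependency the STCK helper adds, so the stub object is still being linked in, merely with one symbol demoted. The cleaner fix is to avoid dragging the stub in at all, which is what the promised "proper, mergeable patch" should do rather than carrying this workaround.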

... anyway, I'll ponder about that a little bit and will try to come up
with a proper, mergeable patch instead.

 Thomas


* Re: [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode
From: Richard Henderson @ 2019-02-07 12:15 UTC (permalink / raw)
  To: Thomas Huth, Giovanni Mascellani, Cornelia Huck, David Hildenbrand
  Cc: Bug 1815024, qemu-devel

On 2/7/19 12:01 PM, Thomas Huth wrote:
> On 2019-02-07 12:46, Giovanni Mascellani wrote:
>> Hi,
>>
>> On 07/02/19 12:26, Thomas Huth wrote:
>>> The problem is rather that the STCK instruction is fenced with
>>> "#ifndef CONFIG_USER_ONLY" ... quick-n-dirty hack to allow it:
>>
>> Thanks for the patch. Unfortunately on my system it fails with:
>>
>>   LINK    s390x-linux-user/qemu-s390x
>> /usr/bin/ld: ../libqemuutil.a(cpu-get-icount.o):(.bss+0x0): multiple
>> definition of `use_icount'; exec.o:(.bss+0x58): first defined here
>> collect2: error: ld returned 1 exit status
>> make[1]: *** [Makefile:207: qemu-s390x] Error 1
>> make: *** [Makefile:432: subdir-s390x-linux-user] Error 2
>>
>> The error does not appear when compiling from current master.
> 
> I just saw it, too. Seems like the stubs/cpu-get-icount.c file now gets
> pulled in for some reason. Try this on top:
> 
> diff --git a/stubs/cpu-get-icount.c b/stubs/cpu-get-icount.c
> index 35f0c1e..8da6646 100644
> --- a/stubs/cpu-get-icount.c
> +++ b/stubs/cpu-get-icount.c
> @@ -4,7 +4,7 @@
>  #include "sysemu/cpus.h"
>  #include "qemu/main-loop.h"
> 
> -int use_icount;
> +int use_icount __attribute__((weak));
> 
>  int64_t cpu_get_icount(void)
>  {
> 
> ... anyway, I'll ponder about that a little bit and will try to come up
> with a proper, mergeable patch instead.

See also

  https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg06734.html

on which I never followed up with the review changes that were requested.


r~


* Re: [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode
From: Thomas Huth @ 2019-02-07 12:36 UTC (permalink / raw)
  To: Richard Henderson, Giovanni Mascellani, Cornelia Huck, David Hildenbrand
  Cc: Bug 1815024, qemu-devel

On 2019-02-07 13:15, Richard Henderson wrote:
> On 2/7/19 12:01 PM, Thomas Huth wrote:
>> On 2019-02-07 12:46, Giovanni Mascellani wrote:
>>> Hi,
>>>
>>> On 07/02/19 12:26, Thomas Huth wrote:
>>>> The problem is rather that the STCK instruction is fenced with
>>>> "#ifndef CONFIG_USER_ONLY" ... quick-n-dirty hack to allow it:
>>>
>>> Thanks for the patch. Unfortunately on my system it fails with:
>>>
>>>   LINK    s390x-linux-user/qemu-s390x
>>> /usr/bin/ld: ../libqemuutil.a(cpu-get-icount.o):(.bss+0x0): multiple
>>> definition of `use_icount'; exec.o:(.bss+0x58): first defined here
>>> collect2: error: ld returned 1 exit status
>>> make[1]: *** [Makefile:207: qemu-s390x] Error 1
>>> make: *** [Makefile:432: subdir-s390x-linux-user] Error 2
>>>
>>> The error does not appear when compiling from current master.
>>
>> I just saw it, too. Seems like the stubs/cpu-get-icount.c file now gets
>> pulled in for some reason. Try this on top:
>>
>> diff --git a/stubs/cpu-get-icount.c b/stubs/cpu-get-icount.c
>> index 35f0c1e..8da6646 100644
>> --- a/stubs/cpu-get-icount.c
>> +++ b/stubs/cpu-get-icount.c
>> @@ -4,7 +4,7 @@
>>  #include "sysemu/cpus.h"
>>  #include "qemu/main-loop.h"
>>
>> -int use_icount;
>> +int use_icount __attribute__((weak));
>>
>>  int64_t cpu_get_icount(void)
>>  {
>>
>> ... anyway, I'll ponder about that a little bit and will try to come up
>> with a proper, mergeable patch instead.
> 
> See also
> 
>   https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg06734.html
> 
> which I never followed up on the review changes requested.

Ah, right, now that you've mentioned it, it rings a bell! Do you have
some spare time to respin the series, with using time2tod() in the
HELPER(stck) function?

 Thomas


* Re: [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode
From: Giovanni Mascellani @ 2019-02-07 13:00 UTC (permalink / raw)
  To: Richard Henderson, Thomas Huth, Cornelia Huck, David Hildenbrand
  Cc: Bug 1815024, qemu-devel

Hi,

On 07/02/19 13:15, Richard Henderson wrote:
> See also
> 
>   https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg06734.html
> 
> which I never followed up on the review changes requested.

I can confirm that both patches (Thomas' and Richard's) work for me.
Although they produce rather different results:

 Thomas' patch:   around 6346926678828662276
 Richard's patch: around 9048173079139739571

They also appear to grow at different speeds, if I am not mistaken. I
have no idea of what is correct, because I do not know s390x.

Thanks again for your interest, Giovanni.
-- 
Giovanni Mascellani <g.mascellani@gmail.com>
Postdoc researcher - Université Libre de Bruxelles


* Re: [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode
From: Richard Henderson @ 2019-02-07 13:05 UTC (permalink / raw)
  To: Thomas Huth, Giovanni Mascellani, Cornelia Huck, David Hildenbrand
  Cc: Bug 1815024, qemu-devel

On 2/7/19 12:36 PM, Thomas Huth wrote:
> On 2019-02-07 13:15, Richard Henderson wrote:
>> See also
>>
>>   https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg06734.html
>>
>> which I never followed up on the review changes requested.
> 
> Ah, right, now that you've mentioned it, it rings a bell! Do you have
> some spare time to respin the series, with using time2tod() in the
> HELPER(stck) function?

I'll try to do so tomorrow.


r~


* Re: [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode
From: Thomas Huth @ 2019-02-07 13:09 UTC (permalink / raw)
  To: Giovanni Mascellani, Richard Henderson, Cornelia Huck, David Hildenbrand
  Cc: Bug 1815024, qemu-devel

On 2019-02-07 14:00, Giovanni Mascellani wrote:
> Hi,
> 
> On 07/02/19 13:15, Richard Henderson wrote:
>> See also
>>
>>   https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg06734.html
>>
>> which I never followed up on the review changes requested.
> 
> I can confirm that both patches (Thomas' and Richard's) work for me.
> Although they produce rather different results:
> 
>  Thomas' patch:   around 6346926678828662276
>  Richard's patch: around 9048173079139739571
> 
> They also appear to grow at different speeds, if I am not mistaken. I
> have no idea of what is correct, because I do not know s390x.

Both are wrong. I missed adding the TOD_UNIX_EPOCH offset, and Richard
missed using the time2tod() conversion.

Anyway, I yield to Richard's patches since he posted his patches first
(unless he does not have any spare time to work on it at all, then I
could have another look).

 Thomas
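Added example (not code from QEMU or from any participant in this thread): the s390 TOD clock counts 2^-12 microsecond units from 1900-01-01 UTC, so a user-mode STCK built from a nanosecond-since-1970 clock needs both the 512/125 scaling that time2tod() performs and the TOD_UNIX_EPOCH offset. The conversions below follow the arithmetic in Thomas' hunk and QEMU's time2tod()/tod2time(); the epoch constant is QEMU's (2208988800 s times 4096000000 units/s), and decoding the "Thomas' patch" number reported above back to Unix time is my own check, not something the thread states.

```c
#include <stdint.h>
#include <stdio.h>

/* One TOD unit is 2^-12 us (bit 51 of the 64-bit clock is 1 us), so
 * 1 s = 4096000000 units and 1 ns = 512/125 units. The TOD epoch is
 * 1900-01-01 00:00 UTC; QEMU's clocks count ns since 1970-01-01, and the
 * distance between the two epochs, in TOD units, is TOD_UNIX_EPOCH. */
#define TOD_UNIX_EPOCH 0x7d91048bca000000ULL   /* 2208988800 s * 4096000000 */

/* ns -> TOD units, as QEMU's time2tod() does it: the low 55 bits are scaled
 * with a shift so that (ns << 9) cannot overflow, and the top 9 bits are
 * scaled separately and shifted back into place. */
static uint64_t time2tod(uint64_t ns)
{
    return (ns << 9) / 125 + (((ns & 0xff80000000000000ULL) / 125) << 9);
}

/* TOD units -> ns, the inverse conversion (QEMU's tod2time()). */
static uint64_t tod2time(uint64_t tod)
{
    return ((tod >> 9) * 125) + (((tod & 0x1ff) * 125) >> 9);
}

/* What a user-mode STCK should store for a reading of `unix_ns` nanoseconds
 * since 1970: scale to TOD units *and* add the epoch offset. Dropping the
 * offset (Thomas' first hunk) or the scaling (what Thomas says Richard's
 * version did) yields values with a different origin from system mode. */
static uint64_t stck_from_unix_ns(uint64_t unix_ns)
{
    return TOD_UNIX_EPOCH + time2tod(unix_ns);
}

/* Decode a value produced *without* the epoch offset back to Unix seconds,
 * which is how the number below can be checked against the thread's date. */
static uint64_t unix_seconds_without_epoch(uint64_t tod)
{
    return tod2time(tod) / 1000000000ULL;
}

/* The "Thomas' patch" reading quoted in the thread (constructed input). */
#define THREAD_VALUE_NO_EPOCH 6346926678828662276ULL

int main(void)
{
    uint64_t secs = unix_seconds_without_epoch(THREAD_VALUE_NO_EPOCH);

    /* 1549542646 s is 2019-02-07 12:30:46 UTC, the day of the thread */
    printf("reading without epoch offset = %llu Unix seconds\n",
           (unsigned long long)secs);
    printf("correct STCK for that instant = %llu\n",
           (unsigned long long)stck_from_unix_ns(secs * 1000000000ULL));
    return 0;
}
```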


* [Qemu-devel] [Bug 1815024] Re: SIGILL on instruction "stck" under qemu-s390x in user mode
  2019-02-07  9:46 [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode Giovanni Mascellani
                   ` (3 preceding siblings ...)
  2019-02-07 10:49 ` [Qemu-devel] [Bug 1815024] [NEW] " Cornelia Huck
@ 2019-02-22 15:24 ` Thomas Huth
  2019-04-24  6:09 ` Thomas Huth
  5 siblings, 0 replies; 16+ messages in thread
From: Thomas Huth @ 2019-02-22 15:24 UTC (permalink / raw)
  To: qemu-devel

Fix has been merged:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=965018bea7ce79e1987

** Changed in: qemu
       Status: New => Fix Committed


* [Qemu-devel] [Bug 1815024] Re: SIGILL on instruction "stck" under qemu-s390x in user mode
  2019-02-07  9:46 [Qemu-devel] [Bug 1815024] [NEW] SIGILL on instruction "stck" under qemu-s390x in user mode Giovanni Mascellani
                   ` (4 preceding siblings ...)
  2019-02-22 15:24 ` [Qemu-devel] [Bug 1815024] " Thomas Huth
@ 2019-04-24  6:09 ` Thomas Huth
  5 siblings, 0 replies; 16+ messages in thread
From: Thomas Huth @ 2019-04-24  6:09 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: Fix Committed => Fix Released
