* [PATCH] accel/tcg: Fix translation exception on invalid instruction
@ 2021-04-13 13:23 Ilya Leoshkevich
  2021-04-13 15:29 ` Richard Henderson
  0 siblings, 1 reply; 2+ messages in thread
From: Ilya Leoshkevich @ 2021-04-13 13:23 UTC (permalink / raw)
  To: Richard Henderson, Paolo Bonzini
  Cc: Christian Borntraeger, Cornelia Huck, qemu-devel,
	Ilya Leoshkevich, David Hildenbrand

Hitting an uretprobe in a s390x TCG guest causes a SIGSEGV. What
happens is:

* uretprobe maps a userspace page containing an invalid instruction.
* uretprobe replaces the target function's return address with the
  address of that page.
* When tb_gen_code() is called on that page, tb->size ends up being 0
  (because the page starts with the invalid instruction), which causes
  virt_page2 to point to the previous page.
* The previous page is not mapped, so this causes a spurious
  translation exception.

Fix by special-casing tb->size == 0: since there is no useful code, we
don't need to link pages in this case.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
---
 accel/tcg/translate-all.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index ba6ab09790..77043b98c4 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -1848,7 +1848,6 @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     CPUArchState *env = cpu->env_ptr;
     TranslationBlock *tb, *existing_tb;
     tb_page_addr_t phys_pc, phys_page2;
-    target_ulong virt_page2;
     tcg_insn_unit *gen_code_buf;
     int gen_code_size, search_size, max_insns;
 #ifdef CONFIG_PROFILER
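Review bot: removing the function-scope declaration of virt_page2 here only stays correct together with the second hunk, which redeclares the variable inside the new `if (tb->size != 0)` block; narrowing the scope is a reasonable style improvement, but the commit message says nothing about it, so a short note that the variable moved rather than went away would help anyone reading this hunk in isolation.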
@@ -2085,11 +2084,15 @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     }
 
     /* check next page if needed */
-    virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
     phys_page2 = -1;
-    if ((pc & TARGET_PAGE_MASK) != virt_page2) {
-        phys_page2 = get_page_addr_code(env, virt_page2);
+    if (tb->size != 0) {
+        target_ulong virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
+
+        if ((pc & TARGET_PAGE_MASK) != virt_page2) {
+            phys_page2 = get_page_addr_code(env, virt_page2);
+        }
     }
+
     /*
      * No explicit memory barrier is required -- tb_link_page() makes the
      * TB visible in a consistent state.
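Review bot: guarding the second-page lookup with `tb->size != 0` suppresses the symptom without addressing why a zero-length TB exists at all. The spurious fault comes from `(pc + tb->size - 1) & TARGET_PAGE_MASK` evaluating to `pc - 1` when tb->size is 0, which for a page-aligned pc selects the previous page; but, as the follow-up reply points out, the translator producing a size-0 TB for an illegal instruction is the actual defect, and the TB still has to be linked to its page so that later writes to that page invalidate it. Rather than this guard, fix the target/s390x translator to report the bytes consumed by the invalid instruction and add a check such as `assert(tb->size != 0)` after translation so the underflow cannot recur silently; if the guard is kept anyway, the "check next page if needed" comment should state why tb->size can be zero here.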
-- 
2.29.2


* Re: [PATCH] accel/tcg: Fix translation exception on invalid instruction
  2021-04-13 13:23 [PATCH] accel/tcg: Fix translation exception on invalid instruction Ilya Leoshkevich
@ 2021-04-13 15:29 ` Richard Henderson
From: Richard Henderson @ 2021-04-13 15:29 UTC (permalink / raw)
  To: Ilya Leoshkevich, Paolo Bonzini
  Cc: Christian Borntraeger, Cornelia Huck, qemu-devel, David Hildenbrand

On 4/13/21 6:23 AM, Ilya Leoshkevich wrote:
> * When tb_gen_code() is called on that page, tb->size ends up being 0

This is the bug, in target/s390x.  Perhaps we need to add an assert that size 
!= 0 after translation...


> Fix by special-casing tb->size == 0: since there is no useful code, we
> don't need to link pages in this case.

Yes we do, because we need to link to the page to notice when changes to that 
page occur.

While this won't happen in the specific case of uretprobe, it affects every 
other instance of a TB which begins with an illegal instruction.


r~

