From patchwork Tue Mar 28 08:36:18 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Alex_Benn=C3=A9e?= X-Patchwork-Id: 96111 Delivered-To: patch@linaro.org Received: by 10.140.89.233 with SMTP id v96csp1600952qgd; Tue, 28 Mar 2017 01:36:52 -0700 (PDT) X-Received: by 10.200.54.136 with SMTP id a8mr26832991qtc.185.1490690212057; Tue, 28 Mar 2017 01:36:52 -0700 (PDT) Return-Path: Received: from lists.gnu.org (lists.gnu.org. [2001:4830:134:3::11]) by mx.google.com with ESMTPS id a39si2902463qkh.236.2017.03.28.01.36.51 for (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 28 Mar 2017 01:36:52 -0700 (PDT) Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 2001:4830:134:3::11 as permitted sender) client-ip=2001:4830:134:3::11; Authentication-Results: mx.google.com; dkim=fail header.i=@linaro.org; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 2001:4830:134:3::11 as permitted sender) smtp.mailfrom=qemu-devel-bounces+patch=linaro.org@nongnu.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from localhost ([::1]:51563 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1csmcV-0008Hh-G7 for patch@linaro.org; Tue, 28 Mar 2017 04:36:51 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:34161) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1csmc9-0008GM-8P for qemu-devel@nongnu.org; Tue, 28 Mar 2017 04:36:32 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1csmc7-000148-KK for qemu-devel@nongnu.org; Tue, 28 Mar 2017 04:36:29 -0400 Received: from mail-wr0-x230.google.com ([2a00:1450:400c:c0c::230]:33584) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1csmc7-00013R-EC for qemu-devel@nongnu.org; Tue, 28 Mar 2017 04:36:27 -0400 Received: by mail-wr0-x230.google.com with SMTP id w43so79527968wrb.0 for ; Tue, 28 Mar 2017 01:36:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=GD8ZnZqGLLy0X89YV8OJ53xghC4jA3XIV3HFKJxdLcU=; b=AZypt11rXwLORb2qvXUZ1bZcidYuO/TBv2Ki6wEBjmy136hGr3Um9rdb02DrzfuWYL XbaQorw+8+dJAogBuL416nqvWrBeRl0kQrS8imfmQ0EhN9VkPLEEhin5ndEuddxwNgdT 7F5aqOdW76QP8SISKc62fLrD2bHyihXbUuoAQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=GD8ZnZqGLLy0X89YV8OJ53xghC4jA3XIV3HFKJxdLcU=; b=bfh85n90xG/JlOGyPRpIpHRtY9sHGkAsKjSYOJ+hBNqLE2J/kCjmVnRWNJZlTUKM3t LpNwCzyN0WeB8iDbBONnMVIYzH3YifVB4Uwk7Z0n2S2/i1QnnAqsEreEOT4y/sOkUMHf N9gTH+ioLF77puMEikeifk+jPP3REGII8PaXMgRUjY0OfKmi7MIRPz6prP033hMjk/XS bP8GgoWiPtOG4aumsgpJrvFry8PbImd4xnArQxnhHxgiTK865lUMcoKbu72zS35tmUZ2 nwB3QoI239jYmQwSWE/p184GQ2Fzu4Elks4nXX8ZaRya9j/tBjh3r2VVCiaxyuMzIpIp sSzw== X-Gm-Message-State: AFeK/H2CLhw8wPmFbl2EcoNqRtCymUfdReKUxXgx//4PGO7Or4i08/4Ml3yuksO2QqTDCuWM X-Received: by 10.28.230.204 with SMTP id e73mr13530725wmi.89.1490690185366; Tue, 28 Mar 2017 01:36:25 -0700 (PDT) Received: from zen.linaro.local ([81.128.185.34]) by smtp.gmail.com with ESMTPSA id e16sm3868381wra.62.2017.03.28.01.36.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Mar 2017 01:36:23 -0700 (PDT) Received: from zen.linaroharston (localhost [127.0.0.1]) by zen.linaro.local (Postfix) with ESMTP id 3E34B3E053E; Tue, 28 Mar 2017 09:36:23 +0100 (BST) From: =?utf-8?q?Alex_Benn=C3=A9e?= To: peter.maydell@linaro.org, rth@twiddle.net, pbonzini@redhat.com, kraxel@redhat.com Date: Tue, 28 Mar 2017 09:36:18 +0100 Message-Id: <20170328083623.10396-2-alex.bennee@linaro.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20170328083623.10396-1-alex.bennee@linaro.org> References: <20170328083623.10396-1-alex.bennee@linaro.org> MIME-Version: 1.0 X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2a00:1450:400c:c0c::230 Subject: [Qemu-devel] [PATCH v2 1/6] user-exec: handle synchronous signals from QEMU gracefully X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: mttcg@listserver.greensocs.com, nikunj@linux.vnet.ibm.com, Riku Voipio , a.rigo@virtualopensystems.com, qemu-devel@nongnu.org, cota@braap.org, bobby.prani@gmail.com, =?utf-8?q?Alex_Benn=C3=A9e?= , fred.konrad@greensocs.com Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: "Qemu-devel" When "tcg: enable thread-per-vCPU" (commit 3725794) was merged the lifetime of current_cpu was changed. Previously a broken linux-user call might abort() which can eventually escalate into a SIGSEGV which would then crash qemu as it attempted to deref a NULL current_cpu. After commit 3725794 it would attempt to fixup state and re-start the run-loop and much hilarity (i.e. a looping lockup) would ensue from jumping into a stale jmp_env. As we can actually tell if we are in the run-loop from looking at the cpu->running flag we should catch this badness first and abort() cleanly rather than try to soldier on. There is a theoretical race between the flag being set and sigsetjmp refreshing the jump buffer but we can try really hard to not introduce crashes into that code. [LV: setgroups03 fails on powerpc LTP] Reported-by: Laurent Vivier Signed-off-by: Alex Bennée Reviewed-by: Richard Henderson --- user-exec.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) -- 2.11.0 diff --git a/user-exec.c b/user-exec.c index 6db075884d..a8f95fa1e1 100644 --- a/user-exec.c +++ b/user-exec.c @@ -57,10 +57,23 @@ static void cpu_exit_tb_from_sighandler(CPUState *cpu, sigset_t *old_set) static inline int handle_cpu_signal(uintptr_t pc, unsigned long address, int is_write, sigset_t *old_set) { - CPUState *cpu; + CPUState *cpu = current_cpu; CPUClass *cc; int ret; + /* For synchronous signals we expect to be coming from the vCPU + * thread (so current_cpu should be valid) and either from running + * code or during translation which can fault as we cross pages. + * + * If neither is true then something has gone wrong and we should + * abort rather than try and restart the vCPU execution. + */ + if (!cpu || !cpu->running) { + printf("qemu:%s received signal outside vCPU context @ pc=0x%" + PRIxPTR "\n", __func__, pc); + abort(); + } + #if defined(DEBUG_SIGNAL) printf("qemu: SIGSEGV pc=0x%08lx address=%08lx w=%d oldset=0x%08lx\n", pc, address, is_write, *(unsigned long *)old_set); @@ -83,7 +96,7 @@ static inline int handle_cpu_signal(uintptr_t pc, unsigned long address, * currently executing TB was modified and must be exited * immediately. */ - cpu_exit_tb_from_sighandler(current_cpu, old_set); + cpu_exit_tb_from_sighandler(cpu, old_set); g_assert_not_reached(); default: g_assert_not_reached(); @@ -94,7 +107,6 @@ static inline int handle_cpu_signal(uintptr_t pc, unsigned long address, are still valid segv ones */ address = h2g_nocheck(address); - cpu = current_cpu; cc = CPU_GET_CLASS(cpu); /* see if it is an MMU fault */ g_assert(cc->handle_mmu_fault);