From patchwork Tue Mar 28 11:09:31 2017
X-Patchwork-Submitter: Alex Bennée
X-Patchwork-Id: 96141
From: Alex Bennée
To: peter.maydell@linaro.org
Cc: Riku Voipio, Alex Bennée, qemu-devel@nongnu.org
Date: Tue, 28 Mar 2017 12:09:31 +0100
Message-Id: <20170328110936.24806-2-alex.bennee@linaro.org>
In-Reply-To: <20170328110936.24806-1-alex.bennee@linaro.org>
References: <20170328110936.24806-1-alex.bennee@linaro.org>
X-Mailer: git-send-email 2.11.0
Subject: [Qemu-devel] [PULL 1/6] user-exec: handle synchronous signals from QEMU gracefully

When "tcg: enable thread-per-vCPU" (commit 3725794) was merged the
lifetime of current_cpu was changed. Previously a broken linux-user
call might abort() which can eventually escalate into a SIGSEGV which
would then crash qemu as it attempted to deref a NULL current_cpu.
After commit 3725794 it would attempt to fixup state and re-start the
run-loop and much hilarity (i.e. a looping lockup) would ensue from
jumping into a stale jmp_env.

As we can actually tell if we are in the run-loop from looking at the
cpu->running flag we should catch this badness first and abort()
cleanly rather than try to soldier on. There is a theoretical race
between the flag being set and sigsetjmp refreshing the jump buffer
but we can try really hard to not introduce crashes into that code.

[LV: setgroups03 fails on powerpc LTP]

Reported-by: Laurent Vivier
Signed-off-by: Alex Bennée
Reviewed-by: Richard Henderson
Reviewed-by: Paolo Bonzini
---
 user-exec.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

-- 
2.11.0

diff --git a/user-exec.c b/user-exec.c
index 6db075884d..a8f95fa1e1 100644
--- a/user-exec.c
+++ b/user-exec.c
@@ -57,10 +57,23 @@ static void cpu_exit_tb_from_sighandler(CPUState *cpu, sigset_t *old_set) static inline int handle_cpu_signal(uintptr_t pc, unsigned long address, int is_write, sigset_t *old_set) { - CPUState *cpu; + CPUState *cpu = current_cpu; CPUClass *cc; int ret; + /* For synchronous signals we expect to be coming from the vCPU + * thread (so current_cpu should be valid) and either from running + * code or during translation which can fault as we cross pages. + * + * If neither is true then something has gone wrong and we should + * abort rather than try and restart the vCPU execution. + */ + if (!cpu || !cpu->running) { + printf("qemu:%s received signal outside vCPU context @ pc=0x%" + PRIxPTR "\n", __func__, pc); + abort(); + } + #if defined(DEBUG_SIGNAL) printf("qemu: SIGSEGV pc=0x%08lx address=%08lx w=%d oldset=0x%08lx\n", pc, address, is_write, *(unsigned long *)old_set); @@ -83,7 +96,7 @@ static inline int handle_cpu_signal(uintptr_t pc, unsigned long address, * currently executing TB was modified and must be exited * immediately. */ - cpu_exit_tb_from_sighandler(current_cpu, old_set); + cpu_exit_tb_from_sighandler(cpu, old_set); g_assert_not_reached(); default: g_assert_not_reached(); @@ -94,7 +107,6 @@ static inline int handle_cpu_signal(uintptr_t pc, unsigned long address, are still valid segv ones */ address = h2g_nocheck(address); - cpu = current_cpu; cc = CPU_GET_CLASS(cpu); /* see if it is an MMU fault */ g_assert(cc->handle_mmu_fault);
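Review bot: in the first hunk the new diagnostic goes through printf() to stdout, which is fully buffered when stdout is a file or a pipe, and abort() does not flush stdio buffers, so the "received signal outside vCPU context" message can be lost in exactly the situation it is meant to explain; `fprintf(stderr, ...)` (unbuffered by default) would make it reliably visible before the SIGABRT. Since this code runs inside a signal handler, stdio is also not async-signal-safe; that is tolerable on a path that ends in abort(), but a one-line comment saying so would stop a later reader from treating it as a precedent. The `!cpu || !cpu->running` test reads the flag without synchronisation, which is only sound because a synchronous fault is raised on the same thread that sets `cpu->running`; the block comment could state that assumption explicitly.

Review bot: in the second hunk, replacing `current_cpu` with the local `cpu` in the `cpu_exit_tb_from_sighandler(cpu, old_set)` call is a pure consistency change and is correct, because the local is initialised from `current_cpu` and NULL-checked at function entry; no further change is needed, but it is worth confirming that no other direct reads of `current_cpu` remain in this function beyond the ones this patch touches.

Review bot: in the third hunk, dropping `cpu = current_cpu;` ahead of `cc = CPU_GET_CLASS(cpu);` is safe only because the entry check added in the first hunk now guarantees `cpu` is valid; a short comment at the `cc = CPU_GET_CLASS(cpu);` line (for example `/* cpu was validated at function entry */`) would document that dependency for anyone who later sees the assignment gone and wonders where `cpu` comes from.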