From patchwork Tue Jan 23 14:47:55 2018
X-Patchwork-Submitter: Laurent Vivier
X-Patchwork-Id: 125523
Delivered-To: patch@linaro.org
From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Tue, 23 Jan 2018 15:47:55 +0100
Message-Id: <20180123144807.5618-2-laurent@vivier.eu>
X-Mailer: git-send-email 2.14.3
In-Reply-To: <20180123144807.5618-1-laurent@vivier.eu>
References: <20180123144807.5618-1-laurent@vivier.eu>
MIME-Version: 1.0
Subject: [Qemu-devel] [PULL 01/13] linux-user: Fix locking order in fork_start()
X-BeenThere: qemu-devel@nongnu.org
Cc: Peter Maydell, qemu-stable@nongnu.org, Laurent Vivier
Sender: "Qemu-devel"
From: Peter Maydell

Our locking order is that the tb lock should be taken inside the mmap_lock, but fork_start() grabs locks the other way around. This means that if a heavily multithreaded guest process (such as Java) calls fork() it can deadlock, with the thread that called fork() stuck in fork_start() with the tb lock and waiting for the mmap lock, but some other thread in tb_find() with the mmap lock and waiting for the tb lock.

The cpu_list_lock() should also always be taken last, not first.

Fix this by making fork_start() grab the locks in the right order. The order in which we drop locks doesn't matter, so we leave fork_end() the way it is.

Signed-off-by: Peter Maydell
Cc: qemu-stable@nongnu.org
Reviewed-by: Paolo Bonzini
Reviewed-by: Alex Bennée
Message-Id: <1512397331-15238-1-git-send-email-peter.maydell@linaro.org>
Signed-off-by: Laurent Vivier
---
 linux-user/main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 2.14.3

diff --git a/linux-user/main.c b/linux-user/main.c
index 450eb3ce65..e8406917e3 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -127,9 +127,9 @@ int cpu_get_pic_interrupt(CPUX86State *env) /* Make sure everything is in a consistent state for calling fork(). */ void fork_start(void) { - cpu_list_lock(); - qemu_mutex_lock(&tb_ctx.tb_lock); mmap_fork_start(); + qemu_mutex_lock(&tb_ctx.tb_lock); + cpu_list_lock(); } void fork_end(int child)
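Review bot: the required acquisition order (mmap_lock, then tb_lock, then cpu_list_lock last) now lives only in the commit message; the existing comment above fork_start() just says "Make sure everything is in a consistent state", so a one-line comment stating that order, and that it must match the order used by tb_find(), would keep a later edit from reintroducing the inversion. It could also record what the commit message says about fork_end(): the release order there is intentionally left unchanged.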
From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Tue, 23 Jan 2018 15:47:56 +0100
Message-Id: <20180123144807.5618-3-laurent@vivier.eu>
In-Reply-To: <20180123144807.5618-1-laurent@vivier.eu>
References: <20180123144807.5618-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PULL 02/13] linux-user: wrap fork() in a start/end exclusive section
Cc: Peter Maydell, Laurent Vivier
From: Peter Maydell

When we do a fork() in usermode emulation, we need to be in a start/end exclusive section, so that we can ensure that no other thread is in an RCU section. Otherwise you can get this deadlock:
- fork thread: has mmap_lock, waits for rcu_sync_lock (because rcu_init_lock() is registered as a pthread_atfork() hook)
- RCU thread: has rcu_sync_lock, waits for rcu_read_(un)lock
- another CPU thread: in RCU critical section, waits for mmap_lock

This can show up if you have a heavily multithreaded guest program that does a fork().

Signed-off-by: Peter Maydell
Reported-by: Stuart Monteith
Message-Id: <1512650481-1723-1-git-send-email-peter.maydell@linaro.org>
Signed-off-by: Laurent Vivier
---
 linux-user/main.c | 5 +++++
 1 file changed, 5 insertions(+)

-- 2.14.3

diff --git a/linux-user/main.c b/linux-user/main.c
index e8406917e3..2140465709 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -127,6 +127,7 @@ int cpu_get_pic_interrupt(CPUX86State *env) /* Make sure everything is in a consistent state for calling fork(). */ void fork_start(void) { + start_exclusive(); mmap_fork_start(); qemu_mutex_lock(&tb_ctx.tb_lock); cpu_list_lock();
@@ -147,9 +148,13 @@ void fork_end(int child) qemu_mutex_init(&tb_ctx.tb_lock); qemu_init_cpu_list(); gdbserver_fork(thread_cpu); + /* qemu_init_cpu_list() takes care of reinitializing the + * exclusive state, so we don't need to end_exclusive() here. + */ } else { qemu_mutex_unlock(&tb_ctx.tb_lock); cpu_list_unlock(); + end_exclusive(); } }
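Review bot: the parent branch of fork_end() gets no comment to match the new child-branch one, so the reason end_exclusive() is placed after cpu_list_unlock() rather than before it is undocumented; a short note there (or a sentence in the commit message) should say whether that position is required or simply mirrors fork_start(), where start_exclusive() is now taken before mmap_fork_start() and the other locks. The same sentence could spell out which of the three threads in the deadlock description the exclusive section forces to quiesce, since that is the argument for why the ordering breaks the cycle.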
From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Tue, 23 Jan 2018 15:47:57 +0100
Message-Id: <20180123144807.5618-4-laurent@vivier.eu>
In-Reply-To: <20180123144807.5618-1-laurent@vivier.eu>
References: <20180123144807.5618-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PULL 03/13] linux-user: Fix length calculations in host_to_target_cmsg()
Cc: Peter Maydell, Laurent Vivier
From: Peter Maydell

The handling of length calculations in host_to_target_cmsg() was rather confused:
* when checking for whether the target cmsg header fit in the remaining buffer, we were using the host struct size, not the target size
* we were setting tgt_len to "target payload + header length" but then using it as if it were the target payload length alone
* in various message type cases we weren't handling the possibility that host or target buffers were truncated

Fix these problems. The second one in particular is liable to result in us overrunning the guest provided buffer, since we will try to convert more data than is actually present.

Fixes: https://bugs.launchpad.net/qemu/+bug/1701808
Reported-by: Bruno Haible
Signed-off-by: Peter Maydell
Message-Id: <1513345976-22958-2-git-send-email-peter.maydell@linaro.org>
Signed-off-by: Laurent Vivier
---
 linux-user/syscall.c | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

-- 2.14.3

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 11c9116c4a..a1b9772a85 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1782,7 +1782,7 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, * to the guest via the CTRUNC bit), unlike truncation * in target_to_host_cmsg, which is a QEMU bug. */ - if (msg_controllen < sizeof(struct cmsghdr)) { + if (msg_controllen < sizeof(struct target_cmsghdr)) { target_msgh->msg_flags |= tswap32(MSG_CTRUNC); break; }
@@ -1794,8 +1794,6 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, } target_cmsg->cmsg_type = tswap32(cmsg->cmsg_type); - tgt_len = TARGET_CMSG_LEN(len); - /* Payload types which need a different size of payload on * the target must adjust tgt_len here. */
@@ -1809,12 +1807,13 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, break; } default: + tgt_len = len; break; } - if (msg_controllen < tgt_len) { + if (msg_controllen < TARGET_CMSG_LEN(tgt_len)) { target_msgh->msg_flags |= tswap32(MSG_CTRUNC); - tgt_len = msg_controllen; + tgt_len = msg_controllen - sizeof(struct target_cmsghdr); } /* We must now copy-and-convert len bytes of payload @@ -1875,6 +1874,10 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, uint32_t *v = (uint32_t *)data; uint32_t *t_int = (uint32_t *)target_data; + if (len != sizeof(uint32_t) || + tgt_len != sizeof(uint32_t)) { + goto unimplemented; + } __put_user(*v, t_int); break; } @@ -1888,6 +1891,10 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, struct errhdr_t *target_errh = (struct errhdr_t *)target_data; + if (len != sizeof(struct errhdr_t) || + tgt_len != sizeof(struct errhdr_t)) { + goto unimplemented; + } __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); @@ -1911,6 +1918,10 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, uint32_t *v = (uint32_t *)data; uint32_t *t_int = (uint32_t *)target_data; + if (len != sizeof(uint32_t) || + tgt_len != sizeof(uint32_t)) { + goto unimplemented; + } __put_user(*v, t_int); break; } @@ -1924,6 +1935,10 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, struct errhdr6_t *target_errh = (struct errhdr6_t *)target_data; + if (len != sizeof(struct errhdr6_t) || + tgt_len != sizeof(struct errhdr6_t)) { + goto unimplemented; + } __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); 
@@ -1950,8 +1965,8 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, } } - target_cmsg->cmsg_len = tswapal(tgt_len); - tgt_space = TARGET_CMSG_SPACE(len); + target_cmsg->cmsg_len = tswapal(TARGET_CMSG_LEN(tgt_len)); + tgt_space = TARGET_CMSG_SPACE(tgt_len); if (msg_controllen < tgt_space) { tgt_space = msg_controllen; }
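Review bot: the four new `goto unimplemented` guards require both len and tgt_len to equal the fixed payload size, so a guest buffer truncated mid-payload (MSG_CTRUNC already set by the `msg_controllen < TARGET_CMSG_LEN(tgt_len)` check) now takes the unimplemented path instead of writing a partial value; that avoids a half-converted field, but the commit message only says truncation is now "handled", so it should state that a truncated fixed-size payload is dropped rather than partially copied. Separately, `tgt_len = msg_controllen - sizeof(struct target_cmsghdr)` cannot underflow only because of the `msg_controllen < sizeof(struct target_cmsghdr)` break some twenty lines earlier; a comment at the subtraction pointing at that check would make the dependency visible.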
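To make the overrun described in the commit message concrete, here is an added C model (example code, not QEMU's) of the cmsg length accounting before and after this patch; it assumes a 64-bit host with a 16-byte struct cmsghdr and a 32-bit guest with a 4-byte abi_long, and the names plan_old, plan_fixed and cmsg_plan are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not QEMU code: a 64-bit host whose struct cmsghdr is
 * 16 bytes, emulating a 32-bit guest whose abi_long is 4 bytes, so the
 * target_cmsghdr (cmsg_len, cmsg_level, cmsg_type) is 12 bytes. */
#define HOST_CMSGHDR_SIZE   16u
#define TARGET_CMSGHDR_SIZE 12u
#define TARGET_ABI_LONG      4u

/* TARGET_CMSG_ALIGN/LEN/SPACE as defined after PULL 04/13 in this series. */
static size_t target_cmsg_align(size_t len)
{
    return (len + TARGET_ABI_LONG - 1) & ~(size_t)(TARGET_ABI_LONG - 1);
}
static size_t target_cmsg_len(size_t len)   { return TARGET_CMSGHDR_SIZE + len; }
static size_t target_cmsg_space(size_t len) { return TARGET_CMSGHDR_SIZE + target_cmsg_align(len); }

struct cmsg_plan {
    bool   ctrunc;        /* MSG_CTRUNC reported to the guest */
    size_t payload_bytes; /* payload bytes a tgt_len-driven case handler writes */
    size_t space;         /* guest control buffer consumed by this cmsg */
    bool   overrun;       /* header + payload exceed the guest space left */
    bool   overread;      /* handler converts more bytes than the host has */
};

/* Accounting as in the fixed host_to_target_cmsg(): tgt_len is the payload
 * length alone; the header is added back via TARGET_CMSG_LEN when needed. */
static struct cmsg_plan plan_fixed(size_t host_cmsg_len, size_t msg_controllen)
{
    struct cmsg_plan p = {0};
    size_t len = host_cmsg_len - HOST_CMSGHDR_SIZE;     /* host payload bytes */

    if (msg_controllen < TARGET_CMSGHDR_SIZE) {        /* no room for a header */
        p.ctrunc = true;
        return p;
    }
    size_t tgt_len = len;                               /* the "default:" case */
    if (msg_controllen < target_cmsg_len(tgt_len)) {
        p.ctrunc = true;
        tgt_len = msg_controllen - TARGET_CMSGHDR_SIZE; /* safe: checked above */
    }
    p.payload_bytes = tgt_len;
    p.space = target_cmsg_space(tgt_len);
    if (msg_controllen < p.space) {
        p.space = msg_controllen;
    }
    p.overrun  = TARGET_CMSGHDR_SIZE + p.payload_bytes > msg_controllen;
    p.overread = p.payload_bytes > len;
    return p;
}

/* Pre-patch accounting reconstructed from the removed lines: the header
 * check used the host struct size, and tgt_len held header + payload but
 * the case handlers consumed it as the payload length. */
static struct cmsg_plan plan_old(size_t host_cmsg_len, size_t msg_controllen)
{
    struct cmsg_plan p = {0};
    size_t len = host_cmsg_len - HOST_CMSGHDR_SIZE;

    if (msg_controllen < HOST_CMSGHDR_SIZE) {           /* wrong struct size */
        p.ctrunc = true;
        return p;
    }
    size_t tgt_len = target_cmsg_len(len);              /* header included... */
    if (msg_controllen < tgt_len) {
        p.ctrunc = true;
        tgt_len = msg_controllen;
    }
    p.payload_bytes = tgt_len;                          /* ...used as payload */
    p.space = target_cmsg_space(len);
    if (msg_controllen < p.space) {
        p.space = msg_controllen;
    }
    p.overrun  = TARGET_CMSGHDR_SIZE + p.payload_bytes > msg_controllen;
    p.overread = p.payload_bytes > len;
    return p;
}

static void show(const char *tag, struct cmsg_plan p)
{
    printf("%-6s ctrunc=%d payload=%zu space=%zu overrun=%d overread=%d\n",
           tag, p.ctrunc, p.payload_bytes, p.space, p.overrun, p.overread);
}

int main(void)
{
    /* Constructed input: an 8-byte host payload (24-byte host cmsg) and a
     * guest with only 16 bytes of control buffer left, then a roomy guest. */
    show("old", plan_old(24, 16));     /* 16 payload bytes after a 12-byte header: overrun */
    show("fixed", plan_fixed(24, 16)); /* 4 payload bytes + header = exactly 16 */
    show("old", plan_old(24, 64));     /* converts 20 bytes although the host has 8 */
    show("fixed", plan_fixed(24, 64));
    return 0;
}
```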
From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Tue, 23 Jan 2018 15:47:58 +0100
Message-Id: <20180123144807.5618-5-laurent@vivier.eu>
In-Reply-To: <20180123144807.5618-1-laurent@vivier.eu>
References: <20180123144807.5618-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PULL 04/13] linux-user: Don't use CMSG_ALIGN(sizeof struct cmsghdr)
Cc: Peter Maydell, Laurent Vivier
From: Peter Maydell

The Linux struct cmsghdr is already guaranteed to be sufficiently aligned that CMSG_ALIGN(sizeof struct cmsghdr) is always equal to sizeof struct cmsghdr. Stop doing the unnecessary alignment arithmetic for host and target cmsghdr.

This follows kernel commit 1ff8cebf49ed9e9ca2 and brings our TARGET_CMSG_* macros back into line with the kernel ones, as well as making them easier to understand.

Signed-off-by: Peter Maydell
Reviewed-by: Laurent Vivier
Message-Id: <1513345976-22958-3-git-send-email-peter.maydell@linaro.org>
Signed-off-by: Laurent Vivier
---
 linux-user/syscall.c      | 4 ++--
 linux-user/syscall_defs.h | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

-- 2.14.3

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index a1b9772a85..39553c81b6 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1692,7 +1692,7 @@ static inline abi_long target_to_host_cmsg(struct msghdr *msgh, void *target_data = TARGET_CMSG_DATA(target_cmsg); int len = tswapal(target_cmsg->cmsg_len) - - TARGET_CMSG_ALIGN(sizeof (struct target_cmsghdr)); + - sizeof(struct target_cmsghdr); space += CMSG_SPACE(len); if (space > msgh->msg_controllen) {
@@ -1773,7 +1773,7 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, void *data = CMSG_DATA(cmsg); void *target_data = TARGET_CMSG_DATA(target_cmsg); - int len = cmsg->cmsg_len - CMSG_ALIGN(sizeof (struct cmsghdr)); + int len = cmsg->cmsg_len - sizeof(struct cmsghdr); int tgt_len, tgt_space; /* We never copy a half-header but may copy half-data;
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index bec3680b94..a35c52a60a 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -303,9 +303,9 @@ struct target_cmsghdr { __target_cmsg_nxthdr(mhdr, cmsg, cmsg_start) #define TARGET_CMSG_ALIGN(len) (((len) + sizeof (abi_long) - 1) \ & (size_t) ~(sizeof (abi_long) - 1)) -#define TARGET_CMSG_SPACE(len) (TARGET_CMSG_ALIGN (len) \ - + TARGET_CMSG_ALIGN (sizeof (struct target_cmsghdr))) -#define TARGET_CMSG_LEN(len) (TARGET_CMSG_ALIGN (sizeof (struct target_cmsghdr)) + (len)) +#define TARGET_CMSG_SPACE(len) (sizeof(struct target_cmsghdr) + \ + TARGET_CMSG_ALIGN(len)) +#define TARGET_CMSG_LEN(len) (sizeof(struct target_cmsghdr) + (len)) static __inline__ struct target_cmsghdr * __target_cmsg_nxthdr(struct target_msghdr *__mhdr,
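Review bot: the simplified TARGET_CMSG_SPACE and TARGET_CMSG_LEN macros silently assume that sizeof(struct target_cmsghdr) is already a multiple of sizeof(abi_long) for every target ABI, which the commit message justifies by analogy with the kernel's struct cmsghdr rather than by anything checked in the code; since the length checks added in the previous patch now depend on this, a compile-time guard next to the macros, such as QEMU_BUILD_BUG_ON(sizeof(struct target_cmsghdr) % sizeof(abi_long)), would document the assumption and catch any target where it does not hold. The two syscall.c hunks are consistent with the new macros, since both now subtract the raw header size.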
From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Tue, 23 Jan 2018 15:47:59 +0100
Message-Id: <20180123144807.5618-6-laurent@vivier.eu>
In-Reply-To: <20180123144807.5618-1-laurent@vivier.eu>
References: <20180123144807.5618-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PULL 05/13] linux-user: Translate flags argument to dup3 syscall
Cc: Peter Maydell, Laurent Vivier
From: Peter Maydell The third argument to dup3() is a flags word which may be O_CLOEXEC. We weren't translating this flag from target to host value, which meant that if the target used a different value from the host (eg sparc guest and x86 host) the dup3() call would fail EINVAL. Do the correct translation. Fixes: https://bugs.launchpad.net/qemu/+bug/1704658 Reported-by: Bruno Haible Signed-off-by: Peter Maydell Reviewed-by: Laurent Vivier Message-Id: <1513351080-25917-1-git-send-email-peter.maydell@linaro.org> Signed-off-by: Laurent Vivier --- linux-user/syscall.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) -- 2.14.3 diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 39553c81b6..41ded90ee6 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c 
@@ -8490,11 +8490,19 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, #endif #if defined(CONFIG_DUP3) && defined(TARGET_NR_dup3) case TARGET_NR_dup3: - ret = get_errno(dup3(arg1, arg2, arg3)); + { + int host_flags; + + if ((arg3 & ~TARGET_O_CLOEXEC) != 0) { + return -EINVAL; + } + host_flags = target_to_host_bitmask(arg3, fcntl_flags_tbl); + ret = get_errno(dup3(arg1, arg2, host_flags)); if (ret >= 0) { fd_trans_dup(arg1, arg2); } break; + } #endif #ifdef TARGET_NR_getppid /* not on alpha */ case TARGET_NR_getppid:
From patchwork Tue Jan 23 14:48:05 2018 X-Patchwork-Submitter: Laurent Vivier X-Patchwork-Id: 125528
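Review bot: the `return -EINVAL;` in the TARGET_NR_dup3 hunk leaves do_syscall() directly with a host errno value, while the rest of this case (and its neighbours) set `ret` and fall through to `break;`, as `ret = get_errno(dup3(arg1, arg2, host_flags));` does two lines below. Use the target errno and the common exit so the case behaves like the others: `ret = -TARGET_EINVAL; break;`. The mask test itself is right and mirrors the kernel's own `(flags & ~O_CLOEXEC) != 0` rejection, which is what the commit message says made the untranslated sparc value fail.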
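As an added example of the failure the dup3 patch (PULL 05/13) above fixes, not QEMU code and not part of the patch: the guest's O_CLOEXEC is an ABI constant that need not equal the host's, and the host dup3() rejects any bit other than its own O_CLOEXEC with EINVAL. The example assumes a sparc Linux guest whose O_CLOEXEC is 0x400000 (GUEST_O_CLOEXEC); struct flag_map, fcntl_flags_tbl and target_to_host_flags() are modelled on the shape of QEMU's bitmask_transtbl and target_to_host_bitmask() but are written here, and newfd 100 is assumed to be a free descriptor. Only the host side (dup3, fcntl) is real; on a non-Linux host the dup3 calls report -2 instead of running.

```c
/*
 * Added example, not QEMU code. Shows the raw guest flags word failing
 * dup3() with EINVAL and the translated word succeeding with FD_CLOEXEC.
 * Assumption: guest is sparc Linux (O_CLOEXEC 0x400000); host is real.
 */
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

#ifdef __linux__
int dup3(int oldfd, int newfd, int flags);   /* glibc prototype; needs _GNU_SOURCE */
#endif

#define GUEST_O_CLOEXEC 0x400000u   /* assumed sparc value */

/* One table row: bits matching target_mask/target_bits become host_bits. */
struct flag_map {
    unsigned int target_mask, target_bits, host_mask, host_bits;
};

static const struct flag_map fcntl_flags_tbl[] = {
    { GUEST_O_CLOEXEC, GUEST_O_CLOEXEC, (unsigned int)O_CLOEXEC, (unsigned int)O_CLOEXEC },
};
#define N_FLAGS (sizeof(fcntl_flags_tbl) / sizeof(fcntl_flags_tbl[0]))

/* Table-driven translation: only bits the table knows about survive. */
unsigned int target_to_host_flags(unsigned int tflags)
{
    unsigned int hflags = 0;
    for (size_t i = 0; i < N_FLAGS; i++) {
        if ((tflags & fcntl_flags_tbl[i].target_mask) == fcntl_flags_tbl[i].target_bits) {
            hflags |= fcntl_flags_tbl[i].host_bits;
        }
    }
    return hflags;
}

/* The emulator-side check from the patch: anything but the guest's
 * O_CLOEXEC is rejected before translation. Returns host flags or -EINVAL. */
int dup3_flags_for_host(unsigned int guest_flags)
{
    if ((guest_flags & ~GUEST_O_CLOEXEC) != 0) {
        return -EINVAL;
    }
    return (int)target_to_host_flags(guest_flags);
}

/* Pre-patch behaviour: hand the raw guest word to the host dup3().
 * Returns 0 on success, the errno on failure, -2 if this host lacks dup3(). */
int dup3_raw(int fd, int newfd, unsigned int guest_flags)
{
#ifdef __linux__
    if (dup3(fd, newfd, (int)guest_flags) < 0) {
        return errno;
    }
    close(newfd);
    return 0;
#else
    (void)fd; (void)newfd; (void)guest_flags;
    return -2;
#endif
}

/* Post-patch behaviour: validate, translate, then dup3(). Returns 1 if the new
 * descriptor has FD_CLOEXEC, 0 if not, the errno on failure, -2 if no dup3(). */
int dup3_translated(int fd, int newfd, unsigned int guest_flags)
{
#ifdef __linux__
    int hflags = dup3_flags_for_host(guest_flags);
    if (hflags < 0) {
        return -hflags;
    }
    if (dup3(fd, newfd, hflags) < 0) {
        return errno;
    }
    int fdflags = fcntl(newfd, F_GETFD);
    close(newfd);
    return fdflags < 0 ? errno : (fdflags & FD_CLOEXEC) != 0;
#else
    (void)fd; (void)newfd; (void)guest_flags;
    return -2;
#endif
}

/* Run one variant on a fresh pipe end so the result does not depend on which
 * descriptors the caller has open. newfd 100 is assumed to be free. */
int demo(int translated)
{
    int p[2];
    if (pipe(p) < 0) {
        return -1;
    }
    int r = translated ? dup3_translated(p[0], 100, GUEST_O_CLOEXEC)
                       : dup3_raw(p[0], 100, GUEST_O_CLOEXEC);
    close(p[0]);
    close(p[1]);
    return r;
}

int main(void)
{
    printf("raw guest flags -> dup3 result: %d (EINVAL is %d)\n", demo(0), EINVAL);
    printf("translated flags -> FD_CLOEXEC set: %d\n", demo(1));
    return 0;
}
```

On an x86 or arm64 Linux host (O_CLOEXEC 0x80000) the raw 0x400000 fails with EINVAL and the translated call succeeds with FD_CLOEXEC set; on a sparc host both values coincide and the bug is invisible, which is why it only surfaced cross-architecture.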
From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Tue, 23 Jan 2018 15:48:05 +0100
Message-Id: <20180123144807.5618-12-laurent@vivier.eu>
In-Reply-To: <20180123144807.5618-1-laurent@vivier.eu>
References: <20180123144807.5618-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PULL 11/13] linux-user: Propagate siginfo_t through to handle_cpu_signal()
Cc: Peter Maydell, Laurent Vivier
From: Peter Maydell Currently all the architecture/OS specific cpu_signal_handler() functions call handle_cpu_signal() without passing it the siginfo_t. We're going to want that so we can look at the si_code to determine whether this is a SEGV_ACCERR access violation or some other kind of fault, so change the functions to pass through the pointer to the siginfo_t rather than just the si_addr value. Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Message-Id: <1511879725-9576-2-git-send-email-peter.maydell@linaro.org> Signed-off-by: Laurent Vivier --- accel/tcg/user-exec.c | 39 ++++++++++++++------------------------- 1 file changed, 14 insertions(+), 25 deletions(-) -- 2.14.3 diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c index f42285ea1c..e8f26ff0cb 100644 --- a/accel/tcg/user-exec.c +++ b/accel/tcg/user-exec.c @@ -57,12 +57,13 @@ static void cpu_exit_tb_from_sighandler(CPUState *cpu, sigset_t *old_set) the effective address of the memory exception. 'is_write' is 1 if a write caused the exception and otherwise 0'. 'old_set' is the signal set which should be restored */ -static inline int handle_cpu_signal(uintptr_t pc, unsigned long address, +static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info, int is_write, sigset_t *old_set) { CPUState *cpu = current_cpu; CPUClass *cc; int ret; + unsigned long address = (unsigned long)info->si_addr; /* We must handle PC addresses from two different sources: * a call return address and a signal frame address. @@ -215,9 +216,8 @@ int cpu_signal_handler(int host_signum, void *pinfo, #endif pc = EIP_sig(uc); trapno = TRAP_sig(uc); - return handle_cpu_signal(pc, (unsigned long)info->si_addr, - trapno == 0xe ? - (ERROR_sig(uc) >> 1) & 1 : 0, + return handle_cpu_signal(pc, info, + trapno == 0xe ? (ERROR_sig(uc) >> 1) & 1 : 0, &MASK_sig(uc)); } 
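Review bot: the comment kept as context above the new handle_cpu_signal() prototype still reads "... the effective address of the memory exception. 'is_write' is 1 if ...", describing the `address` parameter this hunk removes. Update it to say that `info` is the host siginfo_t and that the fault address is taken from `info->si_addr`, otherwise the next reader has to reconcile the comment with `unsigned long address = (unsigned long)info->si_addr;` a few lines down. The i386 hunk below it is a pure argument change and needs nothing.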
@@ -261,9 +261,8 @@ int cpu_signal_handler(int host_signum, void *pinfo, #endif pc = PC_sig(uc); - return handle_cpu_signal(pc, (unsigned long)info->si_addr, - TRAP_sig(uc) == 0xe ? - (ERROR_sig(uc) >> 1) & 1 : 0, + return handle_cpu_signal(pc, info, + TRAP_sig(uc) == 0xe ? (ERROR_sig(uc) >> 1) & 1 : 0, &MASK_sig(uc)); } @@ -341,8 +340,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, is_write = 1; } #endif - return handle_cpu_signal(pc, (unsigned long)info->si_addr, - is_write, &uc->uc_sigmask); + return handle_cpu_signal(pc, info, is_write, &uc->uc_sigmask); } #elif defined(__alpha__) @@ -372,8 +370,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, is_write = 1; } - return handle_cpu_signal(pc, (unsigned long)info->si_addr, - is_write, &uc->uc_sigmask); + return handle_cpu_signal(pc, info, is_write, &uc->uc_sigmask); } #elif defined(__sparc__) @@ -432,8 +429,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, break; } } - return handle_cpu_signal(pc, (unsigned long)info->si_addr, - is_write, sigmask); + return handle_cpu_signal(pc, info, is_write, sigmask); } #elif defined(__arm__) @@ -466,9 +462,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, * later processor; on v5 we will always report this as a read). */ is_write = extract32(uc->uc_mcontext.error_code, 11, 1); - return handle_cpu_signal(pc, (unsigned long)info->si_addr, - is_write, - &uc->uc_sigmask); + return handle_cpu_signal(pc, info, is_write, &uc->uc_sigmask); } #elif defined(__aarch64__) @@ -495,8 +489,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, void *puc) /* Ignore bits 23 & 24, controlling indexing. */ || (insn & 0x3a400000) == 0x28000000); /* C3.3.7,14-16 */ - return handle_cpu_signal(pc, (uintptr_t)info->si_addr, - is_write, &uc->uc_sigmask); + return handle_cpu_signal(pc, info, is_write, &uc->uc_sigmask); } #elif defined(__ia64) 
@@ -529,9 +522,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, void *puc) default: break; } - return handle_cpu_signal(ip, (unsigned long)info->si_addr, - is_write, - (sigset_t *)&uc->uc_sigmask); + return handle_cpu_signal(ip, info, is_write, (sigset_t *)&uc->uc_sigmask); } #elif defined(__s390__) @@ -583,8 +574,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, } break; } - return handle_cpu_signal(pc, (unsigned long)info->si_addr, - is_write, &uc->uc_sigmask); + return handle_cpu_signal(pc, info, is_write, &uc->uc_sigmask); } #elif defined(__mips__) 
@@ -599,8 +589,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, /* XXX: compute is_write */ is_write = 0; - return handle_cpu_signal(pc, (unsigned long)info->si_addr, - is_write, &uc->uc_sigmask); + return handle_cpu_signal(pc, info, is_write, &uc->uc_sigmask); } #else
From patchwork Tue Jan 23 14:48:06 2018 X-Patchwork-Submitter: Laurent Vivier X-Patchwork-Id: 125526
From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Tue, 23 Jan 2018 15:48:06 +0100
Message-Id: <20180123144807.5618-13-laurent@vivier.eu>
In-Reply-To: <20180123144807.5618-1-laurent@vivier.eu>
References: <20180123144807.5618-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PULL 12/13] page_unprotect(): handle calls to pages that are PAGE_WRITE
Cc: Peter Maydell, Laurent Vivier
From: Peter Maydell

If multiple guest threads in user-mode emulation write to a page which QEMU has marked read-only because of cached TCG translations, the threads can race in page_unprotect:

 * threads A & B both try to do a write to a page with code in it at the same time (ie which we've made non-writeable, so SEGV)
 * they race into the signal handler with this faulting address
 * thread A happens to get to page_unprotect() first and takes the mmap lock, so thread B sits waiting for it to be done
 * A then finds the page, marks it PAGE_WRITE and mprotect()s it writable
 * A can then continue OK (returns from signal handler to retry the memory access)
 * ...but when B gets the mmap lock it finds that the page is already PAGE_WRITE, and so it exits page_unprotect() via the "not due to protected translation" code path, and wrongly delivers the signal to the guest rather than just retrying the access

In particular, this meant that trying to run 'javac' in user-mode emulation would fail with a spurious guest SIGSEGV.

Handle this by making page_unprotect() assume that a call for a page which is already PAGE_WRITE is due to a race of this sort and return a "fault handled" indication. Since this would cause an infinite loop if we ever called page_unprotect() for some other kind of fault than "write failed due to bad access permissions", tighten the condition in handle_cpu_signal() to check the signal number and si_code, and add a comment so that if somebody does ever find themselves debugging an infinite loop of faults they have some clue about why.

(The trick for identifying the correct setting for current_tb_invalidated for thread B (needed to handle the precise-SMC case) is due to Richard Henderson. Paolo Bonzini suggested just relying on si_code rather than trying anything more complicated.)

Signed-off-by: Peter Maydell
Message-Id: <1511879725-9576-3-git-send-email-peter.maydell@linaro.org>
Signed-off-by: Laurent Vivier --- accel/tcg/translate-all.c | 50 +++++++++++++++++++++++++++++------------------ accel/tcg/user-exec.c | 13 +++++++++++- 2 files changed, 43 insertions(+), 20 deletions(-) -- 2.14.3 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c index 7736257085..67795cd78c 100644 --- a/accel/tcg/translate-all.c +++ b/accel/tcg/translate-all.c 
@@ -2181,29 +2181,41 @@ int page_unprotect(target_ulong address, uintptr_t pc) /* if the page was really writable, then we change its protection back to writable */ - if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) { - host_start = address & qemu_host_page_mask; - host_end = host_start + qemu_host_page_size; - - prot = 0; + if (p->flags & PAGE_WRITE_ORG) { current_tb_invalidated = false; - for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) { - p = page_find(addr >> TARGET_PAGE_BITS); - p->flags |= PAGE_WRITE; - prot |= p->flags; - - /* and since the content will be modified, we must invalidate - the corresponding translated code. */ - current_tb_invalidated |= tb_invalidate_phys_page(addr, pc); -#ifdef CONFIG_USER_ONLY - if (DEBUG_TB_CHECK_GATE) { - tb_invalidate_check(addr); + if (p->flags & PAGE_WRITE) { + /* If the page is actually marked WRITE then assume this is because + * this thread raced with another one which got here first and + * set the page to PAGE_WRITE and did the TB invalidate for us. + */ +#ifdef TARGET_HAS_PRECISE_SMC + TranslationBlock *current_tb = tb_find_pc(pc); + if (current_tb) { + current_tb_invalidated = tb_cflags(current_tb) & CF_INVALID; } #endif + } else { + host_start = address & qemu_host_page_mask; + host_end = host_start + qemu_host_page_size; + + prot = 0; + for (addr = host_start; addr < host_end; addr += TARGET_PAGE_SIZE) { + p = page_find(addr >> TARGET_PAGE_BITS); + p->flags |= PAGE_WRITE; + prot |= p->flags; + + /* and since the content will be modified, we must invalidate + the corresponding translated code. 
*/ + current_tb_invalidated |= tb_invalidate_phys_page(addr, pc); +#ifdef CONFIG_USER_ONLY + if (DEBUG_TB_CHECK_GATE) { + tb_invalidate_check(addr); + } +#endif + } + mprotect((void *)g2h(host_start), qemu_host_page_size, + prot & PAGE_BITS); } - mprotect((void *)g2h(host_start), qemu_host_page_size, - prot & PAGE_BITS); - mmap_unlock(); /* If current TB was invalidated return to main loop */ return current_tb_invalidated ? 2 : 1; diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c index e8f26ff0cb..c973752562 100644 --- a/accel/tcg/user-exec.c +++ b/accel/tcg/user-exec.c @@ -104,7 +104,18 @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info, pc, address, is_write, *(unsigned long *)old_set); #endif /* XXX: locking issue */ - if (is_write && h2g_valid(address)) { + /* Note that it is important that we don't call page_unprotect() unless + * this is really a "write to nonwriteable page" fault, because + * page_unprotect() assumes that if it is called for an access to + * a page that's writeable this means we had two threads racing and + * another thread got there first and already made the page writeable; + * so we will retry the access. If we were to call page_unprotect() + * for some other kind of fault that should really be passed to the + * guest, we'd end up in an infinite loop of retrying the faulting + * access. + */ + if (is_write && info->si_signo == SIGSEGV && info->si_code == SEGV_ACCERR && + h2g_valid(address)) { switch (page_unprotect(h2g(address), pc)) { case 0: /* Fault not caused by a page marked unwritable to protect
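Review bot: in the translate-all.c hunk the comment left above the test, "if the page was really writable, then we change its protection back to writable", now introduces an `if (p->flags & PAGE_WRITE_ORG)` whose first branch changes no protection at all; extend it to name the two cases (already PAGE_WRITE: another thread won the race and did the mprotect() and TB invalidation for us, so just retry; otherwise: set PAGE_WRITE, invalidate, mprotect()). In that race branch `current_tb_invalidated` is only ever assigned under TARGET_HAS_PRECISE_SMC, so without it the function always returns 1 here; a one-line comment saying that is deliberate would save the next reader checking whether the `current_tb_invalidated = false;` above was meant to cover it.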
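Review bot: the user-exec.c hunk gates page_unprotect() on `info->si_signo == SIGSEGV && info->si_code == SEGV_ACCERR`, which closes the retry loop the new comment describes, but the condition still depends on `is_write` being computed by the host-specific code above it; the mips cpu_signal_handler() in PULL 11/13 keeps `/* XXX: compute is_write */ is_write = 0;`, so on that host the unprotect path is unreachable and every write to a translation-protected page is handed to the guest. Worth a sentence in this comment so the two XXXs are connected. The `/* XXX: locking issue */` two lines above could also be made specific or dropped, since page_unprotect() takes and releases the mmap lock itself (its `mmap_unlock();` is visible in the translate-all.c hunk).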