[Qemu-commits] [qemu/qemu] 7e9a7c: cputlb: Move VICTIM_TLB

qemu-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-commits] [qemu/qemu] 7e9a7c: cputlb: Move VICTIM_TLB_HIT out of li

From:	GitHub
Subject:	[Qemu-commits] [qemu/qemu] 7e9a7c: cputlb: Move VICTIM_TLB_HIT out of line
Date:	Mon, 11 Jul 2016 11:00:03 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 7e9a7c50d9a400ef51242d661a261123c2cc9485
      
https://github.com/qemu/qemu/commit/7e9a7c50d9a400ef51242d661a261123c2cc9485
  Author: Richard Henderson <address@hidden>
  Date:   2016-07-08 (Fri, 08 Jul 2016)

  Changed paths:
    M cputlb.c
    M softmmu_template.h

  Log Message:
  -----------
  cputlb: Move VICTIM_TLB_HIT out of line

There are currently 22 invocations of this function,
and we're about to increase that number.

Signed-off-by: Richard Henderson <address@hidden>


  Commit: a390284b80d2b6581143cdb40666674e60e635ae
      
https://github.com/qemu/qemu/commit/a390284b80d2b6581143cdb40666674e60e635ae
  Author: Samuel Damashek <address@hidden>
  Date:   2016-07-08 (Fri, 08 Jul 2016)

  Changed paths:
    M cputlb.c
    M softmmu_template.h

  Log Message:
  -----------
  cputlb: Add address parameter to VICTIM_TLB_HIT

[rth: Split out from the original patch.]

Signed-off-by: Samuel Damashek <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Richard Henderson <address@hidden>


  Commit: 81daabaf7a572f138a8b88ba6eea556bdb0cce46
      
https://github.com/qemu/qemu/commit/81daabaf7a572f138a8b88ba6eea556bdb0cce46
  Author: Samuel Damashek <address@hidden>
  Date:   2016-07-08 (Fri, 08 Jul 2016)

  Changed paths:
    M softmmu_template.h

  Log Message:
  -----------
  cputlb: Fix for self-modifying writes across page boundaries

As it currently stands, QEMU does not properly handle self-modifying code
when the write is unaligned and crosses a page boundary. The procedure
for handling a write to the current translation block is to write-protect
the current translation block, catch the write, split up the translation
block into the current instruction (which remains write-protected so that
the current instruction is not modified) and the remaining instructions
in the translation block, and then restore the CPU state to before the
write occurred so the write will be retried and successfully executed.
However, since unaligned writes across pages are split into one-byte
writes for simplicity, writes to the second page (which is not the
current TB) may succeed before a write to the current TB is attempted,
and since these writes are not invalidated before resuming state after
splitting the TB, these writes will be performed a second time, thus
corrupting the second page. Credit goes to Patrick Hulin for
discovering this.

In recent 64-bit versions of Windows running in emulated mode, this
results in either being very unstable (a BSOD after a couple minutes of
uptime), or being entirely unable to boot. Windows performs one or more
8-byte unaligned self-modifying writes (xors) which intersect the end
of the current TB and the beginning of the next TB, which runs into the
aforementioned issue. This commit fixes that issue by making the
unaligned write loop perform the writes in forwards order, instead of
reverse order. This way, QEMU immediately tries to write to the current
TB, and splits the TB before any write to the second page is executed.
The write then proceeds as intended. With this patch applied, I am able
to boot and use Windows 7 64-bit and Windows 10 64-bit in QEMU without
KVM.

Per Richard Henderson's input, this patch also ensures the second page
is in the TLB before executing the write loop, to ensure the second
page is mapped.

The original discussion of the issue is located at
http://lists.nongnu.org/archive/html/qemu-devel/2014-08/msg02161.html.

Signed-off-by: Samuel Damashek <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Richard Henderson <address@hidden>


  Commit: 7399a337e4126f7c8c8af3336726f001378c4798
      
https://github.com/qemu/qemu/commit/7399a337e4126f7c8c8af3336726f001378c4798
  Author: Stanislav Shmarov <address@hidden>
  Date:   2016-07-08 (Fri, 08 Jul 2016)

  Changed paths:
    M translate-all.c

  Log Message:
  -----------
  translate-all: Fix user-mode self-modifying code in 2 page long TB

In user-mode emulation Translation Block can consist of 2 guest pages.
In that case QEMU also mprotects 2 host pages that are dedicated for
guest memory, containing instructions. QEMU detects self-modifying code
with SEGFAULT signal processing.

In case if instruction in 1st page is modifying memory of 2nd
page (or vice versa) QEMU will mark 2nd page with PAGE_WRITE,
invalidate TB, generate new TB contatining 1 guest instruction and
exit to CPU loop. QEMU won't call mprotect, and new TB will cause
same SEGFAULT. Page will have both PAGE_WRITE_ORG and PAGE_WRITE
flags, so QEMU will handle the signal as guest binary problem,
and exit with guest SEGFAULT.

Solution is to do following: In case if current TB was invalidated
continue to invalidate TBs from remaining guest pages and mark pages
as PAGE_WRITE. After that disable host page protection with mprotect.
If current tb was invalidated longjmp to main loop. That is more
efficient, since we won't get SEGFAULT when executing new TB.

Reviewed-by: Sergey Fedorov <address@hidden>
Signed-off-by: Stanislav Shmarov <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Richard Henderson <address@hidden>


  Commit: 7de2cc8f787a9cf8edff616c75ea9e73a86db9ca
      
https://github.com/qemu/qemu/commit/7de2cc8f787a9cf8edff616c75ea9e73a86db9ca
  Author: Peter Maydell <address@hidden>
  Date:   2016-07-11 (Mon, 11 Jul 2016)

  Changed paths:
    M cputlb.c
    M softmmu_template.h
    M translate-all.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20160708' into staging

two self-modifying code fixes

# gpg: Signature made Fri 08 Jul 2016 21:28:50 BST
# gpg:                using RSA key 0xAD1270CC4DD0279B
# gpg: Good signature from "Richard Henderson <address@hidden>"
# gpg:                 aka "Richard Henderson <address@hidden>"
# gpg:                 aka "Richard Henderson <address@hidden>"
# Primary key fingerprint: 9CB1 8DDA F8E8 49AD 2AFC  16A4 AD12 70CC 4DD0 279B

* remotes/rth/tags/pull-tcg-20160708:
  translate-all: Fix user-mode self-modifying code in 2 page long TB
  cputlb: Fix for self-modifying writes across page boundaries
  cputlb: Add address parameter to VICTIM_TLB_HIT
  cputlb: Move VICTIM_TLB_HIT out of line

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/a91a4e7d8cfe...7de2cc8f787a

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-commits] [qemu/qemu] 7e9a7c: cputlb: Move VICTIM_TLB_HIT out of line, GitHub <=

Prev by Date: [Qemu-commits] [qemu/qemu] 823efc: qdev: Don't stop applying globals on first error
Next by Date: [Qemu-commits] [qemu/qemu] b39b77: pc-bios/s390-ccw: Pass selected SCSI device to IPL
Previous by thread: [Qemu-commits] [qemu/qemu] 823efc: qdev: Don't stop applying globals on first error
Next by thread: [Qemu-commits] [qemu/qemu] b39b77: pc-bios/s390-ccw: Pass selected SCSI device to IPL
Index(es):
- Date
- Thread