[Qemu-commits] [qemu/qemu] a45799: target/s390x: Fix translation excepti


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] a45799: target/s390x: Fix translation exception on illegal...
Date: Tue, 11 May 2021 01:31:24 -0700

  Branch: refs/heads/staging
  Home:   https://github.com/qemu/qemu
  Commit: a457993653acbab673ed4f96b37a212e3693cf9e
      https://github.com/qemu/qemu/commit/a457993653acbab673ed4f96b37a212e3693cf9e
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2021-05-06 (Thu, 06 May 2021)

  Changed paths:
    M target/s390x/translate.c

  Log Message:
  -----------
  target/s390x: Fix translation exception on illegal instruction

Hitting a uretprobe in a s390x TCG guest causes a SIGSEGV. What
happens is:

* uretprobe maps a userspace page containing an invalid instruction.
* uretprobe replaces the target function's return address with the
  address of that page.
* When tb_gen_code() is called on that page, tb->size ends up being 0
  (because the page starts with the invalid instruction), which causes
  virt_page2 to point to the previous page.
* The previous page is not mapped, so this causes a spurious
  translation exception.

tb->size must never be 0: even if there is an illegal instruction, the
instruction bytes that have been looked at must count towards tb->size.
So adjust s390x's translate_one() to act this way for both illegal
instructions and instructions that are known to generate exceptions.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Message-Id: <20210416154939.32404-2-iii@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>

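To make the page arithmetic in the commit message above concrete, the following is an added C model, not QEMU's code, although it mirrors the virt_page2 check that tb_gen_code() in accel/tcg/translate-all.c performs after a block is translated. The 4 KiB page size, the constructed page-aligned guest PC and the helper names are assumptions for the example.

```c
/*
 * Added example (not QEMU code): a simplified model of the second-page
 * computation done after translating a TB, showing why a block whose size
 * is 0 makes virt_page2 land on the page *before* pc, and how the fixes in
 * this series (count decoded bytes; assert size != 0) close the hole.
 */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

#define TARGET_PAGE_BITS 12                    /* assumption: 4 KiB guest pages */
#define TARGET_PAGE_SIZE (1ULL << TARGET_PAGE_BITS)
#define TARGET_PAGE_MASK (~(TARGET_PAGE_SIZE - 1))

#define NO_SECOND_PAGE ((uint64_t)-1)

/*
 * Mirrors the check QEMU performs after translation:
 *   virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
 *   if ((pc & TARGET_PAGE_MASK) != virt_page2) look up virt_page2
 * Returns the second page that would be looked up, or NO_SECOND_PAGE
 * when the TB stays within the page containing pc.
 */
uint64_t tb_second_page(uint64_t pc, uint64_t tb_size)
{
    uint64_t virt_page2 = (pc + tb_size - 1) & TARGET_PAGE_MASK;
    if ((pc & TARGET_PAGE_MASK) != virt_page2) {
        return virt_page2;
    }
    return NO_SECOND_PAGE;
}

/*
 * A TB can only legitimately spill *forward* into the next page. A second
 * page that lies before pc's page is the spurious case from the commit
 * message: with tb->size == 0 the unsigned "pc - 1" wraps backwards.
 */
int tb_second_page_is_spurious(uint64_t pc, uint64_t tb_size)
{
    uint64_t p2 = tb_second_page(pc, tb_size);
    return p2 != NO_SECOND_PAGE && p2 < (pc & TARGET_PAGE_MASK);
}

/*
 * The per-target fix: even when the first instruction is illegal or is
 * known to raise an exception, the bytes that were looked at still count,
 * so the reported size is never 0. `decoded_bytes` stands for what a front
 * end would otherwise report (0 when it bailed out before accounting).
 */
uint64_t fixed_tb_size(uint64_t decoded_bytes)
{
    return decoded_bytes ? decoded_bytes : 1;
}

/* The generic guard from the accel/tcg commit: refuse zero-sized TBs early
 * instead of letting them turn into a fault on an unrelated page. */
void check_tb_size(uint64_t tb_size)
{
    assert(tb_size != 0);
}

int main(void)
{
    /* constructed: a page-aligned guest PC, like the first byte of the
     * page the uretprobe maps for its invalid instruction */
    uint64_t pc = 0x10000;

    uint64_t broken = tb_second_page(pc, 0);
    printf("size 0: looks up page 0x%llx, spurious=%d\n",
           (unsigned long long)broken, tb_second_page_is_spurious(pc, 0));

    uint64_t fixed = tb_second_page(pc, fixed_tb_size(0));
    printf("size %llu: second page %s\n",
           (unsigned long long)fixed_tb_size(0),
           fixed == NO_SECOND_PAGE ? "none" : "crossed");

    /* a genuine forward crossing near the end of the page is unaffected */
    printf("pc 0x10ffe size 4: looks up page 0x%llx\n",
           (unsigned long long)tb_second_page(0x10FFE, 4));

    check_tb_size(fixed_tb_size(0));
    return 0;
}
```

With a page-aligned pc and size 0, the computed second page is 0xf000, the page before the one being executed; if the guest never mapped it, the lookup raises the translation exception the commit describes even though no instruction there was ever executed. Forcing the size to at least 1 keeps the block on its own page, and the assertion turns any remaining zero-size front end bug into a loud failure at translation time rather than a confusing guest fault.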

  Commit: ba38cdb4eb1706ef389f2aedeb55943dee0a66ba
      https://github.com/qemu/qemu/commit/ba38cdb4eb1706ef389f2aedeb55943dee0a66ba
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2021-05-06 (Thu, 06 May 2021)

  Changed paths:
    M target/arm/translate.c

  Log Message:
  -----------
  target/arm: Make sure that commpage's tb->size != 0

tb_gen_code() assumes that tb->size must never be zero, otherwise it
may produce spurious exceptions. For ARM this may happen when creating
a translation block for the commpage.

Fix by pretending that commpage translation blocks have at least one
instruction.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210416154939.32404-3-iii@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: 5a111a10caee108d552341058bea758a8b3e0d6a
      https://github.com/qemu/qemu/commit/5a111a10caee108d552341058bea758a8b3e0d6a
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2021-05-06 (Thu, 06 May 2021)

  Changed paths:
    M target/xtensa/translate.c

  Log Message:
  -----------
  target/xtensa: Make sure that tb->size != 0

tb_gen_code() assumes that tb->size must never be zero, otherwise it
may produce spurious exceptions. For xtensa this may happen when
decoding an unknown instruction, when handling a write into the
CCOUNT or CCOMPARE special register and when single-stepping the first
instruction of an exception handler.

Fix by pretending that the size of the respective translation block is
1 in all these cases.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Max Filippov <jcmvbkbc@gmail.com>
Acked-by: Max Filippov <jcmvbkbc@gmail.com>
Message-Id: <20210416154939.32404-4-iii@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: 75f3752c0f6ade174d01eb74a257768f74b68548
      https://github.com/qemu/qemu/commit/75f3752c0f6ade174d01eb74a257768f74b68548
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2021-05-06 (Thu, 06 May 2021)

  Changed paths:
    M accel/tcg/translate-all.c

  Log Message:
  -----------
  accel/tcg: Assert that tb->size != 0 after translation

If arch-specific code generates a translation block of size 0,
tb_gen_code() may generate a spurious exception. Add an assertion in
order to catch such situations early.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Message-Id: <20210416154939.32404-5-iii@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: 74e7f50ea400ac48de5c0447a5943f206b9e405e
      https://github.com/qemu/qemu/commit/74e7f50ea400ac48de5c0447a5943f206b9e405e
  Author: Eric Farman <farman@linux.ibm.com>
  Date:   2021-05-06 (Thu, 06 May 2021)

  Changed paths:
    M hw/vfio/ccw.c

  Log Message:
  -----------
  vfio-ccw: Permit missing IRQs

Commit 690e29b91102 ("vfio-ccw: Refactor ccw irq handler") changed
one of the checks for the IRQ notifier registration from saying
"the host needs to recognize the only IRQ that exists" to saying
"the host needs to recognize ANY IRQ that exists."

And this worked fine, because the subsequent change to support the
CRW IRQ notifier doesn't get into this code when running on an older
kernel, thanks to a guard by a capability region. The later addition
of the REQ(uest) IRQ by commit b2f96f9e4f5f ("vfio-ccw: Connect the
device request notifier") broke this assumption because there is no
matching capability region. Thus, running new QEMU on an older
kernel fails with:

  vfio: unexpected number of irqs 2

Let's adapt the message here so that there's a better clue of what
IRQ is missing.

Furthermore, let's make the REQ(uest) IRQ not fail when attempting
to register it, to permit running vfio-ccw on a newer QEMU with an
older kernel.

Fixes: b2f96f9e4f5f ("vfio-ccw: Connect the device request notifier")
Signed-off-by: Eric Farman <farman@linux.ibm.com>
Message-Id: <20210421152053.2379873-1-farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: 14dc6b32aa51e3254b05de6b8fe5ef3e0e604009
      https://github.com/qemu/qemu/commit/14dc6b32aa51e3254b05de6b8fe5ef3e0e604009
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2021-05-06 (Thu, 06 May 2021)

  Changed paths:
    M hw/s390x/3270-ccw.c
    M hw/s390x/ccw-device.c
    M hw/s390x/ccw-device.h
    M hw/s390x/s390-ccw.c
    M hw/s390x/virtio-ccw.c

  Log Message:
  -----------
  hw/s390x/ccw: Register qbus type in abstract TYPE_CCW_DEVICE parent

Instead of having all TYPE_CCW_DEVICE children set the bus type to
TYPE_VIRTUAL_CSS_BUS, do it once in the abstract parent.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Eric Farman <farman@linux.ibm.com>
Message-Id: <20210424145313.3287400-1-f4bug@amsat.org>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: 2337ca0dd1747851cf596e90a2360578e3f9a473
      https://github.com/qemu/qemu/commit/2337ca0dd1747851cf596e90a2360578e3f9a473
  Author: Eric Farman <farman@linux.ibm.com>
  Date:   2021-05-06 (Thu, 06 May 2021)

  Changed paths:
    M hw/vfio/ccw.c

  Log Message:
  -----------
  vfio-ccw: Attempt to clean up all IRQs on error

The vfio_ccw_unrealize() routine makes an unconditional attempt to
unregister every IRQ notifier, though they may not have been registered
in the first place (when running on an older kernel, for example).

Let's mirror this behavior in the error cleanups in vfio_ccw_realize()
so that if/when new IRQs are added, it is less confusing to recognize
the necessary procedures. The worst case scenario would be some extra
messages about an undefined IRQ, but since this is an error exit that
won't be the only thing to worry about.

And regarding those messages, let's change it to a warning instead of
an error, to better reflect their severity. The existing code in both
paths handles everything anyway.

Signed-off-by: Eric Farman <farman@linux.ibm.com>
Acked-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-Id: <20210428143652.1571487-1-farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: abab122f0941c4fc9c83de7a8f757801264b3055
      https://github.com/qemu/qemu/commit/abab122f0941c4fc9c83de7a8f757801264b3055
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2021-05-11 (Tue, 11 May 2021)

  Changed paths:
    M accel/tcg/translate-all.c
    M hw/s390x/3270-ccw.c
    M hw/s390x/ccw-device.c
    M hw/s390x/ccw-device.h
    M hw/s390x/s390-ccw.c
    M hw/s390x/virtio-ccw.c
    M hw/vfio/ccw.c
    M target/arm/translate.c
    M target/s390x/translate.c
    M target/xtensa/translate.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/cohuck-gitlab/tags/s390x-20210506' into staging

s390x fixes and cleanups; also related fixes in xtensa and arm

# gpg: Signature made Thu 06 May 2021 15:00:04 BST
# gpg:                using RSA key C3D0D66DC3624FF6A8C018CEDECF6B93C6F02FAF
# gpg:                issuer "cohuck@redhat.com"
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [unknown]
# gpg:                 aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <cohuck@kernel.org>" [unknown]
# gpg:                 aka "Cornelia Huck <cohuck@redhat.com>" [unknown]
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0  18CE DECF 6B93 C6F0 2FAF

* remotes/cohuck-gitlab/tags/s390x-20210506:
  vfio-ccw: Attempt to clean up all IRQs on error
  hw/s390x/ccw: Register qbus type in abstract TYPE_CCW_DEVICE parent
  vfio-ccw: Permit missing IRQs
  accel/tcg: Assert that tb->size != 0 after translation
  target/xtensa: Make sure that tb->size != 0
  target/arm: Make sure that commpage's tb->size != 0
  target/s390x: Fix translation exception on illegal instruction

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/9a408f75dfe4...abab122f0941


