From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 86131c: target/s390x: Fix translation exception on illegal...
Date: Thu, 20 May 2021 12:12:08 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 86131c71b13257e095d8c4f4453d52cbc6553c07
      
https://github.com/qemu/qemu/commit/86131c71b13257e095d8c4f4453d52cbc6553c07
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2021-05-20 (Thu, 20 May 2021)

  Changed paths:
    M target/s390x/translate.c

  Log Message:
  -----------
  target/s390x: Fix translation exception on illegal instruction

Hitting an uretprobe in a s390x TCG guest causes a SIGSEGV. What
happens is:

* uretprobe maps a userspace page containing an invalid instruction.
* uretprobe replaces the target function's return address with the
  address of that page.
* When tb_gen_code() is called on that page, tb->size ends up being 0
  (because the page starts with the invalid instruction), which causes
  virt_page2 to point to the previous page.
* The previous page is not mapped, so this causes a spurious
  translation exception.

tb->size must never be 0: even if there is an illegal instruction, the
instruction bytes that have been looked at must count towards tb->size.
So adjust s390x's translate_one() to act this way for both illegal
instructions and instructions that are known to generate exceptions.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Message-Id: <20210416154939.32404-2-iii@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: 48a130923c59b706e7f33527490028eb8a86b97e
      
https://github.com/qemu/qemu/commit/48a130923c59b706e7f33527490028eb8a86b97e
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2021-05-20 (Thu, 20 May 2021)

  Changed paths:
    M target/arm/translate.c

  Log Message:
  -----------
  target/arm: Make sure that commpage's tb->size != 0

tb_gen_code() assumes that tb->size must never be zero, otherwise it
may produce spurious exceptions. For ARM this may happen when creating
a translation block for the commpage.

Fix by pretending that commpage translation blocks have at least one
instruction.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210416154939.32404-3-iii@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: f689befde664f917510e842660a69961faf8ba7b
      
https://github.com/qemu/qemu/commit/f689befde664f917510e842660a69961faf8ba7b
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2021-05-20 (Thu, 20 May 2021)

  Changed paths:
    M target/xtensa/translate.c

  Log Message:
  -----------
  target/xtensa: Make sure that tb->size != 0

tb_gen_code() assumes that tb->size must never be zero, otherwise it
may produce spurious exceptions. For xtensa this may happen when
decoding an unknown instruction, when handling a write into the
CCOUNT or CCOMPARE special register and when single-stepping the first
instruction of an exception handler.

Fix by pretending that the size of the respective translation block is
1 in all these cases.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Max Filippov <jcmvbkbc@gmail.com>
Acked-by: Max Filippov <jcmvbkbc@gmail.com>
Message-Id: <20210416154939.32404-4-iii@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: 0b00b0c1e05b34904635cf1b5cfdd945d1a8475e
      
https://github.com/qemu/qemu/commit/0b00b0c1e05b34904635cf1b5cfdd945d1a8475e
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2021-05-20 (Thu, 20 May 2021)

  Changed paths:
    M accel/tcg/translate-all.c

  Log Message:
  -----------
  accel/tcg: Assert that tb->size != 0 after translation

If arch-specific code generates a translation block of size 0,
tb_gen_code() may generate a spurious exception. Add an assertion in
order to catch such situations early.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Message-Id: <20210416154939.32404-5-iii@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
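The four tb->size commits above (s390x, arm, xtensa, and the accel/tcg assertion) all hinge on one arithmetic fact: tb_gen_code() derives the second page a translation block may touch from the address of its last byte, so a size of 0 at a page boundary points one page backwards. The following is an added C model of that bookkeeping, not code from the QEMU tree; it assumes a 4 KiB target page and a page2 computation of the form `(pc + size - 1) & TARGET_PAGE_MASK`, consistent with the commit message, and models the fixes (bytes examined always count, minimum size 1) and the new assertion as plain functions.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed target page geometry (4 KiB pages), chosen for the model. */
#define TARGET_PAGE_BITS 12
#define TARGET_PAGE_SIZE (UINT64_C(1) << TARGET_PAGE_BITS)
#define TARGET_PAGE_MASK (~(TARGET_PAGE_SIZE - 1))

/* Model of how tb_gen_code() finds the page holding the TB's last byte.
 * With size == 0 the "last byte" is pc - 1, i.e. possibly the previous page. */
uint64_t model_virt_page2(uint64_t pc, uint32_t size)
{
    return (pc + size - 1) & TARGET_PAGE_MASK;
}

/* Returns 1 when the model believes the TB extends into a second page,
 * which is what triggers a lookup (and, if unmapped, an exception) of
 * that page. */
int model_tb_crosses_page(uint64_t pc, uint32_t size)
{
    return model_virt_page2(pc, size) != (pc & TARGET_PAGE_MASK);
}

/* Model of the per-target fixes: the bytes examined while decoding count
 * towards the size even when decode stops on an illegal instruction, and
 * a block that examined nothing still reports one byte (hypothetical
 * summary of the four commits, not any single target's code). */
uint32_t model_fixed_tb_size(uint32_t bytes_examined)
{
    return bytes_examined == 0 ? 1 : bytes_examined;
}

/* Model of the accel/tcg assertion added after translation. */
int model_tb_size_ok(uint32_t size)
{
    return size != 0;
}

int main(void)
{
    /* Constructed scenarios: a page-aligned pc with a zero-size TB (the
     * bug), the same pc after the fix, and a TB that legitimately crosses
     * into the next page. */
    const uint64_t pc = 0x10000;
    printf("pc=%#llx size=0 -> page2=%#llx crosses=%d ok=%d\n",
           (unsigned long long)pc,
           (unsigned long long)model_virt_page2(pc, 0),
           model_tb_crosses_page(pc, 0), model_tb_size_ok(0));
    uint32_t fixed = model_fixed_tb_size(2); /* e.g. a 2-byte illegal opcode */
    printf("pc=%#llx size=%u -> page2=%#llx crosses=%d ok=%d\n",
           (unsigned long long)pc, fixed,
           (unsigned long long)model_virt_page2(pc, fixed),
           model_tb_crosses_page(pc, fixed), model_tb_size_ok(fixed));
    printf("pc=%#llx size=4 -> crosses=%d (genuine page crossing)\n",
           (unsigned long long)(pc + 0xffe),
           model_tb_crosses_page(pc + 0xffe, 4));
    return 0;
}
```

The same reasoning applies to the later target/i386 vsyscall commit in this batch: any translator path that can return without consuming bytes must report a non-zero size, and the assertion turns the silent page miscalculation into an immediate failure.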


  Commit: 6178d4689a1e6a0d2b6dea1dad990e74148fa9d1
      
https://github.com/qemu/qemu/commit/6178d4689a1e6a0d2b6dea1dad990e74148fa9d1
  Author: Eric Farman <farman@linux.ibm.com>
  Date:   2021-05-20 (Thu, 20 May 2021)

  Changed paths:
    M hw/vfio/ccw.c

  Log Message:
  -----------
  vfio-ccw: Permit missing IRQs

Commit 690e29b91102 ("vfio-ccw: Refactor ccw irq handler") changed
one of the checks for the IRQ notifier registration from saying
"the host needs to recognize the only IRQ that exists" to saying
"the host needs to recognize ANY IRQ that exists."

And this worked fine, because the subsequent change to support the
CRW IRQ notifier doesn't get into this code when running on an older
kernel, thanks to a guard by a capability region. The later addition
of the REQ(uest) IRQ by commit b2f96f9e4f5f ("vfio-ccw: Connect the
device request notifier") broke this assumption because there is no
matching capability region. Thus, running new QEMU on an older
kernel fails with:

  vfio: unexpected number of irqs 2

Let's adapt the message here so that there's a better clue of what
IRQ is missing.

Furthermore, let's make the REQ(uest) IRQ not fail when attempting
to register it, to permit running vfio-ccw on a newer QEMU with an
older kernel.

Fixes: b2f96f9e4f5f ("vfio-ccw: Connect the device request notifier")
Signed-off-by: Eric Farman <farman@linux.ibm.com>
Message-Id: <20210421152053.2379873-1-farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: a6d8b731130bf76c3d2932b067befa5c380e0dee
      
https://github.com/qemu/qemu/commit/a6d8b731130bf76c3d2932b067befa5c380e0dee
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2021-05-20 (Thu, 20 May 2021)

  Changed paths:
    M hw/s390x/3270-ccw.c
    M hw/s390x/ccw-device.c
    M hw/s390x/ccw-device.h
    M hw/s390x/s390-ccw.c
    M hw/s390x/virtio-ccw.c

  Log Message:
  -----------
  hw/s390x/ccw: Register qbus type in abstract TYPE_CCW_DEVICE parent

Instead of having all TYPE_CCW_DEVICE children set the bus type to
TYPE_VIRTUAL_CSS_BUS, do it once in the abstract parent.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Eric Farman <farman@linux.ibm.com>
Message-Id: <20210424145313.3287400-1-f4bug@amsat.org>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: dcc9cf3801039741b7a574b5035db283a7fed271
      
https://github.com/qemu/qemu/commit/dcc9cf3801039741b7a574b5035db283a7fed271
  Author: Eric Farman <farman@linux.ibm.com>
  Date:   2021-05-20 (Thu, 20 May 2021)

  Changed paths:
    M hw/vfio/ccw.c

  Log Message:
  -----------
  vfio-ccw: Attempt to clean up all IRQs on error

The vfio_ccw_unrealize() routine makes an unconditional attempt to
unregister every IRQ notifier, though they may not have been registered
in the first place (when running on an older kernel, for example).

Let's mirror this behavior in the error cleanups in vfio_ccw_realize()
so that if/when new IRQs are added, it is less confusing to recognize
the necessary procedures. The worst case scenario would be some extra
messages about an undefined IRQ, but since this is an error exit that
won't be the only thing to worry about.

And regarding those messages, let's change it to a warning instead of
an error, to better reflect their severity. The existing code in both
paths handles everything anyway.

Signed-off-by: Eric Farman <farman@linux.ibm.com>
Acked-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-Id: <20210428143652.1571487-1-farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: 9b21049edd3c352efc615e030cd8e931e0c6f910
      
https://github.com/qemu/qemu/commit/9b21049edd3c352efc615e030cd8e931e0c6f910
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2021-05-20 (Thu, 20 May 2021)

  Changed paths:
    M target/i386/tcg/translate.c

  Log Message:
  -----------
  target/i386: Make sure that vsyscall's tb->size != 0

tb_gen_code() assumes that tb->size must never be zero, otherwise it
may produce spurious exceptions. For x86_64 this may happen when
creating a translation block for the vsyscall page.

Fix by pretending that vsyscall translation blocks have at least one
instruction.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210519045738.1335210-2-iii@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: f66487756b0553b156d8e3e81bc6411cfc38176e
      
https://github.com/qemu/qemu/commit/f66487756b0553b156d8e3e81bc6411cfc38176e
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2021-05-20 (Thu, 20 May 2021)

  Changed paths:
    M tests/tcg/x86_64/Makefile.target
    A tests/tcg/x86_64/vsyscall.c

  Log Message:
  -----------
  tests/tcg/x86_64: add vsyscall smoke test

Having a small test will prevent trivial regressions in the future.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20210519045738.1335210-3-iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>


  Commit: 972e848b53970d12cb2ca64687ef8ff797fb6236
      
https://github.com/qemu/qemu/commit/972e848b53970d12cb2ca64687ef8ff797fb6236
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2021-05-20 (Thu, 20 May 2021)

  Changed paths:
    M accel/tcg/translate-all.c
    M hw/s390x/3270-ccw.c
    M hw/s390x/ccw-device.c
    M hw/s390x/ccw-device.h
    M hw/s390x/s390-ccw.c
    M hw/s390x/virtio-ccw.c
    M hw/vfio/ccw.c
    M target/arm/translate.c
    M target/i386/tcg/translate.c
    M target/s390x/translate.c
    M target/xtensa/translate.c
    M tests/tcg/x86_64/Makefile.target
    A tests/tcg/x86_64/vsyscall.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/cohuck-gitlab/tags/s390x-20210520-v2' into staging

s390x fixes and cleanups; also related fixes in xtensa,
arm, and x86 code

# gpg: Signature made Thu 20 May 2021 13:23:15 BST
# gpg:                using RSA key C3D0D66DC3624FF6A8C018CEDECF6B93C6F02FAF
# gpg:                issuer "cohuck@redhat.com"
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [unknown]
# gpg:                 aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <cohuck@kernel.org>" [unknown]
# gpg:                 aka "Cornelia Huck <cohuck@redhat.com>" [unknown]
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0  18CE DECF 6B93 C6F0 2FAF

* remotes/cohuck-gitlab/tags/s390x-20210520-v2:
  tests/tcg/x86_64: add vsyscall smoke test
  target/i386: Make sure that vsyscall's tb->size != 0
  vfio-ccw: Attempt to clean up all IRQs on error
  hw/s390x/ccw: Register qbus type in abstract TYPE_CCW_DEVICE parent
  vfio-ccw: Permit missing IRQs
  accel/tcg: Assert that tb->size != 0 after translation
  target/xtensa: Make sure that tb->size != 0
  target/arm: Make sure that commpage's tb->size != 0
  target/s390x: Fix translation exception on illegal instruction

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/a1362f392b0a...972e848b5397


