qemu-devel

Re: [PATCH 1/3] target/ppc: Fix broadcast tlbie synchronisation


From: Philippe Mathieu-Daudé
Subject: Re: [PATCH 1/3] target/ppc: Fix broadcast tlbie synchronisation
Date: Thu, 28 Mar 2024 14:18:42 +0100
User-agent: Mozilla Thunderbird

On 28/3/24 06:31, Nicholas Piggin wrote:
With mttcg, broadcast tlbie instructions do not wait until other vCPUs
have been kicked out of TCG execution before they complete (including
necessary subsequent tlbsync, etc., instructions). This is contrary to
the ISA, and it permits other vCPUs to use translations after the TLB
flush. For example:

    CPU0
    // *memP is initially 0, memV maps to memP with *pte
    *pte = 0;
    ptesync ; tlbie ; eieio ; tlbsync ; ptesync
    *memP = 1;

    CPU1
    assert(*memV == 0);

It is possible for the assertion to fail because CPU1 translates memV
using the TLB after CPU0 has stored 1 to the underlying memory. This
race was observed with a careful test case where CPU1 checks run in a
very large expensive TB so it can run for the entire CPU0 period between
clearing the pte and storing the memory. It's normally very difficult to
hit, but preemption of host vCPU threads could trigger the race
anywhere.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
  target/ppc/helper_regs.c | 2 +-
  target/ppc/mmu_helper.c  | 2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)

To the best of my knowledge,
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
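A toy Python model of the interleaving in the quoted commit message, added here as an illustration and not code from QEMU or the patch: a broadcast tlbie that merely queues the flush lets CPU1's cached translation outlive the PTE clear, whereas one whose tlbsync waits for the other vCPU to leave its TB does not. The `Model`/`run` names and the single-PTE state are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Model:
    """Constructed toy state: one PTE, one physical word, one cached
    translation on CPU1, and a broadcast flush that may still be queued."""
    pte_valid: bool = True          # *pte != 0
    memP: int = 0                   # the physical word
    cpu1_tlb_valid: bool = True     # CPU1 has memV -> memP cached
    cpu1_in_tb: bool = True         # CPU1 is inside a long TCG block
    flush_pending: bool = False     # tlbie broadcast queued for CPU1

    def cpu1_exit_tb(self):
        """A queued flush only lands once CPU1 leaves TCG execution."""
        self.cpu1_in_tb = False
        if self.flush_pending:
            self.cpu1_tlb_valid = False
            self.flush_pending = False

    def cpu1_load_memV(self):
        """CPU1 reads *memV: the cached translation wins; otherwise the
        page table is walked and an invalid PTE faults (returns None)."""
        if self.cpu1_tlb_valid:
            return self.memP
        if not self.pte_valid:
            return None
        self.cpu1_tlb_valid = True
        return self.memP

    def cpu0_invalidate_and_store(self, synced):
        """CPU0's sequence from the commit message: *pte = 0; tlbie ...
        tlbsync; *memP = 1. With synced=False the tlbie only queues the
        flush (the mttcg behaviour described as the bug); with synced=True
        the tlbsync does not complete until CPU1 has been kicked out of
        its TB and dropped the translation, as the ISA requires."""
        self.pte_valid = False
        self.flush_pending = True
        if synced:
            self.cpu1_exit_tb()     # wait for the other vCPU to drop it
        self.memP = 1


def run(synced):
    """Interleaving from the commit message: CPU1 stays mid-TB for the whole
    of CPU0's sequence and only then performs its load of *memV."""
    m = Model()
    m.cpu0_invalidate_and_store(synced)
    return m.cpu1_load_memV()
```

`run(synced=False)` returns 1, the value the commit message's `assert(*memV == 0)` must never observe; `run(synced=True)` returns None, because CPU1 no longer holds a translation and the PTE is already clear.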
