target/s390x: fix s390_probe_access to check PAGE_WRITE_ORG for writeability

Commit Message

Alex Bennée April 22, 2021, 3:44 p.m. UTC

We can remove PAGE_WRITE when (internally) marking a page read-only
because it contains translated code. This can get confused when we are
executing signal return code on signal stacks.

Fixes: e56552cf07 ("target/s390x: Implement the MVPG condition-code-option bit")
Found-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Cornelia Huck <cohuck@redhat.com>
Cc: Thomas Huth <thuth@redhat.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Laurent Vivier <laurent@vivier.eu>
---
 target/s390x/mem_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Richard Henderson April 22, 2021, 4:10 p.m. UTC | #1

On 4/22/21 8:44 AM, Alex Bennée wrote:
> We can remove PAGE_WRITE when (internally) marking a page read-only
> because it contains translated code. This can get confused when we are
> executing signal return code on signal stacks.
> 
> Fixes: e56552cf07 ("target/s390x: Implement the MVPG condition-code-option bit")
> Found-by: Richard Henderson <richard.henderson@linaro.org>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Cc: Cornelia Huck <cohuck@redhat.com>
> Cc: Thomas Huth <thuth@redhat.com>
> Cc: David Hildenbrand <david@redhat.com>
> Cc: Laurent Vivier <laurent@vivier.eu>
> ---
>   target/s390x/mem_helper.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~

David Hildenbrand April 22, 2021, 4:43 p.m. UTC | #2

On 22.04.21 17:44, Alex Bennée wrote:
> We can remove PAGE_WRITE when (internally) marking a page read-only
> because it contains translated code. This can get confused when we are
> executing signal return code on signal stacks.
> 
> Fixes: e56552cf07 ("target/s390x: Implement the MVPG condition-code-option bit")
> Found-by: Richard Henderson <richard.henderson@linaro.org>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Cc: Cornelia Huck <cohuck@redhat.com>
> Cc: Thomas Huth <thuth@redhat.com>
> Cc: David Hildenbrand <david@redhat.com>
> Cc: Laurent Vivier <laurent@vivier.eu>
> ---
>   target/s390x/mem_helper.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/target/s390x/mem_helper.c b/target/s390x/mem_helper.c
> index 12e84a4285..f6a7d29273 100644
> --- a/target/s390x/mem_helper.c
> +++ b/target/s390x/mem_helper.c
> @@ -145,7 +145,7 @@ static int s390_probe_access(CPUArchState *env, target_ulong addr, int size,
>   
>   #if defined(CONFIG_USER_ONLY)
>       flags = page_get_flags(addr);
> -    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE))) {
> +    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE_ORG))) {
>           env->__excp_addr = addr;
>           flags = (flags & PAGE_VALID) ? PGM_PROTECTION : PGM_ADDRESSING;
>           if (nonfault) {
> 

Reviewed-by: David Hildenbrand <david@redhat.com>

Cornelia Huck April 23, 2021, 12:22 p.m. UTC | #3

On Thu, 22 Apr 2021 16:44:27 +0100
Alex Bennée <alex.bennee@linaro.org> wrote:

> We can remove PAGE_WRITE when (internally) marking a page read-only
> because it contains translated code. This can get confused when we are
> executing signal return code on signal stacks.
> 
> Fixes: e56552cf07 ("target/s390x: Implement the MVPG condition-code-option bit")
> Found-by: Richard Henderson <richard.henderson@linaro.org>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Cc: Cornelia Huck <cohuck@redhat.com>
> Cc: Thomas Huth <thuth@redhat.com>
> Cc: David Hildenbrand <david@redhat.com>
> Cc: Laurent Vivier <laurent@vivier.eu>
> ---
>  target/s390x/mem_helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/target/s390x/mem_helper.c b/target/s390x/mem_helper.c
> index 12e84a4285..f6a7d29273 100644
> --- a/target/s390x/mem_helper.c
> +++ b/target/s390x/mem_helper.c
> @@ -145,7 +145,7 @@ static int s390_probe_access(CPUArchState *env, target_ulong addr, int size,
>  
>  #if defined(CONFIG_USER_ONLY)
>      flags = page_get_flags(addr);
> -    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE))) {
> +    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE_ORG))) {
>          env->__excp_addr = addr;
>          flags = (flags & PAGE_VALID) ? PGM_PROTECTION : PGM_ADDRESSING;
>          if (nonfault) {

What's the verdict on this one? I plan to queue this to s390-next; but
if we end up doing an -rc5, it might qualify as a regression fix.

If this is going to be in 6.1, I'll add cc:stable when queuing.

Peter Maydell April 23, 2021, 1:06 p.m. UTC | #4

On Fri, 23 Apr 2021 at 13:22, Cornelia Huck <cohuck@redhat.com> wrote:
>
> On Thu, 22 Apr 2021 16:44:27 +0100
> Alex Bennée <alex.bennee@linaro.org> wrote:
>
> > We can remove PAGE_WRITE when (internally) marking a page read-only
> > because it contains translated code. This can get confused when we are
> > executing signal return code on signal stacks.
> >
> > Fixes: e56552cf07 ("target/s390x: Implement the MVPG condition-code-option bit")
> > Found-by: Richard Henderson <richard.henderson@linaro.org>
> > Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> > Cc: Cornelia Huck <cohuck@redhat.com>
> > Cc: Thomas Huth <thuth@redhat.com>
> > Cc: David Hildenbrand <david@redhat.com>
> > Cc: Laurent Vivier <laurent@vivier.eu>
> > ---
> >  target/s390x/mem_helper.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/target/s390x/mem_helper.c b/target/s390x/mem_helper.c
> > index 12e84a4285..f6a7d29273 100644
> > --- a/target/s390x/mem_helper.c
> > +++ b/target/s390x/mem_helper.c
> > @@ -145,7 +145,7 @@ static int s390_probe_access(CPUArchState *env, target_ulong addr, int size,
> >
> >  #if defined(CONFIG_USER_ONLY)
> >      flags = page_get_flags(addr);
> > -    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE))) {
> > +    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE_ORG))) {
> >          env->__excp_addr = addr;
> >          flags = (flags & PAGE_VALID) ? PGM_PROTECTION : PGM_ADDRESSING;
> >          if (nonfault) {
>
> What's the verdict on this one? I plan to queue this to s390-next; but
> if we end up doing an -rc5, it might qualify as a regression fix.

What's your opinion? I think we do need an rc5 for the network backend
hotplug crash. I don't want to open the doors for lots of new fixes
just because we've got another rc, but on the other hand this one
does look like it's a pretty small and safe fix, and letting intermittent
crash bugs out into the wild seems like it could lead to a lot of
annoying re-investigation of the same bug if it's reported by users
later... So I kind of lean towards putting it in rc5.

thanks
-- PMM

Thomas Huth April 23, 2021, 1:28 p.m. UTC | #5

On 23/04/2021 15.06, Peter Maydell wrote:
> On Fri, 23 Apr 2021 at 13:22, Cornelia Huck <cohuck@redhat.com> wrote:
>>
>> On Thu, 22 Apr 2021 16:44:27 +0100
>> Alex Bennée <alex.bennee@linaro.org> wrote:
>>
>>> We can remove PAGE_WRITE when (internally) marking a page read-only
>>> because it contains translated code. This can get confused when we are
>>> executing signal return code on signal stacks.
>>>
>>> Fixes: e56552cf07 ("target/s390x: Implement the MVPG condition-code-option bit")
>>> Found-by: Richard Henderson <richard.henderson@linaro.org>
>>> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
>>> Cc: Cornelia Huck <cohuck@redhat.com>
>>> Cc: Thomas Huth <thuth@redhat.com>
>>> Cc: David Hildenbrand <david@redhat.com>
>>> Cc: Laurent Vivier <laurent@vivier.eu>
>>> ---
>>>   target/s390x/mem_helper.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/target/s390x/mem_helper.c b/target/s390x/mem_helper.c
>>> index 12e84a4285..f6a7d29273 100644
>>> --- a/target/s390x/mem_helper.c
>>> +++ b/target/s390x/mem_helper.c
>>> @@ -145,7 +145,7 @@ static int s390_probe_access(CPUArchState *env, target_ulong addr, int size,
>>>
>>>   #if defined(CONFIG_USER_ONLY)
>>>       flags = page_get_flags(addr);
>>> -    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE))) {
>>> +    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE_ORG))) {
>>>           env->__excp_addr = addr;
>>>           flags = (flags & PAGE_VALID) ? PGM_PROTECTION : PGM_ADDRESSING;
>>>           if (nonfault) {
>>
>> What's the verdict on this one? I plan to queue this to s390-next; but
>> if we end up doing an -rc5, it might qualify as a regression fix.
> 
> What's your opinion? I think we do need an rc5 for the network backend
> hotplug crash. I don't want to open the doors for lots of new fixes
> just because we've got another rc, but on the other hand this one
> does look like it's a pretty small and safe fix, and letting intermittent
> crash bugs out into the wild seems like it could lead to a lot of
> annoying re-investigation of the same bug if it's reported by users
> later... So I kind of lean towards putting it in rc5.

IMHO: It's in a s390x-only file, within a #ifdef CONFIG_USER_ONLY ... so the 
damage this could do is very, very limited, indeed. Thus I'd also suggest to 
include it in a rc5.

  Thomas

Cornelia Huck April 23, 2021, 1:52 p.m. UTC | #6

On Fri, 23 Apr 2021 15:28:19 +0200
Thomas Huth <thuth@redhat.com> wrote:

> On 23/04/2021 15.06, Peter Maydell wrote:
> > On Fri, 23 Apr 2021 at 13:22, Cornelia Huck <cohuck@redhat.com> wrote:  
> >>
> >> On Thu, 22 Apr 2021 16:44:27 +0100
> >> Alex Bennée <alex.bennee@linaro.org> wrote:
> >>  
> >>> We can remove PAGE_WRITE when (internally) marking a page read-only
> >>> because it contains translated code. This can get confused when we are
> >>> executing signal return code on signal stacks.
> >>>
> >>> Fixes: e56552cf07 ("target/s390x: Implement the MVPG condition-code-option bit")
> >>> Found-by: Richard Henderson <richard.henderson@linaro.org>
> >>> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> >>> Cc: Cornelia Huck <cohuck@redhat.com>
> >>> Cc: Thomas Huth <thuth@redhat.com>
> >>> Cc: David Hildenbrand <david@redhat.com>
> >>> Cc: Laurent Vivier <laurent@vivier.eu>
> >>> ---
> >>>   target/s390x/mem_helper.c | 2 +-
> >>>   1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/target/s390x/mem_helper.c b/target/s390x/mem_helper.c
> >>> index 12e84a4285..f6a7d29273 100644
> >>> --- a/target/s390x/mem_helper.c
> >>> +++ b/target/s390x/mem_helper.c
> >>> @@ -145,7 +145,7 @@ static int s390_probe_access(CPUArchState *env, target_ulong addr, int size,
> >>>
> >>>   #if defined(CONFIG_USER_ONLY)
> >>>       flags = page_get_flags(addr);
> >>> -    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE))) {
> >>> +    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE_ORG))) {
> >>>           env->__excp_addr = addr;
> >>>           flags = (flags & PAGE_VALID) ? PGM_PROTECTION : PGM_ADDRESSING;
> >>>           if (nonfault) {  
> >>
> >> What's the verdict on this one? I plan to queue this to s390-next; but
> >> if we end up doing an -rc5, it might qualify as a regression fix.  
> > 
> > What's your opinion? I think we do need an rc5 for the network backend
> > hotplug crash. I don't want to open the doors for lots of new fixes
> > just because we've got another rc, but on the other hand this one
> > does look like it's a pretty small and safe fix, and letting intermittent
> > crash bugs out into the wild seems like it could lead to a lot of
> > annoying re-investigation of the same bug if it's reported by users
> > later... So I kind of lean towards putting it in rc5.  
> 
> IMHO: It's in a s390x-only file, within a #ifdef CONFIG_USER_ONLY ... so the 
> damage this could do is very, very limited, indeed. Thus I'd also suggest to 
> include it in a rc5.

Exactly, the benefits outweigh the risk IMHO.

Peter, do you want to pick this one directly, or should I send you a pull req?

Peter Maydell April 23, 2021, 1:56 p.m. UTC | #7

On Fri, 23 Apr 2021 at 14:52, Cornelia Huck <cohuck@redhat.com> wrote:
>
> On Fri, 23 Apr 2021 15:28:19 +0200
> Thomas Huth <thuth@redhat.com> wrote:
>
> > On 23/04/2021 15.06, Peter Maydell wrote:
> > > On Fri, 23 Apr 2021 at 13:22, Cornelia Huck <cohuck@redhat.com> wrote:
> > >> What's the verdict on this one? I plan to queue this to s390-next; but
> > >> if we end up doing an -rc5, it might qualify as a regression fix.
> > >
> > > What's your opinion? I think we do need an rc5 for the network backend
> > > hotplug crash. I don't want to open the doors for lots of new fixes
> > > just because we've got another rc, but on the other hand this one
> > > does look like it's a pretty small and safe fix, and letting intermittent
> > > crash bugs out into the wild seems like it could lead to a lot of
> > > annoying re-investigation of the same bug if it's reported by users
> > > later... So I kind of lean towards putting it in rc5.
> >
> > IMHO: It's in a s390x-only file, within a #ifdef CONFIG_USER_ONLY ... so the
> > damage this could do is very, very limited, indeed. Thus I'd also suggest to
> > include it in a rc5.
>
> Exactly, the benefits outweigh the risk IMHO.
>
> Peter, do you want to pick this one directly, or should I send you a pull req?

I'll pick it directly, thanks.

-- PMM

Peter Maydell April 23, 2021, 3:44 p.m. UTC | #8

On Fri, 23 Apr 2021 at 14:56, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Fri, 23 Apr 2021 at 14:52, Cornelia Huck <cohuck@redhat.com> wrote:
> >
> > On Fri, 23 Apr 2021 15:28:19 +0200
> > Thomas Huth <thuth@redhat.com> wrote:
> >
> > > On 23/04/2021 15.06, Peter Maydell wrote:
> > > > On Fri, 23 Apr 2021 at 13:22, Cornelia Huck <cohuck@redhat.com> wrote:
> > > >> What's the verdict on this one? I plan to queue this to s390-next; but
> > > >> if we end up doing an -rc5, it might qualify as a regression fix.
> > > >
> > > > What's your opinion? I think we do need an rc5 for the network backend
> > > > hotplug crash. I don't want to open the doors for lots of new fixes
> > > > just because we've got another rc, but on the other hand this one
> > > > does look like it's a pretty small and safe fix, and letting intermittent
> > > > crash bugs out into the wild seems like it could lead to a lot of
> > > > annoying re-investigation of the same bug if it's reported by users
> > > > later... So I kind of lean towards putting it in rc5.
> > >
> > > IMHO: It's in a s390x-only file, within a #ifdef CONFIG_USER_ONLY ... so the
> > > damage this could do is very, very limited, indeed. Thus I'd also suggest to
> > > include it in a rc5.
> >
> > Exactly, the benefits outweigh the risk IMHO.
> >
> > Peter, do you want to pick this one directly, or should I send you a pull req?
>
> I'll pick it directly, thanks.

...applied to target-arm.next, thanks.

-- PMM

Patch

diff --git a/target/s390x/mem_helper.c b/target/s390x/mem_helper.c
index 12e84a4285..f6a7d29273 100644
--- a/target/s390x/mem_helper.c
+++ b/target/s390x/mem_helper.c
@@ -145,7 +145,7 @@  static int s390_probe_access(CPUArchState *env, target_ulong addr, int size,
 
 #if defined(CONFIG_USER_ONLY)
     flags = page_get_flags(addr);
-    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE))) {
+    if (!(flags & (access_type == MMU_DATA_LOAD ?  PAGE_READ : PAGE_WRITE_ORG))) {
         env->__excp_addr = addr;
         flags = (flags & PAGE_VALID) ? PGM_PROTECTION : PGM_ADDRESSING;
         if (nonfault) {