From patchwork Mon May 16 13:13:00 2016
From: Sergey Fedorov
To: qemu-devel@nongnu.org
Cc: Sergey Fedorov, Peter Crosthwaite, Paolo Bonzini, Sergey Fedorov, Alex Bennée, Richard Henderson
Date: Mon, 16 May 2016 16:13:00 +0300
Message-Id: <1463404380-29302-1-git-send-email-sergey.fedorov@linaro.org>
Subject: [Qemu-devel] [PATCH] cpu-exec: Fix direct jump to TB spanning page

From: Sergey Fedorov

It is not safe to make a direct jump to a TB spanning two pages in system
emulation because the mapping for the second page can get changed but we
don't take care of direct jumps in this case. However, in user mode
emulation, this is not the case because there's only static address
translation and TBs are always invalidated properly.

Fixes: 5b053a4a2827 ("tcg: Clean up direct block chaining safety checks")
Reported-by: Max Filippov
Signed-off-by: Sergey Fedorov
Signed-off-by: Sergey Fedorov
Tested-by: Max Filippov
---
 cpu-exec.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/cpu-exec.c b/cpu-exec.c
index 14df1aacf42a..ec2364df624d 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -344,6 +344,15 @@ static inline TranslationBlock *tb_find_fast(CPUState *cpu, *last_tb = NULL; cpu->tb_flushed = false; } +#ifndef CONFIG_USER_ONLY + /* We don't take care of direct jumps when address mapping changes in + * system emulation. So it's not safe to make a direct jump to a TB + * spanning two pages because the mapping for the second page can change. + */ + if (tb->page_addr[1] != -1) { + *last_tb = NULL; + } +#endif /* See if we can patch the calling TB. */ if (*last_tb && !qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) { tb_add_jump(*last_tb, tb_exit, tb);
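Review bot: the new guard lives only at this chaining site in tb_find_fast rather than inside tb_add_jump, so any other path that calls tb_add_jump would not get the two-page protection; either move the `if (tb->page_addr[1] != -1)` test into tb_add_jump or extend the comment to say this is the only place blocks are chained so the check is sufficient here. The effect of `*last_tb = NULL` is that the following `if (*last_tb && !qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN))` skips tb_add_jump, which is the intended outcome for system emulation, and the `#ifndef CONFIG_USER_ONLY` keeps chaining enabled in user mode as the commit message argues is safe. Two smaller points: comparing against the bare literal `-1` relies on conversion to the page-address type, so a named sentinel for "no second page" would make the condition self-documenting; and the comment repeats the commit message, whereas it would help a future reader more to state the consequence being avoided, namely chaining directly into a translation whose second page may no longer map the same guest memory.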