From: Paolo Bonzini
To: qemu-devel@nongnu.org
Date: Thu, 16 Feb 2017 15:31:35 +0100
Message-Id: <1487255507-106654-12-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1487255507-106654-1-git-send-email-pbonzini@redhat.com>
Subject: [Qemu-devel] [PULL 11/23] cpu-exec: fix icount out-of-bounds access

When icount is active, tb_add_jump is surprisingly called with an out of bounds basic block index. I have no idea how that can work, but it does not seem like a good idea.

Clear *last_tb for all TB_EXIT_ICOUNT_EXPIRED cases, even when all you have to do is refill icount_extra.

Signed-off-by: Paolo Bonzini
---
 cpu-exec.c              | 7 ++++---
 include/exec/exec-all.h | 1 +
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/cpu-exec.c b/cpu-exec.c index 57583f1..1f7d217 100644 --- a/cpu-exec.c +++ b/cpu-exec.c @@ -542,7 +542,7 @@ static inline void cpu_loop_exec_tb(CPUState *cpu, Tran= slationBlock *tb, =20 trace_exec_tb(tb, tb->pc); ret =3D cpu_tb_exec(cpu, tb); - *last_tb =3D (TranslationBlock *)(ret & ~TB_EXIT_MASK); + tb =3D (TranslationBlock *)(ret & ~TB_EXIT_MASK); *tb_exit =3D ret & TB_EXIT_MASK; switch (*tb_exit) { case TB_EXIT_REQUESTED:
@@ -566,6 +566,7 @@ static inline void cpu_loop_exec_tb(CPUState *cpu, Tran= slationBlock *tb, abort(); #else int insns_left =3D cpu->icount_decr.u32; + *last_tb =3D NULL; if (cpu->icount_extra && insns_left >=3D 0) { /* Refill decrementer and continue execution. */ cpu->icount_extra +=3D insns_left; @@ -575,17 +576,17 @@ static inline void cpu_loop_exec_tb(CPUState *cpu, Tr= anslationBlock *tb, } else { if (insns_left > 0) { /* Execute remaining instructions. */ - cpu_exec_nocache(cpu, insns_left, *last_tb, false); + cpu_exec_nocache(cpu, insns_left, tb, false); align_clocks(sc, cpu); } cpu->exception_index =3D EXCP_INTERRUPT; - *last_tb =3D NULL; cpu_loop_exit(cpu); } break; #endif } default: + *last_tb =3D tb; break; } } diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h index bbc9478..21ab7bf 100644 --- a/include/exec/exec-all.h +++ b/include/exec/exec-all.h @@ -318,6 +318,7 @@ static inline void tb_set_jmp_target(TranslationBlock *= tb, static inline void tb_add_jump(TranslationBlock *tb, int n, TranslationBlock *tb_next) { + assert(n < ARRAY_SIZE(tb->jmp_list_next)); if (tb->jmp_list_next[n]) { /* Another thread has already done this while we were * outside of the lock; nothing to do in this case */ --=20 1.8.3.1
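Review bot: in the first cpu-exec.c hunk (@@ -542,7 +542,7 @@), replacing `*last_tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);` with `tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);` means `*last_tb` is no longer written unconditionally before the switch; it is now only set on the TB_EXIT_ICOUNT_EXPIRED path and in the new `default: *last_tb = tb;` arm. Any other `case` arm that `break`s without assigning `*last_tb` (TB_EXIT_REQUESTED is the one visible here, and its body is not shown in the hunk) would leave the caller with a stale `*last_tb` from the previous iteration, which is exactly the kind of stale chaining candidate this fix is about. Suggest either assigning `*last_tb` explicitly in every arm, or adding a one-line comment at `default:` stating the invariant that every exit path of this switch sets `*last_tb`, so the next change to the switch cannot silently reintroduce a stale value. A sentence in the commit message that the `tb` parameter is being repurposed to hold the just-executed block would also help anyone bisecting to this commit.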
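Review bot: in the second cpu-exec.c hunk (@@ -566,6 +566,7 @@), `*last_tb = NULL;` is placed before `if (cpu->icount_extra && insns_left >= 0)`, so the refill-and-continue branch now also drops the chaining candidate. That is the stated intent of the commit message, but nothing in the code says so, and a later reader who sees the refill branch as "nothing happened, keep going" will be tempted to move the NULL back under the `else`, where the old `- *last_tb = NULL;` was. Suggest a comment beside the assignment, e.g. `/* an icount exit never names a jump slot; never chain from this TB */`, so the placement is self-explaining. In the third hunk (@@ -575,17 +576,17 @@), `cpu_exec_nocache(cpu, insns_left, tb, false);` passes the block decoded from `ret` instead of `*last_tb`; since the two held the same value before this patch, behaviour is preserved, but it now depends on the reassignment of `tb` in the first hunk, which is worth stating in the commit message.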
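Review bot: in the include/exec/exec-all.h hunk, `assert(n < ARRAY_SIZE(tb->jmp_list_next));` guards the `tb->jmp_list_next[n]` read on the following line and the writes further down, but it only turns the out-of-bounds index described in the commit message into an abort; the cpu-exec.c change is the actual fix, and any build that compiles assertions out is back to silently indexing past the array. That is acceptable for a debug guard, but the function comment should say which values of `n` are legal, namely only the exit codes that name a jump slot, since the commit message shows that a TB_EXIT_* code outside that range can reach here. Also note that `n` is an `int` compared against the `size_t` from ARRAY_SIZE, so a negative `n` is converted to a large unsigned value and trips the assert as well; that is the desired outcome, but it reads like a one-sided check and deserves a short comment so nobody "fixes" it by adding `n >= 0 &&`.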
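The commit message says chaining was being attempted with an out-of-bounds basic block index whenever an icount exit was treated like a direct-jump exit. The following is an added example, not QEMU's code, that models the mechanism in plain C: the value a translated block returns packs the TranslationBlock pointer with a small exit code in the low bits, only the exit codes that name a jump slot are valid indexes into `jmp_list_next[]`, and the fixed loop clears `last_tb` on the icount-expired exit regardless of whether the decrementer is merely refilled afterwards. The exit-code values, the two-slot array size and every name here (`tb_exit_pack`, `tb_exit_decode`, `tb_exit_is_jump`, `last_tb_after_exit`, `tb_add_jump_checked`, `demo`) are assumptions for illustration; the bounds check is written as an explicit reject rather than an `assert` so a bad index is reported instead of aborting.

```c
/*
 * Added example (not QEMU's code): a minimal model of how a translated
 * block's return value packs the TranslationBlock pointer with an exit
 * code, and why chaining on a non-jump exit would index past
 * jmp_list_next[].  Exit-code values, the two-slot array size and all
 * function names are assumptions for illustration only.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

#define TB_EXIT_MASK        3u   /* low two bits of the return value */
#define EXIT_IDX0           0u   /* "left via direct jump slot 0" */
#define EXIT_IDX1           1u   /* "left via direct jump slot 1" */
#define EXIT_ICOUNT_EXPIRED 2u   /* assumed value, not from the patch */
#define EXIT_REQUESTED      3u   /* assumed value, not from the patch */

typedef struct TB {
    uintptr_t pc;
    struct TB *jmp_list_next[2]; /* one slot per direct-jump exit */
} TB;

/* Pack a TB pointer with an exit code, as generated code would. */
static uintptr_t tb_exit_pack(TB *tb, unsigned code)
{
    assert(((uintptr_t)tb & TB_EXIT_MASK) == 0); /* low bits must be free */
    return (uintptr_t)tb | (code & TB_EXIT_MASK);
}

/* Split the packed value back into (tb, exit code). */
static TB *tb_exit_decode(uintptr_t ret, unsigned *code)
{
    *code = (unsigned)(ret & TB_EXIT_MASK);
    return (TB *)(ret & ~(uintptr_t)TB_EXIT_MASK);
}

/* Only exit codes below the slot count name a jump slot. */
static bool tb_exit_is_jump(unsigned code)
{
    return code < ARRAY_SIZE(((TB *)0)->jmp_list_next);
}

/*
 * Model of the fixed loop: what last_tb becomes after a block returns.
 * An icount exit never yields a chainable last_tb, even when the caller
 * will just refill the decrementer and keep executing.
 */
static TB *last_tb_after_exit(uintptr_t ret)
{
    unsigned code;
    TB *tb = tb_exit_decode(ret, &code);
    return code == EXIT_ICOUNT_EXPIRED ? NULL : tb;
}

/*
 * Chaining with an explicit bounds check: a NULL last_tb or an exit code
 * that is not a jump slot is rejected instead of indexing the array.
 * Returns true only when the link was actually installed.
 */
static bool tb_add_jump_checked(TB *tb, unsigned n, TB *next)
{
    if (tb == NULL || !tb_exit_is_jump(n)) {
        return false;                 /* nothing to chain from */
    }
    if (tb->jmp_list_next[n] != NULL) {
        return false;                 /* already chained */
    }
    tb->jmp_list_next[n] = next;
    return true;
}

/* Drive the model on constructed blocks; returns the number of links made. */
static int demo(void)
{
    TB a = {0}, b = {0};              /* constructed sample blocks */
    unsigned code;
    int links = 0;

    /* Normal case: a left via jump slot 1, so a -> b is chained. */
    uintptr_t ret = tb_exit_pack(&a, EXIT_IDX1);
    TB *last = last_tb_after_exit(ret);
    (void)tb_exit_decode(ret, &code);
    links += tb_add_jump_checked(last, code, &b);

    /* Icount expired: last_tb is NULL and the exit code names no slot. */
    ret = tb_exit_pack(&a, EXIT_ICOUNT_EXPIRED);
    last = last_tb_after_exit(ret);
    (void)tb_exit_decode(ret, &code);
    links += tb_add_jump_checked(last, code, &b);

    return links;                     /* 1 */
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The point of the model is the size mismatch: the exit-code namespace in the low bits is wider than the jump-slot array, so any exit that is not a direct jump must never reach the chaining step with its code used as an index. Clearing `last_tb` at the exit site, as the patch does, removes the caller's temptation to chain; the checked `tb_add_jump_checked` is belt and braces for the case where the caller gets it wrong.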