1. Patchew
  2. QEMU
  3. View series

[PATCH] accel/tcg: Fix undefined jump with x86_cpu_tlb_fill

Daniel Hoffman posted 1 patch 1 year, 4 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20221201064813.1315752-1-dhoff749@gmail.com
Maintainers: Paolo Bonzini <pbonzini@redhat.com>, Richard Henderson <richard.henderson@linaro.org>, Eduardo Habkost <eduardo@habkost.net>
target/i386/tcg/sysemu/excp_helper.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH] accel/tcg: Fix undefined jump with x86_cpu_tlb_fill
Posted by Daniel Hoffman 1 year, 4 months ago 
Signed-off-by: Daniel Hoffman <dhoff749@gmail.com>
---
 target/i386/tcg/sysemu/excp_helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c
index 405a5d414a..6a93e96eb7 100644
--- a/target/i386/tcg/sysemu/excp_helper.c
+++ b/target/i386/tcg/sysemu/excp_helper.c
@@ -595,6 +595,7 @@ bool x86_cpu_tlb_fill(CPUState *cs, vaddr addr, int size,
     CPUX86State *env = cs->env_ptr;
     TranslateResult out;
     TranslateFault err;
+    bool use_stage2 = env->hflags2 & HF2_NPT_MASK;
 
     if (get_physical_address(env, addr, access_type, mmu_idx, &out, &err)) {
         /*
@@ -615,7 +616,7 @@ bool x86_cpu_tlb_fill(CPUState *cs, vaddr addr, int size,
         return false;
     }
 
-    if (err.stage2 != S2_NONE) {
+    if (use_stage2 && err.stage2 != S2_NONE) {
         raise_stage2(env, &err, retaddr);
     }
 
-- 
2.34.1
Re: [PATCH] accel/tcg: Fix undefined jump with x86_cpu_tlb_fill
Posted by Richard Henderson 1 year, 4 months ago 
On 11/30/22 22:48, Daniel Hoffman wrote:
> Signed-off-by: Daniel Hoffman <dhoff749@gmail.com>
> ---
>   target/i386/tcg/sysemu/excp_helper.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c
> index 405a5d414a..6a93e96eb7 100644
> --- a/target/i386/tcg/sysemu/excp_helper.c
> +++ b/target/i386/tcg/sysemu/excp_helper.c
> @@ -595,6 +595,7 @@ bool x86_cpu_tlb_fill(CPUState *cs, vaddr addr, int size,
>       CPUX86State *env = cs->env_ptr;
>       TranslateResult out;
>       TranslateFault err;
> +    bool use_stage2 = env->hflags2 & HF2_NPT_MASK;
>   
>       if (get_physical_address(env, addr, access_type, mmu_idx, &out, &err)) {
>           /*
> @@ -615,7 +616,7 @@ bool x86_cpu_tlb_fill(CPUState *cs, vaddr addr, int size,
>           return false;
>       }
>   
> -    if (err.stage2 != S2_NONE) {
> +    if (use_stage2 && err.stage2 != S2_NONE) {
>           raise_stage2(env, &err, retaddr);
>       }
>   

The patch description is missing, which might have included some indication of how the 
problem might have been triggered.

 From inspection I can guess that it comes from the incomplete initialization of 
TranslateFault in get_physical_address, after the check for a canonical address form.  In 
any case this is not an ideal fix.


r~

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.