From: Richard Henderson
To: qemu-devel@nongnu.org
Cc: kasperl@rivosinc.com, lazyparser@gmail.com, liwei1518@gmail.com, 李威威
Subject: [PATCH] accel/tcg: Properly unlink a TB linked to itself
Date: Tue, 23 Sep 2025 16:04:15 -0700
Message-ID: <20250923230415.3688766-1-richard.henderson@linaro.org>

When we remove dest from orig's links, we lose the link that we rely on
later to reset links. This can lead to failure to release from spinlock
with self-modifying code.

Reported-by: 李威威
Signed-off-by: Richard Henderson
Reviewed-by: Anton Johansson
Tested-by: Anton Johansson
---
 accel/tcg/tb-maint.c              |  8 +++++
 tests/tcg/riscv64/tb-link.c       | 60 +++++++++++++++++++++++++++++++
 tests/tcg/riscv64/Makefile.target |  1 +
 3 files changed, 69 insertions(+)
 create mode 100644 tests/tcg/riscv64/tb-link.c
diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c index 0048316f99..e6d45c9c12 100644 --- a/accel/tcg/tb-maint.c +++ b/accel/tcg/tb-maint.c @@ -836,6 +836,14 @@ static inline void tb_remove_from_jmp_list(Translation= Block *orig, int n_orig) * We first acquired the lock, and since the destination pointer match= es, * we know for sure that @orig is in the jmp list. */ + if (dest =3D=3D orig) { + /* + * In the case of a TB that links to itself, removing the entry + * from the list means that it won't be present later during + * tb_jmp_unlink -- unlink now. + */ + tb_reset_jump(orig, n_orig); + } pprev =3D &dest->jmp_list_head; TB_FOR_EACH_JMP(dest, tb, n) { if (tb =3D=3D orig && n =3D=3D n_orig) { diff --git a/tests/tcg/riscv64/tb-link.c b/tests/tcg/riscv64/tb-link.c new file mode 100644 index 0000000000..b6fcca8668 --- /dev/null +++ b/tests/tcg/riscv64/tb-link.c 
@@ -0,0 +1,60 @@ +#include +#include +#include +#include +#include +#include + + +int main() +{ + /* + * ## 1. RISC-V machine code. + * Assembly: + * L: j L ; Jump to self (spin). + * li a0, 42 ; Place 42 into the return value register a0. + * ret ; Return to caller. + */ + static const uint32_t machine_code[] =3D { + 0x0000006f, /* jal zero, #0 */ + 0x02a00513, /* addi a0, zero, 42 */ + 0x00008067 /* jalr zero, ra, 0 */ + }; + size_t code_size =3D sizeof(machine_code); + int tmp; + pthread_t thread_id; + void *thread_return_value; + uint32_t *buffer; + + /* ## 2. Allocate executable memory. */ + buffer =3D mmap( + NULL, + code_size, + PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_PRIVATE | MAP_ANONYMOUS, + -1, 0 + ); + assert(buffer !=3D MAP_FAILED); + + /* ## 3. Copy machine code into buffer. */ + memcpy(buffer, machine_code, code_size); + + /* ## 4. Execute the code in a separate thread. */ + tmp =3D pthread_create(&thread_id, NULL, (void *(*)(void *))buffer, NU= LL); + assert(tmp =3D=3D 0); + + /* + * Wait a second and then try to patch the generated code to get the + * runner thread to get unstuck by patching the spin jump. + */ + sleep(1); + buffer[0] =3D 0x00000013; /* nop */ + __builtin___clear_cache((char *)buffer, (char *)(buffer + 1)); + + tmp =3D pthread_join(thread_id, &thread_return_value); + assert(tmp =3D=3D 0); + + tmp =3D (intptr_t)thread_return_value; + assert(tmp =3D=3D 42); + return 0; +} diff --git a/tests/tcg/riscv64/Makefile.target b/tests/tcg/riscv64/Makefile= .target index 4da5b9a3b3..ba684616fd 100644 --- a/tests/tcg/riscv64/Makefile.target +++ b/tests/tcg/riscv64/Makefile.target @@ -4,6 +4,7 @@ VPATH +=3D $(SRC_PATH)/tests/tcg/riscv64 TESTS +=3D test-div TESTS +=3D noexec +TESTS +=3D tb-link =20 # Disable compressed instructions for test-noc TESTS +=3D test-noc --=20 2.43.0
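Review bot: in the tb-maint.c hunk, the new `if (dest == orig)` block calls tb_reset_jump() and then falls through into the TB_FOR_EACH_JMP loop below, which still removes orig from its own jmp list; that fall-through is what makes the fix complete, but the new comment only explains why the early reset is needed, not that the list removal still happens afterwards. Suggest extending the comment, e.g. "... unlink now; the list entry is still removed by the loop below.", so a reader does not expect a return after tb_reset_jump() and does not try to "optimise" the loop away for the self-link case.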
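Review bot: the tb-link.c test depends on sleep(1) to let the spinning thread reach the self-linked `j L` before main patches it to a nop, so on a slow or heavily loaded runner the patch can land before the thread has executed (and translated) the loop at all; the test then still passes without exercising the self-link path in tb_remove_from_jmp_list, so a regression of the fix would show up as a hang only when the timing happens to work out. Consider recording in a comment that the test is timing-dependent in that direction (it can pass spuriously, never fail spuriously), or have the code buffer signal readiness (for example a store to a flag word before `j L`) so main can wait on it before patching. Minor: `int main()` should be `int main(void)` per QEMU style, and `tmp = (intptr_t)thread_return_value;` narrows to int silently; asserting on the intptr_t value directly avoids that.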