qemu/accel/tcg
Alex Bennée 886cc68943 accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025)
The bug describes a race whereby cpu_exec_step_atomic can acquire a TB
which is invalidated by a tb_flush before we execute it. This doesn't
affect the other cpu_exec modes as a tb_flush by its nature can only
occur on a quiescent system. The race was described as:

  B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
  B3. tcg_tb_alloc obtains a new TB

      C3. TB obtained with tb_lookup__cpu_state or tb_gen_code
          (same TB as B2)

          A3. start_exclusive critical section entered
          A4. do_tb_flush is called, TB memory freed/re-allocated
          A5. end_exclusive exits critical section

  B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
  B3. tcg_tb_alloc reallocates TB from B2

      C4. start_exclusive critical section entered
      C5. cpu_tb_exec executes the TB code that was free in A4

The simplest fix is to widen the exclusive period to include the TB
lookup. As a result we can drop the complication of checking we are in
the exclusive region before we end it.

Cc: Yifan <me@yifanlu.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1863025
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20200214144952.15502-1-alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2020-02-28 10:58:41 -08:00
atomic_common.inc.c tcg: let plugins instrument virtual memory accesses 2019-10-28 15:12:38 +00:00
atomic_template.h trace: Remove trace_mem_build_info_no_se_[bl]e 2020-01-15 15:13:09 -10:00
cpu-exec-common.c qemu-common: Move tcg_enabled() etc. to sysemu/tcg.h 2019-06-11 20:22:09 +02:00
cpu-exec.c accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025) 2020-02-28 10:58:41 -08:00
cputlb.c cputlb: Hoist timestamp outside of loops over tlbs 2020-01-21 14:21:59 -10:00
Makefile.objs plugin-gen: add module for TCG-related code 2019-10-28 15:12:38 +00:00
plugin-gen.c plugin-gen: add module for TCG-related code 2019-10-28 15:12:38 +00:00
plugin-helpers.h plugin-gen: add module for TCG-related code 2019-10-28 15:12:38 +00:00
tcg-all.c accel/tcg: Sanitize include path 2020-01-24 20:59:11 +01:00
tcg-runtime-gvec.c tcg: Search includes from the project root source directory 2020-01-15 15:13:10 -10:00
tcg-runtime.c tcg: Search includes from the project root source directory 2020-01-15 15:13:10 -10:00
tcg-runtime.h tcg: Add support for vector bitwise select 2019-05-22 15:09:43 -04:00
trace-events trace-events: Consistently point to docs/devel/tracing.txt 2019-03-22 16:17:37 +00:00
translate-all.c tcg: Search includes from the project root source directory 2020-01-15 15:13:10 -10:00
translate-all.h cputlb: Pass retaddr to tb_check_watchpoint 2019-09-25 10:56:28 -07:00
translator.c qemu_log_lock/unlock now preserves the qemu_logfile handle. 2019-12-18 20:18:02 +00:00
user-exec-stub.c hw/core: Move cpu.c, cpu.h from qom/ to hw/core/ 2019-08-21 13:24:01 +02:00
user-exec.c tcg: Search includes from the project root source directory 2020-01-15 15:13:10 -10:00