Re: [PATCH] [PATCH] linux-user/aarch64: Reset target data on MADV_DONTNEED
Sorry, I only noticed today that it's not submitted. Version is not critical for us, as we build from masters anyway. Richard, do you know a reason to consider this critical? On Wed, 10 Aug 2022 at 13:04, Peter Maydell wrote: > On Wed, 10 Aug 2022 at 21:00, Vitaly Buka wrote: > > > > How can we land this one? > > Pinging it a week ago rather than now would have been a good start :-( > I think it got missed because you didn't cc the linux-user maintainer. > > Is this a critical fix for 7.1 or can we let it slip to 7.2 ? > > thanks > -- PMM >
Re: [PATCH] [PATCH] linux-user/aarch64: Reset target data on MADV_DONTNEED
How can we land this one?
[PATCH] [PATCH] linux-user/aarch64: Reset target data on MADV_DONTNEED
aarch64 stores MTE tags in target_date, and they should be reset by MADV_DONTNEED. Signed-off-by: Vitaly Buka --- accel/tcg/translate-all.c | 24 include/exec/cpu-all.h| 1 + linux-user/mmap.c | 2 ++ 3 files changed, 27 insertions(+) diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c index ef62a199c7..d6f2f1a40a 100644 --- a/accel/tcg/translate-all.c +++ b/accel/tcg/translate-all.c @@ -2314,6 +2314,30 @@ void page_set_flags(target_ulong start, target_ulong end, int flags) } } +void page_reset_target_data(target_ulong start, target_ulong end) +{ +target_ulong addr, len; + +/* This function should never be called with addresses outside the + guest address space. If this assert fires, it probably indicates + a missing call to h2g_valid. */ +assert(end - 1 <= GUEST_ADDR_MAX); +assert(start < end); +assert_memory_lock(); + +start = start & TARGET_PAGE_MASK; +end = TARGET_PAGE_ALIGN(end); + +for (addr = start, len = end - start; + len != 0; + len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) { +PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1); + +g_free(p->target_data); +p->target_data = NULL; +} +} + void *page_get_target_data(target_ulong address) { PageDesc *p = page_find(address >> TARGET_PAGE_BITS); diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h index f5bda2c3ca..491629b9ba 100644 --- a/include/exec/cpu-all.h +++ b/include/exec/cpu-all.h @@ -271,6 +271,7 @@ int walk_memory_regions(void *, walk_memory_regions_fn); int page_get_flags(target_ulong address); void page_set_flags(target_ulong start, target_ulong end, int flags); +void page_reset_target_data(target_ulong start, target_ulong end); int page_check_range(target_ulong start, target_ulong len, int flags); /** diff --git a/linux-user/mmap.c b/linux-user/mmap.c index 4e7a6be6ee..c535dfdc7c 100644 --- a/linux-user/mmap.c +++ b/linux-user/mmap.c @@ -894,6 +894,8 @@ abi_long target_madvise(abi_ulong start, abi_ulong len_in, int advice) if ((advice & MADV_DONTNEED) && can_passthrough_madv_dontneed(start, end)) { ret = get_errno(madvise(g2h_untagged(start), len, MADV_DONTNEED)); +if (ret == 0) +page_reset_target_data(start, start + len); } mmap_unlock(); -- 2.37.0.144.g8ac04bfd2-goog
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
I see something similar in memset It SEGV on sturq0, [x4, #-16] for x4 set to 0xd55214fe008 and near tags are 0xd55214fdff0 and 0xd55214fe000 -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: Confirmed Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1926521] Re: QEMU-user ignores MADV_DONTNEED
New issue on GitLab https://gitlab.com/qemu-project/qemu/-/issues/326 ** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #326 https://gitlab.com/qemu-project/qemu/-/issues/326 -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1926521 Title: QEMU-user ignores MADV_DONTNEED Status in QEMU: Incomplete Bug description: There is comment int the code "This is a hint, so ignoring and returning success is ok" https://github.com/qemu/qemu/blob/b1cffefa1b163bce9aebc3416f562c1d3886eeaa/linux-user/syscall.c#L11941 But it seems incorrect with the current state of Linux "man madvise" or https://man7.org/linux/man-pages/man2/madvise.2.html says the following: >> These advice values do not influence the semantics >> of the application (except in the case of MADV_DONTNEED) >> After a successful MADV_DONTNEED operation, the semantics >> of memory access in the specified region are changed: >> subsequent accesses of pages in the range will succeed, >> but will result in either repopulating the memory contents >> from the up-to-date contents of the underlying mapped file >> (for shared file mappings, shared anonymous mappings, and >> shmem-based techniques such as System V shared memory >> segments) or zero-fill-on-demand pages for anonymous >> private mappings. Some applications use this behavior clear memory and it would be nice to be able to run them on QEMU without workarounds. Reproducer on "Debian 5.10.24 x86_64 GNU/Linux" as a host. ``` #include "assert.h" #include "stdio.h" #include #include int main() { char *P = (char *)mmap(0, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); assert(P); *P = 'A'; while (madvise(P, 4096, MADV_DONTNEED) == -1 && errno == EAGAIN) { } assert(*P == 0); printf("OK\n"); } /* gcc /tmp/madvice.c -o /tmp/madvice qemu-x86_64 /tmp/madvice madvice: /tmp/madvice.c:13: main: Assertion `*P == 0' failed. qemu: uncaught target signal 6 (Aborted) - core dumped Aborted /tmp/madvice OK */ ``` To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1926521/+subscriptions
[Bug 1926521] [NEW] QEMU-user ignores MADV_DONTNEED
Public bug reported: There is comment int the code "This is a hint, so ignoring and returning success is ok" https://github.com/qemu/qemu/blob/b1cffefa1b163bce9aebc3416f562c1d3886eeaa/linux-user/syscall.c#L11941 But it seems incorrect with the current state of Linux "man madvise" or https://man7.org/linux/man-pages/man2/madvise.2.html says the following: >> These advice values do not influence the semantics >> of the application (except in the case of MADV_DONTNEED) >> After a successful MADV_DONTNEED operation, the semantics >> of memory access in the specified region are changed: >> subsequent accesses of pages in the range will succeed, >> but will result in either repopulating the memory contents >> from the up-to-date contents of the underlying mapped file >> (for shared file mappings, shared anonymous mappings, and >> shmem-based techniques such as System V shared memory >> segments) or zero-fill-on-demand pages for anonymous >> private mappings. Some applications use this behavior clear memory and it would be nice to be able to run them on QEMU without workarounds. Reproducer on "Debian 5.10.24 x86_64 GNU/Linux" as a host. ``` #include "assert.h" #include "stdio.h" #include #include int main() { char *P = (char *)mmap(0, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); assert(P); *P = 'A'; while (madvise(P, 4096, MADV_DONTNEED) == -1 && errno == EAGAIN) { } assert(*P == 0); printf("OK\n"); } /* gcc /tmp/madvice.c -o /tmp/madvice qemu-x86_64 /tmp/madvice madvice: /tmp/madvice.c:13: main: Assertion `*P == 0' failed. qemu: uncaught target signal 6 (Aborted) - core dumped Aborted /tmp/madvice OK */ ``` ** Affects: qemu Importance: Undecided Status: New ** Summary changed: - QEMU-user does no respect MADV_DONTNEED + QEMU-user ignores MADV_DONTNEED -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1926521 Title: QEMU-user ignores MADV_DONTNEED Status in QEMU: New Bug description: There is comment int the code "This is a hint, so ignoring and returning success is ok" https://github.com/qemu/qemu/blob/b1cffefa1b163bce9aebc3416f562c1d3886eeaa/linux-user/syscall.c#L11941 But it seems incorrect with the current state of Linux "man madvise" or https://man7.org/linux/man-pages/man2/madvise.2.html says the following: >> These advice values do not influence the semantics >> of the application (except in the case of MADV_DONTNEED) >> After a successful MADV_DONTNEED operation, the semantics >> of memory access in the specified region are changed: >> subsequent accesses of pages in the range will succeed, >> but will result in either repopulating the memory contents >> from the up-to-date contents of the underlying mapped file >> (for shared file mappings, shared anonymous mappings, and >> shmem-based techniques such as System V shared memory >> segments) or zero-fill-on-demand pages for anonymous >> private mappings. Some applications use this behavior clear memory and it would be nice to be able to run them on QEMU without workarounds. Reproducer on "Debian 5.10.24 x86_64 GNU/Linux" as a host. ``` #include "assert.h" #include "stdio.h" #include #include int main() { char *P = (char *)mmap(0, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); assert(P); *P = 'A'; while (madvise(P, 4096, MADV_DONTNEED) == -1 && errno == EAGAIN) { } assert(*P == 0); printf("OK\n"); } /* gcc /tmp/madvice.c -o /tmp/madvice qemu-x86_64 /tmp/madvice madvice: /tmp/madvice.c:13: main: Assertion `*P == 0' failed. qemu: uncaught target signal 6 (Aborted) - core dumped Aborted /tmp/madvice OK */ ``` To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1926521/+subscriptions
Re: [Bug 1926044] Re: QEMU-user doesn't report HWCAP2_MTE
Thanks for the quick fix! On Tue, Apr 27, 2021 at 2:55 PM Richard Henderson < 1926...@bugs.launchpad.net> wrote: > > https://patchew.org/QEMU/20210427214108.88503-1-richard.hender...@linaro.org/ > > This has missed 6.0, but should be acceptable to roll into 6.0.1. > > -- > You received this bug notification because you are subscribed to the bug > report. > https://bugs.launchpad.net/bugs/1926044 > > Title: > QEMU-user doesn't report HWCAP2_MTE > > Status in QEMU: > In Progress > > Bug description: > Reproducible on ffa090bc56e73e287a63261e70ac02c0970be61a > > Host Debian 5.10.24 x86_64 GNU > > Configured with "configure --disable-system --enable-linux-user > --static" > > This one works and prints "OK" as expected: > clang tests/tcg/aarch64/mte-3.c -target aarch64-linux-gnu > -fsanitize=memtag -march=armv8+memtag > qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out && echo OK > > > This one fails and print "0": > cat mytest.c > #include > #include > > #ifndef HWCAP2_MTE > #define HWCAP2_MTE (1 << 18) > #endif > > int main(int ac, char **av) > { > printf("%d\n", (int)(getauxval(AT_HWCAP2) & HWCAP2_MTE)); > } > > > clang mytest.c -target aarch64-linux-gnu -fsanitize=memtag > -march=armv8+memtag > qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out > > To manage notifications about this bug go to: > https://bugs.launchpad.net/qemu/+bug/1926044/+subscriptions > -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1926044 Title: QEMU-user doesn't report HWCAP2_MTE Status in QEMU: In Progress Bug description: Reproducible on ffa090bc56e73e287a63261e70ac02c0970be61a Host Debian 5.10.24 x86_64 GNU Configured with "configure --disable-system --enable-linux-user --static" This one works and prints "OK" as expected: clang tests/tcg/aarch64/mte-3.c -target aarch64-linux-gnu -fsanitize=memtag -march=armv8+memtag qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out && echo OK This one fails and print "0": cat mytest.c #include #include #ifndef HWCAP2_MTE #define HWCAP2_MTE (1 << 18) #endif int main(int ac, char **av) { printf("%d\n", (int)(getauxval(AT_HWCAP2) & HWCAP2_MTE)); } clang mytest.c -target aarch64-linux-gnu -fsanitize=memtag -march=armv8+memtag qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1926044/+subscriptions
[Bug 1926044] Re: QEMU-user doesn't report HWCAP2_MTE
Sorry, 0 7 8 should be "HWCAP2_DCPODP HWCAP2_FLAGM2 HWCAP2_FRINT" -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1926044 Title: QEMU-user doesn't report HWCAP2_MTE Status in QEMU: New Bug description: Reproducible on ffa090bc56e73e287a63261e70ac02c0970be61a Host Debian 5.10.24 x86_64 GNU Configured with "configure --disable-system --enable-linux-user --static" This one works and prints "OK" as expected: clang tests/tcg/aarch64/mte-3.c -target aarch64-linux-gnu -fsanitize=memtag -march=armv8+memtag qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out && echo OK This one fails and print "0": cat mytest.c #include #include #ifndef HWCAP2_MTE #define HWCAP2_MTE (1 << 18) #endif int main(int ac, char **av) { printf("%d\n", (int)(getauxval(AT_HWCAP2) & HWCAP2_MTE)); } clang mytest.c -target aarch64-linux-gnu -fsanitize=memtag -march=armv8+memtag qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1926044/+subscriptions
[Bug 1926044] Re: QEMU-user doesn't report HWCAP2_MTE
Actually if we make it like this: #include #include int main(int ac, char **av) { for (int i = 0; i < 32; ++i) if ((int)(getauxval(AT_HWCAP2) & (1 << i))) printf("%d\n", i); } clang mytest.c -target aarch64-linux-gnu -fsanitize=memtag -march=armv8+memtag qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out I see only: HWCAP_FP HWCAP_CRC32 HWCAP_ATOMICS So no HWCAP2_BTI as well. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1926044 Title: QEMU-user doesn't report HWCAP2_MTE Status in QEMU: New Bug description: Reproducible on ffa090bc56e73e287a63261e70ac02c0970be61a Host Debian 5.10.24 x86_64 GNU Configured with "configure --disable-system --enable-linux-user --static" This one works and prints "OK" as expected: clang tests/tcg/aarch64/mte-3.c -target aarch64-linux-gnu -fsanitize=memtag -march=armv8+memtag qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out && echo OK This one fails and print "0": cat mytest.c #include #include #ifndef HWCAP2_MTE #define HWCAP2_MTE (1 << 18) #endif int main(int ac, char **av) { printf("%d\n", (int)(getauxval(AT_HWCAP2) & HWCAP2_MTE)); } clang mytest.c -target aarch64-linux-gnu -fsanitize=memtag -march=armv8+memtag qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1926044/+subscriptions
[Bug 1926044] [NEW] QEMU-user doesn't report HWCAP2_MTE
Public bug reported: Reproducible on ffa090bc56e73e287a63261e70ac02c0970be61a Host Debian 5.10.24 x86_64 GNU Configured with "configure --disable-system --enable-linux-user --static" This one works and prints "OK" as expected: clang tests/tcg/aarch64/mte-3.c -target aarch64-linux-gnu -fsanitize=memtag -march=armv8+memtag qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out && echo OK This one fails and print "0": cat mytest.c #include #include #ifndef HWCAP2_MTE #define HWCAP2_MTE (1 << 18) #endif int main(int ac, char **av) { printf("%d\n", (int)(getauxval(AT_HWCAP2) & HWCAP2_MTE)); } clang mytest.c -target aarch64-linux-gnu -fsanitize=memtag -march=armv8+memtag qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out ** Affects: qemu Importance: Undecided Status: New ** Tags: aarch64 mte user -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1926044 Title: QEMU-user doesn't report HWCAP2_MTE Status in QEMU: New Bug description: Reproducible on ffa090bc56e73e287a63261e70ac02c0970be61a Host Debian 5.10.24 x86_64 GNU Configured with "configure --disable-system --enable-linux-user --static" This one works and prints "OK" as expected: clang tests/tcg/aarch64/mte-3.c -target aarch64-linux-gnu -fsanitize=memtag -march=armv8+memtag qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out && echo OK This one fails and print "0": cat mytest.c #include #include #ifndef HWCAP2_MTE #define HWCAP2_MTE (1 << 18) #endif int main(int ac, char **av) { printf("%d\n", (int)(getauxval(AT_HWCAP2) & HWCAP2_MTE)); } clang mytest.c -target aarch64-linux-gnu -fsanitize=memtag -march=armv8+memtag qemu-aarch64 --cpu max -L /usr/aarch64-linux-gnu ./a.out To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1926044/+subscriptions