mirror of
https://github.com/Motorhead1991/qemu.git
synced 2025-12-29 10:40:36 -07:00
cbdb457d79
Node.js crashes in qemu-system-s390x with random SIGSEGVs / SIGILLs. The v8 JIT used by Node.js can garbage collect and overwrite unused code. Overwriting is performed by WritableJitAllocation::CopyCode(), which ultimately calls memcpy(). For certain sizes, memcpy() uses the MVC instruction. QEMU implements MVC and other similar instructions using helpers. While TCG store ops invalidate affected translation blocks automatically, helpers must do this manually by calling probe_access_flags(). The MVC helper does this using the access_prepare() -> access_prepare_nf() -> s390_probe_access() -> probe_access_flags() call chain. At the last step of this chain, the store size is replaced with 0. This causes the probe_access_flags() -> notdirty_write() -> tb_invalidate_phys_range_fast() chain to miss some translation blocks. When this happens, QEMU executes a mix of old and new code. This quickly leads to either a SIGSEGV or a SIGILL in case the old code ends in the middle of a new instruction. Fix by passing the true size. Reported-by: Berthold Gunreben <azouhr@opensuse.org> Cc: Sarah Kriesch <ada.lovelace@gmx.de> Cc: qemu-stable@nongnu.org Closes: https://bugzilla.opensuse.org/show_bug.cgi?id=1235709 Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: David Hildenbrand <david@redhat.com> Fixes: |
||
|---|---|---|
| .. | ||
| alpha | ||
| arm | ||
| avr | ||
| cris | ||
| hexagon | ||
| hppa | ||
| i386 | ||
| loongarch | ||
| m68k | ||
| microblaze | ||
| mips | ||
| nios2 | ||
| openrisc | ||
| ppc | ||
| riscv | ||
| rx | ||
| s390x | ||
| sh4 | ||
| sparc | ||
| tricore | ||
| xtensa | ||
| Kconfig | ||
| meson.build | ||