From c88c67e58b61618a904d2333ceebefc3c852d32e Mon Sep 17 00:00:00 2001 From: Sergey Fedorov Date: Mon, 16 May 2016 16:13:00 +0300 Subject: [PATCH] cpu-exec: Fix direct jump to TB spanning page It is not safe to make a direct jump to a TB spanning two pages in system emulation because the mapping for the second page can get changed but we don't take care of direct jumps in this case. However in user mode emulation, this is not the case because there's only static address translation and TBs are always invalidated properly. Fixes: 5b053a4a2827 ("tcg: Clean up direct block chaining safety checks") Reported-by: Max Filippov Signed-off-by: Sergey Fedorov Signed-off-by: Sergey Fedorov Tested-by: Max Filippov Message-id: 1463404380-29302-1-git-send-email-sergey.fedorov@linaro.org Signed-off-by: Peter Maydell --- cpu-exec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/cpu-exec.c b/cpu-exec.c index 602d0c4d0c..f7c642f4a9 100644 --- a/cpu-exec.c +++ b/cpu-exec.c @@ -345,6 +345,15 @@ static inline TranslationBlock *tb_find_fast(CPUState *cpu, *last_tb = NULL; cpu->tb_flushed = false; } +#ifndef CONFIG_USER_ONLY + /* We don't take care of direct jumps when address mapping changes in + * system emulation. So it's not safe to make a direct jump to a TB + * spanning two pages because the mapping for the second page can change. + */ + if (tb->page_addr[1] != -1) { + *last_tb = NULL; + } +#endif /* See if we can patch the calling TB. */ if (*last_tb && !qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) { tb_add_jump(*last_tb, tb_exit, tb);