* [Qemu-devel] [PATCH] target-mips: fix corner case in TLBWR causing QEMU to hang
From: Leon Alrae @ 2015-09-14 12:43 UTC
To: qemu-devel; +Cc: aurelien
The cpu_mips_get_random() function is used to generate a random index from
CP0.Wired to TLBSize-1 range. Current implementation avoids generating
the same value as before, hence the while loop. If the guest sets
CP0.Wired to TLBSize-1 (which actually does not sound very
practical) QEMU will get stuck in the loop infinitely as we always
generate the same index.
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
---
hw/mips/cputimer.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hw/mips/cputimer.c b/hw/mips/cputimer.c
index 577c9ae..c55d102 100644
--- a/hw/mips/cputimer.c
+++ b/hw/mips/cputimer.c
@@ -33,10 +33,16 @@ uint32_t cpu_mips_get_random (CPUMIPSState *env)
static uint32_t lfsr = 1;
static uint32_t prev_idx = 0;
uint32_t idx;
+ uint32_t nb_rand_tlb = env->tlb->nb_tlb - env->CP0_Wired;
+
+ if (nb_rand_tlb == 1) {
+ return env->tlb->nb_tlb - 1;
+ }
+
/* Don't return same value twice, so get another value */
do {
lfsr = (lfsr >> 1) ^ (-(lfsr & 1u) & 0xd0000001u);
- idx = lfsr % (env->tlb->nb_tlb - env->CP0_Wired) + env->CP0_Wired;
+ idx = lfsr % nb_rand_tlb + env->CP0_Wired;
} while (idx == prev_idx);
prev_idx = idx;
return idx;
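Review bot: the new guard handles nb_rand_tlb == 1 but not nb_rand_tlb == 0; `uint32_t nb_rand_tlb = env->tlb->nb_tlb - env->CP0_Wired;` is an unsigned subtraction, so if CP0_Wired can ever reach or exceed nb_tlb the `lfsr % nb_rand_tlb` below divides by zero or draws from a wrapped range. If the CP0_Wired write path already masks the value below nb_tlb, a comment stating that invariant next to the guard would make the early return easier to review; otherwise `<= 1` with the same early return would close both cases. Also note that the early return leaves prev_idx untouched, which is fine since the only eligible entry is returned unconditionally.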
--
2.1.0
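As an added illustration of the hang the commit message describes (example code, not QEMU's own), the pre-patch selection loop with a bounded iteration cap is shown beside the patched version. `tlb_state`, `rand_state`, `get_random_old`, `get_random_new` and `draws_in_range` are stand-ins constructed for this example; the LFSR step and the index formula are the ones in the patch.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed stand-in for the CPU state the real function reads (hypothetical). */
typedef struct {
    uint32_t nb_tlb;     /* TLB size (TLBSize) */
    uint32_t cp0_wired;  /* CP0.Wired: entries below this index are never chosen;
                            assumed < nb_tlb, as in the thread */
} tlb_state;

/* LFSR and previous-index state, held in a struct instead of function statics
 * so every call sequence in the example starts from a known state. */
typedef struct {
    uint32_t lfsr;
    uint32_t prev_idx;
} rand_state;

/* Galois LFSR step used by the patch (maximal-length 32-bit sequence). */
static uint32_t lfsr_step(uint32_t lfsr)
{
    return (lfsr >> 1) ^ (-(lfsr & 1u) & 0xd0000001u);
}

/* Pre-patch logic, with an iteration cap so the demonstration cannot hang.
 * Returns true and stores the index when the loop terminated, false when the
 * cap was hit (the real code would spin forever here). */
static bool get_random_old(const tlb_state *env, rand_state *st,
                           unsigned max_iter, uint32_t *out)
{
    uint32_t idx;
    unsigned n = 0;
    do {
        if (n++ >= max_iter) {
            return false;
        }
        st->lfsr = lfsr_step(st->lfsr);
        idx = st->lfsr % (env->nb_tlb - env->cp0_wired) + env->cp0_wired;
    } while (idx == st->prev_idx);
    st->prev_idx = idx;
    *out = idx;
    return true;
}

/* Post-patch logic: when only one entry is eligible, return it directly. */
static uint32_t get_random_new(const tlb_state *env, rand_state *st)
{
    uint32_t idx;
    uint32_t nb_rand_tlb = env->nb_tlb - env->cp0_wired;

    if (nb_rand_tlb == 1) {
        return env->nb_tlb - 1;
    }
    do {
        st->lfsr = lfsr_step(st->lfsr);
        idx = st->lfsr % nb_rand_tlb + env->cp0_wired;
    } while (idx == st->prev_idx);
    st->prev_idx = idx;
    return idx;
}

/* Check that the patched function keeps every draw inside [CP0.Wired, nb_tlb-1]
 * and never fails to terminate over a number of draws. */
static bool draws_in_range(const tlb_state *env, rand_state *st, unsigned draws)
{
    for (unsigned i = 0; i < draws; i++) {
        uint32_t idx = get_random_new(env, st);
        if (idx < env->cp0_wired || idx >= env->nb_tlb) {
            return false;
        }
    }
    return true;
}
```

With a 16-entry TLB and CP0.Wired = 15, the old loop's first call still returns 15 (prev_idx starts at 0), but the second call can never produce anything other than the previous index and hits the cap, which is the hang the commit message describes; the patched version returns 15 on every call.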
* Re: [Qemu-devel] [PATCH] target-mips: fix corner case in TLBWR causing QEMU to hang
From: Aurelien Jarno @ 2015-09-14 19:21 UTC
To: Leon Alrae; +Cc: qemu-devel
On 2015-09-14 13:43, Leon Alrae wrote:
> The cpu_mips_get_random() function is used to generate a random index from
> CP0.Wired to TLBSize-1 range. Current implementation avoids generating
> the same value as before, hence the while loop. If the guest sets
> CP0.Wired to TLBSize-1 (which actually does not sound very
> practical) QEMU will get stuck in the loop infinitely as we always
> generate the same index.
>
> Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
> ---
> hw/mips/cputimer.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/hw/mips/cputimer.c b/hw/mips/cputimer.c
> index 577c9ae..c55d102 100644
> --- a/hw/mips/cputimer.c
> +++ b/hw/mips/cputimer.c
> @@ -33,10 +33,16 @@ uint32_t cpu_mips_get_random (CPUMIPSState *env)
> static uint32_t lfsr = 1;
> static uint32_t prev_idx = 0;
> uint32_t idx;
> + uint32_t nb_rand_tlb = env->tlb->nb_tlb - env->CP0_Wired;
> +
> + if (nb_rand_tlb == 1) {
> + return env->tlb->nb_tlb - 1;
> + }
> +
> /* Don't return same value twice, so get another value */
> do {
> lfsr = (lfsr >> 1) ^ (-(lfsr & 1u) & 0xd0000001u);
> - idx = lfsr % (env->tlb->nb_tlb - env->CP0_Wired) + env->CP0_Wired;
> + idx = lfsr % nb_rand_tlb + env->CP0_Wired;
> } while (idx == prev_idx);
> prev_idx = idx;
> return idx;
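Review bot: the comment `/* Don't return same value twice, so get another value */` is no longer accurate once the early return above it is in place, since with nb_rand_tlb == 1 the function now deliberately returns the same index on consecutive calls. Suggest extending the comment to say that the no-repeat rule only applies when more than one entry is eligible, so the next reader of this hunk does not take the early return for a regression.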
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Note that this patch conflicts with the following one, that we might
want to merge, even if the whole series is not ready:
https://lists.gnu.org/archive/html/qemu-devel/2015-07/msg01171.html
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
* Re: [Qemu-devel] [PATCH] target-mips: fix corner case in TLBWR causing QEMU to hang
From: Leon Alrae @ 2015-09-15 9:41 UTC
To: Aurelien Jarno; +Cc: qemu-devel
On 14/09/15 20:21, Aurelien Jarno wrote:
> Note that this patch conflicts with the following one, that we might
> want to merge, even if the whole series is not ready:
>
> https://lists.gnu.org/archive/html/qemu-devel/2015-07/msg01171.html
Indeed, we should merge that patch as well.
Thanks,
Leon