While I could not replicate the failure Peter reported, the apparent root cause -- the old magic fixed page -- should affect other guests as well. In particular, the old arm32 magic fixed page at 0xffff0f00, and the hppa magic fixed page at 0.
In the arm32 and hppa cases that I just mentioned -- but notably not the x86_64 case that Peter reported -- there is special-case code in target/*/translate.c to handle those addresses without actually doing the read from the unmapped address. Therefore, until we fix this sort of address space representational error, we cannot even rely on page_check_range() to validate the execute access.

Instead, modify the host signal handler to intercept this at SIGSEGV. At this point we're sure that there is no guest special case that we have overlooked, because we did attempt the read for execute.

Also, I noticed that we really ought to have some barriers around this code to make sure that the modifications to helper_retaddr are in fact visible to the host signal handler.

Also, some minor cleanups to the set of read functions that we expose for use during translation.

Also, a trivial duplicated condition.


r~


Richard Henderson (5):
  include/qemu/atomic.h: Add signal_barrier
  tcg: Introduce set/clear_helper_retaddr
  tcg: Remove cpu_ld*_code_ra
  tcg: Remove duplicate #if !defined(CODE_ACCESS)
  tcg: Release mmap_lock on translation fault

 include/exec/cpu_ldst.h                   | 20 ++++++
 include/exec/cpu_ldst_useronly_template.h | 40 ++++++++----
 include/qemu/atomic.h                     | 11 ++++
 accel/tcg/user-exec.c                     | 76 ++++++++++++++++-------
 target/arm/helper-a64.c                   |  8 +--
 target/arm/sve_helper.c                   | 43 +++++++------
 6 files changed, 135 insertions(+), 63 deletions(-)

-- 
2.17.1