Hi,

Maybe it's too late for the 8.1 window, but I noticed that this patchset
fixes a segfault in qemu-system-ppc (and other 32-bit archs?) introduced by
commit fb2c53c.
Therefore maybe it would be relevant to get it merged before 8.2.

I put the details below, please tell me if you prefer I file a bug.


If the guest accesses memory across the 32-bit boundary (e.g. fetching a dword
at 0xffffffff), do_ld4_mmu will make two calls to do_ld_beN (one for
0xffffffff, the other for 0x100000000).

In the second call, mmu_lookup1 will call tlb_hit(tlb_addr, addr) to check
if the address is already in the TLB. If the first page is loaded, this
will result in a call to tlb_hit(0, 0x100000000) which returns 0,
telling it wrongly that the address belongs in page 0.
data->haddr will then be set to an out-of-bounds address.

Patch 7/9 "include/exec: Widen tlb_hit/tlb_hit_page()" fixes that.


Example crash:

# asm dump
# 0x04: 3820ffff   li r1, -1
# 0x08: 81210000   lwz r9, 0(r1)
$ ./build/qemu-system-ppc -device loader,addr=4,data=0x3820ffff81210000,data-len=8,data-be=true -device loader,addr=0x4,cpu-num=0

Thread 3 "qemu-system-ppc" received signal SIGSEGV, Segmentation fault.
#0  0x0000555555cbf8c7 in do_ld_bytes_beN (p=0x7ffff6c4a2a0, ret_be=0x25) at ../accel/tcg/cputlb.c:2141
#1  0x0000555555cbfe41 in do_ld_beN (env=0x55555684faa0, p=0x7ffff6c4a2a0, ret_be=0x25, mmu_idx=0x3, type=MMU_DATA_LOAD, mop=MO_BEUL, ra=0x7fff7000014d) at ../accel/tcg/cputlb.c:2302
#2  0x0000555555cc088b in do_ld4_mmu (env=0x55555684faa0, addr=0xffffffff, oi=0x123, ra=0x7fff7000014d, access_type=MMU_DATA_LOAD) at ../accel/tcg/cputlb.c:2505
#3  0x0000555555cc092b in helper_ldul_mmu (env=0x55555684faa0, addr=0xffffffff, oi=0x123, retaddr=0x7fff7000014d) at ../accel/tcg/cputlb.c:2516
#4  0x00007fff70000190 in code_gen_buffer ()
#5  0x0000555555cab186 in cpu_tb_exec (cpu=0x55555684d2d0, itb=0x7fffb0000040, tb_exit=0x7ffff6c4a8b0) at ../accel/tcg/cpu-exec.c:457
#6  0x0000555555cabeaf in cpu_loop_exec_tb (cpu=0x55555684d2d0, tb=0x7fffb0000040, pc=0x4, last_tb=0x7ffff6c4a8c0, tb_exit=0x7ffff6c4a8b0) at ../accel/tcg/cpu-exec.c:919
#7  0x0000555555cac219 in cpu_exec_loop (cpu=0x55555684d2d0, sc=0x7ffff6c4a940) at ../accel/tcg/cpu-exec.c:1040
#8  0x0000555555cac2d7 in cpu_exec_setjmp (cpu=0x55555684d2d0, sc=0x7ffff6c4a940) at ../accel/tcg/cpu-exec.c:1057
#9  0x0000555555cac35e in cpu_exec (cpu=0x55555684d2d0) at ../accel/tcg/cpu-exec.c:1083
#10 0x0000555555ccb9a0 in tcg_cpus_exec (cpu=0x55555684d2d0) at ../accel/tcg/tcg-accel-ops.c:75
#11 0x0000555555cccef5 in rr_cpu_thread_fn (arg=0x55555684d2d0) at ../accel/tcg/tcg-accel-ops-rr.c:261
#12 0x0000555555e8d661 in qemu_thread_start (args=0x5555568b6310) at ../util/qemu-thread-posix.c:541
#13 0x00007ffff7a8c9eb in start_thread (arg=<optimized out>) at pthread_create.c:444
#14 0x00007ffff7b10dfc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Regards,
Timothée.
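Added illustration (not code from the patchset or from QEMU's tree): the C below models why widening the tlb_hit()/tlb_hit_page() parameters matters on a 32-bit target. A "narrow" pair takes 32-bit arguments, standing in for target_ulong on qemu-system-ppc, and a "wide" pair takes 64-bit arguments as the widened helpers do. The 4 KiB page size and the flag-bit position are assumed stand-ins for TARGET_PAGE_MASK and TLB_INVALID_MASK; the function bodies follow the shape of the helpers but are written here for the example. With the TLB entry for guest page 0 valid (tlb_addr == 0), the narrow check reports a hit for the second half of the straddling load at 0x100000000 because the argument truncates to 0, while the wide check correctly misses.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 4 KiB target page, a stand-in for QEMU's TARGET_PAGE_MASK. */
#define PAGE_BITS 12
#define PAGE_MASK (~((uint64_t)((1ULL << PAGE_BITS) - 1)))
/* Assumed stand-in for TLB_INVALID_MASK: a flag bit kept below the page bits. */
#define TLB_INVALID_MASK (1ULL << (PAGE_BITS - 1))

/* Narrow variant: 32-bit parameters, modelling target_ulong on a 32-bit target.
 * Any 64-bit address passed by a caller is truncated to its low 32 bits. */
static inline bool tlb_hit_page_narrow(uint32_t tlb_addr, uint32_t addr)
{
    return addr == (tlb_addr & (uint32_t)(PAGE_MASK | TLB_INVALID_MASK));
}

static inline bool tlb_hit_narrow(uint32_t tlb_addr, uint32_t addr)
{
    return tlb_hit_page_narrow(tlb_addr, addr & (uint32_t)PAGE_MASK);
}

/* Widened variant: compares the full 64-bit address, so 0x100000000 can never
 * alias page 0. */
static inline bool tlb_hit_page_wide(uint64_t tlb_addr, uint64_t addr)
{
    return addr == (tlb_addr & (PAGE_MASK | TLB_INVALID_MASK));
}

static inline bool tlb_hit_wide(uint64_t tlb_addr, uint64_t addr)
{
    return tlb_hit_page_wide(tlb_addr, addr & PAGE_MASK);
}

/* Page address of the last byte of an access: for a 4-byte load at 0xffffffff
 * this is the second page do_ld4_mmu has to look up, 0x100000000. */
static uint64_t straddle_second_page(uint64_t addr, uint64_t size)
{
    return (addr + size - 1) & PAGE_MASK;
}

/* Reproduces the situation in the report: the TLB entry for guest page 0 is
 * valid (tlb_addr == 0) and the lookup is for addr2. Returns true when the
 * narrow check wrongly hits while the wide check misses. The uint64_t values
 * are passed to the narrow helper as-is so the implicit truncation happens
 * exactly as it would at a call site compiled with 32-bit target_ulong. */
static bool narrow_check_misattributes(uint64_t addr2)
{
    uint64_t tlb_addr_page0 = 0;
    bool narrow = tlb_hit_narrow(tlb_addr_page0, addr2);
    bool wide = tlb_hit_wide(tlb_addr_page0, addr2);
    return narrow && !wide;
}

int main(void)
{
    /* Constructed input: the dword fetch at 0xffffffff from the report. */
    uint64_t first = 0xffffffffULL;
    uint64_t second = straddle_second_page(first, 4);
    uint64_t tlb_addr_page0 = 0;

    printf("second page of 4-byte load at 0x%" PRIx64 ": 0x%" PRIx64 "\n", first, second);
    printf("narrow tlb_hit(0, 0x%" PRIx64 ") = %d  (truncated to 0, aliases page 0)\n",
           second, tlb_hit_narrow(tlb_addr_page0, second));
    printf("wide   tlb_hit(0, 0x%" PRIx64 ") = %d  (correct miss)\n",
           second, tlb_hit_wide(tlb_addr_page0, second));
    return 0;
}
```

The narrow hit is the path by which the lookup hands back a host address computed from page 0's entry for a guest address that is not in page 0, which is what ends up in data->haddr.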
