linux-user/syscall.c: Prevent acquiring clone_lock while fork()

accel/tcg: Remove a redundant argument attrs in io_prepare() accel/tcg: Fix uninitialized hostp in get_page_addr_code_hostp Revert "tcg/user: do not set exit_request gratuitously" -----BEGIN PGP SIGNATURE----- iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAmmFkJ0dHHJpY2hhcmQu aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV9aLQgAjOLW3deluyYPggdi YXDAS8YfCFbtXJ36jAeMZnRisXnIXcXkWZr/dseVyVoghz3WUbbRAJrbPuIFrTMq b+IX2Gjh7uXgh65EhmwYrinH2jygOdIK5SdJV7x2DtukA1MdRbDHeM8k1gvFNOdn Y4nNbTFzI6wuNfti6rvat2SaPm+b7QgMckxB3R8cTAb3o4zvzeUqJ1HMbYil9VG8 EHQOGJyq2fViTtBm6ZBQ98BylHxqXOsVclchqwARYTlWrvxeVrJ7LopjbD6BfAUr 3qasEKoM9Gu1J+i2HXC14qHofScqVYIO3zFl4jbMSwBSsABGZY1OQBxynfOw3cJ9 15BiXQ== =1ALE -----END PGP SIGNATURE----- Merge tag 'pull-tcg-20260206' of https://gitlab.com/rth7680/qemu into staging linux-user/syscall.c: Prevent acquiring clone_lock while fork() accel/tcg: Remove a redundant argument attrs in io_prepare() accel/tcg: Fix uninitialized hostp in get_page_addr_code_hostp Revert "tcg/user: do not set exit_request gratuitously" # -----BEGIN PGP SIGNATURE----- # # iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAmmFkJ0dHHJpY2hhcmQu # aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV9aLQgAjOLW3deluyYPggdi # YXDAS8YfCFbtXJ36jAeMZnRisXnIXcXkWZr/dseVyVoghz3WUbbRAJrbPuIFrTMq # b+IX2Gjh7uXgh65EhmwYrinH2jygOdIK5SdJV7x2DtukA1MdRbDHeM8k1gvFNOdn # Y4nNbTFzI6wuNfti6rvat2SaPm+b7QgMckxB3R8cTAb3o4zvzeUqJ1HMbYil9VG8 # EHQOGJyq2fViTtBm6ZBQ98BylHxqXOsVclchqwARYTlWrvxeVrJ7LopjbD6BfAUr # 3qasEKoM9Gu1J+i2HXC14qHofScqVYIO3zFl4jbMSwBSsABGZY1OQBxynfOw3cJ9 # 15BiXQ== # =1ALE # -----END PGP SIGNATURE----- # gpg: Signature made Fri Feb 6 06:56:29 2026 GMT # gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F # gpg: issuer "richard.henderson@linaro.org" # gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full] # Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F * tag 'pull-tcg-20260206' of https://gitlab.com/rth7680/qemu: accel/tcg: Remove a redundant argument attrs in io_prepare() Revert "tcg/user: do not set exit_request gratuitously" linux-user/syscall.c: Prevent acquiring clone_lock while fork() accel/tcg: Fix uninitialized hostp in get_page_addr_code_hostp accel/tcg: Don't pass NULL to get_page_addr_code_hostp Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2 months ago · 51e36e86d9
7 changed files with 31 additions and 24 deletions
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@ -751,7 +751,6 @@ static inline bool cpu_handle_exception(CPUState *cpu, int *ret)

 void tcg_kick_vcpu_thread(CPUState *cpu)
 {
-#ifndef CONFIG_USER_ONLY
    /*
     * Ensure cpu_exec will see the reason why the exit request was set.
     * FIXME: this is not always needed.  Other accelerators instead
@ -759,7 +758,6 @@ void tcg_kick_vcpu_thread(CPUState *cpu)
     * CPU thread; see kvm_arch_pre_run() for example.
     */
    qatomic_store_release(&cpu->exit_request, true);
-#endif

    /* Ensure cpu_exec will see the exit request after TCG has exited.  */
    qatomic_store_release(&cpu->neg.icount_decr.u16.high, -1);
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@ -1271,7 +1271,7 @@ static inline void cpu_unaligned_access(CPUState *cpu, vaddr addr,

 static MemoryRegionSection *
 io_prepare(hwaddr *out_offset, CPUState *cpu, CPUTLBEntryFull *full,
-           MemTxAttrs attrs, vaddr addr, uintptr_t retaddr)
+           vaddr addr, uintptr_t retaddr)
 {
    MemoryRegionSection *section;
    hwaddr mr_offset;
@ -1545,18 +1545,18 @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, vaddr addr,

    (void)probe_access_internal(env_cpu(env), addr, 1, MMU_INST_FETCH,
                                cpu_mmu_index(env_cpu(env), true), false,
-                                &p, &full, 0, false);
+                                hostp, &full, 0, false);
+
+    p = *hostp;
    if (p == NULL) {
        return -1;
    }

    if (full->lg_page_size < TARGET_PAGE_BITS) {
+        *hostp = NULL;
        return -1;
    }

-    if (hostp) {
-        *hostp = p;
-    }
    return qemu_ram_addr_from_host_nofail(p);
 }

@ -1974,12 +1974,10 @@ static uint64_t do_ld_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full,
    MemoryRegionSection *section;
    MemoryRegion *mr;
    hwaddr mr_offset;
-    MemTxAttrs attrs;

    tcg_debug_assert(size > 0 && size <= 8);

-    attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, addr, ra);
    mr = section->mr;

    BQL_LOCK_GUARD();
@ -1994,13 +1992,11 @@ static Int128 do_ld16_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full,
    MemoryRegionSection *section;
    MemoryRegion *mr;
    hwaddr mr_offset;
-    MemTxAttrs attrs;
    uint64_t a, b;

    tcg_debug_assert(size > 8 && size <= 16);

-    attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, addr, ra);
    mr = section->mr;

    BQL_LOCK_GUARD();
@ -2492,12 +2488,10 @@ static uint64_t do_st_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full,
    MemoryRegionSection *section;
    hwaddr mr_offset;
    MemoryRegion *mr;
-    MemTxAttrs attrs;

    tcg_debug_assert(size > 0 && size <= 8);

-    attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, addr, ra);
    mr = section->mr;

    BQL_LOCK_GUARD();
@ -2512,12 +2506,10 @@ static uint64_t do_st16_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full,
    MemoryRegionSection *section;
    MemoryRegion *mr;
    hwaddr mr_offset;
-    MemTxAttrs attrs;

    tcg_debug_assert(size > 8 && size <= 16);

-    attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, addr, ra);
    mr = section->mr;

    BQL_LOCK_GUARD();
--- a/accel/tcg/internal-common.h
+++ b/accel/tcg/internal-common.h
@ -82,7 +82,7 @@ void tb_check_watchpoint(CPUState *cpu, uintptr_t retaddr);
 * See get_page_addr_code() (full-system version) for documentation on the
 * return value.
 *
- * Sets *@hostp (when @hostp is non-NULL) as follows.
+ * Sets *@hostp as follows.
 * If the return value is -1, sets *@hostp to NULL. Otherwise, sets *@hostp
 * to the host address where @addr's content is kept.
 *
@ -105,7 +105,8 @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, vaddr addr,
 static inline tb_page_addr_t get_page_addr_code(CPUArchState *env,
                                                vaddr addr)
 {
-    return get_page_addr_code_hostp(env, addr, NULL);
+    void *discard;
+    return get_page_addr_code_hostp(env, addr, &discard);
 }

 /*
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@ -822,9 +822,7 @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, vaddr addr,
    flags = probe_access_internal(env, addr, 1, MMU_INST_FETCH, false, 0);
    g_assert(flags == 0);

-    if (hostp) {
-        *hostp = g2h_untagged(addr);
-    }
+    *hostp = g2h_untagged(addr);
    return addr;
 }

--- a/linux-user/main.c
+++ b/linux-user/main.c
@ -145,6 +145,7 @@ unsigned long guest_stack_size = TARGET_DEFAULT_STACK_SIZE;
 void fork_start(void)
 {
    start_exclusive();
+    clone_fork_start();
    mmap_fork_start();
    cpu_list_lock();
    qemu_plugin_user_prefork_lock();
@ -174,6 +175,7 @@ void fork_end(pid_t pid)
        cpu_list_unlock();
    }
    gdbserver_fork_end(thread_cpu, pid);
+    clone_fork_end(child);
    /*
     * qemu_init_cpu_list() reinitialized the child exclusive state, but we
     * also need to keep current_cpu consistent, so call end_exclusive() for
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@ -6856,6 +6856,20 @@ static void *clone_func(void *arg)
    return NULL;
 }

+void clone_fork_start(void)
+{
+    pthread_mutex_lock(&clone_lock);
+}
+
+void clone_fork_end(bool child)
+{
+    if (child) {
+        pthread_mutex_init(&clone_lock, NULL);
+    } else {
+        pthread_mutex_unlock(&clone_lock);
+    }
+}
+
 /* do_fork() Must return host values and target errnos (unlike most
   do_*() functions). */
 static int do_fork(CPUArchState *env, unsigned int flags, abi_ulong newsp,
--- a/linux-user/user-internals.h
+++ b/linux-user/user-internals.h
@ -69,6 +69,8 @@ abi_long get_errno(abi_long ret);
 const char *target_strerror(int err);
 int get_osversion(void);
 void init_qemu_uname_release(void);
+void clone_fork_start(void);
+void clone_fork_end(bool child);
 void fork_start(void);
 void fork_end(pid_t pid);