On Wed, 28 Jan 2026 at 08:43, Panda Jiang <[email protected]> wrote:
>
> In tb_gen_code(), get_page_addr_code_hostp() is called to get a host
> mapping for a guest PC. If the function fails (e.g., for an I/O region)
> and returns -1, it previously left its output pointer parameter
> ('host_pc' in the caller) unmodified.
>
> If the caller's variable was uninitialized, this leads to undefined
> behavior when it is later used, for example in setjmp_gen_code(). This
> was observed as a segmentation fault when running QEMU with the
> '-d in_asm' logging option when mmu translation fails.
>
> As suggested by Richard Henderson, fix this within get_page_addr_code_hostp()
> itself rather than in the caller. Ensure that in all failure paths where -1
> is returned, the output pointer is explicitly set to NULL.
>
> Signed-off-by: Panda Jiang <[email protected]>
> ---
> + Changes in v2:
> + - Moved the fix from the caller (tb_gen_code) to the callee
> +   (get_page_addr_code_hostp).
> + - Set the output pointer to NULL on failure paths inside
> +   get_page_addr_code_hostp, as suggested.
> + - Updated commit message to reflect the new approach.
See Richard's elsewhere fix: https://lore.kernel.org/qemu-devel/[email protected]/ > accel/tcg/cputlb.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c > index 6900a12682..6d7cfd2b5a 100644 > --- a/accel/tcg/cputlb.c > +++ b/accel/tcg/cputlb.c > @@ -1543,6 +1543,10 @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState > *env, vaddr addr, > CPUTLBEntryFull *full; > void *p; > > + if (hostp) { > + *hostp = NULL; > + } > + > (void)probe_access_internal(env_cpu(env), addr, 1, MMU_INST_FETCH, > cpu_mmu_index(env_cpu(env), true), false, > &p, &full, 0, false); > -- > 2.39.2 (Apple Git-143) > >
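Review bot: the commit message says the output pointer is set to NULL "in all failure paths where -1 is returned", but the hunk does something simpler and broader: it clears `*hostp` unconditionally at function entry, before `probe_access_internal()` is called, so the message should describe the early-clear rather than per-path handling. The approach itself is sound for the bug described (an uninitialized `host_pc` in the caller), and the `if (hostp)` guard correctly keeps callers that pass NULL working; what the hunk does not show is the success path, so it is worth confirming in the full function that `*hostp` is still assigned from `p` after the probe, otherwise a successful lookup would now hand the caller NULL. Given the linked alternative fix from Richard in this thread, it would also help to state in the cover text whether this patch is meant to supersede it or is redundant with it.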
