From bc572be47286f6fc7eac583ce05c898830a09a41 Mon Sep 17 00:00:00 2001
From: Daniel Deptford <4424222+redmercury@users.noreply.github.com>
Date: Thu, 22 Aug 2019 02:54:24 -0700
Subject: [PATCH] Check for TLB invalidation after read callback(s). (#1122)

* Adding regression test for issue where writing memory into a read only segment during a access callback fails.

* Check for TLB invalidation when calling read callbacks;  Writes to read-only memory by the callback cause a TLB flush which requires a re-read of the TLB.
---
 qemu/softmmu_template.h                    | 10 ++++++--
 tests/regress/hook_readonly_write_local.py | 30 ++++++++++++++++++++++
 2 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100755 tests/regress/hook_readonly_write_local.py

diff --git a/qemu/softmmu_template.h b/qemu/softmmu_template.h
index 9f81e0f4..6e5e896b 100644
--- a/qemu/softmmu_template.h
+++ b/qemu/softmmu_template.h
@@ -289,8 +289,11 @@ WORD_TYPE helper_le_ld_name(CPUArchState *env, target_ulong addr, int mmu_idx,
     retaddr -= GETPC_ADJ;
 
     /* If the TLB entry is for a different page, reload and try again.  */
+    /* If the TLB entry addend is invalidated by any callbacks (perhaps due to
+       a TLB flush), reload and try again.  */
     if ((addr & TARGET_PAGE_MASK)
-         != (tlb_addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK))) {
+         != (tlb_addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK))
+         || env->tlb_table[mmu_idx][index].addend == -1) {
 #ifdef ALIGNED_ONLY
         if ((addr & (DATA_SIZE - 1)) != 0) {
             //cpu_unaligned_access(ENV_GET_CPU(env), addr, READ_ACCESS_TYPE,
@@ -517,8 +520,11 @@ WORD_TYPE helper_be_ld_name(CPUArchState *env, target_ulong addr, int mmu_idx,
     retaddr -= GETPC_ADJ;
 
     /* If the TLB entry is for a different page, reload and try again.  */
+    /* If the TLB entry addend is invalidated by any callbacks (perhaps due to
+       a TLB flush), reload and try again.  */
     if ((addr & TARGET_PAGE_MASK)
-         != (tlb_addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK))) {
+         != (tlb_addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK))
+         || env->tlb_table[mmu_idx][index].addend == -1) {
 #ifdef ALIGNED_ONLY
         if ((addr & (DATA_SIZE - 1)) != 0) {
             //cpu_unaligned_access(ENV_GET_CPU(env), addr, READ_ACCESS_TYPE,
diff --git a/tests/regress/hook_readonly_write_local.py b/tests/regress/hook_readonly_write_local.py
new file mode 100755
index 00000000..76b15891
--- /dev/null
+++ b/tests/regress/hook_readonly_write_local.py
@@ -0,0 +1,30 @@
+#!/usr/bin/python
+from unicorn import *
+from unicorn.x86_const import *
+import regress
+
+PAGE_SIZE = 4 * 1024
+ACCESS_ADDR = 0x1000
+
+# mov eax, [0x1000]
+# mov eax, [0x1000]
+CODE = b'\xA1\x00\x10\x00\x00\xA1\x00\x10\x00\x00'
+
+def hook_mem_read(uc, access, address, size, value, data):
+    print("Reading at " + str(address))
+    uc.mem_write(address, CODE);
+
+class REP(regress.RegressTest):
+
+    def test_rep(self):
+        mu = Uc(UC_ARCH_X86, UC_MODE_32)
+
+        mu.mem_map(0, PAGE_SIZE)
+        mu.mem_write(0, CODE)
+        mu.mem_map(ACCESS_ADDR, PAGE_SIZE, UC_PROT_READ);
+        mu.hook_add(UC_HOOK_MEM_READ, hook_mem_read, begin = ACCESS_ADDR, end = ACCESS_ADDR + PAGE_SIZE)
+
+        mu.emu_start(0, len(CODE))
+
+if __name__ == '__main__':
+    regress.main()