From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from [140.186.70.92] (port=57758 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1OC8Vl-0002lg-Dg
	for qemu-devel@nongnu.org; Wed, 12 May 2010 05:45:57 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <jan.kiszka@web.de>) id 1OC8Vg-0006g6-Pi
	for qemu-devel@nongnu.org; Wed, 12 May 2010 05:45:53 -0400
Received: from fmmailgate01.web.de ([217.72.192.221]:48018)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <jan.kiszka@web.de>) id 1OC6o4-0006IG-Dt
	for qemu-devel@nongnu.org; Wed, 12 May 2010 03:56:41 -0400
Message-ID: <4BEA5F2F.8090107@web.de>
Date: Wed, 12 May 2010 09:56:31 +0200
From: Jan Kiszka <jan.kiszka@web.de>
MIME-Version: 1.0
References: <201004222338.06194.michael@walle.cc> <4BD14B05.3050301@web.de>
	<201005072257.57198.michael@walle.cc>
In-Reply-To: <201005072257.57198.michael@walle.cc>
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="------------enig5197B20E64C2B069B1CE3F9F"
Sender: jan.kiszka@web.de
Subject: [Qemu-devel] Re: Commit 9c9bb6c89d4 breaks code execution from flash
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Michael Walle <michael@walle.cc>
Cc: qemu-devel@nongnu.org

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig5197B20E64C2B069B1CE3F9F
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Michael Walle wrote:
> [sorry didn't see the CC to the mailinglist]
>=20
> Am Friday 23 April 2010 09:23:49 schrieb Jan Kiszka:
>> Michael Walle wrote:
>>> Hi Jan,
>>>
>>> your commit "Optimize consecutive CFI02 writes by remapping memory
>>> lazily" breaks the code execution from flash.
>>>
>>> If you write to the flash, the flash will switch into I/O mode. Now i=
f
>>> code is executed from this flash, a cpu_abort will be raised ("Trying=
 to
>>> execute code outside RAM or ROM").
>> Hmm, guess I didn't test execute-in-place back then. Do you happen to
>> have a test case for this scenario? I'll look into this.
> Only for my qemu-lm32 port.. But reading the flash id, while executing =
this=20
> code from flash should trigger the bug.
>=20

OK, that was a hard nut. After various dead ends, I think I found an
possible solution. Can you give this a try?

diff --git a/exec-all.h b/exec-all.h
index 1016de2..b070da9 100644
--- a/exec-all.h
+++ b/exec-all.h
@@ -329,6 +329,10 @@ static inline tb_page_addr_t
get_page_addr_code(CPUState *env1, target_ulong add
     if (unlikely(env1->tlb_table[mmu_idx][page_index].addr_code !=3D
                  (addr & TARGET_PAGE_MASK))) {
         ldub_code(addr);
+        if (unlikely(env1->tlb_table[mmu_idx][page_index].addr_code &
+                     TLB_INVALID_MASK)) {
+            ldub_code(addr);
+        }
     }
     pd =3D env1->tlb_table[mmu_idx][page_index].addr_code &
~TARGET_PAGE_MASK;
     if (pd > IO_MEM_ROM && !(pd & IO_MEM_ROMD)) {
diff --git a/hw/pflash_cfi02.c b/hw/pflash_cfi02.c
index f3d3f41..201e410 100644
--- a/hw/pflash_cfi02.c
+++ b/hw/pflash_cfi02.c
@@ -40,7 +40,7 @@
 #include "qemu-timer.h"
 #include "block.h"

-//#define PFLASH_DEBUG
+#define PFLASH_DEBUG
 #ifdef PFLASH_DEBUG
 #define DPRINTF(fmt, ...)                          \
 do {                                               \
@@ -112,7 +112,7 @@ static uint32_t pflash_read (pflash_t *pfl,
target_phys_addr_t offset,

     DPRINTF("%s: offset " TARGET_FMT_plx "\n", __func__, offset);
     ret =3D -1;
-    if (pfl->rom_mode) {
+    if (!pfl->rom_mode) {
         /* Lazy reset of to ROMD mode */
         if (pfl->wcycle =3D=3D 0)
             pflash_register_memory(pfl, 1);
@@ -185,7 +185,7 @@ static uint32_t pflash_read (pflash_t *pfl,
target_phys_addr_t offset,
         default:
             goto flash_read;
         }
-        DPRINTF("%s: ID " TARGET_FMT_pld " %x\n", __func__, boff, ret);
+        DPRINTF("%s: ID " TARGET_FMT_plx " %x\n", __func__, boff, ret);
         break;
     case 0xA0:
     case 0x10:


Still requires proper patch split up, and I need to think about possible
side effects.

Jan


--------------enig5197B20E64C2B069B1CE3F9F
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iEYEARECAAYFAkvqXzMACgkQitSsb3rl5xTTqACeMM/Zn4xK61p0OwS5rs+ljF9r
gg8AmwY/o6IFDOIQkP7Kr8T+PKwDVGTo
=rKX/
-----END PGP SIGNATURE-----

--------------enig5197B20E64C2B069B1CE3F9F--