From: "Alex Bennée" <alex.bennee@linaro.org>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Jaroslaw Pelczar <j.pelczar@samsung.com>,
QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] target/arm: Fix abort on exception return from AArch64 to AArch32
Date: Wed, 12 Jul 2017 16:36:14 +0100 [thread overview]
Message-ID: <877ezd8y6p.fsf@linaro.org> (raw)
In-Reply-To: <CAFEAcA8FAp6TvY+DBVGzYVizLw9iarPQMLRw3haNxtFeEBYjHg@mail.gmail.com>
Peter Maydell <peter.maydell@linaro.org> writes:
> On 12 July 2017 at 12:39, Jaroslaw Pelczar <j.pelczar@samsung.com> wrote:
>> Problem manifests itself when we handle the following sequence:
>>
>> 1. 64-bit Secure EL3 returns to 32-bit Secure EL1
>> 2. 32-bit Secure EL1 performs SMC call to 64-bit Secure EL3
>> 3. 64-bit Secure EL3 performs return ERET to 32-bit Secure EL1
>> 4. 32-bit Secure EL1 receives prefetch abort
>>
>> If the CPU's env->pc is not set to the same value as env->regs[15],
>> during ERET the simulator will try to fetch the instruction from EL3's
>> virtual address inside the 32-bit Secure EL1 virtual address space.
>> This will cause a Prefetch Abort in 32-bit Secure EL1.
>>
>> Problem occurs because of the following code generation scheme:
>>
>> 1. disas_uncond_b_reg will decode ERET
>> 2. gen_helper_exception_return(cpu_env) will generate thunk to
>> helper_exception_return
>> 3. s->is_jmp is set to DISAS_JUMP
>> 4. gen_intermediate_code_a64 will see dc->is_jmp == DISAS_JUMP
>> 5. tcg_gen_lookup_and_goto_ptr(cpu_pc) will be called, which triggers
>> an access to cpu->pc to fetch the next opcode
>>
>> At this point cpu->pc will have EL3's PC value.
>>
>> Signed-off-by: Jaroslaw Pelczar <j.pelczar@samsung.com>
>> ---
>> target/arm/op_helper.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
>> index 2a85666..8222c19 100644
>> --- a/target/arm/op_helper.c
>> +++ b/target/arm/op_helper.c
>> @@ -1027,6 +1027,9 @@ void HELPER(exception_return)(CPUARMState *env)
>> } else {
>> env->regs[15] = env->elr_el[cur_el] & ~0x3;
>> }
>> +
>> + env->pc = env->regs[15];
>> +
>> qemu_log_mask(CPU_LOG_INT, "Exception return from AArch64 EL%d to "
>> "AArch32 EL%d PC 0x%" PRIx32 "\n",
>> cur_el, new_el, env->regs[15]);
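Review bot: the added `env->pc = env->regs[15];` patches the key that the in-TB lookup reads rather than the reason it is read. By the time this line runs the helper has already switched the CPU to AArch32 and written the AArch32 view of the PC (`env->regs[15] = env->elr_el[cur_el] & ~0x3;`); the stale AArch64 view is only consulted because the translator ends the ERET block with tcg_gen_lookup_and_goto_ptr(cpu_pc), which uses env->pc regardless of the execution state the helper just established. Keeping the two PC views in sync by hand inside one helper is fragile, since every other path that changes execution state would need the same line. The safer change is in the translator: after gen_helper_exception_return, end the TB with an exit to the main loop (tcg_gen_exit_tb(0)) instead of DISAS_JUMP, so the next TB is chosen from the state-aware CPU state and no in-TB lookup is attempted. If this hunk is kept as an interim fix, add a comment explaining why pc must mirror regs[15] at this point, otherwise the assignment reads as an unexplained redundancy next to the qemu_log_mask call that already reports regs[15].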
>
> Thanks for the bug report. I don't think this is the best
> fix, though. What should happen is that for ERET we do
> not attempt to do a lookup_and_goto_ptr(), we should just
> go back out to the main loop and get the next TB from there.
>
> I think this may be fixed as one of the things Alex's
> recent patchset tackles?
Yes, see:
https://lists.nongnu.org/archive/html/qemu-devel/2017-07/msg02963.html
I'll probably get v4 out tomorrow at which point you can merge it ;-)
>
> thanks
> -- PMM
--
Alex Bennée
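To make the discussion above concrete, here is a small C model of the two PC views involved in the report. It is an added illustration, not code from the patch, from Alex's series or from QEMU: the `CpuState` struct, the addresses and the `exception_return`/`next_fetch_pc` functions are constructed stand-ins for CPUARMState, HELPER(exception_return) and the translator's end-of-TB choice. It shows why an in-TB lookup keyed on the AArch64 `pc` lands at EL3's address after an AArch64 to AArch32 return, why copying `regs[15]` into `pc` (the posted hunk) hides the symptom, and why exiting to the main loop, where the PC view is chosen by execution state, fixes it without keeping two views in sync by hand.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the two PC views described in the report. Constructed for
 * illustration; it is not QEMU's CPUARMState. */
typedef struct {
    bool aarch64;       /* true while executing AArch64 code */
    uint64_t pc;        /* AArch64 view of the program counter */
    uint32_t regs[16];  /* AArch32 view; regs[15] is the PC */
    uint64_t elr_el3;   /* return address saved by the SMC from EL1 */
} CpuState;

/* Two ways the translator can end the TB that contains the ERET. */
enum { END_LOOKUP_AND_GOTO_PTR, END_EXIT_TO_MAIN_LOOP };

/* Constructed addresses (not taken from any real firmware). */
#define EL3_HANDLER_PC  0x00000000ff001000ull  /* 64-bit Secure EL3 handler */
#define EL1_RETURN_PC   0x0000000000008004ull  /* 32-bit Secure EL1, after the SMC */

/* Model of the AArch64 -> AArch32 case of the exception-return helper: it
 * switches execution state and writes the AArch32 view only. With sync_pc
 * set it also does what the posted hunk does: copy regs[15] into pc. */
static void exception_return(CpuState *env, bool sync_pc)
{
    env->aarch64 = false;
    env->regs[15] = (uint32_t)(env->elr_el3 & ~(uint64_t)0x3);
    if (sync_pc) {
        env->pc = env->regs[15];
    }
}

/* What the main loop does when it picks the next TB: select the PC view
 * that matches the current execution state. */
static uint64_t tb_lookup_pc(const CpuState *env)
{
    return env->aarch64 ? env->pc : env->regs[15];
}

/* Address the next instruction fetch would use, given how the TB ended. */
static uint64_t next_fetch_pc(const CpuState *env, int tb_end)
{
    if (tb_end == END_LOOKUP_AND_GOTO_PTR) {
        /* In-TB lookup keyed on cpu_pc: always the AArch64 view, whatever
         * execution state the helper just established. */
        return env->pc;
    }
    return tb_lookup_pc(env);
}

/* Run the report's step 3: 64-bit Secure EL3 executes ERET back to 32-bit
 * Secure EL1. Returns the address the emulator would fetch from next. */
uint64_t run_eret_scenario(int tb_end, bool sync_pc_in_helper)
{
    CpuState env = { .aarch64 = true, .pc = EL3_HANDLER_PC,
                     .elr_el3 = EL1_RETURN_PC };
    exception_return(&env, sync_pc_in_helper);
    return next_fetch_pc(&env, tb_end);
}

/* True when the fetch lands at the EL1 return address; false means the
 * fetch uses EL3's address inside EL1's address space, i.e. the abort. */
bool eret_lands_in_el1(int tb_end, bool sync_pc_in_helper)
{
    return run_eret_scenario(tb_end, sync_pc_in_helper) == EL1_RETURN_PC;
}

int main(void)
{
    printf("lookup_and_goto_ptr, pc not synced : fetch at 0x%" PRIx64 "\n",
           run_eret_scenario(END_LOOKUP_AND_GOTO_PTR, false));
    printf("lookup_and_goto_ptr, pc synced     : fetch at 0x%" PRIx64 "\n",
           run_eret_scenario(END_LOOKUP_AND_GOTO_PTR, true));
    printf("exit to main loop, pc not synced   : fetch at 0x%" PRIx64 "\n",
           run_eret_scenario(END_EXIT_TO_MAIN_LOOP, false));
    return 0;
}
```

The first line of output reproduces the report: the fetch address is EL3's `pc`, which the AArch32 EL1 translation regime cannot map. The second shows the posted hunk working by keeping both views equal. The third shows the approach Peter describes: no in-TB lookup at all, so the stale AArch64 view is never consulted and no helper has to know about the other view.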
Thread overview:
2017-07-12 11:39 ` [Qemu-devel] target/arm: Fix abort on exception return from AArch64 to AArch32 Jaroslaw Pelczar
2017-07-12 12:29 ` Peter Maydell
2017-07-12 15:36 ` Alex Bennée [this message]