From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:34261)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pm215@archaic.org.uk>) id 1WIior-000113-20
	for qemu-devel@nongnu.org; Wed, 26 Feb 2014 13:03:01 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pm215@archaic.org.uk>) id 1WIioq-0007RB-1K
	for qemu-devel@nongnu.org; Wed, 26 Feb 2014 13:02:56 -0500
Received: from mnementh.archaic.org.uk ([2001:8b0:1d0::1]:46191)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pm215@archaic.org.uk>) id 1WIiop-0007Eu-Rr
	for qemu-devel@nongnu.org; Wed, 26 Feb 2014 13:02:55 -0500
From: Peter Maydell <peter.maydell@linaro.org>
Date: Wed, 26 Feb 2014 18:01:57 +0000
Message-Id: <1393437755-23586-8-git-send-email-peter.maydell@linaro.org>
In-Reply-To: <1393437755-23586-1-git-send-email-peter.maydell@linaro.org>
References: <1393437755-23586-1-git-send-email-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PULL 07/45] target-arm: Load correct access bits from
	ARMv5 level 2 page table descriptors
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Anthony Liguori <aliguori@amazon.com>
Cc: Blue Swirl <blauwirbel@gmail.com>, qemu-devel@nongnu.org, Aurelien Jarno <aurelien@aurel32.net>

In ARMv5 level 2 page table descriptors, each 4K or 64K page is split into
four subpages, each of which can have different access permission settings,
which are specified by four two-bit fields in the l2 descriptor. A
long-standing cut-and-paste error meant we were using the wrong bits in
the virtual address to select the access-permission field for 4K pages.

The error has presumably not been noticed before because most guests don't
make use of the ability to set the access permissions differently for
each 1K subpage: if the guest gives the whole page the same access
permissions it doesn't matter which of the 4 AP fields we select.
(The whole issue is irrelevant for ARMv7 CPUs anyway because subpages
aren't supported there.)

Reported-by: Vivek Rai <Vivek.Rai@emulex.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1392667690-8731-1-git-send-email-peter.maydell@linaro.org
---
 target-arm/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index c993581..b44aa1b 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -2798,7 +2798,7 @@ static int get_phys_addr_v5(CPUARMState *env, uint32_t address, int access_type,
             break;
         case 2: /* 4k page.  */
             phys_addr = (desc & 0xfffff000) | (address & 0xfff);
-            ap = (desc >> (4 + ((address >> 13) & 6))) & 3;
+            ap = (desc >> (4 + ((address >> 9) & 6))) & 3;
             *page_size = 0x1000;
             break;
         case 3: /* 1k page.  */
-- 
1.9.0