qemu-devel.nongnu.org archive mirror
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 14/43] target-arm: Fix descriptor address masking in ARM address translation
Date: Thu, 12 May 2016 14:32:36 +0100	[thread overview]
Message-ID: <1463059985-2272-15-git-send-email-peter.maydell@linaro.org> (raw)
In-Reply-To: <1463059985-2272-1-git-send-email-peter.maydell@linaro.org>

From: Sergey Sorokin <afarallax@yandex.ru>

There is a bug in the ARM address translation regime with the long-descriptor
format. When a descriptor is read, its address is formed from an index
which is a part of the input address, and on the first iteration this index
is incorrectly masked with the 'grainsize' mask, but it can be wider according
to the pseudo-code.
On the other hand, on iterations other than the first the descriptor address
is formed from the previous level descriptor by masking with the 'descaddrmask'
value. It always clears just the 12 lower bits, but it must clear the 'grainsize'
lower bits instead according to the pseudo-code.
The patch fixes both cases.

Signed-off-by: Sergey Sorokin <afarallax@yandex.ru>
Message-id: 1460996853-22117-1-git-send-email-afarallax@yandex.ru
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target-arm/helper.c | 29 +++++++++++------------------
 1 file changed, 11 insertions(+), 18 deletions(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 59efb90..3b76dc3 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -7250,7 +7250,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
     uint32_t tg;
     uint64_t ttbr;
     int ttbr_select;
-    hwaddr descaddr, descmask;
+    hwaddr descaddr, indexmask, indexmask_grainsize;
     uint32_t tableattrs;
     target_ulong page_size;
     uint32_t attrs;
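Review bot: the split into `indexmask` and `indexmask_grainsize` on the `hwaddr descaddr, indexmask, indexmask_grainsize;` line deserves a one-line comment at the declaration, because the names alone do not say that `indexmask` is only wider than `indexmask_grainsize` at the starting level (concatenated first-level tables) and collapses to it for every later level; `descaddrmask` is declared outside this hunk, and the same comment could say which of the three applies to the TTBR-derived address and which to addresses taken from table descriptors.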
@@ -7439,28 +7439,20 @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
         level = startlevel;
     }
 
-    /* Clear the vaddr bits which aren't part of the within-region address,
-     * so that we don't have to special case things when calculating the
-     * first descriptor address.
-     */
-    if (va_size != inputsize) {
-        address &= (1ULL << inputsize) - 1;
-    }
-
-    descmask = (1ULL << (stride + 3)) - 1;
+    indexmask_grainsize = (1ULL << (stride + 3)) - 1;
+    indexmask = (1ULL << (inputsize - (stride * (4 - level)))) - 1;
 
     /* Now we can extract the actual base address from the TTBR */
     descaddr = extract64(ttbr, 0, 48);
-    descaddr &= ~((1ULL << (inputsize - (stride * (4 - level)))) - 1);
+    descaddr &= ~indexmask;
 
     /* The address field in the descriptor goes up to bit 39 for ARMv7
-     * but up to bit 47 for ARMv8.
+     * but up to bit 47 for ARMv8, but we use the descaddrmask
+     * up to bit 39 for AArch32, because we don't need other bits in that case
+     * to construct next descriptor address (anyway they should be all zeroes).
      */
-    if (arm_feature(env, ARM_FEATURE_V8)) {
-        descaddrmask = 0xfffffffff000ULL;
-    } else {
-        descaddrmask = 0xfffffff000ULL;
-    }
+    descaddrmask = ((1ull << (va_size == 64 ? 48 : 40)) - 1) &
+                   ~indexmask_grainsize;
 
     /* Secure accesses start with the page table in secure memory and
      * can be downgraded to non-secure at any step. Non-secure accesses
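Review bot: dropping the `address &= (1ULL << inputsize) - 1;` clamp is safe only because `indexmask` is now derived from `inputsize` and is applied after the right shift inside the loop, so address bits at or above `inputsize` can no longer reach the descriptor address; that reasoning is not recorded anywhere, and the deleted comment ("so that we don't have to special case things when calculating the first descriptor address") should survive in updated form next to the `indexmask = ...` line. Two smaller points: the new comment text "but up to bit 47 for ARMv8, but we use the descaddrmask up to bit 39 for AArch32" has one "but" too many and would read better as a separate sentence, and `1ull` on the `descaddrmask` line differs from the `1ULL` spelling used on the neighbouring lines.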
@@ -7472,7 +7464,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
         uint64_t descriptor;
         bool nstable;
 
-        descaddr |= (address >> (stride * (4 - level))) & descmask;
+        descaddr |= (address >> (stride * (4 - level))) & indexmask;
         descaddr &= ~7ULL;
         nstable = extract32(tableattrs, 4, 1);
         descriptor = arm_ldq_ptw(cs, descaddr, !nstable, mmu_idx, fsr, fi);
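Review bot: `descaddr |= (address >> (stride * (4 - level))) & indexmask;` is correct only because `descaddr` already had `~indexmask` applied when it was built from the TTBR in the previous hunk, and because `indexmask` is narrowed to `indexmask_grainsize` on the table-descriptor path before the loop continues; a short comment on this line saying that the mask is wider on the first iteration than on later ones would save the next reader a trip through the whole loop to see why the OR cannot set bits that are already set.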
@@ -7495,6 +7487,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
              */
             tableattrs |= extract64(descriptor, 59, 5);
             level++;
+            indexmask = indexmask_grainsize;
             continue;
         }
         /* Block entry at level 1 or 2, or page entry at level 3.
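Review bot: `indexmask = indexmask_grainsize;` sits on the only path that loops back (the table-descriptor case before `continue`), which is the right place, but it runs on every table step rather than just once after the starting level; that is harmless, yet an explanatory comment such as "later levels index a single granule-sized table" would make clear the repeated assignment is intentional and not a leftover from an earlier revision.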
-- 
1.9.1
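The two masking differences the commit message describes, as an added C model that is not QEMU's code and not part of this patch: `compute_masks` mirrors the mask arithmetic from the patched hunks, and `first_descaddr` / `next_table_addr` (my names) contrast patched and pre-patch behaviour on constructed TTBR, input-address and descriptor values.

```c
#include <stdint.h>

typedef uint64_t hwaddr;

/* Masks for one LPAE walk, built as the patched get_phys_addr_lpae() builds them.
 * stride = log2(entries per table): 9 for a 4K granule, 13 for 64K. */
struct walk_masks {
    hwaddr indexmask;           /* index bits at the starting level (may span concatenated tables) */
    hwaddr indexmask_grainsize; /* index bits at every later level: one granule-sized table */
    hwaddr descaddrmask;        /* descriptor bits that form the next table address */
};

static struct walk_masks compute_masks(int inputsize, int stride, int level, int va_size)
{
    struct walk_masks m;
    m.indexmask_grainsize = (1ULL << (stride + 3)) - 1;
    m.indexmask = (1ULL << (inputsize - (stride * (4 - level)))) - 1;
    m.descaddrmask = ((1ULL << (va_size == 64 ? 48 : 40)) - 1) & ~m.indexmask_grainsize;
    return m;
}

/* Starting-level descriptor address: TTBR base OR'd with the index taken from the
 * input address. patched=0 masks that index with the pre-patch grainsize mask.
 * Constructed stage-2 style case: 40-bit IPA, 4K granule, start at level 1, so the
 * level-1 table is two concatenated 4K tables and the index needs 13 bits, not 12:
 *   first_descaddr(0x80000000, 1ULL << 39, 40, 9, 1, 64, 1) -> 0x80001000
 *   first_descaddr(0x80000000, 1ULL << 39, 40, 9, 1, 64, 0) -> 0x80000000 (bit 39 lost) */
static hwaddr first_descaddr(hwaddr ttbr, uint64_t address, int inputsize, int stride,
                             int level, int va_size, int patched)
{
    struct walk_masks m = compute_masks(inputsize, stride, level, va_size);
    hwaddr descaddr = (ttbr & 0xffffffffffffULL) & ~m.indexmask; /* extract64(ttbr, 0, 48) */
    descaddr |= (address >> (stride * (4 - level))) & (patched ? m.indexmask : m.indexmask_grainsize);
    return descaddr & ~7ULL;
}

/* Next-level table address from a table descriptor. patched=0 uses the old ARMv8
 * constant, which clears only 12 low bits whatever the granule size. With a 64K
 * granule, descriptor bits 15:12 are not address bits:
 *   next_table_addr(0x8000a003, 13, 64, 1) -> 0x80000000
 *   next_table_addr(0x8000a003, 13, 64, 0) -> 0x8000a000 */
static hwaddr next_table_addr(uint64_t descriptor, int stride, int va_size, int patched)
{
    hwaddr grainmask = (1ULL << (stride + 3)) - 1;
    hwaddr descaddrmask = ((1ULL << (va_size == 64 ? 48 : 40)) - 1) & ~grainmask;
    return descriptor & (patched ? descaddrmask : 0xfffffffff000ULL);
}
```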
