From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 23/26] linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
Date: Thu, 11 Jan 2018 13:38:19 +0000
Message-ID: <1515677902-23436-24-git-send-email-peter.maydell@linaro.org>
In-Reply-To: <1515677902-23436-1-git-send-email-peter.maydell@linaro.org>
Our copy of the nwfpe code for emulating the old FPA11 floating
point unit doesn't check the coprocessor number in the instruction
when it emulates it. This means that we might treat some
instructions which should really UNDEF as being FPA11 instructions by
accident.
The kernel's copy of the nwfpe code doesn't make this error; I suspect
the bug was noticed and fixed as part of the process of mainlining
the nwfpe code more than a decade ago.
Add a check that the coprocessor number (which is always in bits
[11:8] of the instruction) is either 1 or 2, which is where the
FPA11 lives.
Reported-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
linux-user/arm/nwfpe/fpa11.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/linux-user/arm/nwfpe/fpa11.c b/linux-user/arm/nwfpe/fpa11.c
index 441e3b1..f6f8163 100644
--- a/linux-user/arm/nwfpe/fpa11.c
+++ b/linux-user/arm/nwfpe/fpa11.c
@@ -137,8 +137,17 @@ unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa, CPUARMState* qregs)
unsigned int nRc = 0;
// unsigned long flags;
FPA11 *fpa11;
+ unsigned int cp;
// save_flags(flags); sti();
+ /* Check that this is really an FPA11 instruction: the coprocessor
+ * field in bits [11:8] must be 1 or 2.
+ */
+ cp = (opcode >> 8) & 0xf;
+ if (cp != 1 && cp != 2) {
+ return 0;
+ }
+
qemufpa=qfpa;
user_registers=qregs;
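Review bot: the early `return 0` after `if (cp != 1 && cp != 2)` relies on the caller treating a zero result as "not an FPA11 instruction" and delivering the UNDEF it would otherwise have raised, but the new comment only documents the bit-field test; extend it to say that returning 0 here means "not handled, leave the instruction undefined" so the meaning of this path is clear at the site rather than only in the commit message. The test itself, `cp = (opcode >> 8) & 0xf;` against 1 and 2, matches the bits [11:8] description in the commit message.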
--
2.7.4
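As an added example (not QEMU's nwfpe code and not the kernel's), the following C models the routing decision the patch introduces: an undefined-instruction trap is only handed to the FPA11 emulator when the opcode names coprocessor 1 or 2 in bits [11:8], and everything else stays UNDEF. It goes slightly beyond the patch by also checking that the opcode is in the ARM coprocessor encoding space at all (bits [27:25] == 110 for LDC/STC, bits [27:24] == 1110 for CDP/MCR/MRC, with the cond == 1111 space excluded), which is where a data-processing instruction whose bits [11:8] happen to read 1 gets rejected. The class decoding and the sample opcodes are the example's own and are labelled as constructed; the hunk does not show how EmulateAll dispatches on instruction class.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Routing outcomes for an opcode that trapped as undefined. */
enum fpa_route { ROUTE_UNDEF = 0, ROUTE_FPA11 = 1 };

/* Coprocessor number field: bits [11:8] of every ARM coprocessor
 * instruction (CDP, MCR/MRC, LDC/STC). Same extraction as the patch. */
unsigned int cp_number(uint32_t opcode)
{
    return (opcode >> 8) & 0xf;
}

/* True when the opcode is in the coprocessor encoding space (this class
 * check is the example's own, not from the patch):
 *   bits [27:25] == 0b110  -> LDC/STC
 *   bits [27:24] == 0b1110 -> CDP or MCR/MRC
 * and the cond == 0b1111 unconditional space is excluded. */
int is_coprocessor_insn(uint32_t opcode)
{
    if ((opcode >> 28) == 0xf) {
        return 0;
    }
    if (((opcode >> 25) & 0x7) == 0x6) {
        return 1;
    }
    if (((opcode >> 24) & 0xf) == 0xe) {
        return 1;
    }
    return 0;
}

/* Modelled pre-patch behaviour: any coprocessor-class opcode was handed to
 * the FPA11 emulator regardless of which coprocessor it named. */
enum fpa_route route_unchecked(uint32_t opcode)
{
    return is_coprocessor_insn(opcode) ? ROUTE_FPA11 : ROUTE_UNDEF;
}

/* Post-patch behaviour: additionally require the coprocessor field to be
 * 1 or 2, the two numbers the FPA11 occupies. Anything else stays UNDEF. */
enum fpa_route route_checked(uint32_t opcode)
{
    unsigned int cp;

    if (!is_coprocessor_insn(opcode)) {
        return ROUTE_UNDEF;
    }
    cp = cp_number(opcode);
    if (cp != 1 && cp != 2) {
        return ROUTE_UNDEF;
    }
    return ROUTE_FPA11;
}

/* Constructed sample opcodes (classic ARM encoding, cond = AL). */
static const struct { uint32_t opcode; const char *what; } samples[] = {
    { 0xED900100u, "LDC p1, c0, [r0]           (FPA-style load on cp1)" },
    { 0xEE000200u, "CDP p2, 0, c0, c0, c0, 0   (FPA data op on cp2)" },
    { 0xEE100F10u, "MRC p15, 0, r0, c0, c0, 0  (system control, not FPA)" },
    { 0xE1A00101u, "MOV r0, r1, LSL #2         (bits [11:8] read as 1)" },
};

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t op = samples[i].opcode;
        printf("%08x cp=%2u before=%-5s after=%-5s  %s\n", op, cp_number(op),
               route_unchecked(op) == ROUTE_FPA11 ? "FPA11" : "UNDEF",
               route_checked(op) == ROUTE_FPA11 ? "FPA11" : "UNDEF",
               samples[i].what);
    }
    return 0;
}
```

The MRC p15 row is the case the patch is about: before the check it is routed to the FPA11 emulator, after it the instruction stays undefined. The MOV row shows why the coprocessor-number test is only meaningful once the instruction class is known, since its bits [11:8] also happen to hold 1.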