From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: Richard Henderson <richard.henderson@linaro.org>
Cc: nd@arm.com, qemu-devel@nongnu.org
Subject: tst-arm-mte bug: PSTATE.TCO is cleared on exceptions
Date: Mon, 20 Apr 2020 11:29:02 +0100
Message-ID: <20200420102902.GE15401@arm.com>
I'm using the branch at
https://github.com/rth7680/qemu/tree/tgt-arm-mte
to test Armv8.5-A MTE and hope it is OK to report bugs here.

I'm doing tests in qemu-system-aarch64 with Linux userspace
code, and it seems the TCO bit gets cleared after syscalls or other
kernel entry, but PSTATE is expected to be restored, so I
suspect it is a QEMU bug.

I think the architecture saves/restores PSTATE using SPSR_ELx
on exceptions.

I used the Linux branch
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/log/?h=devel/mte-v2

Attached is a reproducer that segfaults in QEMU but should work.

Thanks.
[-- Attachment #2: bug.c --]
// CFLAGS = -march=armv8.5-a+memtag
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/prctl.h>

// The logical (pointer) tag lives in bits 59:56 of the address.
#define TAG_SHIFT 56

// ABI constants from the devel/mte-v2 kernel branch, in case the
// installed headers do not have them yet.
#ifndef PROT_MTE
#define PROT_MTE 0x20
#endif
#ifndef PR_SET_TAGGED_ADDR_CTRL
#define PR_SET_TAGGED_ADDR_CTRL 55
#define PR_GET_TAGGED_ADDR_CTRL 56
#define PR_TAGGED_ADDR_ENABLE 1UL
#endif
#ifndef PR_MTE_TCF_SYNC
#define PR_MTE_TCF_SYNC 2UL
#define PR_MTE_TAG_SHIFT 3
#endif

int main(void)
{
	// Enable tagged addressing with synchronous tag check faults and
	// allow all 16 tags to be generated by IRG (unused below, harmless).
	if (prctl(PR_SET_TAGGED_ADDR_CTRL,
	          PR_TAGGED_ADDR_ENABLE | PR_MTE_TCF_SYNC | (0xffffUL << PR_MTE_TAG_SHIFT),
	          0, 0, 0))
		abort();

	// One page of tag-checked (PROT_MTE) anonymous memory; allocation tags start at 0.
	unsigned long *a = mmap(0, 1 << 12, PROT_READ | PROT_WRITE | PROT_MTE,
	                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (a == MAP_FAILED)
		abort();

	// Give the pointer logical tag 1.
	a = (void *)((unsigned long)a | (1UL << TAG_SHIFT));

	// STG sets the allocation tag of the 16-byte granule at a (a[0], a[1])
	// to the pointer's tag, so a[0] and a[1] now match and a[2], a[3] do not.
	asm volatile ("stg %1, %0" : "=Q"(*a) : "r"(a));

	// Turn tag checks off for this thread: PSTATE.TCO = 1.
	asm volatile ("msr tco, #1");
	a[0] = 1; // ok
	a[1] = 2; // ok
	a[2] = 3; // tag mismatch, but TCO == 1 so no fault

	// A syscall: exception to EL1 and back to EL0 via ERET.
	write(1, "foo\n", 4);

	// PSTATE.TCO (bit 25) should still be set after the syscall.
	unsigned long x;
	asm volatile ("mrs %0, tco" : "=r"(x));
	printf("tco = 0x%lx\n", x);

	a[3] = 4; // tag mismatch; segfaults if TCO was cleared to 0
	return 0;
}
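As an added illustration of the rule the report relies on (PSTATE is saved to SPSR_ELx on exception entry and restored by ERET), and not code from the report, from QEMU or from Linux: a small C model of an EL0 to EL1 exception and return. The bit positions are the architectural ones; the handler's behaviour, the vector address and the PC are constructed stand-ins. It runs on any host, so it shows what the reproducer's `mrs x, tco` should read back after the syscall rather than exercising real MTE hardware.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural PSTATE / SPSR_ELx bit positions used by the model. */
#define PSTATE_M_MASK  0xfULL          /* bits 3:0: exception level and SP select */
#define PSTATE_M_EL0t  0x0ULL
#define PSTATE_M_EL1h  0x5ULL
#define PSTATE_DAIF    (0xfULL << 6)   /* bits 9:6: D, A, I, F masks */
#define PSTATE_PAN     (1ULL << 22)
#define PSTATE_UAO     (1ULL << 23)
#define PSTATE_DIT     (1ULL << 24)
#define PSTATE_TCO     (1ULL << 25)    /* Tag Check Override (FEAT_MTE) */
#define PSTATE_NZCV    (0xfULL << 28)  /* bits 31:28 */

struct cpu {
	uint64_t pstate;    /* current PSTATE */
	uint64_t pc;
	uint64_t spsr_el1;  /* PSTATE of the interrupted context */
	uint64_t elr_el1;   /* return address */
};

/* Exception from EL0 to EL1 (a synchronous SVC here). The hardware saves
 * PSTATE to SPSR_EL1 and the return address to ELR_EL1, then builds the
 * handler's PSTATE: DAIF masked, M = EL1h and, with FEAT_MTE, TCO = 1 so
 * the handler starts with tag checks suppressed. */
static void take_exception_el1(struct cpu *c, uint64_t vector)
{
	c->spsr_el1 = c->pstate;
	c->elr_el1 = c->pc;
	c->pstate = (c->pstate & ~PSTATE_M_MASK) | PSTATE_M_EL1h
	          | PSTATE_DAIF | PSTATE_TCO;
	c->pc = vector;
}

/* ERET restores PSTATE from SPSR_EL1 and PC from ELR_EL1. Whatever the
 * handler did to its own TCO at EL1 is discarded here, which is why the
 * user's TCO setting is expected to survive a syscall. */
static void eret(struct cpu *c)
{
	c->pstate = c->spsr_el1;
	c->pc = c->elr_el1;
}

/* Stand-in EL1 handler (assumed behaviour for this model, not Linux code):
 * it re-enables its own tag checks and sets the Z flag, both of which must
 * be invisible to EL0 after ERET. */
static void el1_handler(struct cpu *c)
{
	c->pstate &= ~PSTATE_TCO;
	c->pstate |= (1ULL << 30);  /* Z */
}

/* Run the reproducer's sequence: start at EL0 with the given PSTATE bits
 * (M forced to EL0t), take a syscall exception, run the handler, return.
 * Returns the PSTATE that EL0 sees afterwards. */
static uint64_t pstate_after_syscall(uint64_t user_bits)
{
	struct cpu c = {
		.pstate = (user_bits & ~PSTATE_M_MASK) | PSTATE_M_EL0t,
		.pc = 0x400000,                        /* constructed */
	};
	take_exception_el1(&c, 0xffff000000000400ULL); /* constructed vector */
	el1_handler(&c);
	eret(&c);
	return c.pstate;
}

/* What `mrs x, tco` in the reproducer reads back: PSTATE.TCO as 0 or 1. */
static int tco_after_syscall(bool user_tco)
{
	uint64_t p = pstate_after_syscall(user_tco ? PSTATE_TCO : 0);
	return (p & PSTATE_TCO) ? 1 : 0;
}

/* Round-trip check: every user-visible PSTATE field that went into
 * SPSR_EL1 must come back unchanged, not only TCO. */
static bool pstate_round_trips(uint64_t user_bits)
{
	uint64_t before = (user_bits & ~PSTATE_M_MASK) | PSTATE_M_EL0t;
	return pstate_after_syscall(user_bits) == before;
}

int main(void)
{
	printf("tco after syscall, user tco=1: %d\n", tco_after_syscall(true));
	printf("tco after syscall, user tco=0: %d\n", tco_after_syscall(false));
	printf("nzcv/dit/tco round trip: %s (0x%" PRIx64 ")\n",
	       pstate_round_trips(PSTATE_NZCV | PSTATE_DIT | PSTATE_TCO) ? "ok" : "FAIL",
	       pstate_after_syscall(PSTATE_NZCV | PSTATE_DIT | PSTATE_TCO));
	return 0;
}
```

The model is the oracle to compare an emulator against: for any user PSTATE, the value read back after the kernel entry must equal the value before it, and a TCO that reads as 0 when it was 1 means the emulated SPSR save or ERET restore lost bit 25.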
Thread overview: 8+ messages
2020-04-20 10:29 Szabolcs Nagy [this message]
2020-04-22 4:39 ` tst-arm-mte bug: PSTATE.TCO is cleared on exceptions Richard Henderson
2020-04-24 19:47 ` Richard Henderson
2020-05-06 12:57 ` Szabolcs Nagy
2020-05-07 9:59 ` Szabolcs Nagy
2020-05-07 17:21 ` Richard Henderson
2020-05-18 12:59 ` Szabolcs Nagy
2020-05-19 18:46 ` Richard Henderson