qemu-devel.nongnu.org archive mirror
From: Richard Henderson <richard.henderson@linaro.org>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>, qemu-stable@nongnu.org
Subject: [PULL 14/14] tcg: Allow top bit of SIMD_DATA_BITS to be set in simd_desc()
Date: Fri, 15 Nov 2024 12:58:49 -0800
Message-ID: <20241115205849.266094-15-richard.henderson@linaro.org>
In-Reply-To: <20241115205849.266094-1-richard.henderson@linaro.org>

From: Peter Maydell <peter.maydell@linaro.org>

In simd_desc() we create a SIMD descriptor from various pieces
including an arbitrary data value from the caller.  We try to
sanitize these to make sure everything will fit: the 'data' value
needs to fit in the SIMD_DATA_BITS (== 22) sized field.  However we
do that sanitizing with:
   tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS));

This works for the case where the data is supposed to be considered
as a signed integer (which can then be returned via simd_data()).
However, some callers want to treat the data value as unsigned.

Specifically, for the Arm SVE operations, make_svemte_desc()
assembles a data value as a collection of fields, and it needs to use
all 22 bits.  Currently if MTE is enabled then its MTEDESC SIZEM1
field may have the most significant bit set, and then it will trip
this assertion.

Loosen the assertion so that we only check that the data value will
fit into the field in some way, either as a signed or as an unsigned
value.  This means we will fail to detect some kinds of bug in the
callers, but we won't spuriously assert for intentional use of the
data field as unsigned.

Cc: qemu-stable@nongnu.org
Fixes: db432672dc50e ("tcg: Add generic vector expanders")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2601
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20241115172515.1229393-1-peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/tcg-op-gvec.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
index 78ee1ced80..97e4df221a 100644
--- a/tcg/tcg-op-gvec.c
+++ b/tcg/tcg-op-gvec.c
@@ -88,7 +88,20 @@ uint32_t simd_desc(uint32_t oprsz, uint32_t maxsz, int32_t data)
     uint32_t desc = 0;
 
     check_size_align(oprsz, maxsz, 0);
-    tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS));
+
+    /*
+     * We want to check that 'data' will fit into SIMD_DATA_BITS.
+     * However, some callers want to treat the data as a signed
+     * value (which they can later get back with simd_data())
+     * and some want to treat it as an unsigned value.
+     * So here we assert only that the data will fit into the
+     * field in at least one way. This means that some invalid
+     * values from the caller will not be detected, e.g. if the
+     * caller wants to handle the value as a signed integer but
+     * incorrectly passes us 1 << (SIMD_DATA_BITS - 1).
+     */
+    tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS) ||
+                     data == extract32(data, 0, SIMD_DATA_BITS));
 
     oprsz = (oprsz / 8) - 1;
     maxsz = (maxsz / 8) - 1;
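Review bot: the second disjunct of the new assertion compares the int32_t `data` with the uint32_t returned by extract32(), so `data` is converted to unsigned implicitly; spelling it `(uint32_t)data == extract32(data, 0, SIMD_DATA_BITS)` would make the intended unsigned comparison explicit and keep -Wsign-compare builds quiet. The block comment also says some callers treat the field as unsigned, yet the only accessor it names is simd_data(), which returns the signed interpretation; it would be worth stating here, or in the simd_desc() documentation, that such callers must read the field back with extract32() rather than simd_data(), otherwise a value with bit 21 set comes back negative.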
-- 
2.43.0
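As an added illustration of the check discussed above (this is not QEMU's code, and nothing here is taken from the patch other than the assertion logic and SIMD_DATA_BITS == 22), the following stand-alone C program models the data-field check before and after the patch and shows what a signed and an unsigned consumer each read back from the packed field. The field offset SIMD_DATA_SHIFT == 10 and the extract32()/sextract32() helpers are my assumptions, written to match the semantics of QEMU's bit-field helpers as I understand them; the test inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not QEMU code. SIMD_DATA_BITS == 22 is from the patch;
 * SIMD_DATA_SHIFT == 10 and the helper semantics below are assumptions
 * modelled on QEMU's tcg-gvec-desc.h / bitops.h.
 */
#define SIMD_DATA_BITS  22
#define SIMD_DATA_SHIFT 10

/* Zero-extending field extract: 'length' bits starting at bit 'start'. */
static inline uint32_t extract32(uint32_t value, int start, int length)
{
    return (value >> start) & (~0U >> (32 - length));
}

/* Sign-extending field extract: the field's top bit becomes the sign. */
static inline int32_t sextract32(uint32_t value, int start, int length)
{
    return ((int32_t)(value << (32 - length - start))) >> (32 - length);
}

/* The check as it was before the patch: only a signed round-trip passes. */
bool data_fits_old(int32_t data)
{
    return data == sextract32(data, 0, SIMD_DATA_BITS);
}

/* The check as patched: a signed or an unsigned round-trip passes. */
bool data_fits_new(int32_t data)
{
    return data == sextract32(data, 0, SIMD_DATA_BITS) ||
           (uint32_t)data == extract32(data, 0, SIMD_DATA_BITS);
}

/* Place only the data field into an otherwise-empty descriptor. */
uint32_t pack_data(int32_t data)
{
    return ((uint32_t)data & ((1u << SIMD_DATA_BITS) - 1)) << SIMD_DATA_SHIFT;
}

/* What a simd_data()-style signed consumer reads back. */
int32_t unpack_signed(uint32_t desc)
{
    return sextract32(desc, SIMD_DATA_SHIFT, SIMD_DATA_BITS);
}

/* What a consumer that treats the field as unsigned must read instead. */
uint32_t unpack_unsigned(uint32_t desc)
{
    return extract32(desc, SIMD_DATA_SHIFT, SIMD_DATA_BITS);
}

int main(void)
{
    /* Constructed inputs: bit 21 set (the case that tripped the old assert),
     * a negative value, the largest positive 22-bit value, a value that needs
     * 23 bits, and one just below the smallest signed 22-bit value. */
    const int32_t cases[] = { 0x200000, -1, 0x1FFFFF, 1 << SIMD_DATA_BITS, -0x200001 };
    size_t i;

    printf("%-12s %-4s %-4s %-12s %-12s\n",
           "data", "old", "new", "as signed", "as unsigned");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t desc = pack_data(cases[i]);
        printf("%-12d %-4s %-4s %-12d %-12u\n", cases[i],
               data_fits_old(cases[i]) ? "ok" : "FAIL",
               data_fits_new(cases[i]) ? "ok" : "FAIL",
               unpack_signed(desc), unpack_unsigned(desc));
    }
    return 0;
}
```

The table makes the trade-off in the commit message concrete: 0x200000 is rejected by the old check and accepted by the new one, but a signed consumer reading it back gets -0x200000, so a caller that assembles an unsigned field must also extract it unsigned. Values that need more than 22 bits in either interpretation are still rejected by both checks.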




Thread overview: 17+ messages
2024-11-15 20:58 [PULL 00/14] tcg + linux-user patch queue Richard Henderson
2024-11-15 20:58 ` [PULL 01/14] linux-user: Fix setreuid and setregid to use direct syscalls Richard Henderson
2024-11-15 20:58 ` [PULL 02/14] accel/tcg: Fix user-only probe_access_internal plugin check Richard Henderson
2024-11-15 20:58 ` [PULL 03/14] linux-user: Tolerate CONFIG_LSM_MMAP_MIN_ADDR Richard Henderson
2024-11-15 20:58 ` [PULL 04/14] tests/tcg: Test that sigreturn() does not corrupt the signal mask Richard Henderson
2024-11-15 20:58 ` [PULL 05/14] target/i386: fix hang when using slow path for ptw_setl Richard Henderson
2024-11-15 20:58 ` [PULL 06/14] cpu: ensure we don't call start_exclusive from cpu_exec Richard Henderson
2024-11-15 20:58 ` [PULL 07/14] linux-user: Honor elf alignment when placing images Richard Henderson
2024-11-15 20:58 ` [PULL 08/14] linux-user: Drop image_info.alignment Richard Henderson
2024-11-15 20:58 ` [PULL 09/14] linux-user/aarch64: Reduce vdso alignment to 4k Richard Henderson
2024-11-15 20:58 ` [PULL 10/14] linux-user/arm: " Richard Henderson
2024-11-15 20:58 ` [PULL 11/14] linux-user/loongarch64: " Richard Henderson
2024-11-15 20:58 ` [PULL 12/14] linux-user/ppc: " Richard Henderson
2024-11-15 20:58 ` [PULL 13/14] linux-user/arm: Select vdso for be8 and be32 modes Richard Henderson
2024-11-15 20:58 ` Richard Henderson [this message]
2024-11-16 10:39 ` [PULL 00/14] tcg + linux-user patch queue Peter Maydell
2024-11-16 16:38   ` Richard Henderson
