qemu-devel.nongnu.org archive mirror
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [PULL 04/38] target/arm: Add assert to arm_to_core_mmu_idx()
Date: Fri, 31 Oct 2025 18:32:36 +0000
Message-ID: <20251031183310.3778349-5-peter.maydell@linaro.org>
In-Reply-To: <20251031183310.3778349-1-peter.maydell@linaro.org>

Before commit f76cee647c ("target/arm: Introduce mmu indexes for
GCS") it was impossible for arm_to_core_mmu_idx() to return an
invalid core MMU index, because NB_MMU_MODES was 16 and
ARM_MMU_IDX_COREIDX_MASK was 0xf.

That commit raises ARM_MMU_IDX_COREIDX_MASK to 0x1f and NB_MMU_MODES
to 22, so it's now possible for a bogus Arm mmu index to result in an
out of range core mmu index (which can then get used as an array
index in the CPUTLB struct arrays). Coverity complains that this
might result in an out-of-bounds access.

The out-of-bounds access can't happen because we construct all the
ARMMMUIdx values we will use for TLBs to have valid core MMU indexes
in the COREIDX field.  But we can add an assert() so that if we ever
do end up operating on a corrupted or wrong ARMMMUIdx value we get an
assert rather than silently indexing off the end of an array. This
should also make Coverity happier.

Coverity: CID 1641404
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20251023101339.1983809-1-peter.maydell@linaro.org
---
 target/arm/internals.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 6fbf7e1ca49..4c0fa28ef84 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -969,7 +969,9 @@ bool arm_cpu_tlb_fill_align(CPUState *cs, CPUTLBEntryFull *out, vaddr addr,
 
 static inline int arm_to_core_mmu_idx(ARMMMUIdx mmu_idx)
 {
-    return mmu_idx & ARM_MMU_IDX_COREIDX_MASK;
+    int coreidx = mmu_idx & ARM_MMU_IDX_COREIDX_MASK;
+    assert(coreidx < NB_MMU_MODES);
+    return coreidx;
 }
 
 static inline ARMMMUIdx core_to_arm_mmu_idx(CPUARMState *env, int mmu_idx)
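Review bot: the new `assert(coreidx < NB_MMU_MODES);` is a corrupt-state trap rather than a bounds check, and the hunk should make that explicit: under standard C semantics assert() compiles to nothing when NDEBUG is defined, so in such a build the array indexing the commit message describes is again unguarded, and a future reader could mistake the line for input validation. A one-line comment above it stating that every ARMMMUIdx used for a TLB carries a valid COREIDX by construction (as the commit message says) would pin down the intent. It is also worth asking whether the inverse helper core_to_arm_mmu_idx(), whose signature is the trailing context here, wants a matching range check on its int mmu_idx argument: with the mask widened to 0x1f against NB_MMU_MODES of 22, core indexes 22..31 are representable but never valid.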
-- 
2.43.0
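The commit message turns on an implicit invariant that quietly broke: as long as ARM_MMU_IDX_COREIDX_MASK selected exactly as many values as NB_MMU_MODES had entries, masking alone was a complete bounds check; once the mask grew to 0x1f while the table grew only to 22, the mask started admitting indexes the table cannot hold. The following standalone C program is an added illustration, not QEMU code: it counts the representable-but-invalid COREIDX values under both configurations quoted in the commit message, and contrasts the unchecked conversion with a checked one and with an assert() trap like the one in the patch. The flag bits above the COREIDX field, the per-mode table, and the "bogus" index value are constructed assumptions for illustration and do not reproduce QEMU's real ARMMMUIdx layout.

```c
/*
 * Added example (not QEMU code). Models why widening the COREIDX mask
 * without keeping it tied to the TLB table size lets a corrupt MMU index
 * reach an out-of-range array slot, and how a check traps it.
 * Constants mirror the commit message; the flag bits, the table and the
 * bogus index are constructed for illustration only.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Before and after the GCS commit, as quoted in the commit message. */
#define OLD_COREIDX_MASK 0x0f
#define OLD_NB_MMU_MODES 16
#define NEW_COREIDX_MASK 0x1f
#define NEW_NB_MMU_MODES 22

/* Hypothetical type-flag bits above the COREIDX field (assumption). */
#define IDX_FLAG_A 0x20
#define IDX_FLAG_M 0x40

/* How many COREIDX values the mask can encode that the table cannot hold. */
static int count_unreachable_slots(unsigned mask, int nb_modes)
{
    int bad = 0;
    for (unsigned v = 0; v <= mask; v++) {
        if ((int)(v & mask) >= nb_modes) {
            bad++;
        }
    }
    return bad;
}

/* Pre-patch shape: the mask is the only guard. */
static int to_core_idx_unchecked(unsigned arm_idx, unsigned mask)
{
    return (int)(arm_idx & mask);
}

/* Patch shape: abort rather than silently index off the end of the table. */
static int to_core_idx_asserting(unsigned arm_idx, unsigned mask, int nb_modes)
{
    int coreidx = (int)(arm_idx & mask);
    assert(coreidx < nb_modes);
    return coreidx;
}

/* Recoverable variant: report -1 instead of an out-of-range index. */
static int to_core_idx_checked(unsigned arm_idx, unsigned mask, int nb_modes)
{
    int coreidx = (int)(arm_idx & mask);
    return coreidx < nb_modes ? coreidx : -1;
}

/* Simulated per-mode table lookup that refuses invalid indexes. */
static bool tlb_slot_lookup(unsigned arm_idx, unsigned mask, int nb_modes,
                            const int *table, int *out)
{
    int idx = to_core_idx_checked(arm_idx, mask, nb_modes);
    if (idx < 0) {
        return false;
    }
    *out = table[idx];
    return true;
}

/* Builds a NEW-layout table and looks arm_idx up in it; true on success. */
static bool demo_lookup(unsigned arm_idx)
{
    int table[NEW_NB_MMU_MODES];
    int value;
    for (int i = 0; i < NEW_NB_MMU_MODES; i++) {
        table[i] = 100 + i;
    }
    return tlb_slot_lookup(arm_idx, NEW_COREIDX_MASK, NEW_NB_MMU_MODES,
                           table, &value);
}

int main(void)
{
    /* Constructed corrupt index: flag bit set, COREIDX field = 30. */
    unsigned bogus = IDX_FLAG_A | 0x1e;

    printf("old layout: %d unreachable slots\n",
           count_unreachable_slots(OLD_COREIDX_MASK, OLD_NB_MMU_MODES));
    printf("new layout: %d unreachable slots\n",
           count_unreachable_slots(NEW_COREIDX_MASK, NEW_NB_MMU_MODES));
    printf("unchecked: core idx %d against a %d-entry table\n",
           to_core_idx_unchecked(bogus, NEW_COREIDX_MASK), NEW_NB_MMU_MODES);
    printf("checked lookup: %s\n", demo_lookup(bogus) ? "ok" : "rejected");
    printf("checked lookup of valid idx: %s\n",
           demo_lookup(IDX_FLAG_M | 0x05) ? "ok" : "rejected");
    return 0;
}
```

The count_unreachable_slots() figures are the whole story of the Coverity finding: 0 under the old mask/table pair, 10 (indexes 22 through 31) under the new one. Whether the right response is the assert() in the patch or a recoverable -1 depends on whether the caller can do anything sensible with a corrupt index; in a TLB fast path, as the commit message argues, aborting loudly is preferable to a silent out-of-bounds read.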



Thread overview: 40+ messages
2025-10-31 18:32 [PULL 00/38] target-arm queue Peter Maydell
2025-10-31 18:32 ` [PULL 01/38] hw/gpio/pl061: Declare pullups/pulldowns as 8-bit types Peter Maydell
2025-10-31 18:32 ` [PULL 02/38] docs/system/arm/virt: Document user-creatable SMMUv3 Peter Maydell
2025-10-31 18:32 ` [PULL 03/38] docs/system/security: Restrict "virtualization use case" to specific machines Peter Maydell
2025-10-31 18:32 ` Peter Maydell [this message]
2025-10-31 18:32 ` [PULL 05/38] hw/arm/virt: Remove deprecated virt-4.1 machine Peter Maydell
2025-10-31 18:32 ` [PULL 06/38] hw/arm/virt: Remove VirtMachineClass::no_ged field Peter Maydell
2025-10-31 18:32 ` [PULL 07/38] hw/arm/virt: Remove deprecated virt-4.2 machine Peter Maydell
2025-10-31 18:32 ` [PULL 08/38] hw/arm/virt: Remove VirtMachineClass::kvm_no_adjvtime field Peter Maydell
2025-10-31 18:32 ` [PULL 09/38] target/arm/hvf: Release memory allocated by hv_vcpu_config_create() Peter Maydell
2025-10-31 18:32 ` [PULL 10/38] target/arm/hvf: Trace vCPU KICK events Peter Maydell
2025-10-31 18:32 ` [PULL 11/38] target/arm/hvf: Check hv_vcpus_exit() returned value Peter Maydell
2025-10-31 18:32 ` [PULL 12/38] target/arm/hvf: Check hv_vcpu_set_vtimer_mask() " Peter Maydell
2025-10-31 18:32 ` [PULL 13/38] accel/hvf: Rename hvf_vcpu_exec() -> hvf_arch_vcpu_exec() Peter Maydell
2025-10-31 18:32 ` [PULL 14/38] accel/hvf: Rename hvf_put|get_registers -> hvf_arch_put|get_registers Peter Maydell
2025-10-31 18:32 ` [PULL 15/38] target/arm/hvf: Mention flush_cpu_state() must run on vCPU thread Peter Maydell
2025-10-31 18:32 ` [PULL 16/38] accel/hvf: Mention hvf_arch_init_vcpu() " Peter Maydell
2025-10-31 18:32 ` [PULL 17/38] target/arm/hvf: Mention hvf_sync_vtimer() " Peter Maydell
2025-10-31 18:32 ` [PULL 18/38] target/arm/hvf: Mention hvf_arch_set_traps() " Peter Maydell
2025-10-31 18:32 ` [PULL 19/38] accel/hvf: Mention hvf_arch_update_guest_debug() must run on vCPU Peter Maydell
2025-10-31 18:32 ` [PULL 20/38] target/arm/hvf: Mention hvf_inject_interrupts() must run on vCPU thread Peter Maydell
2025-10-31 18:32 ` [PULL 21/38] accel/hvf: Implement hvf_arch_vcpu_destroy() Peter Maydell
2025-10-31 18:32 ` [PULL 22/38] target/arm/hvf: Hardcode Apple MIDR Peter Maydell
2025-10-31 18:32 ` [PULL 23/38] target/arm/hvf: Simplify hvf_arm_get_host_cpu_features() Peter Maydell
2025-10-31 18:32 ` [PULL 24/38] target/arm/hvf: switch hvf_arm_get_host_cpu_features to not create a vCPU Peter Maydell
2025-10-31 18:32 ` [PULL 25/38] target/arm/hvf: Factor hvf_handle_exception() out Peter Maydell
2025-10-31 18:32 ` [PULL 26/38] target/i386/hvf: Factor hvf_handle_vmexit() out Peter Maydell
2025-10-31 18:32 ` [PULL 27/38] target/arm/hvf: " Peter Maydell
2025-10-31 18:33 ` [PULL 28/38] target/arm/hvf: Keep calling hv_vcpu_run() in loop Peter Maydell
2025-10-31 18:33 ` [PULL 29/38] cpus: Trace cpu_exec_start() and cpu_exec_end() calls Peter Maydell
2025-10-31 18:33 ` [PULL 30/38] accel/hvf: Guard hv_vcpu_run() between cpu_exec_start/end() calls Peter Maydell
2025-10-31 18:33 ` [PULL 31/38] target/arm: Call aarch64_add_pauth_properties() once in host_initfn() Peter Maydell
2025-10-31 18:33 ` [PULL 32/38] accel/hvf: Restrict ARM specific fields of AccelCPUState Peter Maydell
2025-10-31 18:33 ` [PULL 33/38] target/arm: Rename init_cpreg_list() -> arm_init_cpreg_list() Peter Maydell
2025-10-31 18:33 ` [PULL 34/38] target/arm/hvf: Rename 'vgic' -> 'emu_reginfo' in trace events Peter Maydell
2025-10-31 18:33 ` [PULL 35/38] target/arm: Re-use arm_is_psci_call() in HVF Peter Maydell
2025-10-31 18:33 ` [PULL 36/38] target/arm: Share ARM_PSCI_CALL trace event between TCG and HVF Peter Maydell
2025-10-31 18:33 ` [PULL 37/38] target/arm/hvf/hvf: Document $pc adjustment in HVF & SMC Peter Maydell
2025-10-31 18:33 ` [PULL 38/38] accel/hvf: Trace prefetch abort Peter Maydell
2025-11-01 11:11 ` [PULL 00/38] target-arm queue Richard Henderson
