* [RFC PATCH] target/ppc: don't overflow SR lookup with 64 bit vaddr
@ 2025-11-27 17:19 Alex Bennée
From: Alex Bennée @ 2025-11-27 17:19 UTC (permalink / raw)
To: qemu-devel
Cc: Alex Bennée, Nicholas Piggin, Chinmay Rath,
open list:PowerPC TCG CPUs
One of the side effects of making vaddr always 64 bits is there are
places where we assume it is sized to the guest. As a result a simple
shift might bring in extra bits.
Using extract32 stops the crash in:
./pyvenv/bin/meson test qtest-ppc/prom-env-test
with TCI enabled but the test still hangs.
Over to you PPC maintainers ;-)
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
---
target/ppc/mmu-hash32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/ppc/mmu-hash32.c b/target/ppc/mmu-hash32.c
index 8b980a5aa90..ce9c86ceacd 100644
--- a/target/ppc/mmu-hash32.c
+++ b/target/ppc/mmu-hash32.c
@@ -342,7 +342,7 @@ bool ppc_hash32_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type,
}
/* 3. Look up the Segment Register */
- sr = env->sr[eaddr >> 28];
+ sr = env->sr[extract32(eaddr, 28, 4)];
/* 4. Handle direct store segments */
if (sr & SR32_T) {
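Review bot: the `+ sr = env->sr[extract32(eaddr, 28, 4)];` line keeps the index within the 16 segment registers, but it does so by silently discarding whatever set bits 32..63 of eaddr, and the commit message itself reports that the test still hangs afterwards, so the mask is treating the symptom of an out-of-range index rather than the cause. Since ppc_hash32_xlate implements a 32-bit MMU, a stricter alternative is to keep the shift and assert the invariant instead, for example `assert((eaddr >> 32) == 0);` before the lookup (a suggestion, not part of the patch), which would trip at the lookup and point back to the caller that widened the address with sign extension. If the mask is kept, a one-line comment noting that extract32() takes a uint32_t and that narrowing eaddr is intentional would save the next reader from wondering whether the implicit truncation was accidental.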
--
2.47.3
* Re: [RFC PATCH] target/ppc: don't overflow SR lookup with 64 bit vaddr
@ 2025-11-27 17:37 ` Peter Maydell
From: Peter Maydell @ 2025-11-27 17:37 UTC (permalink / raw)
To: Alex Bennée
Cc: qemu-devel, Nicholas Piggin, Chinmay Rath,
open list:PowerPC TCG CPUs
On Thu, 27 Nov 2025 at 17:20, Alex Bennée <alex.bennee@linaro.org> wrote:
>
> One of the side effects of making vaddr always 64 bits
vaddr has traditionally always been 64 bits, though.
(introduced in 2013 commit 577f42c0e11a5 as 'uint64_t').
Commit a70af12ad in February changed it the other way,
so that it is now uintptr_t instead of uint64_t, and might
be 32 bits on some hosts.
> is there are
> places where we assume it is sized to the guest. As a result a simple
> shift might bring in extra bits.
>
> Using extract32 stops the crash in:
>
> ./pyvenv/bin/meson test qtest-ppc/prom-env-test
>
> with TCI enabled but the test still hangs.
>
> Over to you PPC maintainers ;-)
But vaddr is an unsigned type -- why has something
sign-extended a 32-bit guest register value into it?
I think your problem is somewhere down in the callstack
where we are likely inadvertently sign-extending.
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> ---
> target/ppc/mmu-hash32.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/target/ppc/mmu-hash32.c b/target/ppc/mmu-hash32.c
> index 8b980a5aa90..ce9c86ceacd 100644
> --- a/target/ppc/mmu-hash32.c
> +++ b/target/ppc/mmu-hash32.c
> @@ -342,7 +342,7 @@ bool ppc_hash32_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type,
> }
>
> /* 3. Look up the Segment Register */
> - sr = env->sr[eaddr >> 28];
> + sr = env->sr[extract32(eaddr, 28, 4)];
>
> /* 4. Handle direct store segments */
> if (sr & SR32_T) {
> --
thanks
-- PMM
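To make the mechanism behind the crash and the sign-extension question in the reply concrete, here is an added example that is not from the patch or from QEMU: a 32-bit guest effective address with bit 31 set, widened through a signed type, indexes the segment register array far past its 16 entries with a plain shift, while an extract32-style mask clamps it and a fits-in-32-bits check would catch it. `my_extract32` is a local stand-in for QEMU's extract32(); `widen_signed`, the two index helpers, `eaddr_fits_32` and `NUM_SR` are constructed for the demonstration.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_SR 16  /* architected 32-bit PowerPC segment registers SR0..SR15 */

/* Stand-in with the semantics of QEMU's extract32(): bits [start, start+length)
 * of a 32-bit value. A 64-bit vaddr is narrowed to its low 32 bits on the way in. */
static uint32_t my_extract32(uint32_t value, int start, int length)
{
    assert(start >= 0 && length > 0 && start + length <= 32);
    return (value >> start) & (~0U >> (32 - length));
}

/* A 32-bit guest effective address widened through a signed type: bit 31 is
 * copied into bits 32..63. A plain (uint64_t) cast would have left them zero. */
static uint64_t widen_signed(uint32_t guest_ea)
{
    return (uint64_t)(int64_t)(int32_t)guest_ea;
}

/* Index before the patch: every set bit above 31 lands in the index. */
static uint64_t sr_index_shift(uint64_t eaddr)
{
    return eaddr >> 28;
}

/* Index after the patch: always 0..15, whatever the high bits hold. */
static uint32_t sr_index_extract(uint64_t eaddr)
{
    return my_extract32((uint32_t)eaddr, 28, 4);
}

/* The invariant a 32-bit MMU could assert instead of masking it away. */
static int eaddr_fits_32(uint64_t eaddr)
{
    return (eaddr >> 32) == 0;
}

int main(void)
{
    uint64_t bad = widen_signed(0xFFF00000u);  /* constructed: segment 15, bit 31 set */
    printf("shift index 0x%llx (%s), extract32 index %u, fits 32 bits: %d\n",
           (unsigned long long)sr_index_shift(bad),
           sr_index_shift(bad) < NUM_SR ? "in bounds" : "OUT OF BOUNDS",
           sr_index_extract(bad), eaddr_fits_32(bad));
    return 0;
}
```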