From: Chris Williams <diodesign@tuta.io>
To: Palmer Dabbelt <palmer@sifive.com>,
	Alistair Francis <alistair.francis@wdc.com>,
	Sagar Karandikar <sagark@eecs.berkeley.edu>,
	Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Cc: Qemu Riscv <qemu-riscv@nongnu.org>, Qemu Devel <qemu-devel@nongnu.org>
Subject: [PATCH v2 1/1] target/riscv/pmp: Fix bug preventing
Date: Sun, 6 Oct 2019 10:32:06 +0200 (CEST)
Message-ID: <LqVBb_I--3-1@tuta.io>

Hello. I hope you don't mind me resubmitting this patch. Please let me know if
I've formatted it incorrectly or if it needs more explanation. My previous
attempt probably wasn't formatted quite right. This is my first time
contributing to Qemu, so I'm keen to get it right - thanks.

This fixes an issue that prevents a RISC-V CPU from executing instructions
immediately from the base address of a PMP TOR region.

When jumping to an instruction in a PMP TOR region, pmp_hart_has_privs() is
called to validate the access. If this instruction is the very first word of a
PMP TOR region, at address 0 relative to the start address of the region, then
the access will fail. This is because pmp_hart_has_privs() is called with size
0 to perform this validation, causing this check...

e = pmp_is_in_range(env, i, addr + size - 1);

... to fail, as (addr + size - 1) falls below the base address of the PMP
region. Really, the access should succeed. For example, if I have a region
spanning 0x80d96000 to 0x88d95fff and the CPU jumps to 0x80d96000, then:

s = 0x80d96000
e = 0x80d95fff

And the validation fails. The size check proposed below catches these zero-size
instruction fetch access probes. The word alignment in pmpaddr{0-15} and
earlier instruction alignment checks should prevent the execution of
instructions over the upper boundary of the PMP region, though I'm happy to give
this more attention if this is a concern.

Signed-off-by: Chris Williams <diodesign@tuta.io>

diff --git a/target/riscv/pmp.c b/target/riscv/pmp.c
index d4f1007109..9308672e20 100644
--- a/target/riscv/pmp.c
+++ b/target/riscv/pmp.c
@@ -235,8 +235,9 @@ bool pmp_hart_has_privs(CPURISCVState *env, target_ulong
addr,
     /* 1.10 draft priv spec states there is an implicit order
          from low to high */
     for (i = 0; i < MAX_RISCV_PMPS; i++) {
+        /* catch zero-size instruction checks */
         s = pmp_is_in_range(env, i, addr);
-        e = pmp_is_in_range(env, i, addr + size - 1);
+        e = pmp_is_in_range(env, i, (size == 0) ? addr : addr + size - 1);

         /* partially inside */
         if ((s + e) == 1) {
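Review bot: the new comment "catch zero-size instruction checks" is placed above the unchanged `s = pmp_is_in_range(env, i, addr);` line rather than above the `e = ...` line whose computation it explains; move it directly above `e = pmp_is_in_range(env, i, (size == 0) ? addr : addr + size - 1);` and say what the guard does (a zero-size check is treated as a probe of the single byte at addr, so the end address can no longer fall one byte below the region base). The description says pmp_hart_has_privs() is called with size 0 but not by which caller; naming that caller in the commit message would let reviewers judge whether the instruction fetch path should pass its real access size instead of being special-cased here, which would also restore the upper-boundary check the description acknowledges is not covered by this change.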

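The range check described in the mail, as an added example that is not part of the patch or of QEMU: a stand-alone C model of the region test in pmp_hart_has_privs(), assuming a single TOR region with the bounds quoted above, that reproduces the zero-size failure and shows the patched end-address computation beside it.

```c
/* Added example, not QEMU's code: a stand-alone model of the PMP range
 * check described in the mail. The region bounds and the
 * pmp_is_in_range()/pmp_access_ok() helpers are constructed to mirror the
 * logic in target/riscv/pmp.c, not copied from it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t target_ulong;

/* Constructed TOR region from the mail: 0x80d96000 .. 0x88d95fff inclusive. */
static const target_ulong PMP_SA = 0x80d96000ULL;
static const target_ulong PMP_EA = 0x88d95fffULL;

/* Model of pmp_is_in_range(): 1 when addr lies inside the region, else 0. */
static int pmp_is_in_range(target_ulong addr)
{
    return (addr >= PMP_SA && addr <= PMP_EA) ? 1 : 0;
}

/* Model of the matching step in pmp_hart_has_privs(): an access matches the
 * region only if both its first and last byte are inside it. fixed=false
 * reproduces the original end computation, fixed=true applies the patch's
 * guard, which treats a zero-size probe as the single byte at addr.
 * In this one-region model an access that matches no region is rejected. */
static bool pmp_access_ok(target_ulong addr, target_ulong size, bool fixed)
{
    target_ulong last = (fixed && size == 0) ? addr : addr + size - 1;
    int s = pmp_is_in_range(addr);
    int e = pmp_is_in_range(last);

    if ((s + e) == 1) {
        return false;   /* partially inside the region: always rejected */
    }
    return (s + e) == 2;
}

int main(void)
{
    /* The case from the mail: jump to the first word of the region. */
    printf("size 0 at base, original: %s\n",
           pmp_access_ok(0x80d96000ULL, 0, false) ? "allowed" : "rejected");
    printf("size 0 at base, patched:  %s\n",
           pmp_access_ok(0x80d96000ULL, 0, true) ? "allowed" : "rejected");
    /* A 4-byte access straddling the lower boundary is still rejected. */
    printf("4 bytes at base-2, patched: %s\n",
           pmp_access_ok(0x80d95ffeULL, 4, true) ? "allowed" : "rejected");
    return 0;
}
```

With size 0 the original computation yields last = 0x80d95fff, one byte below the base, so s = 1 and e = 0 and the access is treated as partially inside; the guard makes both probes hit 0x80d96000.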