From patchwork Mon Apr 1 20:59:18 2019
X-Patchwork-Submitter: Michael Roth
X-Patchwork-Id: 161581
From: Michael Roth
To: qemu-devel@nongnu.org
Date: Mon, 1 Apr 2019 15:59:18 -0500
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190401210011.16009-1-mdroth@linux.vnet.ibm.com>
References: <20190401210011.16009-1-mdroth@linux.vnet.ibm.com>
Message-Id: <20190401210011.16009-45-mdroth@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH 44/97] target/arm: Fix cpu_get_tb_cpu_state() for non-SVE CPUs
Cc: Peter Maydell, Richard Henderson, qemu-stable@nongnu.org
From: Richard Henderson

Not only are the sve-related tb_flags fields unused when SVE is disabled,
but not all of the cpu registers are initialized properly for computing
same. This can corrupt other fields by ORing in -1, which might result
in QEMU crashing.

This bug was not present in 3.0, but this patch is cc'd to stable
because adf92eab90e3f5f34c285 where the bug was introduced was marked
for stable.

Fixes: adf92eab90e3f5f34c285
Cc: qemu-stable@nongnu.org (3.0.1)
Signed-off-by: Richard Henderson
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell
(cherry picked from commit e79b445d896deb61909be52b61b87c98a9ed96f7)
Signed-off-by: Michael Roth
---
 target/arm/helper.c | 45 ++++++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 21 deletions(-)

-- 
2.17.1

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 991b077e8f..7ee614c04f 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -12401,36 +12401,39 @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc, uint32_t flags; if (is_a64(env)) { - int sve_el = sve_exception_el(env); - uint32_t zcr_len; - *pc = env->pc; flags = ARM_TBFLAG_AARCH64_STATE_MASK; /* Get control bits for tagged addresses */ flags |= (arm_regime_tbi0(env, mmu_idx) << ARM_TBFLAG_TBI0_SHIFT); flags |= (arm_regime_tbi1(env, mmu_idx) << ARM_TBFLAG_TBI1_SHIFT); - flags |= sve_el << ARM_TBFLAG_SVEEXC_EL_SHIFT; - /* If SVE is disabled, but FP is enabled, - then the effective len is 0. */ - if (sve_el != 0 && fp_el == 0) { - zcr_len = 0; - } else { - int current_el = arm_current_el(env); - ARMCPU *cpu = arm_env_get_cpu(env); + if (arm_feature(env, ARM_FEATURE_SVE)) { + int sve_el = sve_exception_el(env); + uint32_t zcr_len; - zcr_len = cpu->sve_max_vq - 1; - if (current_el <= 1) { - zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[1]); - } - if (current_el < 2 && arm_feature(env, ARM_FEATURE_EL2)) { - zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[2]); - } - if (current_el < 3 && arm_feature(env, ARM_FEATURE_EL3)) { - zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[3]); + /* If SVE is disabled, but FP is enabled, + * then the effective len is 0. + */ + if (sve_el != 0 && fp_el == 0) { + zcr_len = 0; + } else { + int current_el = arm_current_el(env); + ARMCPU *cpu = arm_env_get_cpu(env); + + zcr_len = cpu->sve_max_vq - 1; + if (current_el <= 1) { + zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[1]); + } + if (current_el < 2 && arm_feature(env, ARM_FEATURE_EL2)) { + zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[2]); + } + if (current_el < 3 && arm_feature(env, ARM_FEATURE_EL3)) { + zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[3]); + } } + flags |= sve_el << ARM_TBFLAG_SVEEXC_EL_SHIFT; + flags |= zcr_len << ARM_TBFLAG_ZCR_LEN_SHIFT; } - flags |= zcr_len << ARM_TBFLAG_ZCR_LEN_SHIFT; } else { *pc = env->regs[15]; flags = (env->thumb << ARM_TBFLAG_THUMB_SHIFT)
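Review bot: the new `if (arm_feature(env, ARM_FEATURE_SVE))` guard has no else branch and no comment, so the fact that ARM_TBFLAG_SVEEXC_EL and ARM_TBFLAG_ZCR_LEN are deliberately left at zero for non-SVE CPUs (flags starts as ARM_TBFLAG_AARCH64_STATE_MASK and nothing else in this hunk touches those bits) is only implied; add a one-line comment at the guard stating that both fields are intentionally zero when SVE is absent, since inside the guard a zero zcr_len is a real value (`zcr_len = cpu->sve_max_vq - 1` with sve_max_vq == 1) and a reader could otherwise conflate the two encodings. Moving `flags |= sve_el << ARM_TBFLAG_SVEEXC_EL_SHIFT;` from before the zcr_len computation to after it is behaviour-neutral within the hunk, as sve_el is not modified in between and both OR operations now only happen when the feature is present, which is what stops the unused fields from being ORed in as the commit message describes. The relocated comment also gains a leading `*` on its continuation line, which is the preferred block-comment form and fine to keep.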