target/riscv/cpu_helper.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-)
Before changing the flow check for sv39/48/57.
According to specification (for Supervisor mode):
Sv39 implementations support a 39-bit virtual address space, divided into 4 KiB pages.
Instruction fetch addresses and load and store effective addresses, which are 64 bits,
must have bits 63–39 all equal to bit 38, or else a page-fault exception will occur.
Likewise for Sv48 and Sv57.
So the high bits are equal to bit 38 for sv39.
According to specification (for Hypervisor mode):
For Sv39x4, address bits of the guest physical address 63:41 must all be zeros, or else a
guest-page-fault exception occurs.
Likewise for Sv48x4 and Sv57x4.
For Sv48x4 address bits 63:50 must all be zeros, or else a guest-page-fault exception occurs.
For Sv57x4 address bits 63:59 must all be zeros, or else a guest-page-fault exception occurs.
For example we are trying to access address 0xffff_ffff_ff01_0000 with only G-translation enabled.
So expected behavior is to generate exception. But qemu doesn't generate such exception.
For the old check, we get
va_bits == 41, mask == (1 << 24) - 1, masked_msbs == (0xffff_ffff_ff01_0000 >> 40) & mask == mask.
Accordingly, the condition masked_msbs != 0 && masked_msbs != mask is not fulfilled
and the check passes.
Signed-off-by: Irina Ryapolova <irina.ryapolova@syntacore.com>
---
Changes for v2:
-Add more detailed commit message
---
target/riscv/cpu_helper.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index f88c503cf4..27289f2305 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -863,17 +863,24 @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,
CPUState *cs = env_cpu(env);
int va_bits = PGSHIFT + levels * ptidxbits + widened;
- target_ulong mask, masked_msbs;
- if (TARGET_LONG_BITS > (va_bits - 1)) {
- mask = (1L << (TARGET_LONG_BITS - (va_bits - 1))) - 1;
- } else {
- mask = 0;
- }
- masked_msbs = (addr >> (va_bits - 1)) & mask;
+ if (first_stage == true) {
+ target_ulong mask, masked_msbs;
+
+ if (TARGET_LONG_BITS > (va_bits - 1)) {
+ mask = (1L << (TARGET_LONG_BITS - (va_bits - 1))) - 1;
+ } else {
+ mask = 0;
+ }
+ masked_msbs = (addr >> (va_bits - 1)) & mask;
- if (masked_msbs != 0 && masked_msbs != mask) {
- return TRANSLATE_FAIL;
+ if (masked_msbs != 0 && masked_msbs != mask) {
+ return TRANSLATE_FAIL;
+ }
+ } else {
+ if (vm != VM_1_10_SV32 && addr >> va_bits != 0) {
+ return TRANSLATE_FAIL;
+ }
}
int ptshift = (levels - 1) * ptidxbits;
--
2.25.1
On Sat, Apr 8, 2023 at 1:34 AM Irina Ryapolova
<irina.ryapolova@syntacore.com> wrote:
>
> Before changing the flow check for sv39/48/57.
>
> According to specification (for Supervisor mode):
> Sv39 implementations support a 39-bit virtual address space, divided into 4 KiB pages.
> Instruction fetch addresses and load and store effective addresses, which are 64 bits,
> must have bits 63–39 all equal to bit 38, or else a page-fault exception will occur.
> Likewise for Sv48 and Sv57.
>
> So the high bits are equal to bit 38 for sv39.
>
> According to specification (for Hypervisor mode):
> For Sv39x4, address bits of the guest physical address 63:41 must all be zeros, or else a
> guest-page-fault exception occurs.
>
> Likewise for Sv48x4 and Sv57x4.
> For Sv48x4 address bits 63:50 must all be zeros, or else a guest-page-fault exception occurs.
> For Sv57x4 address bits 63:59 must all be zeros, or else a guest-page-fault exception occurs.
>
> For example we are trying to access address 0xffff_ffff_ff01_0000 with only G-translation enabled.
> So expected behavior is to generate exception. But qemu doesn't generate such exception.
>
> For the old check, we get
> va_bits == 41, mask == (1 << 24) - 1, masked_msbs == (0xffff_ffff_ff01_0000 >> 40) & mask == mask.
> Accordingly, the condition masked_msbs != 0 && masked_msbs != mask is not fulfilled
> and the check passes.
>
> Signed-off-by: Irina Ryapolova <irina.ryapolova@syntacore.com>
Do you mind rebasing this patch on
https://github.com/alistair23/qemu/tree/riscv-to-apply.next and
sending a v3?
Alistair
> ---
> Changes for v2:
> -Add more detailed commit message
> ---
> target/riscv/cpu_helper.c | 25 ++++++++++++++++---------
> 1 file changed, 16 insertions(+), 9 deletions(-)
>
> diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
> index f88c503cf4..27289f2305 100644
> --- a/target/riscv/cpu_helper.c
> +++ b/target/riscv/cpu_helper.c
> @@ -863,17 +863,24 @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,
>
> CPUState *cs = env_cpu(env);
> int va_bits = PGSHIFT + levels * ptidxbits + widened;
> - target_ulong mask, masked_msbs;
>
> - if (TARGET_LONG_BITS > (va_bits - 1)) {
> - mask = (1L << (TARGET_LONG_BITS - (va_bits - 1))) - 1;
> - } else {
> - mask = 0;
> - }
> - masked_msbs = (addr >> (va_bits - 1)) & mask;
> + if (first_stage == true) {
> + target_ulong mask, masked_msbs;
> +
> + if (TARGET_LONG_BITS > (va_bits - 1)) {
> + mask = (1L << (TARGET_LONG_BITS - (va_bits - 1))) - 1;
> + } else {
> + mask = 0;
> + }
> + masked_msbs = (addr >> (va_bits - 1)) & mask;
>
> - if (masked_msbs != 0 && masked_msbs != mask) {
> - return TRANSLATE_FAIL;
> + if (masked_msbs != 0 && masked_msbs != mask) {
> + return TRANSLATE_FAIL;
> + }
> + } else {
> + if (vm != VM_1_10_SV32 && addr >> va_bits != 0) {
> + return TRANSLATE_FAIL;
> + }
> }
>
> int ptshift = (levels - 1) * ptidxbits;
> --
> 2.25.1
>
>
On Sat, Apr 8, 2023 at 1:34 AM Irina Ryapolova
<irina.ryapolova@syntacore.com> wrote:
>
> Before changing the flow check for sv39/48/57.
>
> According to specification (for Supervisor mode):
> Sv39 implementations support a 39-bit virtual address space, divided into 4 KiB pages.
> Instruction fetch addresses and load and store effective addresses, which are 64 bits,
> must have bits 63–39 all equal to bit 38, or else a page-fault exception will occur.
> Likewise for Sv48 and Sv57.
>
> So the high bits are equal to bit 38 for sv39.
>
> According to specification (for Hypervisor mode):
> For Sv39x4, address bits of the guest physical address 63:41 must all be zeros, or else a
> guest-page-fault exception occurs.
>
> Likewise for Sv48x4 and Sv57x4.
> For Sv48x4 address bits 63:50 must all be zeros, or else a guest-page-fault exception occurs.
> For Sv57x4 address bits 63:59 must all be zeros, or else a guest-page-fault exception occurs.
>
> For example we are trying to access address 0xffff_ffff_ff01_0000 with only G-translation enabled.
> So expected behavior is to generate exception. But qemu doesn't generate such exception.
>
> For the old check, we get
> va_bits == 41, mask == (1 << 24) - 1, masked_msbs == (0xffff_ffff_ff01_0000 >> 40) & mask == mask.
> Accordingly, the condition masked_msbs != 0 && masked_msbs != mask is not fulfilled
> and the check passes.
>
> Signed-off-by: Irina Ryapolova <irina.ryapolova@syntacore.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Alistair
> ---
> Changes for v2:
> -Add more detailed commit message
> ---
> target/riscv/cpu_helper.c | 25 ++++++++++++++++---------
> 1 file changed, 16 insertions(+), 9 deletions(-)
>
> diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
> index f88c503cf4..27289f2305 100644
> --- a/target/riscv/cpu_helper.c
> +++ b/target/riscv/cpu_helper.c
> @@ -863,17 +863,24 @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,
>
> CPUState *cs = env_cpu(env);
> int va_bits = PGSHIFT + levels * ptidxbits + widened;
> - target_ulong mask, masked_msbs;
>
> - if (TARGET_LONG_BITS > (va_bits - 1)) {
> - mask = (1L << (TARGET_LONG_BITS - (va_bits - 1))) - 1;
> - } else {
> - mask = 0;
> - }
> - masked_msbs = (addr >> (va_bits - 1)) & mask;
> + if (first_stage == true) {
> + target_ulong mask, masked_msbs;
> +
> + if (TARGET_LONG_BITS > (va_bits - 1)) {
> + mask = (1L << (TARGET_LONG_BITS - (va_bits - 1))) - 1;
> + } else {
> + mask = 0;
> + }
> + masked_msbs = (addr >> (va_bits - 1)) & mask;
>
> - if (masked_msbs != 0 && masked_msbs != mask) {
> - return TRANSLATE_FAIL;
> + if (masked_msbs != 0 && masked_msbs != mask) {
> + return TRANSLATE_FAIL;
> + }
> + } else {
> + if (vm != VM_1_10_SV32 && addr >> va_bits != 0) {
> + return TRANSLATE_FAIL;
> + }
> }
>
> int ptshift = (levels - 1) * ptidxbits;
> --
> 2.25.1
>
>
On 2023/4/7 23:32, Irina Ryapolova wrote:
> Before changing the flow check for sv39/48/57.
>
> According to specification (for Supervisor mode):
> Sv39 implementations support a 39-bit virtual address space, divided into 4 KiB pages.
> Instruction fetch addresses and load and store effective addresses, which are 64 bits,
> must have bits 63–39 all equal to bit 38, or else a page-fault exception will occur.
> Likewise for Sv48 and Sv57.
>
> So the high bits are equal to bit 38 for sv39.
>
> According to specification (for Hypervisor mode):
> For Sv39x4, address bits of the guest physical address 63:41 must all be zeros, or else a
> guest-page-fault exception occurs.
>
> Likewise for Sv48x4 and Sv57x4.
> For Sv48x4 address bits 63:50 must all be zeros, or else a guest-page-fault exception occurs.
> For Sv57x4 address bits 63:59 must all be zeros, or else a guest-page-fault exception occurs.
>
> For example we are trying to access address 0xffff_ffff_ff01_0000 with only G-translation enabled.
> So expected behavior is to generate exception. But qemu doesn't generate such exception.
>
> For the old check, we get
> va_bits == 41, mask == (1 << 24) - 1, masked_msbs == (0xffff_ffff_ff01_0000 >> 40) & mask == mask.
> Accordingly, the condition masked_msbs != 0 && masked_msbs != mask is not fulfilled
> and the check passes.
>
> Signed-off-by: Irina Ryapolova <irina.ryapolova@syntacore.com>
> ---
> Changes for v2:
> -Add more detailed commit message
Reviewed-by: Weiwei Li <liweiwei@iscas.ac.cn>
I remember I have sent Reviewed-by for last version of this patch. And
it seems no change in following code.
Weiwei Li
> ---
> target/riscv/cpu_helper.c | 25 ++++++++++++++++---------
> 1 file changed, 16 insertions(+), 9 deletions(-)
>
> diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
> index f88c503cf4..27289f2305 100644
> --- a/target/riscv/cpu_helper.c
> +++ b/target/riscv/cpu_helper.c
> @@ -863,17 +863,24 @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,
>
> CPUState *cs = env_cpu(env);
> int va_bits = PGSHIFT + levels * ptidxbits + widened;
> - target_ulong mask, masked_msbs;
>
> - if (TARGET_LONG_BITS > (va_bits - 1)) {
> - mask = (1L << (TARGET_LONG_BITS - (va_bits - 1))) - 1;
> - } else {
> - mask = 0;
> - }
> - masked_msbs = (addr >> (va_bits - 1)) & mask;
> + if (first_stage == true) {
> + target_ulong mask, masked_msbs;
> +
> + if (TARGET_LONG_BITS > (va_bits - 1)) {
> + mask = (1L << (TARGET_LONG_BITS - (va_bits - 1))) - 1;
> + } else {
> + mask = 0;
> + }
> + masked_msbs = (addr >> (va_bits - 1)) & mask;
>
> - if (masked_msbs != 0 && masked_msbs != mask) {
> - return TRANSLATE_FAIL;
> + if (masked_msbs != 0 && masked_msbs != mask) {
> + return TRANSLATE_FAIL;
> + }
> + } else {
> + if (vm != VM_1_10_SV32 && addr >> va_bits != 0) {
> + return TRANSLATE_FAIL;
> + }
> }
>
> int ptshift = (levels - 1) * ptidxbits;
© 2016 - 2024 Red Hat, Inc.