target/ppc/translate/vsx-impl.c.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
The move to decodetree flipped the inequality test for the VEC / VSX
MSR facility check.
This caused application crashes under Linux, where these facility
unavailable interrupts are used for lazy-switching of VEC/VSX register
sets. Getting the incorrect interrupt would result in wrong registers
being loaded, potentially overwriting live values and/or exposing
stale ones.
Cc: qemu-stable@nongnu.org
Reported-by: Joel Stanley <joel@jms.id.au>
Fixes: 70426b5bb738 ("target/ppc: moved stxvx and lxvx from legacy to decodtree")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1769
Tested-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
target/ppc/translate/vsx-impl.c.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
index 6db87ab336..0266f09119 100644
--- a/target/ppc/translate/vsx-impl.c.inc
+++ b/target/ppc/translate/vsx-impl.c.inc
@@ -2268,7 +2268,7 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ,
static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired)
{
- if (paired || a->rt >= 32) {
+ if (paired || a->rt < 32) {
REQUIRE_VSX(ctx);
} else {
REQUIRE_VECTOR(ctx);
--
2.42.0Nicholas Piggin <npiggin@gmail.com> writes:
> The move to decodetree flipped the inequality test for the VEC / VSX
> MSR facility check.
>
> This caused application crashes under Linux, where these facility
> unavailable interrupts are used for lazy-switching of VEC/VSX register
> sets. Getting the incorrect interrupt would result in wrong registers
> being loaded, potentially overwriting live values and/or exposing
> stale ones.
>
> Cc: qemu-stable@nongnu.org
> Reported-by: Joel Stanley <joel@jms.id.au>
> Fixes: 70426b5bb738 ("target/ppc: moved stxvx and lxvx from legacy to decodtree")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1769
> Tested-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> ---
> target/ppc/translate/vsx-impl.c.inc | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
> index 6db87ab336..0266f09119 100644
> --- a/target/ppc/translate/vsx-impl.c.inc
> +++ b/target/ppc/translate/vsx-impl.c.inc
> @@ -2268,7 +2268,7 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ,
>
> static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired)
> {
> - if (paired || a->rt >= 32) {
> + if (paired || a->rt < 32) {
> REQUIRE_VSX(ctx);
> } else {
> REQUIRE_VECTOR(ctx);
What about the X-form down below?
static bool do_lstxv_X(DisasContext *ctx, arg_X *a, bool store, bool paired)
{
if (paired || a->rt >= 32) {
REQUIRE_VSX(ctx);
} else {
REQUIRE_VECTOR(ctx);
}
return do_lstxv(ctx, a->ra, cpu_gpr[a->rb], a->rt, store, paired);
}
Hi Fabiano,
On 9/10/24 04:36, Fabiano Rosas wrote:
> Nicholas Piggin <npiggin@gmail.com> writes:
>
>> The move to decodetree flipped the inequality test for the VEC / VSX
>> MSR facility check.
>>
>> This caused application crashes under Linux, where these facility
>> unavailable interrupts are used for lazy-switching of VEC/VSX register
>> sets. Getting the incorrect interrupt would result in wrong registers
>> being loaded, potentially overwriting live values and/or exposing
>> stale ones.
>>
>> Cc: qemu-stable@nongnu.org
>> Reported-by: Joel Stanley <joel@jms.id.au>
>> Fixes: 70426b5bb738 ("target/ppc: moved stxvx and lxvx from legacy to decodtree")
>> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1769
>> Tested-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
>> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
>> ---
>> target/ppc/translate/vsx-impl.c.inc | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
>> index 6db87ab336..0266f09119 100644
>> --- a/target/ppc/translate/vsx-impl.c.inc
>> +++ b/target/ppc/translate/vsx-impl.c.inc
>> @@ -2268,7 +2268,7 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ,
>>
>> static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired)
>> {
>> - if (paired || a->rt >= 32) {
>> + if (paired || a->rt < 32) {
>> REQUIRE_VSX(ctx);
>> } else {
>> REQUIRE_VECTOR(ctx);
>
> What about the X-form down below?
>
> static bool do_lstxv_X(DisasContext *ctx, arg_X *a, bool store, bool paired)
> {
> if (paired || a->rt >= 32) {
> REQUIRE_VSX(ctx);
> } else {
> REQUIRE_VECTOR(ctx);
> }
>
> return do_lstxv(ctx, a->ra, cpu_gpr[a->rb], a->rt, store, paired);
> }
Thanks for catching this. I have posted the fix here:
https://lore.kernel.org/qemu-devel/20240913043827.914457-1-harshpb@linux.ibm.com/T/#u
regards,
Harsh
On 2/13/24 09:39, Nicholas Piggin wrote:
> The move to decodetree flipped the inequality test for the VEC / VSX
> MSR facility check.
>
> This caused application crashes under Linux, where these facility
> unavailable interrupts are used for lazy-switching of VEC/VSX register
> sets. Getting the incorrect interrupt would result in wrong registers
> being loaded, potentially overwriting live values and/or exposing
> stale ones.
>
> Cc: qemu-stable@nongnu.org
> Reported-by: Joel Stanley <joel@jms.id.au>
> Fixes: 70426b5bb738 ("target/ppc: moved stxvx and lxvx from legacy to decodtree")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1769
> Tested-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
with a RHEL9 image.
Thanks,
C.
> ---
> target/ppc/translate/vsx-impl.c.inc | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
> index 6db87ab336..0266f09119 100644
> --- a/target/ppc/translate/vsx-impl.c.inc
> +++ b/target/ppc/translate/vsx-impl.c.inc
> @@ -2268,7 +2268,7 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ,
>
> static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired)
> {
> - if (paired || a->rt >= 32) {
> + if (paired || a->rt < 32) {
> REQUIRE_VSX(ctx);
> } else {
> REQUIRE_VECTOR(ctx);
On 2/13/24 14:09, Nicholas Piggin wrote:
> The move to decodetree flipped the inequality test for the VEC / VSX
> MSR facility check.
>
> This caused application crashes under Linux, where these facility
> unavailable interrupts are used for lazy-switching of VEC/VSX register
> sets. Getting the incorrect interrupt would result in wrong registers
> being loaded, potentially overwriting live values and/or exposing
> stale ones.
>
> Cc: qemu-stable@nongnu.org
> Reported-by: Joel Stanley <joel@jms.id.au>
> Fixes: 70426b5bb738 ("target/ppc: moved stxvx and lxvx from legacy to decodtree")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1769
> Tested-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> ---
> target/ppc/translate/vsx-impl.c.inc | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
> index 6db87ab336..0266f09119 100644
> --- a/target/ppc/translate/vsx-impl.c.inc
> +++ b/target/ppc/translate/vsx-impl.c.inc
> @@ -2268,7 +2268,7 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ,
>
> static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired)
> {
> - if (paired || a->rt >= 32) {
> + if (paired || a->rt < 32) {
Thanks for catching this,
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
> REQUIRE_VSX(ctx);
> } else {
> REQUIRE_VECTOR(ctx);
© 2016 - 2024 Red Hat, Inc.