From: rail5 <andrew@rail5.org>
The LDPTE helper loads a page table entry (or huge page entry) from guest
memory and currently applies the PALEN mask to the whole 64-bit value.
That mask is intended to constrain the physical address bits, but masking
the full entry also clears upper permission bits in the PTE, including NX
(bit 62). As a result, LoongArch TCG can incorrectly allow instruction
fetches from NX mappings when translation is driven through software
page-walk.
Fix this by masking only the PPN/address field with PALEN while preserving
permission bits, and by clearing any non-architectural (software) bits
using a hardware PTE mask. LDDIR is unchanged since it returns the base
address of the next page table level.
Reported at: https://gitlab.com/qemu-project/qemu/-/issues/3319
Fixes: 56599a705f2 ("target/loongarch: Introduce loongarch_palen_mask()")
Cc: qemu-stable@nongnu.org
Signed-off-by: rail5 (Andrew S. Rightenburg) <andrew@rail5.org>
---
target/loongarch/cpu.c | 11 +++++++++++
target/loongarch/cpu.h | 1 +
target/loongarch/tcg/tlb_helper.c | 25 ++++++++++++++++++++++---
3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/target/loongarch/cpu.c b/target/loongarch/cpu.c
index 8e8b10505d..e22568c84a 100644
--- a/target/loongarch/cpu.c
+++ b/target/loongarch/cpu.c
@@ -596,6 +596,17 @@ static void loongarch_cpu_reset_hold(Object *obj, ResetType type)
#ifdef CONFIG_TCG
env->fcsr0_mask = FCSR0_M1 | FCSR0_M2 | FCSR0_M3;
+
+ if (is_la64(env)) {
+ env->hw_pte_mask = MAKE_64BIT_MASK(0, 9) |
+ R_TLBENTRY_64_PPN_MASK |
+ R_TLBENTRY_64_NR_MASK |
+ R_TLBENTRY_64_NX_MASK |
+ R_TLBENTRY_64_RPLV_MASK;
+ } else {
+ env->hw_pte_mask = MAKE_64BIT_MASK(0, 9) |
+ R_TLBENTRY_32_PPN_MASK;
+ }
#endif
env->fcsr0 = 0x0;
diff --git a/target/loongarch/cpu.h b/target/loongarch/cpu.h
index d2dfdc8520..4d333806ed 100644
--- a/target/loongarch/cpu.h
+++ b/target/loongarch/cpu.h
@@ -406,6 +406,7 @@ typedef struct CPUArchState {
uint64_t llval;
uint64_t llval_high; /* For 128-bit atomic SC.Q */
uint64_t llbit_scq; /* Potential LL.D+LD.D+SC.Q sequence in effect */
+ uint64_t hw_pte_mask; /* Mask of architecturally-defined (hardware) PTE bits. */
#endif
#ifndef CONFIG_USER_ONLY
#ifdef CONFIG_TCG
diff --git a/target/loongarch/tcg/tlb_helper.c b/target/loongarch/tcg/tlb_helper.c
index c1dc77a8f8..6581b3b898 100644
--- a/target/loongarch/tcg/tlb_helper.c
+++ b/target/loongarch/tcg/tlb_helper.c
@@ -686,6 +686,21 @@ bool loongarch_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
cpu_loop_exit_restore(cs, retaddr);
}
+static inline uint64_t loongarch_sanitize_hw_pte(CPULoongArchState *env,
+ uint64_t pte)
+{
+ uint64_t palen_mask = loongarch_palen_mask(env);
+ uint64_t ppn_mask = is_la64(env) ? R_TLBENTRY_64_PPN_MASK : R_TLBENTRY_32_PPN_MASK;
+
+ /*
+ * Keep only architecturally-defined PTE bits. Guests may use some
+ * otherwise-unused bits for software purposes.
+ */
+ pte &= env->hw_pte_mask;
+
+ return (pte & ~ppn_mask) | ((pte & ppn_mask) & palen_mask);
+}
+
target_ulong helper_lddir(CPULoongArchState *env, target_ulong base,
uint32_t level, uint32_t mem_idx)
{
@@ -729,6 +744,7 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
{
CPUState *cs = env_cpu(env);
hwaddr phys, tmp0, ptindex, ptoffset0, ptoffset1;
+ uint64_t pte_raw;
uint64_t badv;
uint64_t ptbase = FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTBASE);
uint64_t ptwidth = FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTWIDTH);
@@ -744,7 +760,6 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
* and the other is the huge page entry,
* whose bit 6 should be 1.
*/
- base = base & palen_mask;
if (FIELD_EX64(base, TLBENTRY, HUGE)) {
/*
* Gets the huge page level and Gets huge page size.
@@ -768,10 +783,11 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
* when loaded into the tlb,
* so the tlb page size needs to be divided by 2.
*/
- tmp0 = base;
+ tmp0 = loongarch_sanitize_hw_pte(env, base);
if (odd) {
tmp0 += MAKE_64BIT_MASK(ps, 1);
}
+ tmp0 = loongarch_sanitize_hw_pte(env, tmp0);
if (!check_ps(env, ps)) {
qemu_log_mask(LOG_GUEST_ERROR, "Illegal huge pagesize %d\n", ps);
@@ -780,12 +796,15 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
} else {
badv = env->CSR_TLBRBADV;
+ base = base & palen_mask;
+
ptindex = (badv >> ptbase) & ((1 << ptwidth) - 1);
ptindex = ptindex & ~0x1; /* clear bit 0 */
ptoffset0 = ptindex << 3;
ptoffset1 = (ptindex + 1) << 3;
phys = base | (odd ? ptoffset1 : ptoffset0);
- tmp0 = ldq_le_phys(cs->as, phys) & palen_mask;
+ pte_raw = ldq_le_phys(cs->as, phys);
+ tmp0 = loongarch_sanitize_hw_pte(env, pte_raw);
ps = ptbase;
}
--
2.47.3
On 2026/3/6 下午3:33, Andrew S. Rightenburg via qemu development wrote:
> From: rail5 <andrew@rail5.org>
>
> The LDPTE helper loads a page table entry (or huge page entry) from guest
> memory and currently applies the PALEN mask to the whole 64-bit value.
>
> That mask is intended to constrain the physical address bits, but masking
> the full entry also clears upper permission bits in the PTE, including NX
> (bit 62). As a result, LoongArch TCG can incorrectly allow instruction
> fetches from NX mappings when translation is driven through software
> page-walk.
>
> Fix this by masking only the PPN/address field with PALEN while preserving
> permission bits, and by clearing any non-architectural (software) bits
> using a hardware PTE mask. LDDIR is unchanged since it returns the base
> address of the next page table level.
>
> Reported at: https://gitlab.com/qemu-project/qemu/-/issues/3319
>
> Fixes: 56599a705f2 ("target/loongarch: Introduce loongarch_palen_mask()")
> Cc: qemu-stable@nongnu.org
> Signed-off-by: rail5 (Andrew S. Rightenburg) <andrew@rail5.org>
> ---
> target/loongarch/cpu.c | 11 +++++++++++
> target/loongarch/cpu.h | 1 +
> target/loongarch/tcg/tlb_helper.c | 25 ++++++++++++++++++++++---
> 3 files changed, 34 insertions(+), 3 deletions(-)
>
> diff --git a/target/loongarch/cpu.c b/target/loongarch/cpu.c
> index 8e8b10505d..e22568c84a 100644
> --- a/target/loongarch/cpu.c
> +++ b/target/loongarch/cpu.c
> @@ -596,6 +596,17 @@ static void loongarch_cpu_reset_hold(Object *obj, ResetType type)
>
> #ifdef CONFIG_TCG
> env->fcsr0_mask = FCSR0_M1 | FCSR0_M2 | FCSR0_M3;
> +
> + if (is_la64(env)) {
> + env->hw_pte_mask = MAKE_64BIT_MASK(0, 9) |
> + R_TLBENTRY_64_PPN_MASK |
> + R_TLBENTRY_64_NR_MASK |
> + R_TLBENTRY_64_NX_MASK |
> + R_TLBENTRY_64_RPLV_MASK;
> + } else {
> + env->hw_pte_mask = MAKE_64BIT_MASK(0, 9) |
> + R_TLBENTRY_32_PPN_MASK;
> + }
> #endif
> env->fcsr0 = 0x0;
>
> diff --git a/target/loongarch/cpu.h b/target/loongarch/cpu.h
> index d2dfdc8520..4d333806ed 100644
> --- a/target/loongarch/cpu.h
> +++ b/target/loongarch/cpu.h
> @@ -406,6 +406,7 @@ typedef struct CPUArchState {
> uint64_t llval;
> uint64_t llval_high; /* For 128-bit atomic SC.Q */
> uint64_t llbit_scq; /* Potential LL.D+LD.D+SC.Q sequence in effect */
> + uint64_t hw_pte_mask; /* Mask of architecturally-defined (hardware) PTE bits. */
> #endif
> #ifndef CONFIG_USER_ONLY
> #ifdef CONFIG_TCG
> diff --git a/target/loongarch/tcg/tlb_helper.c b/target/loongarch/tcg/tlb_helper.c
> index c1dc77a8f8..6581b3b898 100644
> --- a/target/loongarch/tcg/tlb_helper.c
> +++ b/target/loongarch/tcg/tlb_helper.c
> @@ -686,6 +686,21 @@ bool loongarch_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
> cpu_loop_exit_restore(cs, retaddr);
> }
>
> +static inline uint64_t loongarch_sanitize_hw_pte(CPULoongArchState *env,
> + uint64_t pte)
> +{
> + uint64_t palen_mask = loongarch_palen_mask(env);
> + uint64_t ppn_mask = is_la64(env) ? R_TLBENTRY_64_PPN_MASK : R_TLBENTRY_32_PPN_MASK;
> +
> + /*
> + * Keep only architecturally-defined PTE bits. Guests may use some
> + * otherwise-unused bits for software purposes.
> + */
> + pte &= env->hw_pte_mask;
> +
> + return (pte & ~ppn_mask) | ((pte & ppn_mask) & palen_mask);
> +}
> +
> target_ulong helper_lddir(CPULoongArchState *env, target_ulong base,
> uint32_t level, uint32_t mem_idx)
> {
> @@ -729,6 +744,7 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
> {
> CPUState *cs = env_cpu(env);
> hwaddr phys, tmp0, ptindex, ptoffset0, ptoffset1;
> + uint64_t pte_raw;
> uint64_t badv;
> uint64_t ptbase = FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTBASE);
> uint64_t ptwidth = FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTWIDTH);
> @@ -744,7 +760,6 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
> * and the other is the huge page entry,
> * whose bit 6 should be 1.
> */
> - base = base & palen_mask;
> if (FIELD_EX64(base, TLBENTRY, HUGE)) {
> /*
> * Gets the huge page level and Gets huge page size.
> @@ -768,10 +783,11 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
> * when loaded into the tlb,
> * so the tlb page size needs to be divided by 2.
> */
> - tmp0 = base;
> + tmp0 = loongarch_sanitize_hw_pte(env, base);
> if (odd) {
> tmp0 += MAKE_64BIT_MASK(ps, 1);
> }
> + tmp0 = loongarch_sanitize_hw_pte(env, tmp0);
Hi Andrew,
I think that duplicated calling with loongarch_sanitize_hw_pte() is
unnecessary, the other looks good to me.
Thanks for doing this.
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
>
> if (!check_ps(env, ps)) {
> qemu_log_mask(LOG_GUEST_ERROR, "Illegal huge pagesize %d\n", ps);
> @@ -780,12 +796,15 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
> } else {
> badv = env->CSR_TLBRBADV;
>
> + base = base & palen_mask;
> +
> ptindex = (badv >> ptbase) & ((1 << ptwidth) - 1);
> ptindex = ptindex & ~0x1; /* clear bit 0 */
> ptoffset0 = ptindex << 3;
> ptoffset1 = (ptindex + 1) << 3;
> phys = base | (odd ? ptoffset1 : ptoffset0);
> - tmp0 = ldq_le_phys(cs->as, phys) & palen_mask;
> + pte_raw = ldq_le_phys(cs->as, phys);
> + tmp0 = loongarch_sanitize_hw_pte(env, pte_raw);
> ps = ptbase;
> }
>
>
© 2016 - 2026 Red Hat, Inc.