[PATCH] target/riscv: Remove unconditional MENVCFG_CDE from mask

Zishun Yi posted 1 patch 2 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20260511040534.2862443-1-vulab@iscas.ac.cn
Maintainers: Palmer Dabbelt <palmer@dabbelt.com>, Alistair Francis <alistair.francis@wdc.com>, Weiwei Li <liwei1518@gmail.com>, Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>, Liu Zhiwei <zhiwei_liu@linux.alibaba.com>, Chao Liu <chao.liu.zevorn@gmail.com>
target/riscv/csr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] target/riscv: Remove unconditional MENVCFG_CDE from mask
Posted by Zishun Yi 2 weeks ago
Currently, the MENVCFG_CDE (Counter Delegation Enable) bit is
unconditionally included in the base write mask for CSR_MENVCFG.
This makes the subsequent conditional check
`(cfg->ext_smcdeleg ? MENVCFG_CDE : 0)` completely ineffective,
as a bitwise OR cannot clear a bit that is already set.

Fix this by removing MENVCFG_CDE from the initial base mask. The bit
will now only be writable when explicitly granted by the `ext_smcdeleg`
configuration.

This issue was discovered and reported by SpecHunter, an AI-driven
architecture specification analysis tool.

Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2601/qemu.txt
Signed-off-by: Zishun Yi <vulab@iscas.ac.cn>
---
 target/riscv/csr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index da366cf56271..f6bcf128a147 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -3175,7 +3175,7 @@ static RISCVException write_menvcfg(CPURISCVState *env, int csrno,
 {
     const RISCVCPUConfig *cfg = riscv_cpu_cfg(env);
     uint64_t mask = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE |
-                    MENVCFG_CBZE | MENVCFG_CDE;
+                    MENVCFG_CBZE;
     bool stce_changed = false;
 
     if (riscv_cpu_mxl(env) == MXL_RV64) {
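Review bot: the conditional `(cfg->ext_smcdeleg ? MENVCFG_CDE : 0)` that the commit message relies on is outside this hunk's context, so it should be confirmed that it is still ORed into `mask` later in write_menvcfg and that the RV64-only block opened by the last context line does not re-add MENVCFG_CDE unconditionally. With this change a guest write that sets MENVCFG_CDE on a CPU without Smcdeleg is silently masked off instead of being stored, which is the intended WARL behaviour; a sentence in the commit message stating that guest-visible effect would make the behavioural change explicit for anyone bisecting to it.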
-- 
2.51.2
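To make the masking bug concrete, here is an added example (not QEMU's code) that models the write mask of write_menvcfg before and after the patch and applies it WARL-style to a guest write. The bit positions are assumed from the RISC-V privileged spec layout of menvcfg, and `cpu_cfg` is a hypothetical stand-in for the relevant field of RISCVCPUConfig.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* menvcfg bit positions as assumed here from the privileged spec;
 * the names mirror QEMU's macros but the definitions are this example's. */
#define MENVCFG_FIOM   (1ULL << 0)
#define MENVCFG_CBIE   (3ULL << 4)
#define MENVCFG_CBCFE  (1ULL << 6)
#define MENVCFG_CBZE   (1ULL << 7)
#define MENVCFG_CDE    (1ULL << 60)

/* Hypothetical stand-in for RISCVCPUConfig: only the field used here. */
typedef struct { bool ext_smcdeleg; } cpu_cfg;

/* Mask as computed before the patch: CDE sits in the base mask, so the
 * conditional OR below cannot remove it when Smcdeleg is disabled. */
static uint64_t menvcfg_mask_before(const cpu_cfg *cfg)
{
    uint64_t mask = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE |
                    MENVCFG_CBZE | MENVCFG_CDE;
    mask |= (cfg->ext_smcdeleg ? MENVCFG_CDE : 0);
    return mask;
}

/* Mask after the patch: CDE is writable only when Smcdeleg grants it. */
static uint64_t menvcfg_mask_after(const cpu_cfg *cfg)
{
    uint64_t mask = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE |
                    MENVCFG_CBZE;
    mask |= (cfg->ext_smcdeleg ? MENVCFG_CDE : 0);
    return mask;
}

/* WARL-style CSR update: bits outside the mask keep their old value. */
static uint64_t csr_write_masked(uint64_t old, uint64_t val, uint64_t mask)
{
    return (old & ~mask) | (val & mask);
}

int main(void)
{
    cpu_cfg no_cde = { .ext_smcdeleg = false };
    uint64_t guest_write = MENVCFG_CDE | MENVCFG_FIOM; /* constructed input */
    uint64_t before = csr_write_masked(0, guest_write, menvcfg_mask_before(&no_cde));
    uint64_t after  = csr_write_masked(0, guest_write, menvcfg_mask_after(&no_cde));
    printf("without Smcdeleg: before=%#llx after=%#llx\n",
           (unsigned long long)before, (unsigned long long)after);
    return 0;
}
```

Without Smcdeleg the old mask lets the guest latch CDE, while the patched mask keeps it clear and only FIOM survives the write.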
Re: [PATCH] target/riscv: Remove unconditional MENVCFG_CDE from mask
Posted by Alistair Francis 1 week ago
On Mon, May 11, 2026 at 2:10 PM Zishun Yi <vulab@iscas.ac.cn> wrote:
>
> Currently, the MENVCFG_CDE (Counter Delegation Enable) bit is
> unconditionally included in the base write mask for CSR_MENVCFG.
> This makes the subsequent conditional check
> `(cfg->ext_smcdeleg ? MENVCFG_CDE : 0)` completely ineffective,
> as a bitwise OR cannot clear a bit that is already set.
>
> Fix this by removing MENVCFG_CDE from the initial base mask. The bit
> will now only be writable when explicitly granted by the `ext_smcdeleg`
> configuration.
>
> This issue was discovered and reported by SpecHunter, an AI-driven
> architecture specification analysis tool.
>
> Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2601/qemu.txt
> Signed-off-by: Zishun Yi <vulab@iscas.ac.cn>

Thanks!

Applied to riscv-to-apply.next

Alistair

> ---
>  target/riscv/csr.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> index da366cf56271..f6bcf128a147 100644
> --- a/target/riscv/csr.c
> +++ b/target/riscv/csr.c
> @@ -3175,7 +3175,7 @@ static RISCVException write_menvcfg(CPURISCVState *env, int csrno,
>  {
>      const RISCVCPUConfig *cfg = riscv_cpu_cfg(env);
>      uint64_t mask = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE |
> -                    MENVCFG_CBZE | MENVCFG_CDE;
> +                    MENVCFG_CBZE;
>      bool stce_changed = false;
>
>      if (riscv_cpu_mxl(env) == MXL_RV64) {
> --
> 2.51.2
>
>
Re: [PATCH] target/riscv: Remove unconditional MENVCFG_CDE from mask
Posted by Daniel Henrique Barboza 2 weeks ago

On 5/11/2026 1:05 AM, Zishun Yi wrote:
> Currently, the MENVCFG_CDE (Counter Delegation Enable) bit is
> unconditionally included in the base write mask for CSR_MENVCFG.
> This makes the subsequent conditional check
> `(cfg->ext_smcdeleg ? MENVCFG_CDE : 0)` completely ineffective,
> as a bitwise OR cannot clear a bit that is already set.
> 
> Fix this by removing MENVCFG_CDE from the initial base mask. The bit
> will now only be writable when explicitly granted by the `ext_smcdeleg`
> configuration.
> 
> This issue was discovered and reported by SpecHunter, an AI-driven
> architecture specification analysis tool.
> 
> Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2601/qemu.txt
> Signed-off-by: Zishun Yi <vulab@iscas.ac.cn>
> ---

Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>

>   target/riscv/csr.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> index da366cf56271..f6bcf128a147 100644
> --- a/target/riscv/csr.c
> +++ b/target/riscv/csr.c
> @@ -3175,7 +3175,7 @@ static RISCVException write_menvcfg(CPURISCVState *env, int csrno,
>   {
>       const RISCVCPUConfig *cfg = riscv_cpu_cfg(env);
>       uint64_t mask = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE |
> -                    MENVCFG_CBZE | MENVCFG_CDE;
> +                    MENVCFG_CBZE;
>       bool stce_changed = false;
>   
>       if (riscv_cpu_mxl(env) == MXL_RV64) {